当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193199

漏洞标题:东航旗下上海航空国际旅游某分站SQL注入导致主站疑似全网用户账号密码泄露(含个人信息)

相关厂商:中国东方航空股份有限公司

漏洞作者: 低调的瘦子

提交时间:2016-04-06 18:29

修复时间:2016-05-22 10:00

公开时间:2016-05-22 10:00

漏洞类型:用户资料大量泄漏

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-06: 细节已通知厂商并且等待厂商处理中
2016-04-07: 厂商已经确认,细节仅向厂商公开
2016-04-17: 细节向核心白帽子及相关领域专家公开
2016-04-27: 细节向普通白帽子公开
2016-05-07: 细节向实习白帽子公开
2016-05-22: 细节向公众公开

简要描述:

RT。。小漏洞大问题。好多敏感信息,这次给个20rank呗

详细说明:

注入地址:http://en.satrip.com/AboutUs/Contact.asp?Flag=3 注入参数Flag
这个英文站注入点太多了,厂商没用就更新下或者换掉吧。
此处随便拿这个注入地址进行注入,共34个数据库。
这里选择

sh962008

该数据库进行操作
列表名

WEB_FREETRAVEL_BOOK_REMARK
CEAIR_CTRAVEL_ROUTE
WEB_QUNARHDS_HOTELIMAGE_OLD
WEB_QUNARHDS_HOTELBRAND_OLD
CMS_ORDER_VISA_MATERIAL
WEB_GUEST_ALL*
CMS_OPERATOR_ROLE
WEB_FREETRAVEL_BOOK_ACCOUNT
XIANGHONG_DEPARTMENT
WEB_INSURANCE_ALLIANZ_BOOK_PERSON
XIANGHONG_USER
WEB_FREETRAVEL_BOOK_PAYMENT
WEB_INSURANCE_CHARTIS_BOOK_PERSON
WEB_INVOICE
XIANGHONG_MANAGER
XIANGHONG_PAYMENT
WEB_NEWS_FLAG
WEB_FLIGHT_BOOK_FLIGHTS_GUEST
CITYCODE_CHS*
WEB_ETRAVEL_BOOK_ITEM
CMS_ORDER_PAYMENT
WEB_TOPIC_FLAG
WEB_SITE_MANAGER_EXPRESS
CMS_ORDER_HOTEL_ROOMS
WEB_ETRAVEL_BOOK_PRICE
WEB_FLIGHT_BOOK_REMARK
WEB_VOUCHER
CITYCODE_INT*
WEB_SITE_MANAGER_EXPRESS_REMARK
WEB_FREETRAVEL_BOOK_PRICE
WEB_SITE_MANAGER_PACT
WEB_AIR_AIRWAYS
WEB_ETRAVEL_BOOK_PAYMENT
WEB_FLIGHT_BOOK_FLIGHTS
WEB_BBS_TOPIC
CMS_ORDER_CLAUSE
WEB_MAIL_LOG
XIANGHONG_PAYMETHOD
WEB_FLIGHT_RULES
CMS_OPERATOR_DEPARTMENT
WEB_CTRAVEL_BOOK
WEB_CHINAPAY_STATUS
ELONG_EHOTEL_LOCALTION
AspNet_SqlCacheTablesForChangeNotification
WEB_MEMBER_VOUCHER*
WEB_SITE_MANAGER_KPI_RECEPTION
WEB_FLIGHT_MANAGER
ELONG_HOTEL_BRAND
WEB_FREETRAVEL_ITEM*
CMS_ORDER_HOTEL
ELONG_HOTEL_BUSINESSZONE
WEB_FREETRAVEL_BOOK_ROUTE
ELONG_HOTEL_CODE
ELONG_HOTEL_ERROR_LOG
WEB_FREETRAVEL_SPECIAL*
WEB_HOTEL_CATCH
ELONG_HOTEL_FEATURE
WEB_VOUCHER_REMARK
WEB_FLIGHT_CUSTOMER
ELONG_HOTEL_LANDMARK
SHH_SalesDepart
WEB_SCENERY
WEB_CTRAVEL_BOOK_PAYMENT
ELONG_HOTEL_ORDER
WEB_SITE_LOGIN_LOG
SHH_TripInfo
WEB_GUEST_ALL_1*
WEB_FLIGHT_BOOK_PRICE
ELONG_HOTEL_ORDER_ACCOUNT
WEB_COMPLAIN_REMARK
WEB_INTENTION_BOOK
ELONG_HOTEL_ORDER_COST
CMS_PRODUCT_VISA
WEB_HOTEL_BRAND
WEB_CANCEL_CAUSE
ELONG_HOTEL_ORDER_GUEST
WEB_INTENTION_BOOK_REMARK
ELONG_HOTEL_ORDER_HOTELINFO
WEB_ITEM_DESTINATION
ELONG_HOTEL_ORDER_INVOICE
WEB_FREETRAVEL_PORNAME*
WEB_FEEDBACK
CMS_EXPRESS_THINGS
ELONG_HOTEL_ORDER_ITEM
CEAIR_ROUTE_TOPIC
WEB_HOTEL_LANDMARK
ELONG_HOTEL_ORDER_PAYMENT
WEB_SITE_MANAGER_ORDER
ELONG_HOTEL_ORDER_PRICE
ELONG_HOTEL_ORDER_REMARK
WEB_CITYCODE
CMS_PRODUCT_VISA_MATERIAL
ELONG_HOTEL_PROVIDER
WEB_HOTEL_ROOM
CMS_PAY_LOG
WEB_ERR_LOG
ELONG_HOTEL_ROOM
WEB_CTRAVEL_BOOK_PRICE
ELONG_HOTEL_ROOM_RATEPLAN
WEB_AIR_BOOK
WEB_OPID_SENDSMS_LOG
ELONG_HOTEL_ROOM_RATEPLAN_RATE
WEB_MEMBER_BUS
WEB_SITE_MANAGER_USERTYPE
CMS_OPERATOR_ROLE_CONTROL
WEB_HOTEL*
WEB_FREETRAVEL_ROUTE*
sysdiagrams
WEB_HOTEL_CREDITCARDS
WEB_HOTEL_BOOK_COST
pangolin_test_table
CMS_PRODUCT_OPERATOR_LOG
WEB_DEPT
WEB_TEMP
WEB_AIR_BOOK_FLIGHT
WEB_BBS_IMG
WEB_EN_CITY_INFO
CMS_OPERATOR
WEB_FLIGHT_BOOK_ACCOUNT
WEB_SITE_INFO
WEB_SITE_MANAGER_GROUP
WEB_FREETRAVEL_NOTICE*
MLS_QUES
WEB_SITE_MANAGER_KPI_EVENT
WEB_HOTEL_CONTACT*
CEAIR_ETRAVEL
WEB_PUBLIC_CODE
WEB_FREETRAVEL_FLIGHT_AGREE
WEB_HOTEL_BOOK
WEB_FREETRAVEL_BOOK
WEB_INSURANCE_CHARTIS_ERRORCODE
WEB_AIR_BOOK_REMARK
WEB_CACHE_ETRAVEL
CMS_ORDER_OPERATOR_LOG
WEB_HOTEL_CACHE_TEMP*
WEB_QUNARHDS_CITYLIST
WEB_SITE_MANAGER_CLAIMREFUND
WEB_HOTEL_CACHE*
WEB_QUNARHDS_HOTELBRAND
WEB_FLIGHT_BOOK_PAYMENT
dtproperties
WEB_INSURANCE_CX
WEB_ROUTE_PROMOTION
WEB_EN_TOUR
WEB_ACT_BOOK*
syscommand
WEB_AIR_BOOK_ACCOUNT
WEB_CTRAVEL_BOOK_ACCOUNT
WEB_COMPLAIN_RESPONSIBLE*
WEB_DATUM_AREA
WEB_THINGS_REFUND
WEB_FREETRAVEL_PROVIDER
WEB_INSURANCE_CX_BOOK
WEB_BBS_BOARD
WEB_ROUTE
WEB_ETRAVEL_BOOK_ACCOUNT
WEB_POINT
WEB_LOTTERY
WEB_ETRAVEL
CMS_ORDER_PRICE
WEB_TEAM_BOOK
WEB_FLIGHT_REMARK
WEB_ADMIN_NEWS
ELONG_HOTEL_IMG
WEB_FREETRAVEL_BOOK_COST
CMS_IMG_BANNER
WEB_AIR_BOOK_COST
WEB_ETRAVEL_BOOK_COST
WEB_FREETRAVEL_BOOK_PEOPLES_MATERIAL
WEB_CURRENCY
WEB_FREETRAVEL_FLIGHT
WEB_ETRAVEL_ITEM
WEB_SITE_MANAGER_KPI_CALLER
WEB_HOTEL_PORNAME*
WEB_FLIGHT_TOSTAY
WEB_MEMBER_GUEST
WEB_FREETRAVEL_ROUTE_CONTENT*
WEB_DATUM
CMS_ORDER_PROMOTION
WEB_HOTEL_FEATURE*
WEB_CTRAVEL_BOOK_COST
WEB_HOTEL_ROOM*
CEAIR_CTRAVEL
WEB_HOTEL_DISTRICT
WEB_ROUTE_COMMENT
WEB_ETRAVEL_BOOK_PEOPLES_MATERIAL
WEB_CONTINENTCODE*
ELONG_HOTEL_DISTRICT
CMS_PRODUCT
WEB_ETRAVEL_MATERIAL
WEB_FREETRAVEL_BOOK_PEOPLES
WEB_USERGROUP
WEB_FLIGHT_CLEAR
WEB_HOTEL_ROOM_PRICE*
CITYCODE_COUNTRY
WEB_COUNTRYCODE*
WEB_ETRAVEL_DESTINATION
WEB_SITE_MANAGER
CMS_PRODUCT_PRICE
WEB_EN_DESTINATION
WEB_BOOK_COMPACT
WEB_ETRAVEL_BOOK_CLAUSE
WEB_INSURANCE_CPIC_BOOK
WEB_FREETRAVEL_DESTINATION
WEB_FLIGHT_OPENTICKET
WEB_VOUCHER_CONSUME
WEB_FLIGHT_AIRLINE
WEB_AIR_SEATS*
WEB_FREETRAVEL_FLIGHT_CUSTOMER
CMS_SMS_TEMPLATE
WEB_HOTEL_GORUP
CMS_ORDER_EVERYDAY
WEB_ROUTE_HOT_DESTINATION
CEAIR_USER
WEB_FREETRAVEL_FLIGHT_ROUTE
CMS_PRODUCT_FILE
CMS_NOTICE
systree*
WEB_FLIGHT_PLANETYPE
WEB_HOTEL_BOOK_INVOICE
sysfile1*
WEB_FREETRAVEL_BOOK_FEEDBACK
WEB_INSURANCE_CHARTIS_BOOK
DFXZ_QA
WEB_HOTEL_THEME
D99_Tmp
WEB_MEMBER
WEB_TEAM_BOOK_REMARK
WEB_HOTEL_BOOK_GUEST
WEB_CTRAVEL_BOOK_INVOICE
WEB_MEMBER_VOUCHER**
WEB_INSURANCE_CX_BOOK_PERSON
WEB_CTRAVEL_BOOK_ROUTE_EVERYDAY
WEB_TOPIC
WEB_CACHE_CTRAVEL_DESTINATION
WEB_ORDERNAME
WEB_ETRAVEL_AREA*
CMS_PUBLIC_CODE
WEB_NEWS
WEB_FLIGHT_BOOK_INVOICE
WEB_FLIGHT_ROUTE
CMS_COUNT_ROUTE
CMS_ORDER_FLIGHTS
WEB_HOTEL_BOOK_ACCOUNT
WEB_ETRAVEL_BOOK_PEOPLES_CERTIFICATE
WEB_SITE_MANAGER_CLAIMREFUND_REMARK
WEB_SUPPLY
WEB_VOTING_KOREA*
WEB_FLIGHT_FLIGHT
CMS_INSURANCE
CITYCODE
CMS_ORDER_GUEST_MATERIAL
WEB_QUNARHDS_HOTELCITY
WEB_HOTEL_BOOK_PAYMENT
WEB_LOTTERY_ORDER
WEB_SITE_MANAGER_EXTNUM
CMS_ORDER_OPOPERATOR
WEB_SITE_MANAGER_KPI_DEPT
WEB_VOTING_KOREA_MOBILECHECK*
CMS_PROVIDER
SPELL
CMS_ORDER_COST
WEB_FREETRAVEL_BOOK_INVOICE
SQLin
WEB_COMPLAIN
WEB_HOTEL_BOOK_PIRCE
CMS_OPERATOR_ROLE_PAGE
WEB_SITE_MANAGER_KPI
CMS_ERR_LOG
WEB_SITE_MANAGER_KPI_DESC
CMS_ORDER_GUEST
WEB_VOTING_KOREA_WB*
WEB_FLIGHT_BOOK
WEB_HOTEL_PIC_ERROR*
CMS_ORDER_APPOINT
WEB_VOTING_KOREA_MEMBER*
WEB_CACHE_ETRAVEL_DESTINATION
WEB_FREETRAVEL_BOOK_HOTEL
WEB_FREETRAVEL_FLIGHT_SALE
WEB_AIR_PLANE*
WEB_ETRAVEL_KEYWORD_STATIC
CMS_ORDER_OPERATOR
XIANGHONG_TEMP_MEMBER
WEB_VOTING_KOREA_HIT*
WEB_POINT_CONSUME
WEB_ETRAVEL_BOOK
WEB_CTRAVEL_CITY*
WEB_ETRAVEL_BOOK_CANCELLATION
MOBILE_BLOG_APP
MOBILE_PRODUCT_ADVERT
WEB_ORDERSTATUS
WEB_ETRAVEL_BOOK_INVOICE
WEB_CTRAVEL_KEYWORD_STATIC
MOBILE_SYSTEM_VERSION
WEB_DATUM_COUNTRY
WEB_CTRAVEL_DESTINATION
WEB_ROUTE_TOPIC
WEB_KMGOP_BOOK*
WEB_TOPIC_TEMP
WEB_AIR_BOOK_PAYMENT
WEB_ETRAVEL_BUS
CMS_ORDER
WEB_SPECIAL_ROUTE_SMS
WEB_EN_INFO
WEB_SMS
CMS_EXPRESS
WEB_ROUTE_POSITION
WEB_ETRAVEL_BOOK_PEOPLES
CMS_VISA_MATERIAL_TEMPLATE
WEB_EN_EXCHANGE
WEB_HOTEL_BUSINESSZONE
WEB_CHINAPAY
WEB_EN_INFO_FLAG
WEB_DEPT_SERVICE_LOG
WEB_KMGOP_BOOK_EVENT*
WEB_QUNARHDS_HOTELLIST
WEB_EN_WEATHER
WEB_AIR_FLIGHTTYPE
WEB_ETRAVEL_BOOK_REMARK
CMS_ORDER_EVENT
WEB_FREETRAVEL_BUS
WEB_HOTEL_ROOM_CACHE*
WEB_FREETRAVEL_BOOK_FCTAIWAN_HOTEL*
WEB_EN_CITY_CODE
TOPIC_314
WEB_AIR_BOOK_INVOICE
WEB_FREETRAVEL_ROUTE_HOTEL*
WEB_ETRAVEL_KEYWORD
WEB_VOTING*
WEB_POINT_SAL
WEB_FREETRAVEL_BOOK_FCTAIWAN_FLIGHT*
WEB_SPECIAL_ROUTE
WEB_ROUTE_FILTER
WEB_SITE_MANAGER_EXPRESS_THINGS
WEB_SPECIAL_ROUTE_EMAIL
WEB_HOTEL
CMS_OPERATOR_DEPARTMENT_JOB
WEB_SITE_MANAGER_KPI_OPERATION
WEB_ETRAVEL_BOOK_ROUTE_EVERYDAY
WEB_INSURANCE_ALLIANZ
WEB_HOTEL_IMG
WEB_MATERIAL_ERROR_LOG
WEB_FLIGHT
WEB_CITYCODE_SCENIC
CMS_ORDER_INSURANCE
WEB_HOTEL_BOOK_REMARK
WEB_FREETRAVEL_BOOK_FLIGHT
WEB_HOTEL_BOOK_ITEM
WEB_SITE_MANAGER_KPI_DESC_FACTNUM
WEB_ETRAVEL_BOOK_ROUTE
CMS_OPERATOR_LOGIN_LOG
WEB_CTRAVEL_BOOK_REMARK
WEB_INSURANCE_CHARTIS
WEB_IBE_RULES
ELONG_HOTEL
WEB_AIR_INFO*
WEB_FREETRAVEL_BOOK_CLAUSE
CMS_PRODUCT_CLAUSE
WEB_AIR_MEMBER*
CMS_PUBLIC_TOKEN
WEB_CTRAVEL_BOOK_PEOPLES
WEB_INSURANCE_CPIC
WEB_INSURANCE_ALLIANZ_BOOK
WEB_TMALL_ROUTE
WEB_QUNARHDS_HOTELDETAIL
CMS_ORDER_DEPOSIT
WEB_AIR_RULES*
CMS_ORDER_VISA
WEB_POINT_ITEM
WEB_QUNARHDS_HOTELIMAGE
WEB_INSURANCE_CPIC_BOOK_PERSON
WEB_QUNARHDS_HOTELLIST_OLD
WEB_SCENERY_IMG
WEB_MEMBER_COLLECTION
CEAIR_ETRAVEL_ROUTE
WEB_FREETRAVEL_BOOK_ITEM
WEB_TMALL_ROUTE_EVERYDAY
WEB_QUNARHDS_CITYLIST_OLD
WEB_AIR_BOOK_PEOPLES
WEB_VOUCHER_TEMPLATE
WEB_QUNARHDS_HOTELDETAIL_OLD
WEB_BOOK_PROMOTION
WEB_ORDERSTATUS_OPERATION
WEB_FLIGHT_BOOK_COST
CMS_ORDER_INVOICE


里面信息很多,翻了好久,然后在web_member翻到N多用户账号信息,通过得到的password解密后在主站登录发现都可以登录!!!!
具体该裤子是之前的还是现在的无法查证, 厂商自行评估。
另外一个危害较大的是疑似你们家运维的邮箱帐号密码被我翻出来了,还想去新网重置下密码发现不是用你们公司的邮箱注册的,目测是用aliyun的邮箱。
邮箱帐号:alanqiu@satrip.com 密码 jietao 这密码强度实在不敢恭维。涉及该运维人员小米、京东账号。
另外你们公司的appstore账号:

> 账号:web@satrip.com
> 密码:S马赛克8

,应该可以替换你们家的app吧??

漏洞证明:

QQ截图20160405125750.jpg


QQ截图20160405125957.jpg


QQ截图20160405130042.jpg


QQ截图20160405220616.jpg


QQ截图20160406170821.jpg


QQ截图20160406171640.jpg

修复方案:

过滤,加waf!

版权声明:转载请注明来源 低调的瘦子@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2016-04-07 09:52

厂商回复:

十分感谢!

最新状态:

暂无