东航旗下上海航空国际旅游某分站SQL注入导致主站疑似全网用户账号密码泄露（含个人信息）

2017年5月3日17:28:18评论448 views字数 236阅读0分47秒阅读模式

摘要

2016-04-06：细节已通知厂商并且等待厂商处理中
2016-04-07：厂商已经确认，细节仅向厂商公开
2016-04-17：细节向核心白帽子及相关领域专家公开
2016-04-27：细节向普通白帽子公开
2016-05-07：细节向实习白帽子公开
2016-05-22：细节向公众公开

漏洞概要关注数(4) 关注此漏洞

缺陷编号： WooYun-2016-193199

漏洞标题：东航旗下上海航空国际旅游某分站SQL注入导致主站疑似全网用户账号密码泄露（含个人信息）

漏洞作者：低调的瘦子

提交时间： 2016-04-06 18:29

公开时间： 2016-05-22 10:00

漏洞类型：用户资料大量泄漏

危害等级：高

自评Rank： 20

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：无

0人收藏

漏洞详情

披露状态：

简要描述：

RT。。小漏洞大问题。好多敏感信息，这次给个20rank呗

详细说明：

注入地址：http://en.satrip.com/AboutUs/Contact.asp?Flag=3 注入参数Flag

这个英文站注入点太多了，厂商没用就更新下或者换掉吧。

此处随便拿这个注入地址进行注入，共34个数据库。

这里选择

code 区域

sh962008

该数据库进行操作

列表名

code 区域

WEB_FREETRAVEL_BOOK_REMARK
 CEAIR_CTRAVEL_ROUTE
 WEB_QUNARHDS_HOTELIMAGE_OLD
 WEB_QUNARHDS_HOTELBRAND_OLD
 CMS_ORDER_VISA_MATERIAL
 WEB_GUEST_ALL*
 CMS_OPERATOR_ROLE
 WEB_FREETRAVEL_BOOK_ACCOUNT
 XIANGHONG_DEPARTMENT
 WEB_INSURANCE_ALLIANZ_BOOK_PERSON
 XIANGHONG_USER
 WEB_FREETRAVEL_BOOK_PAYMENT
 WEB_INSURANCE_CHARTIS_BOOK_PERSON
 WEB_INVOICE
 XIANGHONG_MANAGER
 XIANGHONG_PAYMENT
 WEB_NEWS_FLAG
 WEB_FLIGHT_BOOK_FLIGHTS_GUEST
 CITYCODE_CHS*
 WEB_ETRAVEL_BOOK_ITEM
 CMS_ORDER_PAYMENT
 WEB_TOPIC_FLAG
 WEB_SITE_MANAGER_EXPRESS
 CMS_ORDER_HOTEL_ROOMS
 WEB_ETRAVEL_BOOK_PRICE
 WEB_FLIGHT_BOOK_REMARK
 WEB_VOUCHER
 CITYCODE_INT*
 WEB_SITE_MANAGER_EXPRESS_REMARK
 WEB_FREETRAVEL_BOOK_PRICE
 WEB_SITE_MANAGER_PACT
 WEB_AIR_AIRWAYS
 WEB_ETRAVEL_BOOK_PAYMENT
 WEB_FLIGHT_BOOK_FLIGHTS
 WEB_BBS_TOPIC
 CMS_ORDER_CLAUSE
 WEB_MAIL_LOG
 XIANGHONG_PAYMETHOD
 WEB_FLIGHT_RULES
 CMS_OPERATOR_DEPARTMENT
 WEB_CTRAVEL_BOOK
 WEB_CHINAPAY_STATUS
 ELONG_EHOTEL_LOCALTION
 AspNet_SqlCacheTablesForChangeNotification
 WEB_MEMBER_VOUCHER*
 WEB_SITE_MANAGER_KPI_RECEPTION
 WEB_FLIGHT_MANAGER
 ELONG_HOTEL_BRAND
 WEB_FREETRAVEL_ITEM*
 CMS_ORDER_HOTEL
 ELONG_HOTEL_BUSINESSZONE
 WEB_FREETRAVEL_BOOK_ROUTE
 ELONG_HOTEL_CODE
 ELONG_HOTEL_ERROR_LOG
 WEB_FREETRAVEL_SPECIAL*
 WEB_HOTEL_CATCH
 ELONG_HOTEL_FEATURE
 WEB_VOUCHER_REMARK
 WEB_FLIGHT_CUSTOMER
 ELONG_HOTEL_LANDMARK
 SHH_SalesDepart
 WEB_SCENERY
 WEB_CTRAVEL_BOOK_PAYMENT
 ELONG_HOTEL_ORDER
 WEB_SITE_LOGIN_LOG
 SHH_TripInfo
 WEB_GUEST_ALL_1*
 WEB_FLIGHT_BOOK_PRICE
 ELONG_HOTEL_ORDER_ACCOUNT
 WEB_COMPLAIN_REMARK
 WEB_INTENTION_BOOK
 ELONG_HOTEL_ORDER_COST
 CMS_PRODUCT_VISA
 WEB_HOTEL_BRAND
 WEB_CANCEL_CAUSE
 ELONG_HOTEL_ORDER_GUEST
 WEB_INTENTION_BOOK_REMARK
 ELONG_HOTEL_ORDER_HOTELINFO
 WEB_ITEM_DESTINATION
 ELONG_HOTEL_ORDER_INVOICE
 WEB_FREETRAVEL_PORNAME*
 WEB_FEEDBACK
 CMS_EXPRESS_THINGS
 ELONG_HOTEL_ORDER_ITEM
 CEAIR_ROUTE_TOPIC
 WEB_HOTEL_LANDMARK
 ELONG_HOTEL_ORDER_PAYMENT
 WEB_SITE_MANAGER_ORDER
 ELONG_HOTEL_ORDER_PRICE
 ELONG_HOTEL_ORDER_REMARK
 WEB_CITYCODE
 CMS_PRODUCT_VISA_MATERIAL
 ELONG_HOTEL_PROVIDER
 WEB_HOTEL_ROOM
 CMS_PAY_LOG
 WEB_ERR_LOG
 ELONG_HOTEL_ROOM
 WEB_CTRAVEL_BOOK_PRICE
 ELONG_HOTEL_ROOM_RATEPLAN
 WEB_AIR_BOOK
 WEB_OPID_SENDSMS_LOG
 ELONG_HOTEL_ROOM_RATEPLAN_RATE
 WEB_MEMBER_BUS
 WEB_SITE_MANAGER_USERTYPE
 CMS_OPERATOR_ROLE_CONTROL
 WEB_HOTEL*
 WEB_FREETRAVEL_ROUTE*
 sysdiagrams
 WEB_HOTEL_CREDITCARDS
 WEB_HOTEL_BOOK_COST
 pangolin_test_table
 CMS_PRODUCT_OPERATOR_LOG
 WEB_DEPT
 WEB_TEMP
 WEB_AIR_BOOK_FLIGHT
 WEB_BBS_IMG
 WEB_EN_CITY_INFO
 CMS_OPERATOR
 WEB_FLIGHT_BOOK_ACCOUNT
 WEB_SITE_INFO
 WEB_SITE_MANAGER_GROUP
 WEB_FREETRAVEL_NOTICE*
 MLS_QUES
 WEB_SITE_MANAGER_KPI_EVENT
 WEB_HOTEL_CONTACT*
 CEAIR_ETRAVEL
 WEB_PUBLIC_CODE
 WEB_FREETRAVEL_FLIGHT_AGREE
 WEB_HOTEL_BOOK
 WEB_FREETRAVEL_BOOK
 WEB_INSURANCE_CHARTIS_ERRORCODE
 WEB_AIR_BOOK_REMARK
 WEB_CACHE_ETRAVEL
 CMS_ORDER_OPERATOR_LOG
 WEB_HOTEL_CACHE_TEMP*
 WEB_QUNARHDS_CITYLIST
 WEB_SITE_MANAGER_CLAIMREFUND
 WEB_HOTEL_CACHE*
 WEB_QUNARHDS_HOTELBRAND
 WEB_FLIGHT_BOOK_PAYMENT
 dtproperties
 WEB_INSURANCE_CX
 WEB_ROUTE_PROMOTION
 WEB_EN_TOUR
 WEB_ACT_BOOK*
 syscommand
 WEB_AIR_BOOK_ACCOUNT
 WEB_CTRAVEL_BOOK_ACCOUNT
 WEB_COMPLAIN_RESPONSIBLE*
 WEB_DATUM_AREA
 WEB_THINGS_REFUND
 WEB_FREETRAVEL_PROVIDER
 WEB_INSURANCE_CX_BOOK
 WEB_BBS_BOARD
 WEB_ROUTE
 WEB_ETRAVEL_BOOK_ACCOUNT
 WEB_POINT
 WEB_LOTTERY
 WEB_ETRAVEL
 CMS_ORDER_PRICE
 WEB_TEAM_BOOK
 WEB_FLIGHT_REMARK
 WEB_ADMIN_NEWS
 ELONG_HOTEL_IMG
 WEB_FREETRAVEL_BOOK_COST
 CMS_IMG_BANNER
 WEB_AIR_BOOK_COST
 WEB_ETRAVEL_BOOK_COST
 WEB_FREETRAVEL_BOOK_PEOPLES_MATERIAL
 WEB_CURRENCY
 WEB_FREETRAVEL_FLIGHT
 WEB_ETRAVEL_ITEM
 WEB_SITE_MANAGER_KPI_CALLER
 WEB_HOTEL_PORNAME*
 WEB_FLIGHT_TOSTAY
 WEB_MEMBER_GUEST
 WEB_FREETRAVEL_ROUTE_CONTENT*
 WEB_DATUM
 CMS_ORDER_PROMOTION
 WEB_HOTEL_FEATURE*
 WEB_CTRAVEL_BOOK_COST
 WEB_HOTEL_ROOM*
 CEAIR_CTRAVEL
 WEB_HOTEL_DISTRICT
 WEB_ROUTE_COMMENT
 WEB_ETRAVEL_BOOK_PEOPLES_MATERIAL
 WEB_CONTINENTCODE*
 ELONG_HOTEL_DISTRICT
 CMS_PRODUCT
 WEB_ETRAVEL_MATERIAL
 WEB_FREETRAVEL_BOOK_PEOPLES
 WEB_USERGROUP
 WEB_FLIGHT_CLEAR
 WEB_HOTEL_ROOM_PRICE*
 CITYCODE_COUNTRY
 WEB_COUNTRYCODE*
 WEB_ETRAVEL_DESTINATION
 WEB_SITE_MANAGER
 CMS_PRODUCT_PRICE
 WEB_EN_DESTINATION
 WEB_BOOK_COMPACT
 WEB_ETRAVEL_BOOK_CLAUSE
 WEB_INSURANCE_CPIC_BOOK
 WEB_FREETRAVEL_DESTINATION
 WEB_FLIGHT_OPENTICKET
 WEB_VOUCHER_CONSUME
 WEB_FLIGHT_AIRLINE
 WEB_AIR_SEATS*
 WEB_FREETRAVEL_FLIGHT_CUSTOMER
 CMS_SMS_TEMPLATE
 WEB_HOTEL_GORUP
 CMS_ORDER_EVERYDAY
 WEB_ROUTE_HOT_DESTINATION
 CEAIR_USER
 WEB_FREETRAVEL_FLIGHT_ROUTE
 CMS_PRODUCT_FILE
 CMS_NOTICE
 systree*
 WEB_FLIGHT_PLANETYPE
 WEB_HOTEL_BOOK_INVOICE
 sysfile1*
 WEB_FREETRAVEL_BOOK_FEEDBACK
 WEB_INSURANCE_CHARTIS_BOOK
 DFXZ_QA
 WEB_HOTEL_THEME
 D99_Tmp
 WEB_MEMBER
 WEB_TEAM_BOOK_REMARK
 WEB_HOTEL_BOOK_GUEST
 WEB_CTRAVEL_BOOK_INVOICE
 WEB_MEMBER_VOUCHER**
 WEB_INSURANCE_CX_BOOK_PERSON
 WEB_CTRAVEL_BOOK_ROUTE_EVERYDAY
 WEB_TOPIC
 WEB_CACHE_CTRAVEL_DESTINATION
 WEB_ORDERNAME
 WEB_ETRAVEL_AREA*
 CMS_PUBLIC_CODE
 WEB_NEWS
 WEB_FLIGHT_BOOK_INVOICE
 WEB_FLIGHT_ROUTE
 CMS_COUNT_ROUTE
 CMS_ORDER_FLIGHTS
 WEB_HOTEL_BOOK_ACCOUNT
 WEB_ETRAVEL_BOOK_PEOPLES_CERTIFICATE
 WEB_SITE_MANAGER_CLAIMREFUND_REMARK
 WEB_SUPPLY
 WEB_VOTING_KOREA*
 WEB_FLIGHT_FLIGHT
 CMS_INSURANCE
 CITYCODE
 CMS_ORDER_GUEST_MATERIAL
 WEB_QUNARHDS_HOTELCITY
 WEB_HOTEL_BOOK_PAYMENT
 WEB_LOTTERY_ORDER
 WEB_SITE_MANAGER_EXTNUM
 CMS_ORDER_OPOPERATOR
 WEB_SITE_MANAGER_KPI_DEPT
 WEB_VOTING_KOREA_MOBILECHECK*
 CMS_PROVIDER
 SPELL
 CMS_ORDER_COST
 WEB_FREETRAVEL_BOOK_INVOICE
 SQLin
 WEB_COMPLAIN
 WEB_HOTEL_BOOK_PIRCE
 CMS_OPERATOR_ROLE_PAGE
 WEB_SITE_MANAGER_KPI
 CMS_ERR_LOG
 WEB_SITE_MANAGER_KPI_DESC
 CMS_ORDER_GUEST
 WEB_VOTING_KOREA_WB*
 WEB_FLIGHT_BOOK
 WEB_HOTEL_PIC_ERROR*
 CMS_ORDER_APPOINT
 WEB_VOTING_KOREA_MEMBER*
 WEB_CACHE_ETRAVEL_DESTINATION
 WEB_FREETRAVEL_BOOK_HOTEL
 WEB_FREETRAVEL_FLIGHT_SALE
 WEB_AIR_PLANE*
 WEB_ETRAVEL_KEYWORD_STATIC
 CMS_ORDER_OPERATOR
 XIANGHONG_TEMP_MEMBER
 WEB_VOTING_KOREA_HIT*
 WEB_POINT_CONSUME
 WEB_ETRAVEL_BOOK
 WEB_CTRAVEL_CITY*
 WEB_ETRAVEL_BOOK_CANCELLATION
 MOBILE_BLOG_APP
 MOBILE_PRODUCT_ADVERT
 WEB_ORDERSTATUS
 WEB_ETRAVEL_BOOK_INVOICE
 WEB_CTRAVEL_KEYWORD_STATIC
 MOBILE_SYSTEM_VERSION
 WEB_DATUM_COUNTRY
 WEB_CTRAVEL_DESTINATION
 WEB_ROUTE_TOPIC
 WEB_KMGOP_BOOK*
 WEB_TOPIC_TEMP
 WEB_AIR_BOOK_PAYMENT
 WEB_ETRAVEL_BUS
 CMS_ORDER
 WEB_SPECIAL_ROUTE_SMS
 WEB_EN_INFO
 WEB_SMS
 CMS_EXPRESS
 WEB_ROUTE_POSITION
 WEB_ETRAVEL_BOOK_PEOPLES
 CMS_VISA_MATERIAL_TEMPLATE
 WEB_EN_EXCHANGE
 WEB_HOTEL_BUSINESSZONE
 WEB_CHINAPAY
 WEB_EN_INFO_FLAG
 WEB_DEPT_SERVICE_LOG
 WEB_KMGOP_BOOK_EVENT*
 WEB_QUNARHDS_HOTELLIST
 WEB_EN_WEATHER
 WEB_AIR_FLIGHTTYPE
 WEB_ETRAVEL_BOOK_REMARK
 CMS_ORDER_EVENT
 WEB_FREETRAVEL_BUS
 WEB_HOTEL_ROOM_CACHE*
 WEB_FREETRAVEL_BOOK_FCTAIWAN_HOTEL*
 WEB_EN_CITY_CODE
 TOPIC_314
 WEB_AIR_BOOK_INVOICE
 WEB_FREETRAVEL_ROUTE_HOTEL*
 WEB_ETRAVEL_KEYWORD
 WEB_VOTING*
 WEB_POINT_SAL
 WEB_FREETRAVEL_BOOK_FCTAIWAN_FLIGHT*
 WEB_SPECIAL_ROUTE
 WEB_ROUTE_FILTER
 WEB_SITE_MANAGER_EXPRESS_THINGS
 WEB_SPECIAL_ROUTE_EMAIL
 WEB_HOTEL
 CMS_OPERATOR_DEPARTMENT_JOB
 WEB_SITE_MANAGER_KPI_OPERATION
 WEB_ETRAVEL_BOOK_ROUTE_EVERYDAY
 WEB_INSURANCE_ALLIANZ
 WEB_HOTEL_IMG
 WEB_MATERIAL_ERROR_LOG
 WEB_FLIGHT
 WEB_CITYCODE_SCENIC
 CMS_ORDER_INSURANCE
 WEB_HOTEL_BOOK_REMARK
 WEB_FREETRAVEL_BOOK_FLIGHT
 WEB_HOTEL_BOOK_ITEM
 WEB_SITE_MANAGER_KPI_DESC_FACTNUM
 WEB_ETRAVEL_BOOK_ROUTE
 CMS_OPERATOR_LOGIN_LOG
 WEB_CTRAVEL_BOOK_REMARK
 WEB_INSURANCE_CHARTIS
 WEB_IBE_RULES
 ELONG_HOTEL
 WEB_AIR_INFO*
 WEB_FREETRAVEL_BOOK_CLAUSE
 CMS_PRODUCT_CLAUSE
 WEB_AIR_MEMBER*
 CMS_PUBLIC_TOKEN
 WEB_CTRAVEL_BOOK_PEOPLES
 WEB_INSURANCE_CPIC
 WEB_INSURANCE_ALLIANZ_BOOK
 WEB_TMALL_ROUTE
 WEB_QUNARHDS_HOTELDETAIL
 CMS_ORDER_DEPOSIT
 WEB_AIR_RULES*
 CMS_ORDER_VISA
 WEB_POINT_ITEM
 WEB_QUNARHDS_HOTELIMAGE
 WEB_INSURANCE_CPIC_BOOK_PERSON
 WEB_QUNARHDS_HOTELLIST_OLD
 WEB_SCENERY_IMG
 WEB_MEMBER_COLLECTION
 CEAIR_ETRAVEL_ROUTE
 WEB_FREETRAVEL_BOOK_ITEM
 WEB_TMALL_ROUTE_EVERYDAY
 WEB_QUNARHDS_CITYLIST_OLD
 WEB_AIR_BOOK_PEOPLES
 WEB_VOUCHER_TEMPLATE
 WEB_QUNARHDS_HOTELDETAIL_OLD
 WEB_BOOK_PROMOTION
 WEB_ORDERSTATUS_OPERATION
 WEB_FLIGHT_BOOK_COST
 CMS_ORDER_INVOICE

里面信息很多，翻了好久，然后在web_member翻到N多用户账号信息，通过得到的password解密后在主站登录发现都可以登录！！！！

具体该裤子是之前的还是现在的无法查证，厂商自行评估。

另外一个危害较大的是疑似你们家运维的邮箱帐号密码被我翻出来了，还想去新网重置下密码发现不是用你们公司的邮箱注册的，目测是用aliyun的邮箱。

邮箱帐号：密码 jietao 这密码强度实在不敢恭维。涉及该运维人员小米、京东账号。

另外你们公司的appstore账号：

code 区域

> 账号：
 > 密码：S马赛克8

，应该可以替换你们家的app吧？？

漏洞证明：

修复方案：

过滤，加waf！

版权声明：转载请注明来源低调的瘦子@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2016-04-07 09:52

厂商回复：

十分感谢！

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞概要 关注数(4) 关注此漏洞

缺陷编号： WooYun-2016-193199

漏洞标题： 东航旗下上海航空国际旅游某分站SQL注入导致主站疑似全网用户账号密码泄露（含个人信息）

相关厂商： 中国东方航空股份有限公司

漏洞作者： 低调的瘦子

提交时间： 2016-04-06 18:29

公开时间： 2016-05-22 10:00

漏洞类型： 用户资料大量泄漏

危害等级： 高

自评Rank： 20

漏洞状态： 厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 无

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 低调的瘦子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(4) 关注此漏洞

漏洞标题：东航旗下上海航空国际旅游某分站SQL注入导致主站疑似全网用户账号密码泄露（含个人信息）

相关厂商：中国东方航空股份有限公司

漏洞作者：低调的瘦子

漏洞类型：用户资料大量泄漏

危害等级：高

漏洞状态：厂商已经确认

Tags标签：无

版权声明：转载请注明来源低调的瘦子@乌云

漏洞评价(共0人评价):

登陆后才能进行评分