2016-04-21: Details reported to the vendor; awaiting vendor processing
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

App Security: SQL Injection

Target: Aijie WiFi (爱街wifi) Android app. Testing found SQL injection at every one of the following endpoints. Injectable parameters: city_name / uuid; error-based injection.
POST http://p.aijee.cn/CApp1_2_4/GetCityDomain HTTP/1.1
Content-Length: 183
Content-Type: application/x-www-form-urlencoded
Host: p.aijee.cn
Connection: Keep-Alive
User-Agent: android-async-http/1.4.3 (http://loopj.com/android-async-http)
Accept-Encoding: gzip

uuid=4c060d301c774d409a523793331c607f&city_name=%E6%B7%B1%E5%9C%B3&location=%7B%22longitude%22%3A%22113.948691%22%2C%22latitude%22%3A%2222.536312%22%7D&mac=98%3A6c%3Af5%3A57%3Aeb%3A73

POST http://p.aijee.cn/UserApp/getMacLocation HTTP/1.1
Content-Length: 108
Content-Type: application/x-www-form-urlencoded
Host: p.shenzhen.aijee.cn
Connection: Keep-Alive
User-Agent: android-async-http/1.4.3 (http://loopj.com/android-async-http)
Accept-Encoding: gzip

router_mac=00%3A87%3A46%3A1e%3A03%3A4e&uuid=4c060d301c774d409a523793331c607f&mac=98%3A6c%3Af5%3A57%3Aeb%3A73

POST http://p.aijee.cn/CApp1_3_5/checkNet HTTP/1.1
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Host: p.shenzhen.aijee.cn
Connection: Keep-Alive
User-Agent: android-async-http/1.4.3 (http://loopj.com/android-async-http)
Cookie: SERVERID=c2cfc9a902b60014578f943a98093b4f|1461132545|1461132538; PHPSESSID=9h3u0bcb44dqlgv2r961ta63f5
Cookie2: $Version=1
Accept-Encoding: gzip

uuid=4c060d301c774d409a523793331c607f&mac=98%3A6c%3Af5%3A57%3Aeb%3A73
1. All databases: 136 in total
2. User table: 50,000,000+ rows; Tianjin has the most. I did not dig any deeper.
Any advice is welcome.
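As an added example (not the app's own backend code, which the report does not show), here is a minimal Python/sqlite3 model of the GetCityDomain handler: the first function splices city_name straight into the query, which is the kind of defect the report's error-based injection points to, while the second validates uuid against the 32-hex format seen in the captured requests and binds city_name as a query parameter. The table schema and its rows are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the backend's city table (the real schema is unknown).
SCHEMA = "CREATE TABLE city_domain (city_name TEXT, domain TEXT)"
ROWS = [("深圳", "p.shenzhen.aijee.cn"), ("天津", "p.tianjin.aijee.cn")]

# uuid values in the captured requests are exactly 32 lowercase hex characters.
UUID_RE = re.compile(r"^[0-9a-f]{32}$")


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO city_domain VALUES (?, ?)", ROWS)
    return db


def valid_uuid(value):
    return UUID_RE.match(value) is not None


def get_city_domain_vulnerable(db, body):
    # Defective pattern, kept only to contrast with the fix: the form value is
    # formatted into the SQL text, so a stray quote changes the statement and
    # the resulting database error is what makes the flaw error-based.
    params = parse_qs(body)
    city = params.get("city_name", [""])[0]
    sql = "SELECT domain FROM city_domain WHERE city_name = '%s'" % city
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return None  # the real app would leak this error to the client


def get_city_domain_fixed(db, body):
    # Hardened: reject malformed uuid up front, bind city_name as a parameter
    # so its content can never be interpreted as SQL.
    params = parse_qs(body)
    uuid = params.get("uuid", [""])[0]
    if not valid_uuid(uuid):
        raise ValueError("malformed uuid")
    city = params.get("city_name", [""])[0]
    sql = "SELECT domain FROM city_domain WHERE city_name = ?"
    return [row[0] for row in db.execute(sql, (city,))]
```

The body string from the first captured request resolves to the 深圳 row in both versions; the difference shows only once city_name carries a quote.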
Severity: High
Vulnerability Rank: 15
Confirmation time: 2016-04-22 11:12
Already being handled, many thanks.
None yet