当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080193

漏洞标题:某建站系统存在多处SQL注入

相关厂商:nxsuny.com

漏洞作者: 路人甲

提交时间:2014-10-21 19:07

修复时间:2015-01-19 19:08

公开时间:2015-01-19 19:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-01-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT
一共四处奥 如果这个再被认定为不是同一套系统,我那就真对乌云失望了

详细说明:

宁夏闪讯网络科技有限公司开发的建站系统存在多处SQL注入,一共四处
官网:http://www.nxsuny.com
案例:
http://nxsmnszs.com/about.asp?AsSortID=1
http://nxsmnszs.com/proinfo.asp?id=351
http://nxsmnszs.com/newsinfo.asp?id=369
http://nxsmnszs.com/message.asp?AsSortID=33
http://www.nxadmc.com/about.asp?AsSortID=3
http://www.nxadmc.com/proinfo.asp?id=198
http://www.nxadmc.com/newsinfo.asp?id=210
http://www.nxadmc.com/message.asp?AsSortID=4
http://www.ychysp.com/about.asp?AsSortID=1
http://www.ychysp.com/proinfo.asp?id=562
http://www.ychysp.com/newsinfo.asp?id=378
http://www.ychysp.com/message.asp?AsSortID=53
http://www.nxyatfl.com/about.asp?AsSortID=64
http://www.nxyatfl.com/proinfo.asp?id=530
http://www.nxyatfl.com/newsinfo.asp?id=424
http://www.nxyatfl.com/message.asp?AsSortID=63
http://www.qzlpgs.com/about.asp?AsSortID=54
http://www.qzlpgs.com/proinfo.asp?id=866
http://www.qzlpgs.com/newsinfo.asp?id=390
http://www.qzlpgs.com/message.asp?AsSortID=53
http://www.grace-english.com/about.asp?AsSortID=30
http://www.grace-english.com/proinfo.asp?id=331
http://www.grace-english.com/newsinfo.asp?id=340
http://www.grace-english.com/message.asp?AsSortID=33
http://www.nxdongcheng.com/about.asp?AsSortID=1
http://www.nxdongcheng.com/proinfo.asp?id=740
http://www.nxdongcheng.com/newsinfo.asp?id=885
http://www.nxdongcheng.com/Article/Message.asp?ID=378
http://www.nxksjc.com/about.asp?AsSortID=1
http://www.nxksjc.com/proinfo.asp?id=664
http://www.nxksjc.com/newsinfo.asp?id=682
http://www.nxksjc.com/message.asp?AsSortID=64
http://www.usana1992.com/about.asp?AsSortID=53
http://www.usana1992.com/proinfo.asp?id=379
http://www.usana1992.com/newsinfo.asp?id=370
http://www.usana1992.com/message.asp?AsSortID=52
http://gesenna.gotoip3.com/about.asp?AsSortID=67
http://gesenna.gotoip3.com/proinfo.asp?id=443
http://gesenna.gotoip3.com/newsinfo.asp?id=495
http://gesenna.gotoip3.com/message.asp?AsSortID=66
http://www.nxthbp.com/about.asp?AsSortID=1
http://www.nxthbp.com/proinfo.asp?id=409
http://www.nxthbp.com/newsinfo.asp?id=487
http://www.nxthbp.com/message.asp?AsSortID=52
http://www.nxycwy.net/about.asp?AsSortID=1
http://www.nxycwy.net/proinfo.asp?id=499
http://www.nxycwy.net/newsinfo.asp?id=532
http://www.nxycwy.net/message.asp?AsSortID=64

漏洞证明:

我就只演示1个站了
http://nxsmnszs.com/message.asp?AsSortID=33

QQ图片20141020221721.jpg


QQ图片20141020221921.jpg


QQ图片20141020221946.jpg


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝