WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-07-15: Details sent to the vendor, awaiting vendor handling
2015-07-16: Vendor confirmed; details disclosed to the vendor only
2015-07-26: Details disclosed to core white hats and relevant domain experts
2015-08-05: Details disclosed to regular white hats
2015-08-15: Details disclosed to intern white hats
2015-08-30: Details disclosed to the public
Baofeng Player is great and takes security seriously. They called today saying they would send a gift, so let me test you once more~~~
First, this address can be brute-forced: http://adorders.huiyan.baofeng.com/ The captcha is never invalidated. I imported the top 500 names and the top 10 passwords. Account wangpeng, password 123456: this person is a sales director, and this alone already leaks a lot of supplier information. See screenshot.
Then there is SQL injection here; the injectable parameter is real_name.
GET /Acl/user/list?real_name=&is_delete=0&role_id=0 HTTP/1.1
Host: adorders.huiyan.baofeng.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Referer: http://adorders.huiyan.baofeng.com/Acl/user/list?real_name=&is_delete=1&role_id=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: bfuid=135601920076674909; bfuname=1341_9018_4; bfcsid=CUNFhCvV3Fn7o_Pq2kyM1Q%3D%3D; SSOStatus=1439523232; st=8WpHKKvbFsmwHXTB7pR-aiF6I5v6XQLfuLRIgr3_vi33v3S3Hk1ejLSeu2n5l0ery0jn8KfoSMabvPTWvXo6I5D4YIXdtqL9GuOU02YNmjqY5epCXqG0XY8R2iLof2mR; loginToken=GNYDm443uDZuyyxd9f0Aim38mEwh0N7mydSSRv7VHznV_GgFP1dMb90AvEkamaeBXlf-F8PNPpXxErHoAieYDmxVoaPv88j0h4HugQAXShovPmrPxCPxTr4UzvIm0n3TcIbUJWqCZkMJb065AtjE0-AYw1bGK9YRLkYAisnbctUWWAqrIBalyKVr0_CKJ-8UT1LEOmK0W4hYzvyme854MUKzZ1KSSfrJMkM9lTO-KkqyOAaaJ9bNJMwM3SJHeP_eYA2mX6pkM4vnSnG7I_IpAKyKqAvLBTE82Ig6uw1Ua4SaovMLmx_BoCuZX2Nb0QB0; bfsid=50bac3b32aa211e594eae83935af1128; vipssl_ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229e5ef996d986af286db344c06582435f%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22117.151.114.114%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A103%3A%22Mozilla%2F5.0+%28X11%3B+Linux+i686%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F37.0.2062.120+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1436964025%3B%7D3292b4aa1811dc5c69ff07a128d68db0; PHPSESSID=f6eoeiirhtr0gpflfn33k1ep65; updateinforandomstr=bb4102d4c1ca16c6ea4b2c79f3c3b611; bf_sid=135601920076674909; bf_user_name=1341_9018_4; bf_sid_check=135601920076674909; umail=1341_9018_4%7C553664196%40qq.com; bali=22; uid=e3f5d5d5fd04ba347a7ae7869b2595547c7fba70; viinfo=Eqw-DERmIzQz3sd1WJFAJQ9xguIuoDHZQQxQP09EgsQJm_ZS3TmQByufKAbRD-2fpRrVzCjP-CSyxs-xk8detw; __utmt=1; __utma=131384592.545561278.1436764443.1436947928.1436964454.3; __utmb=131384592.1.10.1436964454; __utmc=131384592; __utmz=131384592.1436964454.3.3.utmcsr=fofa.so|utmccn=(referral)|utmcmd=referral|utmcct=/lab/ips; bfCollects=; _ga=GA1.2.545561278.1436764443; Hm_lvt_034253c5988f5d0fef5c2eaeff95573c=1436964431,1436964566,1436964568,1436964575; Hm_lpvt_034253c5988f5d0fef5c2eaeff95573c=1436964575; selected-tab=1
Add an anti-brute-force mechanism. Also, even an admin back end must be protected against injection.
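The two fixes recommended above, as an added example that is not part of the report or of Baofeng's application: a single-use captcha token with per-account lockout for the login, and the real_name filter of /Acl/user/list written once with string concatenation (the defect the report describes) and once with bound parameters. The table, its columns, the sample rows and the lockout policy (5 failures, 15 minutes) are assumptions; the in-memory SQLite database stands in for the real back end.

```python
# Added example for the two fixes the report asks for (anti-brute-force on the
# login, parameterised queries in the back end). Illustrative code only, not
# Baofeng's application; table, column and policy values are assumptions.
import secrets
import sqlite3
import time
from collections import defaultdict


def make_db():
    """Constructed stand-in for the user table behind /Acl/user/list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, real_name TEXT, "
        "is_delete INTEGER, role_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (real_name, is_delete, role_id) VALUES (?, ?, ?)",
        [("wangpeng", 0, 3), ("lisi", 0, 2), ("zhangsan", 1, 2)],  # sample rows
    )
    return conn


def list_users_vulnerable(conn, real_name, is_delete=0, role_id=0):
    """The pattern the report describes: the real_name filter is glued into the SQL text."""
    sql = ("SELECT real_name FROM users WHERE real_name LIKE '%" + real_name + "%'"
           " AND is_delete = " + str(is_delete))
    if role_id:
        sql += " AND role_id = " + str(role_id)
    return [row[0] for row in conn.execute(sql)]


def list_users_safe(conn, real_name, is_delete=0, role_id=0):
    """Same query with bound parameters: user input never becomes part of the SQL."""
    sql = "SELECT real_name FROM users WHERE real_name LIKE ? AND is_delete = ?"
    params = ["%" + real_name + "%", int(is_delete)]
    if role_id:
        sql += " AND role_id = ?"
        params.append(int(role_id))
    return [row[0] for row in conn.execute(sql, params)]


class LoginGuard:
    """Single-use captcha tokens plus per-account lockout
    (assumed policy: 5 failures lock the account for 15 minutes)."""

    MAX_FAILURES = 5
    LOCK_SECONDS = 900

    def __init__(self, verify_password, clock=time.time):
        self.verify_password = verify_password  # callable(username, password) -> bool
        self.clock = clock                      # injectable for testing
        self.captchas = {}                      # token -> expected answer
        self.failures = defaultdict(int)
        self.locked_until = {}

    def issue_captcha(self, answer):
        """Server generates the challenge; returns the token the client must echo back."""
        token = secrets.token_hex(16)
        self.captchas[token] = answer
        return token

    def check_captcha(self, token, answer):
        # pop() consumes the token, so one solved challenge works exactly once;
        # the report found the site's captcha was never invalidated.
        expected = self.captchas.pop(token, None)
        return expected is not None and secrets.compare_digest(expected, answer)

    def attempt(self, username, password, token, answer):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if username in self.locked_until:       # lock expired: start a fresh count
            del self.locked_until[username]
            self.failures.pop(username, None)
        if not self.check_captcha(token, answer):
            return "bad_captcha"
        if self.verify_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCK_SECONDS
            return "locked"
        return "bad_password"
```

The captcha is checked before the password so that every guess costs a fresh, server-issued challenge, and the lockout is keyed by account rather than by client address, which is what defeats a name list crossed with a short password list. A production deployment would also want the failure counters in shared storage and an expiry on unused captcha tokens.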
Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-07-16 15:31
Thank you for the submitted vulnerability; we will fix it as soon as possible.