乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-24: 细节已通知厂商并且等待厂商处理中 2015-10-26: 厂商已经确认,细节仅向厂商公开 2015-11-05: 细节向核心白帽子及相关领域专家公开 2015-11-15: 细节向普通白帽子公开 2015-11-25: 细节向实习白帽子公开 2015-12-10: 细节向公众公开
中石化APP之SQL注入
目标:中石化车e族APP以下地方存在注入:(POST中的cardNo,报错型)
POST /api/shihuaCard/bindCard HTTP/1.1Content-Length: 440Content-Type: application/x-www-form-urlencodedCookie: ff911a88cc5c46ac9185aa1e2d241864%3D82f2ba74b46e3ae60ec55fac85f4d775d00f6e07a%3A4%3A%7Bi%3A0%3Bs%3A11%3A%2218000000000%22%3Bi%3A1%3Bs%3A11%3A%2218000000000%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A3%3A%7Bs%3A2%3A%22id%22%3Bs%3A6%3A%22689472%22%3Bs%3A4%3A%22name%22%3Bs%3A19%3A%22cy_1445582464_20034%22%3Bs%3A4%3A%22user%22%3Ba%3A17%3A%7Bs%3A6%3A%22userId%22%3Bs%3A6%3A%22689472%22%3Bs%3A4%3A%22name%22%3Bs%3A19%3A%22cy_1445582464_20034%22%3Bs%3A3%3A%22pwd%22%3Bs%3A32%3A%226267df2c218b8439a7b72d038833fd65%22%3Bs%3A3%3A%22mob%22%3Bs%3A11%3A%2218002512025%22%3Bs%3A5%3A%22alias%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22imgKey%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%220%22%3Bs%3A7%3A%22addTime%22%3Bs%3A19%3A%222015-10-23%2B14%3A41%3A04%22%3Bs%3A7%3A%22modTime%22%3Bs%3A19%3A%222015-10-23%2B14%3A41%3A04%22%3Bs%3A5%3A%22email%22%3Bs%3A29%3A%22cy_1445582464_20034%40huaat.net%22%3Bs%3A9%3A%22loginTime%22%3Bs%3A19%3A%222015-10-23%2B14%3A41%3A05%22%3Bs%3A4%3A%22type%22%3Bs%3A1%3A%220%22%3Bs%3A9%3A%22companyId%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22client%22%3Bs%3A1%3A%220%22%3Bs%3A11%3A%22deviceToken%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22modPwdTime%22%3Bs%3A19%3A%220000-00-00%2B00%3A00%3A00%22%3Bs%3A4%3A%22role%22%3Bs%3A1%3A%220%22%3B%7D%7D%7D%3B%20USERSESSID%3D1c77bb9dddde1a94319042e526b25b27Host: e.o2obest.cnConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*ajax=1&cardNo=1000111300007528682&companyKey=874d8c821358a5e26f2524b10f43a292&https=0&idNo=440622196505060825&name=%E9%99%88%E4%BC%9F
1、可跨9个库,当前库为server_shuchuang。
2、跨去server_liantong库看看,共一百多个表,16万联通库用户数据
具体数据内容就不跑了~~
请多指教~
危害等级:高
漏洞Rank:11
确认时间:2015-10-26 17:48
谢谢!我们将尽快修改。
暂无