当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145705

漏洞标题:酷我音乐某站存在SQL注入漏洞

相关厂商:酷我音乐

漏洞作者: 中央军

提交时间:2015-10-10 11:16

修复时间:2015-11-24 11:20

公开时间:2015-11-24 11:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-10: 细节已通知厂商并且等待厂商处理中
2015-10-10: 厂商已经确认,细节仅向厂商公开
2015-10-20: 细节向核心白帽子及相关领域专家公开
2015-10-30: 细节向普通白帽子公开
2015-11-09: 细节向实习白帽子公开
2015-11-24: 细节向公众公开

简要描述:

详细说明:

POST /yy/dd/BillBoardIndex HTTP/1.1
Content-Length: 153
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://yinyue.kuwo.cn
Cookie: JSESSIONID=2239AB7B78CA1BA5360DE883275DA713.worker3; JSESSIONID=3EB1C6CF70E5E8F0C6D890C4B22E9304.worker3; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=1444408982,1444409080,1444409184,1444409273; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=1444409273; bdshare_firstime=1444408373733; HMACCOUNT=DE1039CBFBE0CBB4; BAIDU_DUP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); rec_usr=1444408451288x248_0_1444408451288; BAIDUID=E873CCF12448972C14F2C33F05E23DBB:FG=1; KW_COL_MUSIC=6484107%2C6484108%2C6484109%2C6484110%2C6484111%2C6469484%2C6469480%2C6469481%2C6469482%2C6469483%2C6469485%2C442554%2C1294406%2C635632%2C125854%2C513481%2C481141%2C891712%2C150621%2C4061663%2C218086%2C4998874%2C138243%2C213974%2C84423%2C58604%2C162175%2C80403%2C279153%2C229022%2C4855762%2C202673%2C268360%2C1161285%2C156514%2C3615946%2C4020459%2C166731%2C78114%2C3307158%2C102851%2C5235286%2C320411%2C830227%2C156517%2C243825%2C1084932%2C1120849%2C1964675%2C4405653%2C81457%2C4802881%2C3241508%2C551607%2C540455%2C4122290%2C6573892%2C6623012%2C5354512; is_unique=sc8062124.1444409886.0; __cfduid=d20a0c14b0842eb66af268de781a491661444410333; _gscu_2087265495=44410487i5msu720; _gscs_2087265495=44410487l14p8v20|pv:1; _gscbrs_2087265495=1
Host: yinyue.kuwo.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
cat=15&phase=39156&_=

cat参数存在注入

111.png

22.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 中央军@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:2

确认时间:2015-10-10 11:19

厂商回复:

已有其他用户提交漏洞,所以rank给得低

最新状态:

暂无


漏洞评价:

评论