Vulnerability summary

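Bug ID: wooyun-2015-0162588

Title: SQL injection vulnerability in a subsite of Qingdao News (青岛新闻网)

Vendor: qingdaonews.com

Author: 路人甲

Submitted: 2015-12-19 12:36

Fixed: 2015-12-24 12:38

Disclosed: 2015-12-24 12:38

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 12

Status: The vendor was notified of the vulnerability but ignored it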

Source: http://www.wooyun.org

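Vulnerability details

Disclosure status:

2015-12-19: Details sent to the vendor; awaiting vendor response
2015-12-24: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

sql

Details:

baoxian.qingdaonews.com


Qingdao Insurance Network (青岛保险网)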

Proof of vulnerability:


POST injection

/u/48/log1/?Page=1&userid=48


POST data

AspNetPager1=go&AspNetPager1_input=1&uid=48&__EVENTVALIDATION=[value omitted]&__VIEWSTATE=[value omitted]&__VIEWSTATEGENERATOR=32A9BC3E


Injected field

uid


Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


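Vulnerability response

Vendor response:

Severity: No impact (ignored by vendor)

Ignored on: 2015-12-24 12:38

Vendor reply:

Vulnerability rank: 4 (WooYun rating)

Latest status:

None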

