Vulnerability summary

Defect ID: wooyun-2016-0182548

Title: Nothing but a handy tool: Heartbleed vulnerability on a Hupu site

Vendor: Hupu Sports (虎扑体育网)

Author: 举起手来

Submitted: 2016-03-09 14:20

Fix time: 2016-03-09 14:56

Published: 2016-03-09 14:56

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 15

Status: Vendor was notified of the vulnerability but chose to ignore it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-03-09: Details sent to the vendor; awaiting vendor action
2016-03-09: Vendor proactively ignored the vulnerability; details disclosed to the public

Brief description:

As the title says.

Details:

61.174.11.238:443
...FB...................gO......ET......................hO.....l&...6...................hO...........?.................,hO.........FB..................:......... .*..)................y.........0.............{\"status\":0,\"msg\":\"ok\",\"data\":{\"attr\":{\"attr\":[\"Size\"],\"content\":[{\"name\":\"2150998_7027882\",\"img\":\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0SW1hZ2VzJTJmXzIxNTAwMDAlMmZmZl8yMTUwOTk4X2Z1bGwuanBnJnc9NjAw\",\"Size\":\"11\",\"price\":129.99,\"gid\":\"1635578\",\"pid\":233617,\"Price\":870.94,\"currencyCode\":\"$\",\"market_info\":[],\"pictures\":[\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0MV9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0Ml9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0M19mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0NF9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\"],\"item_limit\":\"10\"},{\"name\":\"2150998_7027913\",\"img\":\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0SW1hZ2VzJTJmXzIxNTAwMDAlMmZmZl8yMTUwOTk4X2Z1bGwuanBnJnc9NjAw\",\"Size\":\"11.5\",\"price\":129.99,\"gid\":\"1635579\",\"pid\":233617,\"Price\":870.94,\"currencyCode\":\"$\",\"market_info\":[],\"pictures\":[\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1
bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0MV9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0Ml9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0M19mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\",\"http:\\/\\/shihuoproxy.hupucdn.com\\/aHR0cDovL25iYS5mcmdpbWFnZXMuY29tL0ZGSW1hZ2UvdGh1bWIuYXNweD9pPS9wcm9kdWN0aW1hZ2VzL18yMTUwMDAwL2FsdGltYWdlcy9mZl8yMTUwOTk4YWx0NF9mdWxsLmpwZyZ3PTYwMA?imageView2\\/1\\/w\\/400\\/h\\/400\"],\"item_limit\":\"10\"}],\"Size\":[\"11\",\"11.5\"]},\"limit\":\"10\"}}463794329<\\/p><p>&nbsp;<\\/p><p><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i1\\/325037880\\/TB2WSe1jpXXXXXQXpXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i4\\/325037880\\/TB24H1JjpXXXXXcXFXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i1\\/325037880\\/TB2UC14jpXXXXc1XXXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i2\\/325037880\\/TB28yiWjpXXXXatXpXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i2\\/325037880\\/TB2BebljpXXXXXIXXXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i1\\/325037880\\/TB2rGHmjpXXXXXuXXXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i3\\/325037880\\/TB2h2y_jpXXXXb9XXXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><img 
src=\\\"http:\\/\\/img.alicdn.com\\/imgextra\\/i3\\/325037880\\/TB2pyi5jpXXXXXdXpXXXXXXXXXX_!!325037880.jpg\\\" align=\\\"absmiddle\\\"\\/><\\/p>\",\"href\":\"shihuo:\\/\\/www.shihuo.cn?route=go&url=http%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D526088081549\"}}om/pc/js/common.js?v=2016012101\'], function(commmon) {.. require([url, md5js]);.. }).. </script>..</body>..</html>flag\":false},\"status\":0}........E..............

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit the source: 举起手来@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2016-03-09 14:56

Vendor reply:

.

Latest status:

None yet


Comments:


  1. 2016-03-09 14:58 | 举起手来 ( Core white hat | Rank:1195 Vulns:122 | Get ready, hands up!)

    @Hupu Sports Shouldn't you at least say why you ignored this?

  2. 2016-03-09 15:02 | 大师兄 ( Intern white hat | Rank:31 Vulns:8 | Checks WooYun every day)

    Published this quickly?

  3. 2016-03-09 15:05 | 大师兄 ( Intern white hat | Rank:31 Vulns:8 | Checks WooYun every day)

    @举起手来 Add some write-up and dig a bit deeper, and they probably wouldn't have ignored it. (*^__^*)

  4. 2016-03-09 17:33 | Hupu Sports (WooYun vendor account)

    @举起手来 Too early; wait for the main site to move to HTTPS.

  5. 2016-03-09 20:21 | Yuku ( Intern white hat | Rank:32 Vulns:23 | Data mining)

    @举起手来 Look at this vendor's vulnerability list and you'll understand; I suggest you go after the main site instead.

  6. 2016-03-09 20:39 | 举起手来 ( Core white hat | Rank:1195 Vulns:122 | Get ready, hands up!)

    @Hupu Sports Too early? Wait for the main site to go HTTPS?

  7. 2016-03-09 20:45 | Yuku ( Intern white hat | Rank:32 Vulns:23 | Data mining)

    @举起手来 Don't waste words; pick up that tool of yours and get a shell on the main site.