
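Vulnerability Summary

Bug ID:
Title:
User information leak on Sohu's 爽歪歪 (Shuangwaiwai) campaign website
Vendor:
Author:
VIP
Submitted:
2011-09-07 17:07
Fixed:
2011-09-07 17:35
Published:
2011-09-07 17:35
Vulnerability type:
Mass leak of user data
Severity:
Self-assessed Rank:
3
Status:
Vendor could not be reached, or vendor actively ignored the report
Source:
http://www.wooyun.org (for questions or help, contact [email protected])
Tags: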

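Vulnerability Details

Disclosure status:

2011-09-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2011-09-07: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A leak; no explanation needed.

Detailed description:

http://wahaha.sohu.com/aa.php

Proof of vulnerability: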

http://wahaha.sohu.com/aa.php

Remediation:

Restrict access.

Copyright notice: when reposting, please credit the source VIP@乌云



Vulnerability Response

Vendor response:

Could not reach the vendor, or the vendor actively declined

Vulnerability Rank: 1 (WooYun assessment)