
Vulnerability Summary

Defect ID: wooyun-2012-011088

Title: VOGUE时尚网 backend SQL injection

Vendor: VOGUE时尚网

Author: zhk

Submitted: 2012-08-20 12:20

Fix date: 2012-10-04 12:21

Published: 2012-10-04 12:21

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2012-08-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2012-10-04: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

VOGUE时尚网 backend SQL injection

Detailed description:

http://bg.vogue.com.cn/admin/
SQL injection in the login form

Proof of vulnerability:

Current database
[2 tables]
+---------------------------------------+
| ENGINES |
| EVENTS |
+---------------------------------------+
Database: voguevideo3
[4 tables]
+---------------------------------------+
| video_cat |
| video_comment |
| video_detail |
| video_num |
+---------------------------------------+
Database: voguecms
[51 tables]
+---------------------------------------+
| block_info |
| interface_pushdata |
| interface_ucdata |
| iphone_ad |
| iphone_ad1 |
| iphone_app |
| iphone_app1 |
| iphone_cat |
| iphone_cat1 |
| iphone_catbind |
| iphone_catbind1 |
| iphone_news |
| iphone_news1 |
| iphone_news_pic |
| iphone_news_pic1 |
| news_backup |
| news_bvote |
| news_bvotelist |
| news_bvoteresult |
| news_bvotetext |
| news_bvotetitle |
| news_cat |
| news_click |
| news_collect |
| news_comment |
| news_gallery |
| news_gallerybackup |
| news_link |
| news_linkcat |
| news_list |
| news_pic |
| news_publish |
| news_relation |
| news_sorelation |
| news_source |
| news_tag |
| news_tagorder |
| news_temptag |
| news_temptagorder |
| news_type |
| sys_log |
| sys_model |
| sys_relation |
| sys_role |
| sys_safe |
| sys_sessions |
| sys_user |
| wap_cat |
| wap_catbind |
| wap_news |
| weiboinfo |
+---------------------------------------+
Database: information_schema
[35 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: voguefno
[12 tables]
+---------------------------------------+
| fno2012_cookie |
| fno2012_event |
| fno2012_info |
| fno2012_material |
| fno2012_my_product |
| fno2012_product |
| fno2012_seller |
| fno2012_send |
| fno2012_send_material |
| fno2012_store |
| fno2012_tblog |
| fno2012_tuser |
+---------------------------------------+

Fix recommendation:

Input filtering
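An added example, not part of the original report or the site's code: the string-concatenated login query that makes a login form injectable, beside the parameterised query that is the robust form of the recommended fix, with a regression check a defender can keep in the test suite. The sys_user schema, the stored row and the sha256 password hashing are assumptions constructed for this example.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a CMS admin table (schema and row are invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    # sha256 is used here only to keep the example short; a real system needs a slow password hash.
    conn.execute("INSERT INTO sys_user VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by concatenation: a quote in the input changes the structure of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT 1 FROM sys_user WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes values separately, so they are never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT 1 FROM sys_user WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row is not None


def regression_check(conn: sqlite3.Connection) -> dict:
    """Defender's regression test: a username carrying a quote and a comment sequence must never log in."""
    probe = "admin' --"
    return {
        "vuln_accepts_probe": login_vulnerable(conn, probe, "wrong"),
        "safe_accepts_probe": login_safe(conn, probe, "wrong"),
        "safe_accepts_valid": login_safe(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(regression_check(make_db()))
```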

Copyright notice: when reposting, please credit the source: zhk@WooYun


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively declined