Vulnerability Summary
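Bug ID: wooyun-2014-054288
Vulnerability title: SQL injection vulnerability in a 海澜之家 site
Vendor: heilanhome.com
Author: 小驴牙牙
Submitted: 2014-03-25 12:25
Fixed: 2014-05-09 12:25
Disclosed: 2014-05-09 12:25
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 6
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none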
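Vulnerability Details
Disclosure status:
2014-03-25: Details reported to the vendor; awaiting vendor handling
2014-03-25: Vendor confirmed; details disclosed to the vendor only
2014-04-04: Details disclosed to core white hats and experts in related fields
2014-04-14: Details disclosed to regular white hats
2014-04-24: Details disclosed to intern white hats
2014-05-09: Details disclosed to the public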
Brief description:
SQL
Detailed description:
http://www.tyresort.com/
POST injection point, position_id parameter:
1. http://www.tyresort.com/hr/upload/resume.html if_upload_resume=1&hope_position=88952634&user_name=88952634&contact_phone=88952634&handset=88952634&email=safe3q%40gmail.com&msn_qq=88952634&Input=%E6%8F%90%E4%BA%A4&function_id=0&department_id=0&position_id=88952634
2. http://www.tyresort.com/hr/write/resume.html if_upload_resume=2&user_name=88952634&id_card=88952634&native_place=88952634&height=88952634&weight=88952634&now_address=88952634&foreign_language_first=88952634&foreign_language_second=88952634&qq=88952634&email=safe3q%40gmail.com&contact_phone=88952634&speciality=88952634&address=88952634&hope_position=88952634&degree_type_1=88952634&school_name_1=88952634&work_company_1=88952634&work_position_1=88952634&work_content_1=88952634&tij=%E6%8F%90%E4%BA%A4&evaluation=88952634&birthday_year=%E6%9C%AA%E6%B7%BB&gender=%E6%9C%AA%E6%B7%BB&marital_status=%E6%9C%AA%E6%B7%BB&political_status=%E6%9C%AA%E6%B7%BB&graduation_time=1990%E4%B9%8B%E5%89%8D&flf_status=%E6%9C%AA%E6%B7%BB&degree=%E6%9C%AA%E6%B7%BB&fls_status=%E6%9C%AA%E6%B7%BB&work_experience=%E6%9C%AA%E6%B7%BB&work_type=%E6%9C%AA%E6%B7%BB&function_id=0&department_id=0&hope_monthly_pay=%E6%9C%AA%E6%B7%BB&degree_1=%E6%9C%AA%E6%B7%BB&degree_begin_1=%E6%9C%AA%E6%B7%BB&degree_end_1=%E6%9C%AA%E6%B7%BB&work_time_1=%E6%9C%AA%E6%B7%BB&position_id=88952634
Proof of vulnerability:
Fix:
Filter~~~~~~
Copyright notice: when reposting, please credit the source 小驴牙牙@乌云
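The report gives the fix only as filtering, with no detail. As an added example (not from the report or the vendor's code), this shows one way to handle a numeric field such as position_id: validate it as an integer and bind it as a query parameter, next to the concatenated form it replaces. The table schema, function names and sample values are assumptions, since the page does not describe the site's backend.

```python
import sqlite3

# Constructed stand-in for a job-position table; the schema is an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE positions (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO positions VALUES (?, ?)",
                   [(1, "clerk"), (2, "cashier"), (3, "manager")])
    return db

def lookup_concatenated(db, position_id):
    # "Before" form: the POST value is pasted into the SQL text, so anything
    # that is not a plain number becomes part of the statement itself.
    sql = "SELECT title FROM positions WHERE id = " + position_id
    return [row[0] for row in db.execute(sql)]

def parse_id(raw, field):
    # position_id, function_id and department_id are numeric in the report's
    # requests, so accept ASCII decimal digits only and reject everything else.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError(f"{field} must be a decimal integer")
    return int(raw)

def lookup_parameterized(db, position_id):
    # Hardened form: validate the type, then bind the value as a parameter so
    # the driver never interprets it as SQL.
    pid = parse_id(position_id, "position_id")
    return [row[0] for row in db.execute(
        "SELECT title FROM positions WHERE id = ?", (pid,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed non-numeric value
    print(lookup_concatenated(db, "2"))      # one row
    print(lookup_concatenated(db, crafted))  # every row: the WHERE clause changed
    print(lookup_parameterized(db, "2"))     # one row
    try:
        lookup_parameterized(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already stops the value from being parsed as SQL; the integer check adds an early, loggable rejection for requests that do not match the form's expected types.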
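Vulnerability Response
Vendor response:
Severity: Low
Vulnerability Rank: 5
Confirmed: 2014-03-25 12:58
Vendor reply:
Thanks for the submission; fixing it immediately. Thank you!
Latest status:
None yet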