漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0131815
漏洞标题:某政府建站系统存在三处SQL注入(影响大量省级和国家级)
相关厂商:北京合正软件有限公司
漏洞作者: 路人甲
提交时间:2015-08-14 16:51
修复时间:2015-11-12 12:48
公开时间:2015-11-12 12:48
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-14: 细节已通知厂商并且等待厂商处理中
2015-08-14: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-08-17: 细节向第三方安全合作伙伴开放
2015-10-08: 细节向核心白帽子及相关领域专家公开
2015-10-18: 细节向普通白帽子公开
2015-10-28: 细节向实习白帽子公开
2015-11-12: 细节向公众公开
简要描述:
来此前台可好,影响真的比较大啊
详细说明:
北京合正软件有限公司开发的政府建站系统存在三处SQL注入
关键字:
案例;
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=xykj&channel=A1309&templetid=1416883303117548
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=portal&channel=A08020205&templetid=1213071943953731&pageno=0&userId=10002
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=jsqjgxxw&channel=A2106010507&templetid=1258806549295298&userId=10002
**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=xjstgz&channel=A2719&templetid=1193716671311938
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=hnzbcg&channel=A0811&templetid=1221627596569793
**.**.**.**:2013/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=wai&channel=A0105&templetid=1359443520651586&userId=10002
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=zsjgyey&channel=A130504&templetid=1407458109794734
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=portal&channel=A09012003&templetid=1227059679864527
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=women&channel=A121503&templetid=1372140907390775
http://**.**.**.**:8088/cms/cms/infopub/channelpre.jsp?
pubtype=M&pubpath=fjnj&channel=A130701&templetid=1338120978883617&pageno=0&userId=10002
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=portal&channel=A071901&templetid=1246866462195428
http://**.**.**.**/cms/cmsadmin/infopub/channelpre.jsp?
pubtype=D&pubpath=gjsb&channel=A091801&templetid=1396232460093023
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?
pubtype=D&pubpath=www&channel=A0411040606&templetid=1195787204086891
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=cn&infoid=1427161015029071&templetid=1178737873571110&channelcode=A012406
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=women&infoid=1420769259833265&templetid=1370591279687569&channelcode=A120101
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=hnzbcg&infoid=1427249525231904&templetid=1210753703820118&channelcode=A080305
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=xykj&infoid=1435109524005376&templetid=1431914538524590&channelcode=A13010402&userId=10002
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=zsjgyey&infoid=1421716411705260&templetid=1407293364068949&channelcode=A13010201
http://**.**.**.**/cms/cmsadmin/infopub/infopre.jsp?pubtype=D&pubpath=gjsb&infoid=1410924314703164&templetid=1395901402388359&channelcode=A092003
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=portal&infoid=1353296177896134&templetid=1248920904974712&channelcode=A07050753&userId=10002
http://**.**.**.**/gips/cms/infopub/infopre.jsp?pubtype=D&pubpath=A08&infoid=1220333754650169&templetid=1219033608284547&channelcode=A084801&userId=10002
**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=xjstgz&infoid=1286590194637774&templetid=1193716671311939&channelcode=A271901&userId=1194354522269030
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=null&infoid=1225677064478517&templetid=1179950253073606&channelcode=A010119041010
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=portal&infoid=1421892149404164&templetid=1193399467902511&channelcode=A090120030501
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=xykj&webappcode=A13&templetid=1416883303056402&userId=10002
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=cn&webappcode=A01&templetid=1169889841499167
**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=xjstgz&webappcode=A27&templetid=1193716671311937&userId=10002
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=hnzbcg&webappcode=A08&templetid=1210753703820116
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=women&webappcode=A12&templetid=1370591279571221&userId=10002
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=portal&webappcode=A07&templetid=1413160234663065&userId=10002
**.**.**.**:2013/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=wai&templetid=1359443520651585&webappcode=A01&userId=10002
漏洞证明:
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?pubtype=D&pubpath=xykj&channel=A1309&templetid=1416883303117548
http://**.**.**.**/cms/cms/infopub/channelpre.jsp?pubtype=D&pubpath=hnzbcg&channel=A0811&templetid=1221627596569793
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=women&infoid=1420769259833265&templetid=1370591279687569&channelcode=A120101
http://**.**.**.**/cms/cms/infopub/infopre.jsp?pubtype=D&pubpath=null&infoid=1225677064478517&templetid=1179950253073606&channelcode=A010119041010
**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=xjstgz&webappcode=A27&templetid=1193716671311937&userId=10002
http://**.**.**.**/cms/cms/infopub/indexpre.jsp?pubtype=D&pubpath=hnzbcg&webappcode=A08&templetid=1210753703820116
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:12
确认时间:2015-08-14 12:46
厂商回复:
CNVD确认所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件(或电话)通报,由其后续提供解决方案并协调相关用户单位处置。
最新状态:
暂无