当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149398

漏洞标题:某市规划局存在SQL注入漏洞一枚

相关厂商:cncert国家互联网应急中心

漏洞作者: Yang

提交时间:2015-10-26 17:09

修复时间:2015-12-14 14:50

公开时间:2015-12-14 14:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-26: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

全是英文。没过三级的人表示看不懂

详细说明:

http://**.**.**.**:9090/xmghSearch/detail.jsp?docid=120

1.png


看表

WCMCHNLFLOW
WCMCHNLTEMP
WCMCONDITIONBEAN
WCMCONFIG
WCMCONTACT
WCMCONTENTEXTFIELD
WCMDOCBAK
WCMCONTENTLINK
WCMCONTGROUP
WCMCONTGRPMAP
WCMChannelChildIndexQuote
WCMDBUPDATE
WCMDBUPDATELOG
WCMDOCKEYWORD
XWCMWATERMARK
WCMDOCKIND
WCMIVTable9
WCMDOCREPLY
WCMDocQuoteImage
WCMDOCSYN
WCMDOCTYPE
WCMIVTable10
XWCMINDIVIDUATION
WCMEVENT
WCMIVTable11
WCMEVENTSHARE
WCMEVENTTYPE
WCMIVTable12
WCMCHANNELCONTENTLINK
WCMEXCELDATA
WCMEXPIRATION
WCMIVTable13
WCMEXTFIELD
WCMFILETYPE
WCMIVTable14
WCMFLOW
WCMFLOWACTION
WCMIVTable15
WCMFLOWBRANCH
XWCMFLOWDOCLOG
WCMFLOWCONTENTCONFIG
WCMFLOWDOC
WCMSTAT_WORKFLOW_GROUP_GENERAL
WCMFLOWDOCBAK
WCMSTAT_WORKFLOW_USER_GENERAL
WCMFLOWEMPLOY
WCMFLOWEVENTCONDITION
WCMInfoView
WCMFLOWEVENTOPERATE
WCMFLOWMONOPER
WCMFLOWNODE
WCMFLOWNODEEVENT
WCMFLOWNODEOPER
WCMInfoViewField
WCMFOLDERPUBLISHCONFIG
WCMFOLDERPUBLISHINFO
WCMInfoViewEmploy
WCMFORMFIELDS
WCMSECUREKEY
WCMFORMINFO
WCMGROUP
WCMInfoViewView
WCMGRPUSER
WCMHELP
WCMHITSCOUNT
WCMID
WCMJOB
WCMJOBEXERESULT
WCMInfoViewGroup
WCMLOG
WCMLOGBAK
WCMLOGTYPE
WCMMARKKIND
WCMMARKSHARE
WCMMEETINGCONT
WCMINFOVIEWSERIAL
WCMMEETINGROOM
WCMMEETINGUSER
WCMMESSAGE
WCMMSGQUEUE
XWCMAPPLYFORM
WCMMSGRECEIVER
WCMOBJTRIGGER
WCMOPER
XWCMMAILCONFIG
WCMOPERATIONBEAN
WCMOPERTYPE
XWCMAPPLYFORMDEALLOG
WCMPUBLISHCONFIG
WCMPUBLISHDISTRIBUTION
dtproperties
WCMPUBLISHERRORLOG
WCMPUBLISHTASK
WCMPUBSTATUSCONFIG
WCMRECENT
WCMRELATION
WCMREPLACE
WCMRIGHT
WCMRIGHTDEF
WCMROLE
WCMROLEUSER
WCMSCHEDULE
WCMSECURITY
WCMSITEEXTFIELD
WCMSITEUSER
WCMSOURCE
WCMSTATFIELDMAP
WCMSTATHOST
WCMSTATUS
WCMSTATVIEW
WCMSTATVIEWREL
WCMSTAT_CHANNEL_GENERAL
WCMSTAT_CHANNEL_TEMPLATE
WCMSTAT_DOCSOURCE_PUBALL
WCMSTAT_GROUP_GENERAL
WCMSTAT_SITE_GENERAL
WCMSTAT_USER_GENERAL
WCMTAGBEANS
WCMTASK
WCMTASKPOOL
WCMTEMPAPDREL
WCMTEMPAPPENDIX
WCMTEMPLATE
WCMTEMPLATEARGUMENT
WCMTEMPLATEEMPLOY
WCMIVTable1
WCMTEMPLATENEST
WCMTEMPLATEQUOTE
WCMTRUSTEEINFO
WCMUSER
WCMUSERSETTING
XWCMPAGEOPERATOR
WCMWEBSITE
XWCMDOCUMENTTOPIC
XWCMENTRYCONFIG
WCMIVTable3
XWCMLOGO
XWCMTOPICEDDOCRELATION
WCMIVTable5
WCMCONTENTLINKTYPE
WCMIVTable6
XWCMFLOWNODEFIELD
WCMIVTable7
webcount
XWCMFLOWRULE
WCMIVTable4
WCMADDRESS
WCMIVTable2
WCMADDRGROUP
WCMADDRGRPMAP
WCMIVTable8
WCMAPPENDIX
XWCMFLOWCONDITION
WCMAUTOBAKCONFIG
WCMBOOKMARK
WCMDOCUMENT
WCMBULLETIN
WCMCHANNEL
WCMCHANNELSYN
WCMCHNLDOC
WCMCHNLEXTFIELD
XWCMFLOWACTION

漏洞证明:

1.png

修复方案:

版权声明:转载请注明来源 Yang@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-30 14:48

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无