当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158295

漏洞标题:车易拍某分站SQL注入14库

相关厂商:cheyipai.com

漏洞作者: 几何黑店

提交时间:2015-12-04 16:45

修复时间:2016-01-21 10:30

公开时间:2016-01-21 10:30

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-04: 细节已通知厂商并且等待厂商处理中
2015-12-07: 厂商已经确认,细节仅向厂商公开
2015-12-17: 细节向核心白帽子及相关领域专家公开
2015-12-27: 细节向普通白帽子公开
2016-01-06: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

车易拍某分站SQL注入14库

详细说明:

POST http://e.cheyipai.com/WebController/Order/getBidDetails HTTP/1.1
Origin: http://e.cheyipai.com
Content-Length: 83
Accept-Language: zh-CN,zh;q=0.8
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Dnt: 1
Host: e.cheyipai.com
X-Requested-With: XMLHttpRequest
Cookie: ASP.NET_SessionId=fmrvco1wleo1j0zgcmbwu1a1; DMPWeb=71F9806E4CDEF26E57AB12077B3D05D08E8DD80DF67F903A162CD62026B51911895BC5BD92073E3608D2FB63A8321FED845F129C9A9435660B03E091797405E67638F1FFE839B99604135BBB30E963D6111EA3ADC7093334E563259783C5807DD9381DDA8F04B35AD750B54ADE823E64B559B88FDF936D804FD01570B2D13D1ECAD54FA41C35FD0B48736A910F3DBC696D745869B50C994E92E76E6E9AD9F89C24227C07DF61529EE25E7FEE7D2AF3659A82A08B8830790EB49588135BDBC819E8BB1091993AAFB5322B406522DE309595F6EDC42B8833012039CBE4F1015392FD4600FEE00406EABB6BBB590A203A931C9281C8BD9A11E04E69CD09731707E33CFE8E0A4DD061BC75A883F6459051141B6C13AFB34EC7C1BC38E124AE039A40252FE26B47022E52F21612543E7F507ACD1455649CF6A630FCAD5DD05B338C4126D3BACB737674110406E60756BE4C2E343328B684AC6A57F60683A9F56C25FD7C09B3873358AAB42D934822C1E08E2AFDF6FB9CD92D7F3953ADF86184F276E2F80E0800E5D45B1094C26EBA290CA0F7112959FECD4452115A220D3D6B2719CA83D5F2F785EDEA3BD1734273848FAE6456F07C407B1217304EEB77778F921244E441D3178FAE5C02AC40C492BCBCF344CD5064A38C30FE2552FC4251DEB52C5123FADF88C5D03EBD3B865ECCBAEC001E93CB5809175DF1160EF53D2D1792053CECA5C1613C8C07D8FF85A7E166E0DFFB3203A0CB932DC442A245A552E072874141E0CB0FD122F4173FB6E1E39A8A1F236B931015396158357E09004E680CBC783E4E73347FDF7FC0C8C428150AFD08EF0A6075048ABB23745FB7FC6D2892EDB0846D40F2DF67ED52C7D4A41D86A500D7BF94E845C1362BCE86FDD2C36EE1E8C00D78BD992A32DAB3B5C94470CF1EF5A08967E3FD71BD5E263637F731319CA3BCAB97D983EEE6184BD5D8A4AE7798E8244061C392B54F863CB639BA14F46C382A900CFF0DDDAA4F164A9D2FE0AA6C576744A4EA4A1F211530EFFCD3D194EDC29D436B955AEED235FC3E260A37B27FF7904D198467077A1AF12094FEE6B45B7766DCEB255F5417D512144DAAF3675589AE0FD5D7A3B8CC355C78AE9FF923B920A6E9B49CBA46E6C7623DF29D084F89616D2FDAFE196ADE0B6645D18DAA554F291F5D4FD7C7EF3D8D2970E8A334F317E9975D85B3DBE0C016C7D8B612D734EDF93074E913A7EE785E52EA80E8913E1A29613D418A6ADA6751A3E1705BF80BAC8695ABCA759498F132CAAAE949EEC11AF0A323AAAD8DD1B6AC95BCDB7F40E8FCBC96C3417B98A7A9C282D68AD3FBDDEF3DDAEAA8709A9B154B392878162D10F4DA1296B60CA67AF3E7BC15F202FF1636DE90DEDD7C36D93E5E75111D483A4A8576F72FF689A0097E2C1E7449FAE0ABDCFAB938BFF0433F69E07754ADEF35D3FD4C42B72AA0447FABAC2B96D8D94288F947C24F73471B3C1AD32D5D4E0C266D35B977ADBDDADFA3D2D5D3840E94229D9F34FA7DAC015900A6B9CD14E016760CD562DDDF7247E41456ADB6B08BB7113BEC9CF86A847B41CC38E50C2FE92805E555D60FEC2170C63DD685169DDD50C0AFFCD212E9732B89698EA1FA07BCDFD3402088FA44B78E78B49A5A8743147283E71A3074A170CBD0BD42EB72723BD3C9C126D40C3ABEBB84B70A6D43E1EBA7AF5A1EFC8C0548D561B1E9594FA0D18C29359CE391F492BDAD1EDDEED5350F3B9ACE35CC1032B0ECE72105D1AE244FAEADAF741DB04123FACB723E5DB5640AB5C6E43A6A8B3A86663971317A693DFB4A1B3FCDF8AE359301DAC3E98E03FBBB52E575FFF25B1B66C347ACFEBF627B0560CA42D02F6923D3ABC625F6C7F244EEED0369DB9DFBBAF42A7F735D335840F2FB6A3A7F86C5A739570BA630EE1B9E29667DDC6ABD97
Referer: http://e.cheyipai.com/WebController/Order/List
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
PageIndex=1&PageSize=10&OrderID=01012015111100850400017&AucID=1085421&ActionMode=13

漏洞证明:

QQ图片20151204162638.png


QQ图片20151204162608.png


QQ图片20151204162618.png

修复方案:

你懂的

版权声明:转载请注明来源 几何黑店@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-07 10:23

厂商回复:

感谢提交,我们会尽快修复!

最新状态:

暂无