乐子网游戏平台注入一枚

漏洞概要

缺陷编号:WooYun-2012-016301

漏洞标题:乐子网游戏平台注入一枚

相关厂商:乐子网

漏洞作者:moro

提交时间:2012-12-21 11:05

公开时间:2013-02-04 11:05

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

Tags标签:

漏洞详情

披露状态:

2012-12-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-02-04: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

如题

详细说明:

Error page: /activity/201205_fab/index.php?action=news_detail&id=107710'Error infos: execute_store_resultsYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' limit 0,1' at line 4Error sql: SELECT a.id, a.title, a.litpic, a.typeid, b.redirecturl, b.body, a.typeid, a.senddate, a.description FROM lezi_cms_archives AS a LEFT JOIN lezi_cms_addonarticle AS b ON (a.typeid = b.typeid AND a.id = b.aid) WHERE a.id = 107710\' limit 0,1;地址:http://mh.lezi.com/activity/201205_fab/index.php?action=news_detail&id=107710

漏洞证明:

修复方案:

[email protected]

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

评价