[公开漏洞]搜狗某分站存储xss(某后台未授权访问)
-
来源:WooYun 浏览:625次 时间:2014-06-18
搜狗某分站存储xss(某后台未授权访问)
相关厂商:
搜狗
漏洞作者:小龙
提交时间:2014-05-03 22:39
公开时间:2014-06-17 22:40
漏洞类型:xss跨站脚本攻击
危害等级:低
自评Rank:1
漏洞状态:
厂商已经确认
漏洞来源:http://www.wooyun.org
Tags标签:
反射型xss
持久型xss
存储型xss
漏洞详情
披露状态:
2014-05-03:细节已通知厂商并且等待厂商处理中
2014-05-06:厂商已经确认,细节仅向厂商公开
2014-05-16:细节向核心白帽子及相关领域专家公开
2014-05-26:细节向普通白帽子公开
2014-06-05:细节向实习白帽子公开
2014-06-17:细节向公众公开
搜狗搜狐两兄弟。。
详细说明:http://yy.sogou.com/gamecenter/
Date:2014-04-30 14:02:59
OS:Windows 7
Browser:IE 7.0
KeepSession: 0
Cookie: IPLOC=CN1100; SUV=005611D3DCB50BE85294019CCB7EB183; YYID=EC99EE029033861751BE6B530164F0E6; usid=-z8psmyQldNPq4Qy; sz=2-2; SUID=7BC6CA01230D0C0A5294019B000103EC; ad=7kllllllll2vOlpblllllV2kgBolllllltrpWZllllylllll4Oxlw@@@@@@@@@@@; CXID=4E8F88A571CFBA0BD837FDDDD464FBE1; IMEVER=6.7.0.0413; IMESKIN=1:; IMESKINID=2:; wuid=AAFwPKAlAgAAAKn X3iX0gEAMAI=; ppinf=2|1398339923|1399549523|bG9naW5pZDowOnx1c2VyaWQ6NDQ6MUUxQkNCNDQwRDkyQjBDNkQ3NEQ3MTJCNENEN0ZCNDVAcXEuc29odS5jb218c2VydmljZXVzZTozMDowMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDB8Y3J0OjA6fGVtdDoxOjB8YXBwaWQ6NDoxMTIwfHRydXN0OjE6MXxwYXJ0bmVyaWQ6MTowfHJlbGF0aW9uOjA6fHV1aWQ6MTY6MTFlYTQ5ZTJhMTk3NDcxeHx1aWQ6MTY6MTFlYTQ5ZTJhMTk3NDcxeHx1bmlxbmFtZTo0MDolRTclQjQlQUIxNjA4JUU1JTlDJUE4JUU2JTkwJTlDJUU3JThCJTkwfHJlZnVzZXJpZDozMjoxRTFCQ0I0NDBEOTJCMEM2RDc0RDcxMkI0Q0Q3RkI0NXxyZWZuaWNrOjE657SrfA; usid=-z8psmyQldNPq4Qy
REMOTE_ADDR: 220.181.11.232
Region:
HTTP_REFERER: http://yy.sogou.com/gamecenter/
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MALC; InfoPath.2; .NET4.0E)
location: http://yy.sogou.com/gamecenter/
Toplocation: http://yy.sogou.com/gamecenter/
Opener: N
http://yy.sogou.com/gamecenter/ 未授权任意访问
不知道打在那里了,好像是安卓盲打
搜狗通行证与搜狐连接的。。但是他是通过QQ登录的-。 -
哈哈~.~
http://yy.sogou.com/gamecenter/
Date:2014-04-30 14:02:59
OS:Windows 7
Browser:IE 7.0
KeepSession: 0
Cookie: IPLOC=CN1100; SUV=005611D3DCB50BE85294019CCB7EB183; YYID=EC99EE029033861751BE6B530164F0E6; usid=-z8psmyQldNPq4Qy; sz=2-2; SUID=7BC6CA01230D0C0A5294019B000103EC; ad=7kllllllll2vOlpblllllV2kgBolllllltrpWZllllylllll4Oxlw@@@@@@@@@@@; CXID=4E8F88A571CFBA0BD837FDDDD464FBE1; IMEVER=6.7.0.0413; IMESKIN=1:; IMESKINID=2:; wuid=AAFwPKAlAgAAAKn X3iX0gEAMAI=; ppinf=2|1398339923|1399549523|bG9naW5pZDowOnx1c2VyaWQ6NDQ6MUUxQkNCNDQwRDkyQjBDNkQ3NEQ3MTJCNENEN0ZCNDVAcXEuc29odS5jb218c2VydmljZXVzZTozMDowMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDB8Y3J0OjA6fGVtdDoxOjB8YXBwaWQ6NDoxMTIwfHRydXN0OjE6MXxwYXJ0bmVyaWQ6MTowfHJlbGF0aW9uOjA6fHV1aWQ6MTY6MTFlYTQ5ZTJhMTk3NDcxeHx1aWQ6MTY6MTFlYTQ5ZTJhMTk3NDcxeHx1bmlxbmFtZTo0MDolRTclQjQlQUIxNjA4JUU1JTlDJUE4JUU2JTkwJTlDJUU3JThCJTkwfHJlZnVzZXJpZDozMjoxRTFCQ0I0NDBEOTJCMEM2RDc0RDcxMkI0Q0Q3RkI0NXxyZWZuaWNrOjE657SrfA; usid=-z8psmyQldNPq4Qy
REMOTE_ADDR: 220.181.11.232
Region:
HTTP_REFERER: http://yy.sogou.com/gamecenter/
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MALC; InfoPath.2; .NET4.0E)
location: http://yy.sogou.com/gamecenter/
Toplocation: http://yy.sogou.com/gamecenter/
Opener: N
http://yy.sogou.com/gamecenter/ 未授权任意访问
不知道打在那里了,好像是安卓盲打
搜狗通行证与搜狐连接的。。但是他是通过QQ登录的-。 -
哈哈~.~
叫哥,哥告诉你!
版权声明:转载请注明来源 小龙@乌云 漏洞回应 厂商回应:危害等级:中
漏洞Rank:5
确认时间:2014-05-06 19:21
厂商回复:收到,感谢支持!欢迎到SGSRC提交漏洞!
最新状态:暂无
下一篇: [公开漏洞]新东方某分站任意文件下载