Weaver (泛微) E-office injection series: 20 injections without login (with a case on the official website) - vulnerability warning - Black Bar Safety Net

2015-10-14T00:00:00
ID MYHACK58:62201567867
Type myhack58
Reporter Bear baby@乌云
Modified 2015-10-14T00:00:00

Description

Today is my 100th day on WooYun. I like the atmosphere here and I like this platform. I hope to learn more from everyone. Thank you all. The official website is used as the demonstration case.

Detailed description:

File location: /E-mobile/flowdo_page.php

Injection points:

http://eoffice8.weaver.cn:8028/E-mobile/flowdo_page.php?diff=delete&RUN_ID=1 // parameter RUN_ID

http://eoffice8.weaver.cn:8028/E-mobile/flowdo_page.php?diff=delete&flowid=1 // parameter flowid

File location: /E-mobile/flowsorce_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/flowsorce_page.php?flowid=2 // parameter flowid

File location: /E-mobile/flownext_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/flownext_page.php?diff=candeal&detailid=2,3 // parameter detailid

File location: /E-mobile/flowimage_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/flowimage_page.php?FLOW_ID=2 // parameter FLOW_ID

File location: /E-mobile/flowform_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/flowform_page.php?FLOW_ID=2 // parameter FLOW_ID

File location: /E-mobile/diaryother_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/diaryother_page.php?searchword=23 // parameter searchword

File location: /E-mobile/create/ajax_do.php

Injection points:

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=word&sortid=1 // parameter sortid

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=word&idstr=2 // parameter idstr

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=addr&sortid=1 // parameter sortid

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=addr&userdept=1 // parameter userdept

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=addr&userpriv=1 // parameter userpriv

http://eoffice8.weaver.cn:8028/E-mobile/create/ajax_do.php?diff=wordsearch&idstr=1 // parameter idstr

File location: /E-mobile/flow/flowhave_page.php

Injection point:

http://eoffice8.weaver.cn:8028/E-mobile/flow/flowhave_page.php?detailid=2,3 // parameter detailid

File location: /E-mobile/flow/flowtype_free.php

Injection points:

http://eoffice8.weaver.cn:8028/E-mobile/flow/flowtype_free.php?flowid=1 // parameter flowid

http://eoffice8.weaver.cn:8028/E-mobile/flow/flowtype_free.php?runid=1 // parameter runid

File location: /E-mobile/flow/flowtype_other.php

Injection points:

http://eoffice8.weaver.cn:8028/E-mobile/flow/flowtype_other.php?flowid=1 // parameter flowid

http://eoffice8.weaver.cn:8028/E-mobile/flow/flowtype_other.php?runid=1 // parameter runid

File location: /E-mobile/flow/freeflowimage_page.php

Injection points:

http://eoffice8.weaver.cn:8028/E-mobile/flow/freeflowimage_page.php?fromid=2 // parameter fromid

http://eoffice8.weaver.cn:8028/E-mobile/flow/freeflowimage_page.php?diff=new&runid=2 // parameter runid
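All of the listed parameters are integer ids (or comma-separated id lists such as detailid=2,3) except searchword, which is free text, so a defender can spot probing of these pages in web server access logs by checking each listed parameter against the shape it should have. The following is an added example, not code from the advisory or from Weaver; the endpoint-to-parameter map is taken from the list above, the combined-format log lines are constructed for illustration, and the SQL_META pattern is a deliberately simple assumption a real deployment would tune.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints and parameters named in the advisory: integer ids (or id lists)
NUMERIC_PARAMS = {
    "/E-mobile/flowdo_page.php": {"RUN_ID", "flowid"},
    "/E-mobile/flowsorce_page.php": {"flowid"},
    "/E-mobile/flownext_page.php": {"detailid"},
    "/E-mobile/flowimage_page.php": {"FLOW_ID"},
    "/E-mobile/flowform_page.php": {"FLOW_ID"},
    "/E-mobile/create/ajax_do.php": {"sortid", "idstr", "userdept", "userpriv"},
    "/E-mobile/flow/flowhave_page.php": {"detailid"},
    "/E-mobile/flow/flowtype_free.php": {"flowid", "runid"},
    "/E-mobile/flow/flowtype_other.php": {"flowid", "runid"},
    "/E-mobile/flow/freeflowimage_page.php": {"fromid", "runid"},
}
TEXT_PARAMS = {"/E-mobile/diaryother_page.php": {"searchword"}}  # free text
ID_LIST = re.compile(r"^\d+(,\d+)*$")  # "2" or "2,3" are legitimate shapes
SQL_META = re.compile(r"['\"]|--|/\*|#")  # crude check for free-text params
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def check_request(target):
    """Return (param, decoded value, reason) findings for one request target."""
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in NUMERIC_PARAMS.get(parts.path, ()) and not ID_LIST.match(value):
            findings.append((name, value, "non-numeric id"))
        elif name in TEXT_PARAMS.get(parts.path, ()) and SQL_META.search(value):
            findings.append((name, value, "sql metacharacters"))
    return findings

def scan_log(lines):
    """Return (client_ip, status, path, findings) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)  # Apache/Nginx combined log format
        if not m:
            continue  # skip lines that are not request records
        ip, _method, target, status = m.groups()
        findings = check_request(target)
        if findings:
            hits.append((ip, status, urlsplit(target).path, findings))
    return hits

# Constructed sample log lines (not from the advisory): a legitimate id list,
# a quote appended to RUN_ID, and a search term carrying a comment sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Oct/2015:10:00:01 +0800] "GET /E-mobile/flow/flowhave_page.php?detailid=2,3 HTTP/1.1" 200 900',
    '10.0.0.9 - - [14/Oct/2015:10:00:02 +0800] "GET /E-mobile/flowdo_page.php?diff=delete&RUN_ID=1%27 HTTP/1.1" 500 0',
    '10.0.0.9 - - [14/Oct/2015:10:00:04 +0800] "GET /E-mobile/diaryother_page.php?searchword=23%27-- HTTP/1.1" 200 1',
]
```

Because parse_qsl percent-decodes values, the check sees the same bytes the PHP page would receive; a 500 status paired with a flagged id parameter is a strong signal of error-based probing.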

Vulnerability proof:

Screenshots from the official website:

http://eoffice8.weaver.cn:8028/E-mobile/flowdo_page.php?diff=delete&RUN_ID=1

[Screenshot: 1.png]

[Screenshot: 2.png]

Screenshots from another, randomly chosen instance:

http://219.232.254.131:8082/E-mobile/flowsorce_page.php?flowid=2

[Screenshot: 4.jpg]

[Screenshot: 6.jpg]