WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
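2015-06-10: Details reported to the vendor; awaiting vendor handling
2015-06-15: Vendor confirmed; details disclosed to the vendor only
2015-06-25: Details disclosed to core white hats and experts in related fields
2015-07-05: Details disclosed to regular white hats
2015-07-15: Details disclosed to intern white hats
2015-07-30: Details disclosed to the public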
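A small gift pack of assorted vulnerabilities...
The login box at http://www11.chinatelecom.com.cn/wcm/index.html has a POST injection.
Unauthorized access, arbitrary upload, injection, traversal. Painful to look at.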
POST /wcm/user/findpassword______old/identify_answer.jsp HTTP/1.1
Host: www11.chinatelecom.com.cn
Content-Length: 30
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www11.chinatelecom.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www11.chinatelecom.com.cn/wcm/user/findpassword______old/identify_user.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=6BE94C9F1C463C8C93F8C4D614024A7F

UserName=11111111111&x=25&y=0
http://www11.chinatelecom.com.cn/wcm/ftp/ftp_main.htm
http://www11.chinatelecom.com.cn/wcm/webedit/
http://www11.chinatelecom.com.cn/wcm/help/
http://www11.chinatelecom.com.cn/wcm/user/
http://www11.chinatelecom.com.cn/wcm/include/
http://www11.chinatelecom.com.cn/wcm/editor/include/
http://www11.chinatelecom.com.cn/wcm/editor/
http://www11.chinatelecom.com.cn/wcm/ftp/
http://www11.chinatelecom.com.cn/wcm/images/
http://www11.chinatelecom.com.cn/wcm/system/
http://www11.chinatelecom.com.cn/wcm/test/
http://www11.chinatelecom.com.cn/wcm/update/
http://www11.chinatelecom.com.cn/wcm/doc/
http://www11.chinatelecom.com.cn/wcm/help.htm
http://www11.chinatelecom.com.cn/wcm/statistic/
http://www11.chinatelecom.com.cn/wcm/excel/
http://www11.chinatelecom.com.cn/wcm/exchange/
http://www11.chinatelecom.com.cn/wcm/extend/
http://www11.chinatelecom.com.cn/wcm/loginpage/
http://www11.chinatelecom.com.cn/wcm/template/
http://www11.chinatelecom.com.cn/wcm/tousu/
http://www11.chinatelecom.com.cn/wcm/help.htm: the product in use is TRS WCM 5.0
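Severity: High
Vulnerability Rank: 13
Confirmed at: 2015-06-15 10:26
CNVD confirmed and reproduced the situation described. It has been passed to CNCERT to notify China Telecom Group, which will coordinate follow-up handling with the department that administers the website.
None yet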