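2014-11-19: Details reported to the vendor; awaiting vendor response
2014-11-24: Vendor confirmed; details disclosed to the vendor only
2014-12-04: Details disclosed to core white hats and experts in related fields
2014-12-14: Details disclosed to regular white hats
2014-12-24: Details disclosed to intern white hats
2015-01-03: Details disclosed to the public
So, after reading the stars one night, I got a shell. Statement: out of professional ethics, I only proved that the vulnerability exists and did not go any deeper! 30+ subsites + 50+ databases = how much data?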
shell
http://oa.gwbnsh.net.cn/help.aspx Password: herolon113
I took a quick look: no more, no fewer than 31 sites.
Each site has 1 to 2 databases and cmanage has 3, so a rough estimate is about 50 databases. Here are a few to start with:
cmanage.gwbnsh.net.cn
<add key="SqlConncectionString" value="Server=db1.gwbnsh.net.cn;User ID=GwbnB;Password=gwbnsh@business22;database=GwbnBusiness;Connection Reset=FALSE"></add>
<add key="GwbnBossConncection" value="Server=10.64.2.81;User ID=GwbnBoss;Password=gwbnsh@boss;database=GwbnBoss;Connection Reset=FALSE"></add>
<add key="FaPiaoConncection" value="Server=db2.gwbnsh.net.cn;User ID=gwbninvoice;Password=#@!gwbn;database=GwbnInvoiceFlow;Connection Reset=FALSE"></add>
<add key="FCKeditor:BasePath" value="~/FCKeditor/" />

123.gwbnsh.net.cn
<add key="MsSql" value="server=db2.gwbnsh.net.cn;database=WebGuid;uid=gwbnshweb;pwd=gwbnsh@123;" />
<add key="GwbnSql" value="server=db2.gwbnsh.net.cn;database=GwbnShWeb;uid=gwbnshweb;pwd=gwbnsh@123;" />

123.shpbs.com
<add key="MsSql" value="server=10.72.25.87;database=WebGuid;uid=gwbnshweb;pwd=gwbnsh@123;" />
<add key="GwbnSql" value="Server=10.72.25.88;User ID=shpbsweb;Password=!shpbs!@#$%^*();database=ShpbsWeb;Connection Reset=FALSE"></

beijing.gwbn.net.cn
<add key="SqlConncectionString" value="Server=10.72.25.87;User ID=gwbnshweb;Password=gwbnsh@123;database=GwbnbjWeb;Connection Reset=FALSE">

blog.gwbnsh.net.cn(IpPhone)
connstr="Provider=SQLOLEDB.1; Persist Security Info=True; Data Source=10.72.22.22; Initial Catalog=iphone; User ID=webdata; Password=gwbnsh@dataweb; Connect Timeout=15"

coop.gwbn.net.cn
<add key="SqlConncectionString" value="Server=db1.gwbnsh.net.cn;User ID=ipview;Password=gwbnsh@ipview;database=ipview;Connection Reset=FALSE"></add>
</appSettings>
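A defender-side audit for the pattern visible in the appSettings fragments above: plaintext database passwords stored in `<add key=... value=...>` entries, with the same account and password shared between sites. This is an added example, not part of the original report; the file paths, hosts, accounts and passwords in it are constructed placeholders, and the `key=value;` splitting is a simplification that assumes no quoted semicolons in values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (placeholder hosts and secrets, not values from the report).
SAMPLE_CONFIGS = {
    "site-a/web.config": """<configuration><appSettings>
        <add key="SqlConnectionString" value="Server=db.example.internal;User ID=appA;Password=EXAMPLE-ONLY-1;database=A" />
        <add key="FCKeditor:BasePath" value="~/FCKeditor/" />
    </appSettings></configuration>""",
    "site-b/web.config": """<configuration><appSettings>
        <add key="MsSql" value="server=db.example.internal;database=B;uid=shared;pwd=EXAMPLE-ONLY-2;" />
    </appSettings></configuration>""",
    "site-c/web.config": """<configuration><appSettings>
        <add key="MsSql" value="server=db2.example.internal;database=C;uid=shared;pwd=EXAMPLE-ONLY-2;" />
    </appSettings></configuration>""",
}

USER_KEYS = ("user id", "uid")    # both spellings appear in connection strings
PASS_KEYS = ("password", "pwd")

def parse_conn(value):
    """Split 'k=v;k=v' into a dict with lower-cased keys (simplified parser)."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip().lower()] = v.strip()
    return fields

def audit(configs):
    """Return (plaintext-password findings, credentials reused across files).

    Passwords are only compared, never returned, so the report can be shared."""
    findings, reuse = [], defaultdict(set)
    for path, xml_text in configs.items():
        for add in ET.fromstring(xml_text).iter("add"):
            fields = parse_conn(add.get("value", ""))
            user = next((fields[k] for k in USER_KEYS if k in fields), None)
            pwd = next((fields[k] for k in PASS_KEYS if k in fields), None)
            if pwd is None:
                continue  # not a credential-bearing setting
            findings.append((path, add.get("key"), user))
            reuse[(user, pwd)].add(path)
    reused = sorted((user, sorted(paths))
                    for (user, _), paths in reuse.items() if len(paths) > 1)
    return findings, reused
```

The second return value is the reuse case: one account and password appearing in more than one site's config, so a single readable file exposes every database that shares it.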
No picture, no truth:
Severity: High
Vulnerability Rank: 17
Confirmed at: 2014-11-24 08:13
None yet