WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
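2014-12-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-03-13: The vendor has actively ignored the vulnerability; details disclosed to the public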
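The login URL http://tcm.iquanyou.com.cn/tcm/userLogin.action is vulnerable, but it automatically redirects to http://tcm.iquanyou.com.cn/tcm/frameLogin.jsp, so uploading a file named frameLogin.jsp is enough.
Upload a one-line webshell.
The configuration information is fully exposed: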
    #jdbc.connection.info
    jdbc.driver=oracle.jdbc.driver.OracleDriver
    mysql.jdbc.url=jdbc:mysql://192.168.14.132:3306/crm?characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull
    jdbc.url=jdbc:oracle:thin:@10.10.0.156:1521:tcm
    #jdbc.url=jdbc:oracle:thin:@10.10.0.57:1521:tcm
    jdbc.username=tcm
    #jdbc.password=tcm
    jdbc.password=mip2tcm
    mysql.jdbc.driver=com.mysql.jdbc.Driver
    #mysql.jdbc.url=jdbc:mysql://localhost:3306/mixcall?characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull&transformedBitIsBoolean=true
    mysql.jdbc.username=root
    mysql.jdbc.password=psx
    user.name=admin
    user.password=admin
    #sap.username=ZTCM001
    #sap.password=123456
    sap.username=ZITCM001
    sap.password=tcmlzy123
    bpm.username=bpm
    bpm.password=bpm
    #ZITCM001 \u5bc6\u7801tcmlzy123
    user.name=admin
    user.password=admin
    sap.username=ZITCM001
    sap.password=tcmtcm
    #sap.username=ZITCM001
    #sap.password=tcmlzy123
    crm.username=crmtcm011
    crm.password=tcmcrm110
    bpm.username=bpm
    bpm.password=bpm
    # webservice username and password that tcm provides to the official website
    gw.userName = tcmguuser
    gw.passWord = tcmgwpass
    # webservice information that the official website provides to Tcm
    GWurl = http://user.quanyou.com.cn/CardServer.wsdl
    tcm.username = qyhyusername
    tcm.password = qyhypassword
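The exposed file shows several hygiene problems at once: plaintext credentials, passwords identical to the account name, old credentials left in comments, and keys defined twice. The following audit script is an added example, not part of the original report; its function names, the secret-key pattern and the sample input are assumptions made for illustration, and it handles only `key=value` lines with `#` comments.

```python
import re

SECRET_KEY = re.compile(r"(password|passwd|secret)$", re.IGNORECASE)  # assumed naming

def parse(text):
    """Yield (lineno, key, value, commented) for each key=value line,
    including assignments that were only commented out with '#'."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        line = line.lstrip("#").strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key and " " not in key:          # skip free-text comments
            yield lineno, key.lower(), value, commented

def audit(text):
    """Return sorted (lineno, key, issue) findings for a .properties file."""
    entries = list(parse(text))
    live, findings = {}, []   # live: last active value per key (last one wins in Java)
    for lineno, key, value, commented in entries:
        if not commented:
            if key in live:
                findings.append((lineno, key, "duplicate key overrides earlier value"))
            live[key] = value
    for lineno, key, value, commented in entries:
        if not SECRET_KEY.search(key) or not value:
            continue
        if commented:
            findings.append((lineno, key, "credential left in a comment"))
            continue
        findings.append((lineno, key, "plaintext credential"))
        prefix = key.rsplit(".", 1)[0]
        if value in (live.get(prefix + ".username"), live.get(prefix + ".name")):
            findings.append((lineno, key, "password equals username"))
    return sorted(findings)

# Constructed sample for this example; not the file from the report.
SAMPLE = """\
#db.password=old-example
db.username=app
db.password=example-1
svc.username=svc
svc.password=svc
svc.password=example-2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run against a deployment's properties files before release, any finding is a reason to move the value into a secrets store and rotate it.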
Patch the ST framework.
Unable to contact the vendor, or the vendor actively refused.