2015-04-07: Details reported to the vendor; awaiting vendor handling
2015-04-10: Vendor confirmed; details disclosed to the vendor only
2015-04-13: Details opened to third-party security partners
2015-06-04: Details opened to core white hats and experts in related fields
2015-06-14: Details opened to regular white hats
2015-06-24: Details opened to intern white hats
2015-07-09: Details disclosed to the public
As titled.
Keyword: inurl:RESOURCE/kindcontent
Vendor: Zhejiang Haohan Technology Co., Ltd. Official site: http://www.yuysoft.com/index.asp
File: Resource/subjectmain.aspx. Captured request:
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTE1NzU2NzMxMg9kFgICAQ9kFiICAQ9kFgJmDxYCHgdWaXNpYmxlaGQCAw9kFgICBQ9kFgQCAw8WAh4Kb25LZXlQcmVzcwUhaWYoZXZlbnQua2V5Q29kZT09MTMpQ2hlY2tMb2dpbigpZAIGDxYCHgdvbmNsaWNrBRdqYXZhc2NyaXB0OkNoZWNrTG9naW4oKWQCBQ9kFgICAQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAIHD2QWAmYPFgIfBGZkAgkPZBYCZg88KwALAQAPFggfAxYAHwQCAh8FAgEfBgICZBYCZg9kFgQCAQ9kFgRmD2QWBGYPFQEDMTY3ZAIBDw8WAh4EVGV4dAUP6IKy5Y%2BL566h55CG5ZGYZGQCAQ8PFgIfBwUBM2RkAgIPZBYEZg9kFgRmDxUBAzE5MWQCAQ8PFgIfBwUJ6K6h6ICB5biIZGQCAQ8PFgIfBwUBMmRkAgsPZBYCZg8WAh8EZmQCDQ9kFgJmDxYCHwQCBRYKZg9kFgpmDw8WBB8HBQ5b5pWZ5a2m6K%2BE5a6aXR4LTmF2aWdhdGVVcmxlZGQCAQ8PFgIfBwUOW%2BaJgOacieW5tOe6p11kZAIDDxUDBTUwMjIwATcJc2RzZHNkc3NkZAIEDw8WAh8HBQgyMDEyLTgtN2RkAgUPDxYCHwcFCDIwMTItOC03ZGQCAQ9kFgpmDw8WBB8HBQ5b5pWZ5a2m6K%2BE5a6aXR8IZWRkAgEPDxYCHwcFDlvmiYDmnInlubTnuqddZGQCAw8VAwU1MDIxOQE3BnRlc3RzdGQCBA8PFgIfBwUIMjAxMi04LTdkZAIFDw8WAh8HBQgyMDEyLTgtN2RkAgIPZBYKZg8PFgQfBwUOW%2BaVmeWtpuivhOWuml0fCGVkZAIBDw8WAh8HBQ5b5omA5pyJ5bm057qnXWRkAgMPFQMFNTAyMTgBNwIyMmQCBA8PFgIfBwUIMjAxMi0xLTZkZAIFDw8WAh8HBQgyMDEyLTEtNmRkAgMPZBYKZg8PFgQfBwUOW%2BaVmeWtpuivhOWuml0fCGVkZAIBDw8WAh8HBQ5b5omA5pyJ5bm057qnXWRkAgMPFQMFNTAyMTcBNwIyMmQCBA8PFgIfBwUJMjAxMi0xMi02ZGQCBQ8PFgIfBwUJMjAxMi0xMi02ZGQCBA9kFgpmDw8WBB8HBQ5b5pWZ5a2m6K%2BE5a6aXR8IZWRkAgEPDxYCHwcFDlvmiYDmnInlubTnuqddZGQCAw8VAwU1MDIxNgE3A2VlZWQCBA8PFgIfBwUIMjAxMi0xLTZkZAIFDw8WAh8HBQgyMDEyLTEtNmRkAg8PZBYCZg8WAh8EZmQCEQ9kFgJmDxYCHwRmZAITD2QWAmYPFgIfBGZkAhUPZBYCZg8WAh8EZmQCFw9kFgJmDxYCHwRmZAIZD2QWAmYPFgIfBGZkAhsPZBYCZg8WAh8EZmQCHQ9kFgJmDxYCHwRmZAIfD2QWAmYPFgIfBGZkAiEPZBYCZg8WAh8EZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFF1RvcFNpZ25pbjE6SW1hZ2VCdXR0b24xBRVUb3BTaWduaW4xOklCdG5DYW5jZWwzap1nID7oxrS9x1%2Fr31GLK2aUhA%3D%3D&TopSignin1%3AseachTxt=1%27&TopSignin1%3AImageButton1.x=0&TopSignin1%3AImageButton1.y=0&TopSignin1%3AtxtUserName=&TopSignin1%3AtxtPassword=&__EVENTVALIDATION=%2FwEWBwKB8oqNCwLf%2BKGjBAKZkuzkBgL6xYyjBAK%2Fxp7oDw
Kw9MXlCALesJp%2FjOAgoIRO3QGlvS47hb4nq4%2FaRko%3D
Parameters:
TopSignin1%3AseachTxt and TopSignin1%3AtxtUserName are passed directly into the query without any filtering.
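To make the described defect concrete, the following is an added C# example (not the vendor's code): a hypothetical SubjectSearch class showing the string-built query the report describes for the seachTxt field beside the parameterised SqlCommand that closes the hole. The table and column names (subjects, id, title) and the parameter size are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added illustration, not code from the vendor's application. The report says
// TopSignin1:seachTxt reaches the query unfiltered; SubjectSearch is a
// hypothetical class that contrasts that pattern with a parameterised query.
public static class SubjectSearch
{
    // Vulnerable pattern (as the report describes): the search text is pasted
    // into the SQL string, so a value such as 1' alters the statement itself.
    public static string UnsafeQuery(string seachTxt)
    {
        return "SELECT id, title FROM subjects WHERE title LIKE '%" + seachTxt + "%'";
    }

    // Hardened form: the user value travels as a typed parameter and is never
    // interpreted as SQL text. LIKE wildcards are escaped as well so that input
    // cannot widen the match beyond a literal substring search.
    public static SqlCommand SafeCommand(SqlConnection conn, string seachTxt)
    {
        var cmd = new SqlCommand(
            "SELECT id, title FROM subjects WHERE title LIKE @pattern", conn);
        string escaped = seachTxt
            .Replace("[", "[[]")   // escape the bracket first so later steps are not re-escaped
            .Replace("%", "[%]")
            .Replace("_", "[_]");
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
        return cmd;
    }
}
```

The same change applies to the login fields (txtUserName, txtPassword) named in the capture: each must be bound as a parameter rather than concatenated.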
Related cases:
http://www.gx2x.cn/Resource/subjectmain.aspx
http://www.schoolbest.com/Resource/subjectmain.aspx
http://www.hzlcyhxx.com/Resource/subjectmain.aspx
http://www.xfls.net/Resource/subjectmain.aspx
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-04-10 18:51
CNVD did not directly reproduce the described issue; it has been forwarded via CNCERT to the Zhejiang branch centre, which will coordinate handling with the organisation operating the site.
None yet.