WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2015-02-03: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-03-20: The vendor has actively ignored the vulnerability; details disclosed to the public.
The mainland-China ASfashion member-area site can be GETSHELLed and several databases obtained, including AS server files and AS member files; the impact is significant.
AS member site: http://member-sh.asfashion.net:9090/
The site has a Struts command-execution vulnerability.
http://member-sh.asfashion.net:9090/1.jsp
127.0.0.1 : 21 ................................. Close
127.0.0.1 : 25 ................................. Close
127.0.0.1 : 80 ................................. Open
127.0.0.1 : 110 ................................. Close
127.0.0.1 : 1433 ................................. Open
127.0.0.1 : 1723 ................................. Close
127.0.0.1 : 3306 ................................. Close
127.0.0.1 : 3389 ................................. Open
127.0.0.1 : 4899 ................................. Close
127.0.0.1 : 5631 ................................. Open
127.0.0.1 : 43958 ................................. Close
127.0.0.1 : 65500 ................................. Close
AS member site jdbc.properties
jdbc.url=jdbc\:mysql\://localhost\:3306/test?useUnicode\=true&characterEncoding\=UTF-8
jdbc.username=root
hibernate.dialect=org.hibernate.dialect.MySQLDialect
jdbc.driver=com.mysql.jdbc.Driver
hibernate.show_sql=true
jdbc.password=admin
hibernate.format_sql=false
jdbc_sqlserver.properties
jdbc.url=jdbc\:sqlserver\://localhost\:1433;DatabaseName\=Chain201428
jdbc.username=sa
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
hibernate.show_sql=true
jdbc.password=Harson2014
hibernate.format_sql=false
jdbc_sqlserver2008.properties
jdbc.url=jdbc\:sqlserver\://localhost;instanceName\=SQL2008;DatabaseName\=x201428
jdbc.username=sa
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
hibernate.show_sql=true
jdbc.password=hello123456
hibernate.format_sql=false
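As an added example that is not part of the original report, a small Python audit that reads Java .properties datasource files in the format leaked above (unescaping the backslash sequences the way java.util.Properties does) and flags the weaknesses these files exhibit: a plaintext or weak password, a DBA account (root/sa) used by a web application, SQL statement logging, and a JDBC URL without transport encryption. The sample file and its credentials are constructed placeholders, not the values from the report.

```python
import re
from typing import Dict, List
# Constructed sample in the shape of the leaked jdbc.properties (placeholder credentials).
SAMPLE = """\
jdbc.url=jdbc\\:mysql\\://localhost\\:3306/test?useUnicode\\=true&characterEncoding\\=UTF-8
jdbc.username=root
jdbc.password=changeme
hibernate.show_sql=true
"""
WEAK_PASSWORDS = {"", "admin", "password", "changeme", "123456", "root", "sa"}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: the first unescaped '=' or ':' ends the key,
    and a backslash makes the next character literal. Line continuations and the
    bare-whitespace separator are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":            # blank or comment line
            continue
        key, val = [], []
        target, i = key, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):    # escaped character: keep it literally
                target.append(line[i + 1])
                i += 2
            elif target is key and c in "=:":      # first unescaped separator ends the key
                target = val
                i += 1
            else:
                target.append(c)
                i += 1
        props["".join(key).strip()] = "".join(val).strip()
    return props

def audit_datasource(props: Dict[str, str]) -> List[str]:
    """Finding codes for the weaknesses the leaked datasource files exhibited."""
    findings: List[str] = []
    pw = props.get("jdbc.password")
    if pw is not None and not pw.startswith("${"):  # '${VAR}' is injected at deploy time, not stored
        findings.append("plaintext-password")
        if pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
            findings.append("weak-password")
    if props.get("jdbc.username", "").lower() in {"root", "sa"}:
        findings.append("privileged-account")        # DBA account driving a web application
    if props.get("hibernate.show_sql", "").lower() == "true":
        findings.append("sql-logging")               # every statement lands in the app logs
    url = props.get("jdbc.url", "").lower()
    if re.match(r"jdbc:(mysql|sqlserver):", url) and not re.search(r"(usessl|encrypt)=true", url):
        findings.append("no-transport-encryption")
    return findings
```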
Any little gift for this~
Unable to contact the vendor, or the vendor actively refused.