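2016-01-17: Details reported to the vendor; awaiting vendor handling
2016-01-19: Vendor confirmed; details disclosed only to the vendor
2016-01-29: Details disclosed to core white hats and experts in related fields
2016-02-08: Details disclosed to regular white hats
2016-02-18: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public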
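Such expensive English tuition fees.

http://116.213.69.250/index.php
Zabbix weak password: admin/zabbix

Two SVN locations:
http://pms.51talk.com/.svn/entries
http://ts.51talk.com/.svn/entries

The second one, though, is incredible: it is probably old code from the main site, and it is highly similar to the main site.

I won't go for a shell; after all, the privilege is only zabbix and privilege escalation would still be needed.

Let's look at an interesting file, wj_user.php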
<?php
/**
 * 91外教 (91 Foreign Teacher) user registration information
 * @author malh<[email protected]>
 *
 */
include 'init.php';

// Check the source IP
$arr_return = array();
$ip = getClientIP();
if (!in_array($ip, array('121.40.145.142', '112.124.41.101'))) {
    $arr_return['code'] = -2;
    $arr_return['url'] = '';
    $arr_return['msg'] = '非法请求'; // "illegal request"
    echo json_encode($arr_return);
    exit;
}

// Instantiate the models
$obj_user = Load::loadModel("User");
$obj_stu_point = Load::loadModel("StuPoint");
$obj_storage = new Storage('/logs/');

// Receive the parameters
$data = Http::post('data');
$token = Http::post('token');

// Append to the log
$file = '91/' . date('Y_m', time()) . '_reg_log.txt';
$obj_storage->write($file, $data . "\r\n", false);

// Parse the user parameters
$data_arr = unserialize($data);

// Security token verification
$key = '51talk';
$token_md5 = md5(md5($data) . $key);
if ($token_md5 != $token) {
    $arr_return['code'] = -2;
    $arr_return['url'] = '';
    $arr_return['msg'] = '签名错误'; // "signature error"
    echo json_encode($arr_return);
    exit;
}

// Verify the user information
$fromurl = explode(',', Http::cookie('from_url'));
$from = $data_arr['from']; // 1 = website, 2 = wap
$userinfo['user_name'] = $data_arr['mail'];
$userinfo['password'] = $data_arr['password'];
$userinfo['mobile'] = $data_arr['phone'];
$userinfo['nickname'] = $data_arr['nickname'];
$userinfo['from_url'] = $fromurl[0];
$userinfo['key_word'] = Http::cookie('query_wd');
$userinfo['from_ip'] = $data_arr['ip'];
$userinfo['ext_id'] = Http::cookie('baihe_user_id', '');
$userinfo['register_from'] = 1001;
$obj_reg = new Model_Register($userinfo, $recommen_code);

// Check that the registration is valid
if (!$obj_reg->waiJiaoCheckReg()) {
    $arr_return['code'] = -1;
    $arr_return['url'] = $from > 1 ? 'http://wap.51talk.com/login.php' : 'http://www.51talk.com/user/user_login.php';
    $arr_return['msg'] = $obj_reg->getMessage();
    echo json_encode($arr_return);
    exit;
}

$user_id = $obj_reg->doReg(); // Perform the registration
if (!$user_id) {
    $arr_return['code'] = -1;
    $arr_return['url'] = $from > 1 ? 'http://wap.51talk.com/register.php' : 'http://www.51talk.com/user/user_register.php';
    $arr_return['msg'] = '注册时出现异常,请重新注册'; // "an error occurred during registration, please register again"
    echo json_encode($arr_return);
    exit;
}

$user_toke = encode($data_arr['mail'].'_'.$data_arr['password'].'_'.$from.'_'.time());
$arr_return['code'] = 1;
$arr_return['url'] = $from > 1 ? 'http://www.51talk.com/wj_user_login.php?token='.$user_toke : 'http://www.51talk.com/wj_user_login.php?token='.$user_toke;
$arr_return['msg'] = '';
echo json_encode($arr_return);
exit;
Unlimited registration? http://pms.51talk.com/login: credential stuffing,

Change the passwords, delete the .svn directories, add a CAPTCHA.
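A hardened form of the token check in wj_user.php, as an added example (not the site's code and not part of the original report): the listing above calls unserialize() on the posted data before the md5 token is compared and keeps the key in the source, so this version authenticates the raw bytes with an HMAC first and only then parses them, as JSON. The function name, the field list, the `ts` freshness field and the demo key are assumptions; it needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example; verify_signed_payload(), the field list and the 'ts'
// freshness field are hypothetical, not taken from the leaked source.
function verify_signed_payload(string $data, string $token, string $key,
                               int $now, int $maxAge = 300): ?array
{
    // 1. Authenticate the raw bytes with a keyed MAC, compared in constant
    //    time. Nothing is parsed before this check passes.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $token)) {
        return null;
    }
    // 2. Parse as JSON, a data-only format (unserialize() can build objects).
    try {
        $fields = json_decode($data, true, 2, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($fields)) {
        return null;
    }
    // 3. Require every expected field to be a string.
    foreach (['mail', 'password', 'phone', 'nickname', 'ip'] as $name) {
        if (!isset($fields[$name]) || !is_string($fields[$name])) {
            return null;
        }
    }
    // 4. Reject stale or replayed requests.
    $ts = $fields['ts'] ?? null;
    if (!is_int($ts) || abs($now - $ts) > $maxAge) {
        return null;
    }
    return $fields;
}

// Constructed sample request; all values are made up.
$key   = 'constructed-demo-key'; // in deployment, load from a secret store
$now   = 1453000000;
$data  = json_encode(['mail' => 'user@example.com', 'password' => 'x',
    'phone' => '000', 'nickname' => 'demo', 'ip' => '192.0.2.10', 'ts' => $now]);
$token = hash_hmac('sha256', $data, $key);

var_dump(verify_signed_payload($data, $token, $key, $now) !== null);        // untouched request
var_dump(verify_signed_payload($data . ' ', $token, $key, $now) !== null);  // body changed after signing
var_dump(verify_signed_payload($data, $token, $key, $now + 3600) !== null); // same request an hour later
```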
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2016-01-19 12:00
The relevant personnel have been contacted to handle this. Thank you.
None yet