当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-028821

漏洞标题:中国气象局分站sql注射可任意文件读取

相关厂商:中国气象局

漏洞作者: 雅柏菲卡

提交时间:2013-07-14 09:34

修复时间:2013-08-28 09:35

公开时间:2013-08-28 09:35

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-07-14: 细节已通知厂商并且等待厂商处理中
2013-07-18: 厂商已经确认,细节仅向厂商公开
2013-07-28: 细节向核心白帽子及相关领域专家公开
2013-08-07: 细节向普通白帽子公开
2013-08-17: 细节向实习白帽子公开
2013-08-28: 细节向公众公开

简要描述:

.....

详细说明:

....

漏洞证明:

注射点 http://www.ipcc.cma.gov.cn/background/index.php?lang=cn&NewsID=17
/etc/passwd 文件
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dhcpd:x:102:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:50:109:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
hacluster:x:90:90:heartbeat processes:/var/lib/heartbeat/cores/hacluster:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
mysql:x:60:106:MySQL database admin:/var/lib/mysql:/bin/bash
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:105:NTP daemon:/var/lib/ntp:/bin/false
oracle:x:103:103:Oracle user:/opt/oracle:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
quagga:x:104:107:Quagga routing daemon:/var/run/quagga:/bin/false
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:105:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
user001:x:1000:100:user001:/home/user001:/bin/bash
upload1:x:1001:1000::/space/local/wwwsvr/ncc.cma.gov.cn/Monitoring/:/bin/bash
upload2:x:1002:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload2/:/bin/bash
upload3:x:1003:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload3/:/bin/bash
upload4:x:1004:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload4/:/bin/bash
upload5:x:1005:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload5/:/bin/bash
upload6:x:1006:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload6/:/bin/bash
upload7:x:1007:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload7/:/bin/bash
upload8:x:1008:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload8/:/bin/bash
upload9:x:1009:1000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload9/:/bin/bash
www:x:1011:100::/space/local/wwwsvr:/bin/bash
suncr:x:3001:3000:SUN Churong:/home/suncr:/bin/bash
maqiang:x:3002:3000:MA Qiang:/home/maqiang:/bin/bash
dcd_prod:x:3004:3000:ZHANG Peiqun:/space/local/dcd4download/download1/docs:/bin/bash
nccweb:x:3008:3001:NCC Web:/space/local/wwwsvr:/bin/bash
uploada:x:3022:3000::/space/local/wwwsvr/ncc.cma.gov.cn/upload/uploada:/bin/bash
wwwsvr:x:3023:100::/home/wwwsvr:/bin/bash
liuym:x:3024:100::/space/local/wwwsvr/liuym_asm:/bin/bash
monitor:x:3197:3120::/home/monitor:/bin/bash
cwera:x:3198:1000::/space/local/wwwsvr/cwera.cma.gov.cn/upload/solar/:/bin/bash
monsoon:x:3199:100::/space/local/wwwsvr/bcc.cma.gov.cn/upload/monsoon/:/bin/bash
uploadx:x:3200:100::/space/local/wwwsvr/ncc.cma.gov.cn/upload/upload2/qhxx:/bin/bash
upload973:x:3201:100::/space/local/wwwsvr/ncc.cma.gov.cn/upload/973:/bin/bash
webuser:x:3202:100::/home/webuser:/bin/bash
monsoonRama:x:3203:100::/space/local/wwwsvr/bcc.cma.gov.cn/upload/monsoon/homepage/rama:/bin/bash
2.jpg




由于不能进后台  否则我还能继续测试下去

修复方案:

版权声明:转载请注明来源 雅柏菲卡@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-07-18 15:28

厂商回复:

最新状态:

暂无