华数服务器某系统弱口令+未授权下载+列目录漏洞

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0129477

漏洞标题：华数服务器某系统弱口令+未授权下载+列目录漏洞

漏洞作者：路人甲

提交时间：2015-07-26 18:28

修复时间：2015-09-10 14:58

公开时间：2015-09-10 14:58

漏洞类型：后台弱口令

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-26：细节已通知厂商并且等待厂商处理中
2015-07-27：厂商已经确认，细节仅向厂商公开
2015-08-06：细节向核心白帽子及相关领域专家公开
2015-08-16：细节向普通白帽子公开
2015-08-26：细节向实习白帽子公开
2015-09-10：细节向公众公开

简要描述：

华数说给我发礼物的呢？

详细说明：

探测到一个ip

211.140.39.212:8088 
211.140.39.212:8089

点第一个进入到一个登录系统，第二个显示“It works!”
那么来打第一个吧
很幸运，github上打到了一点信息

https://github.com/joeiren/washu-jk/blob/3187faee0f436e9700eb240c891c9897031ca2d8/wasu-commerce/conf/routes

# Home page
GET           /                                                  controllers.Application.index()
POST          /login                                             controllers.Application.login()
GET           /project/progress/list                             controllers.Application.projectProgress()
GET           /industryLine/list                                 controllers.Application.industryLine()
GET           /bussinessType/list                                controllers.Application.bussinessTypeList()
GET           /user/list                                         controllers.Application.userList()
GET           /user/add                                          controllers.Application.userAdd()
POST          /user/post                                         controllers.Application.userPost()
GET           /sales/list                                        controllers.Application.salesList()
POST          /project/:id/progressLog/add                       controllers.Application.projectProgressLogAdd(id:Long)
POST          /project/progressLog/delete                        controllers.Application.projectProgressLogDelete()
POST          /project/add                                       controllers.Application.projectAdd()
POST          /project/:id/update                                controllers.Application.projectUpdate(id:Long)
POST          /project/delete/:id                                controllers.Application.projectDelete(id:Long)
GET           /project/filter                                    controllers.Application.projectFilter()
GET           /project/:id                                       controllers.Application.projectDetail(id:Long)
GET           /projectstate/filter                               controllers.Application.projectStateFilter()
GET           /chargeOf/filter                                   controllers.Application.chargeOfFilter()
GET           /client/state/list                                 controllers.Application.clientStateList()
GET           /client/type/list                                  controllers.Application.clientTypeList()
GET           /client/level/list                                 controllers.Application.clientLevelList()
GET           /client/filter                                     controllers.Application.clientFilter()
POST          /client/add                                        controllers.Application.clientAdd()
POST          /client/delete/:id                                 controllers.Application.clientDelete(id:Long)
POST          /client/:id/update                                 controllers.Application.clientUpdate(id:Long)
POST          /client/:clientId/contact/add                      controllers.Application.clientContactAdd(clientId:Long)
POST          /client/contact/:contactId/update                  controllers.Application.clientContactUpdate(contactId :Long)
DELETE        /client/:clientId/contact/:contactId/delete        controllers.Application.clientContactDelete(clientId:Long,contactId:Long)
GET           /client/contact/hobbies                            controllers.Application.clientContacthobbies()
GET           /work/log/filter                                   controllers.Application.workLogFilter()
POST          /work/log/add                                      controllers.Application.workLogAdd()
POST          /workortask/add                                    controllers.Application.workLogOrTaskAdd()
GET           /work/log/:id                                      controllers.Application.workLogDetail(id:Long)
POST          /work/log/delete/:id                               controllers.Application.workLogDelete(id:Long)
GET           /visit/log/filter                                  controllers.Application.visitLogFilter()
POST          /visit/log/add                                     controllers.Application.visitLogAdd()
POST          /visit/log/:id/update                              controllers.Application.visitLogUpdate(id:Long)
POST          /visit/log/delete                                  controllers.Application.visitLogDelete()
GET           /property/list                                     controllers.Application.getProperties()
GET           /productindustry/list                              controllers.Application.getProductIndustry()
GET           /productscheme/list                                controllers.Application.getProductScheme()
GET           /product/filter                                    controllers.Application.productFilter()
POST          /product/delete/:id                                controllers.Application.productDelete(id:Long)
POST          /task/add                                          controllers.Application.taskAdd()
POST          /task/post/:id                                     controllers.Application.taskUpdate(id:Long)
POST          /task/delete/:id                                   controllers.Application.taskDelete(id:Long)
GET           /task/get                                          controllers.Application.taskGet()
GET           /task/daily/get                                    controllers.Application.taskGetDaily()
GET           /task/notification/:userId                         controllers.Application.taskNotification(userId:String)
GET           /task/notify/test                                  controllers.Application.notifyTest()
POST          /task/notify/receive                               controllers.Application.notifyReceive()
POST          /contract/add                                      controllers.Application.contractAdd()
POST          /contract/delete/:id                               controllers.Application.contractDelete(id:String)
POST          /contract/update/:id                               controllers.Application.contractUpdate(id:String)
GET           /contract/getAll                                   controllers.Application.contractGet()
GET           /workOrder                                         controllers.Application.getWorkOrder()
# Map static resources from the /public folder to the /assets URL path
GET           /assets/javascripts/routes                         controllers.MyApp.javascriptRoutes()
GET           /assets/*file                                      controllers.Assets.at(path="/public", file)
GET           /app/user/add                                      controllers.MyApp.userAdd()
POST          /app/user/post                                     controllers.MyApp.userPost()
GET           /app/manager/setting/:id                           controllers.MyApp.userAuthoritySetting(id:Long)
POST          /app/manager/setting/update/:id                    controllers.MyApp.userAuthoritySettingUpdate(id:Long)
GET           /app/user/list                                     controllers.MyApp.userList()
GET           /app/user/table                                    controllers.MyApp.getUserTable()
GET           /app/user/:id                                      controllers.MyApp.userEdit(id:Long)
POST          /app/user/post/:id                                 controllers.MyApp.userUpdate(id:Long)
GET           /app/user/:userId/:authorityId/userTable           controllers.MyApp.getUserTableByAuthority(userId :Long,authorityId :Long)
GET           /app/user/password/:id                             controllers.MyApp.redirectPasswordUpdate(id:Long)
POST          /app/user/passwordUpdate/:id                       controllers.MyApp.userPasswordUpdate(id:Long)
GET           /app/progress/list                                 controllers.ProgressController.list()
GET           /app/progress/table                                controllers.ProgressController.getDataTable()
GET           /app/progress/add                                  controllers.ProgressController.add()
POST          /app/progress/post                                 controllers.ProgressController.post()
GET           /app/progress/edit/:id                             controllers.ProgressController.edit(id:Long)
POST          /app/progress/update/:id                           controllers.ProgressController.update(id:Long)
POST          /app/progress/delete/:id                           controllers.ProgressController.delete(id:Long)
GET           /app/property/list                                 controllers.PropertyController.list()
GET           /app/property/table                                controllers.PropertyController.getDataTable()
GET           /app/property/add                                  controllers.PropertyController.add()
POST          /app/property/post                                 controllers.PropertyController.post()
GET           /app/property/edit/:id                             controllers.PropertyController.edit(id:Long)
POST          /app/property/update/:id                           controllers.PropertyController.update(id:Long)
POST          /app/property/delete/:id                           controllers.PropertyController.delete(id:Long)
GET           /app/product_industry/list                         controllers.ProductIndustryController.list()
GET           /app/product_industry/table                        controllers.ProductIndustryController.getDataTable()
GET           /app/product_industry/edit/:id                     controllers.ProductIndustryController.edit(id:Long)
POST          /app/product_industry/update/:id                   controllers.ProductIndustryController.update(id:Long)
POST          /app/product_industry/delete/:id                   controllers.ProductIndustryController.delete(id:Long)
GET           /app/product_industry/add                          controllers.ProductIndustryController.add()
POST          /app/product_industry/post                         controllers.ProductIndustryController.post()
GET           /app/product_scheme/list                           controllers.ProductSchemeController.list()
GET           /app/product_scheme/table                          controllers.ProductSchemeController.getDataTable()
GET           /app/product_scheme/edit/:id                       controllers.ProductSchemeController.edit(id:Long)
POST          /app/product_scheme/update/:id                     controllers.ProductSchemeController.update(id:Long)
POST          /app/product_scheme/delete/:id                     controllers.ProductSchemeController.delete(id:Long)
GET           /app/product_scheme/add                            controllers.ProductSchemeController.add()
POST          /app/product_scheme/post                           controllers.ProductSchemeController.post()
GET           /app/product/list                                  controllers.ProductController.list()
GET           /app/product/table                                 controllers.ProductController.getDataTable()
GET           /app/product/add                                   controllers.ProductController.add()
POST          /app/product/post                                  controllers.ProductController.post()
GET           /app/product/edit/:id                              controllers.ProductController.edit(id:Long)
POST          /app/product/update/:id                            controllers.ProductController.update(id:Long)
POST          /app/product/delete/:id                            controllers.ProductController.delete(id:Long)
GET           /app/client/list                                   controllers.ClientController.list()
GET           /app/client/table                                  controllers.ClientController.getDataTable
GET           /app/client/add                                    controllers.ClientController.add()
POST          /app/client/post                                   controllers.ClientController.post()
GET           /app/client/edit/:id                               controllers.ClientController.edit(id:Long)
POST          /app/client/update/:id                             controllers.ClientController.update(id:Long)
POST          /app/client/delete/:id                             controllers.ClientController.delete(id:Long)
GET           /app/client_type/list                              controllers.ClientTypeController.list()
GET           /app/client_type/table                             controllers.ClientTypeController.getDataTable
GET           /app/client_type/add                               controllers.ClientTypeController.add()
POST          /app/client_type/post                              controllers.ClientTypeController.post()
GET           /app/client_type/edit/:id                          controllers.ClientTypeController.edit(id:Long)
POST          /app/client_type/update/:id                        controllers.ClientTypeController.update(id:Long)
POST          /app/client_type/delete/:id                        controllers.ClientTypeController.delete(id:Long)
GET           /app/client_state/list                             controllers.ClientStateController.list()
GET           /app/client_state/table                            controllers.ClientStateController.getDataTable
GET           /app/client_state/add                              controllers.ClientStateController.add()
POST          /app/client_state/post                             controllers.ClientStateController.post()
GET           /app/client_state/edit/:id                         controllers.ClientStateController.edit(id:Long)
POST          /app/client_state/update/:id                       controllers.ClientStateController.update(id:Long)
POST          /app/client_state/delete/:id                       controllers.ClientStateController.delete(id:Long)
GET           /app/client_level/list                             controllers.ClientLevelController.list()
GET           /app/client_level/table                            controllers.ClientLevelController.getDataTable
GET           /app/client_levle/add                              controllers.ClientLevelController.add()
POST          /app/client_level/post                             controllers.ClientLevelController.post()
GET           /app/client_level/edit/:id                         controllers.ClientLevelController.edit(id:Long)
POST          /app/client_level/update/:id                       controllers.ClientLevelController.update(id:Long)
POST          /app/client_level/delete/:id                       controllers.ClientLevelController.delete(id:Long)
GET           /app/bussiness_type/list                           controllers.BussinessTypeController.list()
GET           /app/bussiness_type/table                          controllers.BussinessTypeController.getDataTable
GET           /app/bussiness_type/add                            controllers.BussinessTypeController.add()
POST          /app/bussiness_type/post                           controllers.BussinessTypeController.post()
GET           /app/bussiness_type/edit/:id                       controllers.BussinessTypeController.edit(id:Long)
POST          /app/bussiness_type/update/:id                     controllers.BussinessTypeController.update(id:Long)
POST          /app/bussiness_type/delete/:id                     controllers.BussinessTypeController.delete(id:Long)
GET           /app/industry_line/list                            controllers.IndustryLineController.list()
GET           /app/industry_line/table                           controllers.IndustryLineController.getDataTable
GET           /app/industry_line/add                             controllers.IndustryLineController.add()
POST          /app/industry_line/post                            controllers.IndustryLineController.post()
GET           /app/industry_line/edit/:id                        controllers.IndustryLineController.edit(id:Long)
POST          /app/industry_line/update/:id                      controllers.IndustryLineController.update(id:Long)
POST          /app/industry_line/delete/:id                      controllers.IndustryLineController.delete(id:Long)
GET           /app/project/list                                  controllers.ProjectController.list()
GET           /app/project/table                                 controllers.ProjectController.getDataTable
GET           /app/project/add                                   controllers.ProjectController.add()
POST          /app/project/post                                  controllers.ProjectController.post()
GET           /app/project/edit/:id                              controllers.ProjectController.edit(id:Long)
POST          /app/project/update/:id                            controllers.ProjectController.update(id:Long)
POST          /app/project/delete/:id                            controllers.ProjectController.delete(id:Long)
GET           /app/project_progress_log/list                     controllers.ProjectProgressLogController.list()
GET           /app/project_progress_log/table                    controllers.ProjectProgressLogController.getDataTable
GET           /app/project_progress_log/add                      controllers.ProjectProgressLogController.add()
POST          /app/project_progress_log/post                     controllers.ProjectProgressLogController.post()
GET           /app/visit_log/list                                controllers.VisitLogController.list()
GET           /app/visit_log/table                               controllers.VisitLogController.getDataTable
GET           /app/visit_log/add                                 controllers.VisitLogController.add()
POST          /app/visit_log/post                                controllers.VisitLogController.post()
GET           /app/TimeTask/list                                 controllers.TimeTaskController.list()
GET           /app/TimeTask/getList                              controllers.TimeTaskController.getList()
GET           /app/TimeTask/detail                               controllers.TimeTaskController.detail()
POST          /app/TimeTask/post                                 controllers.TimeTaskController.post()

一个一个试，输入http://211.140.39.212:8088/user/list，打到一处用户信息，未授权可下载

有了用户名，试一下弱口令，中了，都是123456,用测试经理登录

找了上传点，点击产品设置》产品信息》添加，选择文件上传，提交

添加成功后返回列表，看到文件下载，但下载地址是http://192.168.24.147:8089/uploads/1437905555658_mkzy.jsp 是内网
看到8090端口，联想到刚开始的那两个地址，果断替换为http://211.140.39.212:8089/uploads/1437905555658_mkzy.jsp，访问之。
但是未解析，再一个个试aspx,php都不解析，郁闷
还是大牛上
最后一处列目录
http://211.140.39.212:8089/uploads

里面有些我传的shell，请删之

漏洞证明：

探测到一个ip

211.140.39.212:8088 
211.140.39.212:8089

点第一个进入到一个登录系统，第二个显示“It works!”
那么来打第一个吧
很幸运，github上打到了一点信息

https://github.com/joeiren/washu-jk/blob/3187faee0f436e9700eb240c891c9897031ca2d8/wasu-commerce/conf/routes

# Home page
GET           /                                                  controllers.Application.index()
POST          /login                                             controllers.Application.login()
GET           /project/progress/list                             controllers.Application.projectProgress()
GET           /industryLine/list                                 controllers.Application.industryLine()
GET           /bussinessType/list                                controllers.Application.bussinessTypeList()
GET           /user/list                                         controllers.Application.userList()
GET           /user/add                                          controllers.Application.userAdd()
POST          /user/post                                         controllers.Application.userPost()
GET           /sales/list                                        controllers.Application.salesList()
POST          /project/:id/progressLog/add                       controllers.Application.projectProgressLogAdd(id:Long)
POST          /project/progressLog/delete                        controllers.Application.projectProgressLogDelete()
POST          /project/add                                       controllers.Application.projectAdd()
POST          /project/:id/update                                controllers.Application.projectUpdate(id:Long)
POST          /project/delete/:id                                controllers.Application.projectDelete(id:Long)
GET           /project/filter                                    controllers.Application.projectFilter()
GET           /project/:id                                       controllers.Application.projectDetail(id:Long)
GET           /projectstate/filter                               controllers.Application.projectStateFilter()
GET           /chargeOf/filter                                   controllers.Application.chargeOfFilter()
GET           /client/state/list                                 controllers.Application.clientStateList()
GET           /client/type/list                                  controllers.Application.clientTypeList()
GET           /client/level/list                                 controllers.Application.clientLevelList()
GET           /client/filter                                     controllers.Application.clientFilter()
POST          /client/add                                        controllers.Application.clientAdd()
POST          /client/delete/:id                                 controllers.Application.clientDelete(id:Long)
POST          /client/:id/update                                 controllers.Application.clientUpdate(id:Long)
POST          /client/:clientId/contact/add                      controllers.Application.clientContactAdd(clientId:Long)
POST          /client/contact/:contactId/update                  controllers.Application.clientContactUpdate(contactId :Long)
DELETE        /client/:clientId/contact/:contactId/delete        controllers.Application.clientContactDelete(clientId:Long,contactId:Long)
GET           /client/contact/hobbies                            controllers.Application.clientContacthobbies()
GET           /work/log/filter                                   controllers.Application.workLogFilter()
POST          /work/log/add                                      controllers.Application.workLogAdd()
POST          /workortask/add                                    controllers.Application.workLogOrTaskAdd()
GET           /work/log/:id                                      controllers.Application.workLogDetail(id:Long)
POST          /work/log/delete/:id                               controllers.Application.workLogDelete(id:Long)
GET           /visit/log/filter                                  controllers.Application.visitLogFilter()
POST          /visit/log/add                                     controllers.Application.visitLogAdd()
POST          /visit/log/:id/update                              controllers.Application.visitLogUpdate(id:Long)
POST          /visit/log/delete                                  controllers.Application.visitLogDelete()
GET           /property/list                                     controllers.Application.getProperties()
GET           /productindustry/list                              controllers.Application.getProductIndustry()
GET           /productscheme/list                                controllers.Application.getProductScheme()
GET           /product/filter                                    controllers.Application.productFilter()
POST          /product/delete/:id                                controllers.Application.productDelete(id:Long)
POST          /task/add                                          controllers.Application.taskAdd()
POST          /task/post/:id                                     controllers.Application.taskUpdate(id:Long)
POST          /task/delete/:id                                   controllers.Application.taskDelete(id:Long)
GET           /task/get                                          controllers.Application.taskGet()
GET           /task/daily/get                                    controllers.Application.taskGetDaily()
GET           /task/notification/:userId                         controllers.Application.taskNotification(userId:String)
GET           /task/notify/test                                  controllers.Application.notifyTest()
POST          /task/notify/receive                               controllers.Application.notifyReceive()
POST          /contract/add                                      controllers.Application.contractAdd()
POST          /contract/delete/:id                               controllers.Application.contractDelete(id:String)
POST          /contract/update/:id                               controllers.Application.contractUpdate(id:String)
GET           /contract/getAll                                   controllers.Application.contractGet()
GET           /workOrder                                         controllers.Application.getWorkOrder()
# Map static resources from the /public folder to the /assets URL path
GET           /assets/javascripts/routes                         controllers.MyApp.javascriptRoutes()
GET           /assets/*file                                      controllers.Assets.at(path="/public", file)
GET           /app/user/add                                      controllers.MyApp.userAdd()
POST          /app/user/post                                     controllers.MyApp.userPost()
GET           /app/manager/setting/:id                           controllers.MyApp.userAuthoritySetting(id:Long)
POST          /app/manager/setting/update/:id                    controllers.MyApp.userAuthoritySettingUpdate(id:Long)
GET           /app/user/list                                     controllers.MyApp.userList()
GET           /app/user/table                                    controllers.MyApp.getUserTable()
GET           /app/user/:id                                      controllers.MyApp.userEdit(id:Long)
POST          /app/user/post/:id                                 controllers.MyApp.userUpdate(id:Long)
GET           /app/user/:userId/:authorityId/userTable           controllers.MyApp.getUserTableByAuthority(userId :Long,authorityId :Long)
GET           /app/user/password/:id                             controllers.MyApp.redirectPasswordUpdate(id:Long)
POST          /app/user/passwordUpdate/:id                       controllers.MyApp.userPasswordUpdate(id:Long)
GET           /app/progress/list                                 controllers.ProgressController.list()
GET           /app/progress/table                                controllers.ProgressController.getDataTable()
GET           /app/progress/add                                  controllers.ProgressController.add()
POST          /app/progress/post                                 controllers.ProgressController.post()
GET           /app/progress/edit/:id                             controllers.ProgressController.edit(id:Long)
POST          /app/progress/update/:id                           controllers.ProgressController.update(id:Long)
POST          /app/progress/delete/:id                           controllers.ProgressController.delete(id:Long)
GET           /app/property/list                                 controllers.PropertyController.list()
GET           /app/property/table                                controllers.PropertyController.getDataTable()
GET           /app/property/add                                  controllers.PropertyController.add()
POST          /app/property/post                                 controllers.PropertyController.post()
GET           /app/property/edit/:id                             controllers.PropertyController.edit(id:Long)
POST          /app/property/update/:id                           controllers.PropertyController.update(id:Long)
POST          /app/property/delete/:id                           controllers.PropertyController.delete(id:Long)
GET           /app/product_industry/list                         controllers.ProductIndustryController.list()
GET           /app/product_industry/table                        controllers.ProductIndustryController.getDataTable()
GET           /app/product_industry/edit/:id                     controllers.ProductIndustryController.edit(id:Long)
POST          /app/product_industry/update/:id                   controllers.ProductIndustryController.update(id:Long)
POST          /app/product_industry/delete/:id                   controllers.ProductIndustryController.delete(id:Long)
GET           /app/product_industry/add                          controllers.ProductIndustryController.add()
POST          /app/product_industry/post                         controllers.ProductIndustryController.post()
GET           /app/product_scheme/list                           controllers.ProductSchemeController.list()
GET           /app/product_scheme/table                          controllers.ProductSchemeController.getDataTable()
GET           /app/product_scheme/edit/:id                       controllers.ProductSchemeController.edit(id:Long)
POST          /app/product_scheme/update/:id                     controllers.ProductSchemeController.update(id:Long)
POST          /app/product_scheme/delete/:id                     controllers.ProductSchemeController.delete(id:Long)
GET           /app/product_scheme/add                            controllers.ProductSchemeController.add()
POST          /app/product_scheme/post                           controllers.ProductSchemeController.post()
GET           /app/product/list                                  controllers.ProductController.list()
GET           /app/product/table                                 controllers.ProductController.getDataTable()
GET           /app/product/add                                   controllers.ProductController.add()
POST          /app/product/post                                  controllers.ProductController.post()
GET           /app/product/edit/:id                              controllers.ProductController.edit(id:Long)
POST          /app/product/update/:id                            controllers.ProductController.update(id:Long)
POST          /app/product/delete/:id                            controllers.ProductController.delete(id:Long)
GET           /app/client/list                                   controllers.ClientController.list()
GET           /app/client/table                                  controllers.ClientController.getDataTable
GET           /app/client/add                                    controllers.ClientController.add()
POST          /app/client/post                                   controllers.ClientController.post()
GET           /app/client/edit/:id                               controllers.ClientController.edit(id:Long)
POST          /app/client/update/:id                             controllers.ClientController.update(id:Long)
POST          /app/client/delete/:id                             controllers.ClientController.delete(id:Long)
GET           /app/client_type/list                              controllers.ClientTypeController.list()
GET           /app/client_type/table                             controllers.ClientTypeController.getDataTable
GET           /app/client_type/add                               controllers.ClientTypeController.add()
POST          /app/client_type/post                              controllers.ClientTypeController.post()
GET           /app/client_type/edit/:id                          controllers.ClientTypeController.edit(id:Long)
POST          /app/client_type/update/:id                        controllers.ClientTypeController.update(id:Long)
POST          /app/client_type/delete/:id                        controllers.ClientTypeController.delete(id:Long)
GET           /app/client_state/list                             controllers.ClientStateController.list()
GET           /app/client_state/table                            controllers.ClientStateController.getDataTable
GET           /app/client_state/add                              controllers.ClientStateController.add()
POST          /app/client_state/post                             controllers.ClientStateController.post()
GET           /app/client_state/edit/:id                         controllers.ClientStateController.edit(id:Long)
POST          /app/client_state/update/:id                       controllers.ClientStateController.update(id:Long)
POST          /app/client_state/delete/:id                       controllers.ClientStateController.delete(id:Long)
GET           /app/client_level/list                             controllers.ClientLevelController.list()
GET           /app/client_level/table                            controllers.ClientLevelController.getDataTable
GET           /app/client_levle/add                              controllers.ClientLevelController.add()
POST          /app/client_level/post                             controllers.ClientLevelController.post()
GET           /app/client_level/edit/:id                         controllers.ClientLevelController.edit(id:Long)
POST          /app/client_level/update/:id                       controllers.ClientLevelController.update(id:Long)
POST          /app/client_level/delete/:id                       controllers.ClientLevelController.delete(id:Long)
GET           /app/bussiness_type/list                           controllers.BussinessTypeController.list()
GET           /app/bussiness_type/table                          controllers.BussinessTypeController.getDataTable
GET           /app/bussiness_type/add                            controllers.BussinessTypeController.add()
POST          /app/bussiness_type/post                           controllers.BussinessTypeController.post()
GET           /app/bussiness_type/edit/:id                       controllers.BussinessTypeController.edit(id:Long)
POST          /app/bussiness_type/update/:id                     controllers.BussinessTypeController.update(id:Long)
POST          /app/bussiness_type/delete/:id                     controllers.BussinessTypeController.delete(id:Long)
GET           /app/industry_line/list                            controllers.IndustryLineController.list()
GET           /app/industry_line/table                           controllers.IndustryLineController.getDataTable
GET           /app/industry_line/add                             controllers.IndustryLineController.add()
POST          /app/industry_line/post                            controllers.IndustryLineController.post()
GET           /app/industry_line/edit/:id                        controllers.IndustryLineController.edit(id:Long)
POST          /app/industry_line/update/:id                      controllers.IndustryLineController.update(id:Long)
POST          /app/industry_line/delete/:id                      controllers.IndustryLineController.delete(id:Long)
GET           /app/project/list                                  controllers.ProjectController.list()
GET           /app/project/table                                 controllers.ProjectController.getDataTable
GET           /app/project/add                                   controllers.ProjectController.add()
POST          /app/project/post                                  controllers.ProjectController.post()
GET           /app/project/edit/:id                              controllers.ProjectController.edit(id:Long)
POST          /app/project/update/:id                            controllers.ProjectController.update(id:Long)
POST          /app/project/delete/:id                            controllers.ProjectController.delete(id:Long)
GET           /app/project_progress_log/list                     controllers.ProjectProgressLogController.list()
GET           /app/project_progress_log/table                    controllers.ProjectProgressLogController.getDataTable
GET           /app/project_progress_log/add                      controllers.ProjectProgressLogController.add()
POST          /app/project_progress_log/post                     controllers.ProjectProgressLogController.post()
GET           /app/visit_log/list                                controllers.VisitLogController.list()
GET           /app/visit_log/table                               controllers.VisitLogController.getDataTable
GET           /app/visit_log/add                                 controllers.VisitLogController.add()
POST          /app/visit_log/post                                controllers.VisitLogController.post()
GET           /app/TimeTask/list                                 controllers.TimeTaskController.list()
GET           /app/TimeTask/getList                              controllers.TimeTaskController.getList()
GET           /app/TimeTask/detail                               controllers.TimeTaskController.detail()
POST          /app/TimeTask/post                                 controllers.TimeTaskController.post()

一个一个试，输入http://211.140.39.212:8088/user/list，打到一处用户信息，未授权可下载

有了用户名，试一下弱口令，中了，都是123456,用测试经理登录

找了上传点，点击产品设置》产品信息》添加，选择文件上传，提交

里面有些我传的shell，请删之

修复方案：

测试用也要注意安全哦

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-07-27 14:57

厂商回复：

已通知处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0129477

漏洞标题：华数服务器某系统弱口令+未授权下载+列目录漏洞

相关厂商：华数数字电视传媒集团有限公司

漏洞作者：路人甲

提交时间：2015-07-26 18:28

修复时间：2015-09-10 14:58

公开时间：2015-09-10 14:58

漏洞类型：后台弱口令

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0129477

漏洞标题：华数服务器某系统弱口令+未授权下载+列目录漏洞

相关厂商：华数数字电视传媒集团有限公司

漏洞作者： 路人甲

提交时间：2015-07-26 18:28

修复时间：2015-09-10 14:58

公开时间：2015-09-10 14:58

漏洞类型：后台弱口令

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0129477"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云