A teaching system of the generic Oracle injection&arbitrary file upload-vulnerability warning-the black bar safety net

2014-05-08T00:00:00
ID MYHACK58:62201446448
Type myhack58
Reporter 佚名
Modified 2014-05-08T00:00:00

Description

1. The set of"JSP+Oracle"of the CMS is mainly used for University, vocational and technical schools the educational system, many universities, including China medicine University Office of Academic Affairs also in the use of the sleeve system, which system comprisesSQL injectionvulnerabilities and an arbitrary file upload vulnerabilities, resulting not only can be injected, or you can upload a JSP script Trojan. Through Google, Baidu, sogou and other search engines can crawl to the extensive use of the academic systems website.

|

1

2

3

4

5

|

GoogleorBaidu

inurl:ACTIONSHOWNEWS

inurl:ACTIONSHOWNEWS. APPPROCESS

---|---

2. The injection point is mainly:“ACTIONSHOWNEWS. APPPROCESS? mode=2&NewsID=”where NewsID presence of implantation, the following enumeration of the more than twenty examples of the existence of the system of the site for Cncert test.

http://jw.bhcy.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=2 6 1

http://jwcweb.lnpu.edu.cn:7001/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1 3 6 1

http://fzyjwc.com/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1 5 2 1

http://ea.lnutcm.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=2 3 8 1

http://edu.jnvc.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=4 0 2 3

http://218.61.108.163/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1 2 4

[1] [2] next