Credential stuffing and remote command execution in a Kingdee system
Detailed description:
1. Credential stuffing: the login endpoint https://sso.youshang.com/sso/userauthnaction.dow.infinite accepts an unlimited number of login attempts (no rate limiting or lockout).
Capture the login request, then replay it against a list of usernames with the password 123456.
A number of accounts accept this password and can be logged into (account list masked):
Proof of vulnerability:
Successful login as proof.
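As an added illustration from the defender's side (not part of the original report), the script below flags the pattern item 1 describes: one source cycling through many distinct usernames against the SSO login endpoint with nothing throttling it. The log format, the request path and every log line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines for the SSO login endpoint (not real data).
SAMPLE_LOG = """\
2014-05-10T08:00:01 203.0.113.7 POST /sso/userauthnaction.do user=alice status=401
2014-05-10T08:00:02 203.0.113.7 POST /sso/userauthnaction.do user=bob status=401
2014-05-10T08:00:02 203.0.113.7 POST /sso/userauthnaction.do user=carol status=200
2014-05-10T08:00:03 203.0.113.7 POST /sso/userauthnaction.do user=dave status=401
2014-05-10T08:00:04 203.0.113.7 POST /sso/userauthnaction.do user=erin status=401
2014-05-10T08:00:05 203.0.113.7 POST /sso/userauthnaction.do user=frank status=200
2014-05-10T08:05:00 198.51.100.9 POST /sso/userauthnaction.do user=alice status=200
2014-05-10T08:06:00 198.51.100.9 POST /sso/userauthnaction.do user=alice status=401
"""

# Assumed log layout: timestamp, source IP, method, path, username, HTTP status.
LINE_RE = re.compile(r"^(\S+) (\S+) POST /sso/userauthnaction\.do user=(\S+) status=(\d+)$")

def parse(log_text):
    """Yield (timestamp, source_ip, username, http_status) for each login attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {source_ip: (distinct_users, successful_logins)} for every source
    that tries at least `min_users` different usernames within one `window`.
    A normal user retrying their own password never trips this; a list replay does."""
    by_ip = defaultdict(list)
    for ts, ip, user, status in parse(log_text):
        by_ip[ip].append((ts, user, status))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                successes = sum(1 for _, _, s in in_win if s == 200)
                hits[ip] = (len(users), successes)  # successes = accounts now compromised
                break
    return hits
```

Raising `min_users` or shrinking `window` tunes the detector; the successful-login count tells the responder which sessions to invalidate first.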
2. http://service.youshang.com/fee/moneybagHome.do is affected by the S-19 remote command execution vulnerability.
Solution:
Upgrade the affected component and add verification to the login endpoint.
Requesting a gift.