漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2011-02129
漏洞标题:56分站注入,泄露多个数据库和root密码
相关厂商:56.com
漏洞作者: etcat
提交时间:2011-05-17 14:17
修复时间:2011-05-17 15:32
公开时间:2011-05-17 15:32
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2011-05-17: 积极联系厂商并且等待厂商认领中,细节不对外公开
2011-05-17: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
导致多个分站数据库泄露账号密码
详细说明:
这个注入危险比较严重,泄露太多敏感内容
漏洞证明:
http://sml.56.com/index.php?act=show&Pid=56
数据库账号密码
51tv_php *8A43D2A0EFC7C4883CCA541A84E53ED9BE42AC30 61.146.192.167
58bb520 *0CA4B76111274A44D0E41142BA85899CBD8B095B localhost
azi *2A032F7C5BA932872F0F045E0CF6B53CF702F2C5 localhost
chenzhx *B1461C9C68AFA1129A5F968C343636192A084ADB localhost
dbbak *5427E0F8EE2346C9CD1A800449920BBAE77142AD 172.16.215.0/255.255.255.0
dbbak *5427E0F8EE2346C9CD1A800449920BBAE77142AD 172.16.215.121
liangjb *93455291DB054B12B35F94BEB2DF32ED784D0C35 localhost
onesec *702F73B37142953BDF979B46F838E8E7FFB239C4 172.16.215.0/255.255.255.0
onesec *702F73B37142953BDF979B46F838E8E7FFB239C4 localhost
rebill *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 localhost
root localhost
root localhost.localdomain
seamaid *ED5127A2B34C040776096DB81FFF1A17B9AF447E localhost
spec_php *20EE3752A62E7B3E4BF2A6B53607B0F95FD12387 172.16.215.%
spec_php *20EE3752A62E7B3E4BF2A6B53607B0F95FD12387 61.142.208.0/255.255.255.0
spec_php *20EE3752A62E7B3E4BF2A6B53607B0F95FD12387 172.16.215.0/255.255.255.0
spec_php *20EE3752A62E7B3E4BF2A6B53607B0F95FD12387 172.16.215.13
suxinning *650573960F2171730E6A38E6A32C75B8470B6B1A localhost
wuwei *7860837416FF2F245F77419A564C5E853FC2DFDF localhost
可查询多个分站数据库
cooperate_sml
information_schema
08live
56pro
56sys
DNF
EQ
active
alan
baby61
biye09
brand
broadcast
c2c
chjh3
cooperate
cooperate_2008
cooperate_51tv
cooperate_anycall
cooperate_backkom
cooperate_bbsee
cooperate_beauty
cooperate_dance
cooperate_ddt
cooperate_dgch
cooperate_doufaxiuxianjian
cooperate_fun
cooperate_gamech
cooperate_gjqt
cooperate_gtj
cooperate_happy_castle
cooperate_hhsh
cooperate_icinemec
cooperate_jxqy
cooperate_kdjl
cooperate_mcsd
cooperate_mlxt
cooperate_mr_top
cooperate_muchang
cooperate_pkcar
cooperate_pkfzl
cooperate_pmjx
cooperate_puke
cooperate_rxsg
cooperate_rxxy
cooperate_rxzt
cooperate_sgfy
cooperate_sml
cooperate_sydh
cooperate_tdyx
cooperate_torch2008
cooperate_tvb
cooperate_wlyx
cooperate_wulin
cooperate_wztx
cooperate_yqcm
cooperate_zgch
cooperate_zsg
coopertire
coopv_021215
coopv_021216
coopv_ask_and_answer
coopv_foto
coopv_hunantv
coopv_huodong
coopv_huodongutf8
coopv_mingxing
coopv_top
copyright_admin
disney
disney_1
dvman
dvman1
fcwr2011
fiesta
foto
game
happy
修复方案:
过滤字符
版权声明:转载请注明来源 etcat@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞Rank:10 (WooYun评价)