Huatu education has a vulnerability that kills 21 database servers in the intranet and involves millions of users.
Seckilling 21 database servers on the Intranet. The affected sites include but are not limited to: face-to-face, online schools, books, famous teachers, jobs, live broadcasts, libraries, etc. The affected data includes but is not limited: user Data and order data. The data includes various account passwords, email addresses, mobile phone numbers, ID cards, bank cards, and addresses. If used by black industry practitioners, it can be described as dragging the database to hand cramps.
PS: A gentleman loves his fortune. @ Coordinates of all manufacturers: Guangzhou seeks one role as an O & M attacker, which can be considered as a security O & M engineer.
Entry point:
Admin http://youxue.huatu.com/manage/index.php
2015.12.04 has been getshell, and the Intranet does not seem to have been installed with a firewall. Currently, the visual inspection has been performed on the firewall and the post data is verified. Therefore, the kitchen knife is invalid (the file is in and cannot be used ).
Webshell:
Http://youxue.huatu.com/data/safe/pass.php // v2ex
Http://youxue.huatu.com/data/enums/V.php // one-sentence password whoami
29 database servers, 21 database servers, and the root password are: htmysql @ 112233
// Database connection information $ pai_dbhost = '2017. 168.11.110: 3306 '; $ export _dbname = 'huatu _ gjyx'; $ export _dbuser = 'root'; $ export _dbpwd = 'htmysql @ 112233 '; $ export _dbprefix = 'dede _'; $ pai_db_language = 'gbk';?>
// Enabled
// The password is the same as 192.168.11.102192.168.11.110192.168.11.117192.168.11.140 192.168.11.1411942511.146 192.168.11.148 255.192.168.11.173192.168.11.1_192.168.11.192192.168.11.195192.168.11.200192.168.11.222192.168.11.180
Htexam Database User table:
141.
148.
Htexam library sf table:
Newhuatubook Database User table:
Live Library web_teacher table:
Huatu_wenku Database User table:
Teacherhome database pre_common_member table:
Large data volumes are not listed in detail.
Solution:
Modify & Query