Getshell vulnerability at a domain name vendor caused by improper verification (leaks member accounts, passwords and other information)
Posanaka!
Impact: leakage of a large amount of user information; control of resolution for 18,658 domain names; leakage of member accounts and passwords, ICP filing, payment, personal and other sensitive information; modification of user orders, recharge and withdrawal amounts; other users' domain names can be sold and resolved at will.
After the admins review this, please add a thick mosaic!
Problem domain: http://jinmi8.com
Register an account, go to the template authentication area, upload the ID card image and capture the request.
Shell address: http://img.jinmi8.com/jmimg/logopic/T.asp;201612701926742.jpg
Password: xiaojiege
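The filename in the shell address above (an `.asp;` segment in front of the `.jpg` suffix) is exactly what a server-side upload check has to reject, and it is the "improper verification" this report is about. As an added defensive example that is not part of the original report or the vendor's code, a Python validator that allowlists the entire filename, confirms the image magic bytes, and stores the file under a server-generated name (the allowlist and sample bytes are constructed):

```python
import os
import re
import secrets

# Constructed allowlist: extension -> accepted magic-byte prefixes.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# The whole name must match: one simple stem, one dot, one allowed extension.
# Anything else (';', a second extension, path separators, spaces) is rejected,
# so "T.asp;2016.jpg"-style names never reach the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def check_upload(filename: str, data: bytes):
    """Validate an uploaded image.

    Returns (ok, reason, stored_name). The user-supplied name is used only
    for validation; the file is stored under a random name with the validated
    extension, in a directory where script execution is disabled.
    """
    # Strip any client-supplied directory part, Windows or POSIX style.
    base = os.path.basename(filename.replace("\\", "/"))
    match = SAFE_NAME.match(base)
    if not match:
        return False, "filename rejected", None
    ext = match.group(1).lower()
    # Extension alone is not trusted: the content must start with a real
    # image signature for that extension.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match a %s image" % ext, None
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    return True, "ok", stored
```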
The image server and the main site are not the same server! Going through the source code turned up an email account:
uname="[email protected]"pwd="jmHl862613"atoumail="[email protected]"
Logging in to the mailbox was a surprise!
You can also directly transfer the domain name of another user.
It is also an agent (reseller) for various domain name vendors!! Something felt wrong.
Then I went back to the source code and found another request.
loginurl="https://www.dnspod.cn/Auth/Login"logindata="email=linliangemail%40qq.com&password=jmHl862613&remember=1"loginck=winhttp_html(loginurl,logindata,"POST","gb2312","https://www.dnspod.cn",1,"nullcc")
Try logging in.
Result: 12369 domain names are directly controlled and 9 hosts are monitored.
Domain name resolution and other operations
Checking the mailbox shows that they have registered agent or member accounts with multiple domain name vendors and bound multiple mailboxes.
Reset the agent account at Western Digital via email.
Dear jinmi8! Because you have lost the login password of the user account jinmi8, the system has automatically generated a new temporary password for you: yyckegbc (the password is case sensitive). Please change it to your own password immediately and keep your account password safe (the temporary password is not displayed in clear text in the email; please change it immediately). Thank you! Tel: 028-86263960
6281 domain names can be directly controlled...
Available for sale and resolution
It turned out that the main site server was also purchased from Western Digital, with direct access to the server over 3389; a one-line webshell was then uploaded to the main site for convenience.
Shell address: http://www.jinmi8.com/bs.asp password: t0133
1.8 database users leak all kinds of information.
To verify that the database is real, two randomly selected accounts were used to log in:
A common account
One is the administrator account
Member with id: 18026
Domain name resolution and other operations
Personal Information
Administrator Account:
Balance: 111212. I can use it for payment and withdrawal.
All 290+ domain names under the administrator account.
Another administrator has more than 900 domain names.
All domain names can be resolved and opened at will.
In addition, you can recharge your account and withdraw the order amount or change the amount of your account.
Administrator amount comparison chart
I didn't try to recharge myself or modify the amount involved to avoid trouble.
Solution:
--