一次差一点的漫游暴风影音内网##

漏洞详情

披露状态:

2014-04-30: 细节已通知厂商并且等待厂商处理中
2014-05-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

刚才网吧没机子,我把一个小学生机子抢了 他说要把我头按在键盘上,我哈哈哈哈哈,就凭fjdnxsbhsdjncbsbdhxbbsjwfujdjwjdshckhlnvsldkhl

详细说明:

问题站点:



http://g.baofeng.com/





找到post注入点一枚



http://g.baofeng.com/event/getgoter





post内容



type=msyyh000YyBv





库,表



Database: bfgame
[45 tables]
+------------------------+
| FlashClassV2 |
| FlashsV2 |
| StatisticsGame |
| StatisticsZone |
| accounts |
| admin_log |
| admin_user |
| applications |
| card_data |
| cms_ads |
| cms_ads_pos |
| cms_article_categories |
| cms_articles |
| cms_resources |
| colleges |
| coupon |
| flash_class |
| flash_class_v2 |
| flash_gather_v2 |
| flash_uploads |
| flashs |
| flashs_v2 |
| game_ads |
| game_card |
| game_orders |
| game_pages |
| game_publisher |
| game_role |
| game_users |
| game_zones |
| games |
| gateway_app_rel |
| gateways |
| invite_users |
| message |
| message_data |
| payments |
| policy |
| send_notify |
| send_order |
| unions |
| user_service_a |
| user_service_q |
| users |
| voucher |
+------------------------+





game_card,这是点卡么?还是点卡么?



管理账号密码



baofeng.png









后台地址:



http://g.baofeng.com/admin/login





成功登陆



houtai.png







上传那里是奇葩



我想说,既然做了上传跳转,为什么不传到别的服务器呢?



成功拿下shell





shell.png





可以执行命令



mingl.png







接下来还要玩内网渗透么?



配置文件翻到一半,发现shell不能连了



所以就没玩内网了~~



管理员还是很专业的



而且此次渗透也只是出于安全检测,所以就到此结束



赶快修复吧! 数据库里几百万的用户了!



漏洞证明:

库,表



Database: bfgame
[45 tables]
+------------------------+
| FlashClassV2 |
| FlashsV2 |
| StatisticsGame |
| StatisticsZone |
| accounts |
| admin_log |
| admin_user |
| applications |
| card_data |
| cms_ads |
| cms_ads_pos |
| cms_article_categories |
| cms_articles |
| cms_resources |
| colleges |
| coupon |
| flash_class |
| flash_class_v2 |
| flash_gather_v2 |
| flash_uploads |
| flashs |
| flashs_v2 |
| game_ads |
| game_card |
| game_orders |
| game_pages |
| game_publisher |
| game_role |
| game_users |
| game_zones |
| games |
| gateway_app_rel |
| gateways |
| invite_users |
| message |
| message_data |
| payments |
| policy |
| send_notify |
| send_order |
| unions |
| user_service_a |
| user_service_q |
| users |
| voucher |
+------------------------+





game_card,这是点卡么?还是点卡么?



管理账号密码



baofeng.png









后台地址:



http://g.baofeng.com/admin/login





成功登陆



houtai.png













shell.png





可以执行命令



mingl.png



修复方案:

你懂的~~

版权声明:转载请注明来源 卡卡@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-04-30 10:39

厂商回复:

最新状态:

暂无


漏洞评价: