Discuz!官方免费开源建站系统

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索

[BUG] UCenter Home的MySql注入

[复制链接]
yayamouse 发表于 2009-12-15 15:21:58 | 显示全部楼层 |阅读模式
本帖最后由 yayamouse 于 2009-12-15 17:43 编辑

SQL 盲注        64
SQL 注入        3
不充分帐户封锁        1
发现数据库错误模式        6
会话标识未更新        2
会话定置        2
基于 DOM 的跨站点脚本编制        1
可预测的登录凭证        1
跨站点脚本编制        8
使用 SQL 注入的认证旁路        1
有漏洞的 URL
URL         问题(类型)         修复任务(类型)
http://127.0.0.1/        3 (3)        3 (3)
http://127.0.0.1/com3/        1 (1)        1 (1)
http://127.0.0.1/com2/        1 (1)        1 (1)
http://127.0.0.1/com1/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/logs        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/.cobalt/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/www-sql/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/w3-msql/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/tools/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/templates/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/sws/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/suche/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ssi/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/search/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/samples/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/rwcgi60/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/powerup/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/pollit/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/openwebmail/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/news/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/mwf/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ikonboard/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/iisadmin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/hwadmin5340/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/hamweather/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/gw5/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/guestbook/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/gbook/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/excite/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/ews/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dcforum/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dbman/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/dasp/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cutecast/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cssearch/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/csfaq/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cgi-bin/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/cgi/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/carello/        1 (1)        1 (1)
http://127.0.0.1/cgi-bin/calendar/        1 (1)        1 (1)
http://127.0.0.1/aux/        1 (1)        1 (1)
http://127.0.0.1/qc122/        25 (3)        25 (3)
http://127.0.0.1/qc122/admincp.php        1 (1)        1 (1)
http://127.0.0.1/qc122/batch.common.php        3 (1)        3 (1)
http://127.0.0.1/qc122/batch.login.php        18 (10)        15 (7)
http://127.0.0.1/qc122/batch.panel.php        4 (3)        4 (3)
http://127.0.0.1/qc122/batch.postnews.php        1 (1)        1 (1)
http://127.0.0.1/qc122/batch.search.php        9 (5)        9 (3)
http://127.0.0.1/qc122/cp.php        21 (7)        19 (4)
http://127.0.0.1/qc122/do.php        10 (4)        10 (3)
http://127.0.0.1/qc122/index.php        2 (2)        2 (2)
http://127.0.0.1/qc122/space.php        4 (4)        4 (3)
http://127.0.0.1/qc122/home/        1 (1)        1 (1)
http://127.0.0.1/qc122/home/api/uc.php        10 (4)        5 (2)
http://127.0.0.1/qc122/ucenter/        1 (1)        1 (1)
http://127.0.0.1/qc122/ucenter/admin.php        3 (2)        3 (2)
http://127.0.0.1/qc122/bbs/        1 (1)        1 (1)
 楼主| yayamouse 发表于 2009-12-15 15:23:34 | 显示全部楼层
SQL 盲注 (2/12)
受影响的 URL
        http://127.0.0.1/qc122/
        http://127.0.0.1/qc122/batch.common.php
        http://127.0.0.1/qc122/batch.login.php
        http://127.0.0.1/qc122/batch.panel.php
        http://127.0.0.1/qc122/batch.postnews.php
        http://127.0.0.1/qc122/batch.search.php
        http://127.0.0.1/qc122/cp.php
        http://127.0.0.1/qc122/do.php
        http://127.0.0.1/qc122/home/api/uc.php
        http://127.0.0.1/qc122/space.php
回复

使用道具 举报

 楼主| yayamouse 发表于 2009-12-15 15:28:29 | 显示全部楼层
GET /qc122/home/api/uc.php?time=1260409586&code=5795GvVJczC4GNBAWZ6GDlXQbW7fjZuWwmTBjUtO3HTswNNPKZWg38guTotjRsVltm%252BPz6N2doCDB6euzA HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 127.0.0.1
X-Forwarded-For: %2527


HTTP/1.1 200 OK
Content-Length: 523
Date: Thu, 10 Dec 2009 05:36:28 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html

<div style="position:absolute;font-size:11px;font-family:verdana,arial;background:#EBEBEB;padding:0.5em;">
                                <b>MySQL Error</b><br>
                                <b>Message</b>: Can not connect to MySQL server<br>
                                <b>SQL</b>: <br>
                                <b>Error</b>: Can't connect to MySQL server on 'localhost' (10048)<br>
                                <b>Errno.</b>: 2003<br>
                                <a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can%27t%20connect%20to%20MySQL%20server%20on%20%27localhost%27%20%2810048%29" target="_blank">Click here to seek help.</a>
                                </div>
回复

使用道具 举报

 楼主| yayamouse 发表于 2009-12-15 15:30:18 | 显示全部楼层
发送GET /qc122/batch.search.php?searchkey=1234&type=&searchname=subject&page=WF'SQL"Probe;A--B HTTP/1.0
Cookie: _refer=deleted; supe__refer=%252Fqc122%252Fadmincp.php; supe_sauth=deleted; supe_auth=4488dicNG9PxYjGCQgYGIaVMcWeizPo32dbrZNTf4eV592XmY8qWLhLV7r5IzBPTQQoLFTpvUHY4osTGAJjr; prF_auth=01daRiYxm8qnnQ6higa%2BN2CmgXuXt0wjEZnlLfJBKLWTL4pp3rML5%2B3UrUV98ggnT0hw1DOK%2BWOvDS7lo6xINg; prF_cookietime=2592000; supe_supe_refresh_items=0_4889_4897_4868_4863_4882; supe_seccode=f88ePHmz3VM87NUzakrLaMkcKwvez2lV5JnrPQxpTSV2; supe_sid=deleted
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 127.0.0.1
Referer: http://127.0.0.1/qc122/batch.search.php

返回

HTTP/1.1 200 OK
Content-Length: 600
Date: Thu, 10 Dec 2009 04:23:55 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html; charset=gbk

</table></table></table></table></table>
<p style="font-family: Verdana, Tahoma; font-size: 11px; background: #FFFFFF;"><b>SupeSite info</b>: MySQL Query Error<br />
<br />
<b>User</b>: admin<br />
<b>Time</b>: 2009-12-10 12:23pm<br />
<b>Script</b>: /qc122/batch.search.php<br />
<br />
<b>SQL</b>: SELECT * FROM [Table]spaceitems WHERE subject LIKE '%1234%' ORDER BY dateline DESC LIMIT -30,30<br />
<b>Error</b>:  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-30,30' at line 1<br />
<b>Errno.</b>:  1064</p>
回复

使用道具 举报

 楼主| yayamouse 发表于 2009-12-15 15:30:36 | 显示全部楼层
大家可以试试
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

手机版|小黑屋|Discuz! 官方站 ( 皖ICP备16010102号 )star

GMT+8, 2024-11-16 09:27 , Processed in 0.023161 second(s), 3 queries , Gzip On, Redis On.

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表